Smart Contract and DeFi Security: Insights from Tool Evaluations and Practitioner Surveys

The growth of the decentralized finance (DeFi) ecosystem built on blockchain technology and smart contracts has led to an increased demand for secure and reliable smart contract development. However, attacks targeting smart contracts are increasing, causing an estimated \$6.45 billion in financial losses. Researchers have proposed various automated security tools to detect vulnerabilities, but their real-world impact remains uncertain. In this paper, we aim to shed light on the effectiveness of automated security tools in identifying vulnerabilities that can lead to high-profile attacks, and their overall usage within the industry. Our comprehensive study encompasses an evaluation of five SoTA automated security tools, an analysis of 127 high-impact real-world attacks resulting in \$2.3 billion in losses, and a survey of 49 developers and auditors working in leading DeFi protocols. Our findings reveal a stark reality: the tools could have prevented a mere 8% of the attacks in our dataset, amounting to \$149 million out of the \$2.3 billion in losses. Notably, all preventable attacks were related to reentrancy vulnerabilities. Furthermore, practitioners distinguish logic-related bugs and protocol layer vulnerabilities as significant threats that are not adequately addressed by existing security tools. Our results emphasize the need to develop specialized tools catering to the distinct demands and expectations of developers and auditors. Further, our study highlights the necessity for continuous advancements in security tools to effectively tackle the ever-evolving challenges confronting the DeFi ecosystem.

[1]  Arthur Gervais,et al.  SoK: Decentralized Finance (DeFi) Attacks , 2022, 2023 IEEE Symposium on Security and Privacy (SP).

[2]  Yinxing Xue,et al.  Machine Learning Guided Cross-Contract Fuzzing , 2021, IEEE Transactions on Dependable and Secure Computing.

[3]  Chengnian Sun,et al.  Empirical evaluation of smart contract testing: what is the best choice? , 2021, ISSTA.

[4]  David Lo,et al.  Smart Contract Security: A Practitioners' Perspective: The Artifact of a Paper Accepted in the 43rd IEEE/ACM International Conference on Software Engineering (ICSE 2021) , 2021, 2021 IEEE/ACM 43rd International Conference on Software Engineering: Companion Proceedings (ICSE-Companion).

[5]  Lei Wu,et al.  DeFiRanger: Detecting Price Manipulation Attacks on DeFi Applications , 2021, ArXiv.

[6]  Antonio Ken Iannillo,et al.  ConFuzzius: A Data Dependency-Aware Hybrid Fuzzer for Smart Contracts , 2021, 2021 IEEE European Symposium on Security and Privacy (EuroS&P).

[7]  Benjamin Livshits,et al.  On the Just-In-Time Discovery of Profit-Generating Transactions in DeFi Protocols , 2021, 2021 IEEE Symposium on Security and Privacy (SP).

[8]  Sam M. Werner,et al.  SoK: Decentralized Finance (DeFi) , 2021, AFT.

[9]  Arthur Gervais,et al.  High-Frequency Trading on Decentralized On-Chain Exchanges , 2020, 2021 IEEE Symposium on Security and Privacy (SP).

[10]  Ting Chen,et al.  DefectChecker: Automated Smart Contract Defect Detection by Analyzing EVM Bytecode , 2020, IEEE Transactions on Software Engineering.

[11]  Yinxing Xue,et al.  Cross-Contract Static Analysis for Detecting Practical Reentrancy Vulnerabilities in Smart Contracts , 2020, 2020 35th IEEE/ACM International Conference on Automated Software Engineering (ASE).

[12]  Pengcheng Zhang,et al.  A Framework and DataSet for Bugs in Ethereum Smart Contracts , 2020, 2020 IEEE International Conference on Software Maintenance and Evolution (ICSME).

[13]  Bin Hu,et al.  A comprehensive survey on smart contract construction and execution: paradigms, tools, and systems , 2020, Patterns.

[14]  Alex Groce,et al.  Echidna: effective, usable, and fast fuzzing for smart contracts , 2020, ISSTA.

[15]  Yinxing Xue,et al.  Clairvoyance: cross-contract static analysis for detecting practical reentrancy vulnerabilities in smart contracts , 2020, ICSE.

[16]  Yannis Smaragdakis,et al.  Ethainter: a smart contract security analyzer for composite vulnerabilities , 2020, PLDI.

[17]  Dimitar Dimitrov,et al.  VerX: Safety Verification of Smart Contracts , 2020, 2020 IEEE Symposium on Security and Privacy (SP).

[18]  Ari Juels,et al.  Flash Boys 2.0: Frontrunning in Decentralized Exchanges, Miner Extractable Value, and Consensus Instability , 2020, 2020 IEEE Symposium on Security and Privacy (SP).

[19]  Jun Sun,et al.  sFuzz: An Efficient Adaptive Fuzzer for Solidity Smart Contracts , 2020, 2020 IEEE/ACM 42nd International Conference on Software Engineering (ICSE).

[20]  Manar H. Alalfi,et al.  Reentrancy Vulnerability Identification in Ethereum Smart Contracts , 2020, 2020 IEEE International Workshop on Blockchain Oriented Software Engineering (IWBOSE).

[21]  Roger Zimmermann,et al.  Towards Automated Reentrancy Detection for Smart Contracts Based on Sequential Models , 2020, IEEE Access.

[22]  Chunhua Su,et al.  ContractWard: Automated Vulnerability Detection Models for Ethereum Smart Contracts , 2020, IEEE Transactions on Network Science and Engineering.

[23]  Pengcheng Zhang,et al.  SolidityCheck : Quickly Detecting Smart Contract Problems Through Regular Expressions , 2019, ArXiv.

[24]  Rui Abreu,et al.  Empirical Review of Automated Analysis Tools on 47,587 Ethereum Smart Contracts , 2019, 2020 IEEE/ACM 42nd International Conference on Software Engineering (ICSE).

[25]  Heejo Lee,et al.  VERISMART: A Highly Precise Safety Verifier for Ethereum Smart Contracts , 2019, 2020 IEEE Symposium on Security and Privacy (SP).

[26]  Huashan Chen,et al.  A Survey on Ethereum Systems Security , 2019, ACM Comput. Surv..

[27]  Alex Groce,et al.  Manticore: A User-Friendly Symbolic Execution Framework for Binaries and Smart Contracts , 2019, 2019 34th IEEE/ACM International Conference on Automated Software Engineering (ASE).

[28]  Valentin Wüstholz,et al.  Harvey: a greybox fuzzer for smart contracts , 2019, ESEC/SIGSOFT FSE.

[29]  Alex Groce,et al.  Slither: A Static Analysis Framework for Smart Contracts , 2019, 2019 IEEE/ACM 2nd International Workshop on Emerging Trends in Software Engineering for Blockchain (WETSEB).

[30]  Ghassan O. Karame,et al.  Sereum: Protecting Existing Smart Contracts Against Re-Entrancy Attacks , 2018, NDSS.

[31]  William J. Knottenbelt,et al.  Towards Safer Smart Contracts: A Survey of Languages and Verification Methods , 2018, ArXiv.

[32]  Vincent Gramoli,et al.  Vandal: A Scalable Security Analysis Framework for Smart Contracts , 2018, ArXiv.

[33]  Chao Liu,et al.  S-gram: Towards Semantic-Aware Security Auditing for Ethereum Smart Contracts , 2018, 2018 33rd IEEE/ACM International Conference on Automated Software Engineering (ASE).

[34]  Bo Gao,et al.  sCompile: Critical Path Identification and Analysis for Smart Contracts , 2018, ICFEM.

[35]  Ye Liu,et al.  ContractFuzzer: Fuzzing Smart Contracts for Vulnerability Detection , 2018, 2018 33rd IEEE/ACM International Conference on Automated Software Engineering (ASE).

[36]  Petar Tsankov,et al.  Securify: Practical Security Analysis of Smart Contracts , 2018, CCS.

[37]  Zhong Chen,et al.  ReGuard: Finding Reentrancy Bugs in Smart Contracts , 2018, 2018 IEEE/ACM 40th International Conference on Software Engineering: Companion (ICSE-Companion).

[38]  Matteo Maffei,et al.  A Semantic Framework for the Security Analysis of Ethereum smart contracts , 2018, POST.

[39]  Prateek Saxena,et al.  Finding The Greedy, Prodigal, and Suicidal Contracts at Scale , 2018, ACSAC.

[40]  Jun Sun,et al.  Security Assurance for Smart Contract , 2018, 2018 9th IFIP International Conference on New Technologies, Mobility and Security (NTMS).

[41]  Massimo Bartoletti,et al.  A Survey of Attacks on Ethereum Smart Contracts (SoK) , 2017, POST.

[42]  Prateek Saxena,et al.  Making Smart Contracts Smarter , 2016, IACR Cryptol. ePrint Arch..

[43]  Christian Bird,et al.  What developers want and need from program analysis: An empirical study , 2016, 2016 31st IEEE/ACM International Conference on Automated Software Engineering (ASE).

[44]  Elaine Shi,et al.  Step by Step Towards Creating a Safe Smart Contract: Lessons and Insights from a Cryptocurrency Lab , 2016, Financial Cryptography Workshops.

[45]  Christopher B. Mayhorn,et al.  Quantifying developers' adoption of security tools , 2015, ESEC/SIGSOFT FSE.

[46]  Emerson R. Murphy-Hill,et al.  Improving developer participation rates in surveys , 2013, 2013 6th International Workshop on Cooperative and Human Aspects of Software Engineering (CHASE).

[47]  Robert W. Bowdidge,et al.  Why don't software developers use static analysis tools to find bugs? , 2013, 2013 35th International Conference on Software Engineering (ICSE).

[48]  Janice Singer,et al.  Guide to Advanced Empirical Software Engineering , 2007 .

[49]  Satpal Singh Kushwaha,et al.  Ethereum Smart Contract Analysis Tools: A Systematic Review , 2022, IEEE Access.

[50]  Benjamin Livshits,et al.  Smart Contract Vulnerabilities: Vulnerable Does Not Imply Exploited , 2021, USENIX Security Symposium.

[51]  Thorsten Holz,et al.  ETHBMC: A Bounded Model Checker for Smart Contracts , 2020, USENIX Security Symposium.

[52]  Emerson R. Murphy-Hill,et al.  Why Can't Johnny Fix Vulnerabilities: A Usability Evaluation of Static Analysis Tools for Security , 2020, SOUPS @ USENIX Security Symposium.

[53]  Sukrit Kalra,et al.  ZEUS: Analyzing Safety of Smart Contracts , 2018, NDSS.

[54]  Robert Feldt,et al.  Validity Threats in Empirical Software Engineering Research - An Initial Survey , 2010, SEKE.

[55]  Shari Lawrence Pfleeger,et al.  Personal Opinion Surveys , 2008, Guide to Advanced Empirical Software Engineering.