The Good, The Bad and The Ugly: Pitfalls and Best Practices in Automated Sound Static Analysis of Ethereum Smart Contracts

Ethereum smart contracts are distributed programs running on top of the Ethereum blockchain. Since program flaws can cause significant monetary losses and can hardly be fixed due to the immutable nature of the blockchain, there is a strong need of automated analysis tools which provide formal security guarantees. Designing such analyzers, however, proved to be challenging and error-prone. We review the existing approaches to automated, sound, static analysis of Ethereum smart contracts and highlight prevalent issues in the state of the art. Finally, we overview eThor , a recent static analysis tool that we developed following a principled design and implementation approach based on rigorous semantic foundations to overcome the problems of past works.

[1]  Sijie Chen,et al.  Smart contract-based campus demonstration of decentralized transactive energy auctions , 2017, 2017 IEEE Power & Energy Society Innovative Smart Grid Technologies Conference (ISGT).

[2]  Daniel Davis Wood,et al.  ETHEREUM: A SECURE DECENTRALISED GENERALISED TRANSACTION LEDGER , 2014 .

[3]  Matteo Maffei,et al.  Foundations and Tools for the Static Analysis of Ethereum Smart Contracts , 2018, CAV.

[4]  Satoshi Nakamoto Bitcoin : A Peer-to-Peer Electronic Cash System , 2009 .

[5]  Adrian-Tudor Panescu,et al.  Smart Contracts for Research Data Rights Management over the Ethereum Blockchain Network , 2018 .

[6]  Christian Esposito,et al.  NeuCheck: A more practical Ethereum smart contract security analysis tool , 2019, Softw. Pract. Exp..

[7]  Nikolaj Bjørner,et al.  Z3: An Efficient SMT Solver , 2008, TACAS.

[8]  Sukrit Kalra,et al.  ZEUS: Analyzing Safety of Smart Contracts , 2018, NDSS.

[9]  Clara Schneidewind,et al.  eThor: Practical and Provably Sound Static Analysis of Ethereum Smart Contracts , 2020, CCS.

[10]  Prateek Saxena,et al.  Making Smart Contracts Smarter , 2016, IACR Cryptol. ePrint Arch..

[11]  Naoto Yanai,et al.  RBAC-SC: Role-Based Access Control Using Smart Contract , 2018, IEEE Access.

[12]  Yi Zhang,et al.  KEVM: A Complete Formal Semantics of the Ethereum Virtual Machine , 2018, 2018 IEEE 31st Computer Security Foundations Symposium (CSF).

[13]  Jakub Zakrzewski,et al.  Towards Verification of Ethereum Smart Contracts: A Formalization of Core of Solidity , 2018, VSTTE.

[14]  Andrew Lippman,et al.  MedRec: Using Blockchain for Medical Data Access and Permission Management , 2016, 2016 2nd International Conference on Open and Big Data (OBD).

[15]  Matteo Maffei,et al.  A Semantic Framework for the Security Analysis of Ethereum smart contracts , 2018, POST.

[16]  Chandra Adhikari,et al.  Secure Framework for Healthcare Data Management Using Ethereum-based Blockchain Technology , 2017 .

[17]  Bernhard Scholz,et al.  Soufflé: On Synthesis of Program Analyzers , 2016, CAV.

[18]  Amr M. Youssef,et al.  Verifiable Sealed-Bid Auction on the Ethereum Blockchain , 2018, IACR Cryptol. ePrint Arch..

[19]  Petar Tsankov,et al.  Securify: Practical Security Analysis of Smart Contracts , 2018, CCS.

[20]  Hang Lei,et al.  Lolisa: Formal Syntax and Semantics for a Subset of the Solidity Programming Language , 2018, Mathematical Problems in Engineering.

[21]  Massimo Bartoletti,et al.  A minimal core calculus for Solidity contracts , 2019, DPM/CBT@ESORICS.

[22]  Nikhil Swamy,et al.  Formal Verification of Smart Contracts: Short Paper , 2016, PLAS@CCS.

[23]  Yoichi Hirai,et al.  Defining the Ethereum Virtual Machine for Interactive Theorem Provers , 2017, Financial Cryptography Workshops.

[24]  Ittai Abraham,et al.  Online detection of effectively callback free objects with applications to smart contracts , 2017, Proc. ACM Program. Lang..

[25]  Silvia Crafa,et al.  Is Solidity Solid Enough? , 2019, Financial Cryptography Workshops.

[26]  Feng Hao,et al.  A Smart Contract for Boardroom Voting with Maximum Voter Privacy , 2017, IACR Cryptol. ePrint Arch..

[27]  Jun Sun,et al.  Executable Operational Semantics of Solidity , 2018, ArXiv.

[28]  Sidney Amani,et al.  Towards verifying ethereum smart contract bytecode in Isabelle/HOL , 2018, CPP.

[29]  Christof Weinhardt,et al.  Trading Stocks on Blocks - Engineering Decentralized Markets , 2017, DESRIST.