What are the Actual Flaws in Important Smart Contracts (and How Can We Find Them)?

An important problem in smart contract security is understanding the likelihood and criticality of discovered, or potential, weaknesses in contracts. In this paper we provide a summary of Ethereum smart contract audits performed for 23 professional stakeholders, avoiding the common problem of reporting issues mostly prevalent in low-quality contracts. These audits were performed at a leading company in blockchain security, using both open-source and proprietary tools, as well as human code analysis performed by professional security engineers. We categorize 246 individual defects, making it possible to compare the severity and frequency of different vulnerability types, compare smart contract and non-smart contract flaws, and to estimate the efficacy of automated vulnerability detection approaches.

[1]  Stéphane Ducasse,et al.  SmartAnvil: Open-Source Tool Suite for Smart Contract Analysis , 2019 .

[2]  B. Gazzard,et al.  What we know so far. , 1996, AIDS.

[3]  Prateek Saxena,et al.  Finding The Greedy, Prodigal, and Suicidal Contracts at Scale , 2018, ACSAC.

[4]  Ardit Dika,et al.  Ethereum Smart Contracts: Security Vulnerabilities and Security Tools , 2017 .

[5]  Vincent Gramoli,et al.  Vandal: A Scalable Security Analysis Framework for Smart Contracts , 2018, ArXiv.

[6]  Petar Tsankov,et al.  Securify: Practical Security Analysis of Smart Contracts , 2018, CCS.

[7]  Matteo Maffei,et al.  A Semantic Framework for the Security Analysis of Ethereum smart contracts , 2018, POST.

[8]  Koen Claessen,et al.  QuickCheck: a lightweight tool for random testing of Haskell programs , 2011, SIGP.

[9]  Alex Groce,et al.  Manticore: A User-Friendly Symbolic Execution Framework for Binaries and Smart Contracts , 2019, 2019 34th IEEE/ACM International Conference on Automated Software Engineering (ASE).

[10]  Benjamin Livshits,et al.  Smart Contract Vulnerabilities: Does Anyone Care? , 2019, ArXiv.

[11]  Matteo Maffei,et al.  Foundations and Tools for the Static Analysis of Ethereum Smart Contracts , 2018, CAV.

[12]  Ilya Grishchenko,et al.  EtherTrust: Sound Static Analysis of Ethereum bytecode , 2018 .

[13]  Massimo Bartoletti,et al.  A Survey of Attacks on Ethereum Smart Contracts (SoK) , 2017, POST.

[14]  Prateek Saxena,et al.  Making Smart Contracts Smarter , 2016, IACR Cryptol. ePrint Arch..

[15]  Andrea C. Arpaci-Dusseau,et al.  Error propagation analysis for file systems , 2009, PLDI '09.

[16]  Christian Rossow,et al.  teEther: Gnawing at Ethereum to Automatically Exploit Smart Contracts , 2018, USENIX Security Symposium.

[17]  Mariusz Nowostawski,et al.  Security Vulnerabilities in Ethereum Smart Contracts , 2018, 2018 IEEE International Conference on Internet of Things (iThings) and IEEE Green Computing and Communications (GreenCom) and IEEE Cyber, Physical and Social Computing (CPSCom) and IEEE Smart Data (SmartData).

[18]  Alex Groce,et al.  Slither: A Static Analysis Framework for Smart Contracts , 2019, 2019 IEEE/ACM 2nd International Workshop on Emerging Trends in Software Engineering for Blockchain (WETSEB).

[19]  Alex Groce,et al.  TSTL: the template scripting testing language , 2018, International Journal on Software Tools for Technology Transfer.

[20]  S GunawiHaryadi,et al.  Error propagation analysis for file systems , 2009 .

[21]  Sergei Tikhomirov,et al.  SmartCheck: Static Analysis of Ethereum Smart Contracts , 2018, 2018 IEEE/ACM 1st International Workshop on Emerging Trends in Software Engineering for Blockchain (WETSEB).

[22]  Aziz Mohaisen,et al.  Exploring the Attack Surface of Blockchain: A Systematic Overview , 2019, ArXiv.

[23]  Vitalik Buterin A NEXT GENERATION SMART CONTRACT & DECENTRALIZED APPLICATION PLATFORM , 2015 .