Abstract
Smart contract development has grown very rapidly in recent years. Once a smart contract is deployed on a blockchain, code immutability means that its residual vulnerabilities cannot be patched. Reducing the number of residual vulnerabilities before deployment is therefore very important, and this is normally achieved through static analyzers. This paper investigates the physical position (location) of vulnerabilities in Solidity smart contracts. To this purpose, we use a language-independent systematization of vulnerabilities and consider the outputs of a set of static analyzers run on a representative set of smart contracts. We analyze the distributions of the locations where the tools report positive outcomes. We create the ground truth of vulnerabilities for a subset S of smart contracts through manual inspection and first compare the distributions within this subset. We then generalize our findings by comparing the distributions between the manually inspected subset and the full set. This comparison allows us to identify where certain classes of vulnerabilities are located, suggesting specific areas of Solidity smart contracts on which the search for vulnerabilities should focus.
Notes
1. The list of addresses can be retrieved at https://doi.org/10.5281/zenodo.5046761.
Copyright information
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this paper
Staderini, M., Bondavalli, A. (2022). Investigation on Vulnerabilities Location in Solidity Smart Contracts. In: Prieto, J., Partida, A., Leitão, P., Pinto, A. (eds) Blockchain and Applications. BLOCKCHAIN 2021. Lecture Notes in Networks and Systems, vol 320. Springer, Cham. https://doi.org/10.1007/978-3-030-86162-9_20
DOI: https://doi.org/10.1007/978-3-030-86162-9_20
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-86161-2
Online ISBN: 978-3-030-86162-9
eBook Packages: Intelligent Technologies and Robotics (R0)