
Investigation on Vulnerabilities Location in Solidity Smart Contracts

  • Conference paper
Blockchain and Applications (BLOCKCHAIN 2021)

Part of the book series: Lecture Notes in Networks and Systems (LNNS, volume 320)


Abstract

Smart contracts have seen very rapid development in recent years. Once a smart contract is deployed on a blockchain, its residual vulnerabilities cannot be patched, because the code is immutable. Reducing the number of residual vulnerabilities before deployment therefore becomes very important, and is normally achieved through static analyzers. This paper investigates the physical position (location) of vulnerabilities in Solidity smart contracts. To this purpose, we use a language-independent systematization of vulnerabilities and consider the outputs of a set of static analyzers processing a representative set of smart contracts. We analyze the distributions of the locations where the tools report positive outcomes. We create the ground truth of vulnerabilities for a subset S of smart contracts through manual inspection and first compare the distributions within this set. We then generalize our findings by comparing the distributions between the manually inspected subset and the full set. This comparison allows us to identify where certain classes of vulnerabilities are located, suggesting specific areas in Solidity smart contracts where the search for vulnerabilities should focus.
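The abstract describes computing, per vulnerability class, the distribution of where analyzer findings fall inside a contract, and then comparing that distribution between the manually inspected subset S and the full set. The block below is an added illustration of that workflow, not code from the paper or its authors: it assumes each finding is a (contract, class, line, total lines) tuple, buckets the relative line position into quartiles, and measures the subset-versus-full gap with total variation distance. The findings and the subset membership are constructed sample data, not the paper's dataset.

```python
"""Location distribution of static-analyzer findings in Solidity contracts (added example)."""
from collections import defaultdict

N_BINS = 4  # quartiles of a contract's source: 0 = top of file, 3 = bottom

# Constructed sample: one row per finding reported by a static analyzer.
# (contract_id, vulnerability_class, reported_line, total_lines_in_contract)
FINDINGS = [
    ("c1", "reentrancy", 180, 200),
    ("c1", "reentrancy", 195, 200),
    ("c1", "arithmetic", 20, 200),
    ("c2", "reentrancy", 140, 150),
    ("c2", "arithmetic", 30, 150),
    ("c2", "arithmetic", 45, 150),
    ("c3", "reentrancy", 90, 100),
    ("c3", "arithmetic", 10, 100),
    ("c4", "reentrancy", 60, 120),
    ("c4", "arithmetic", 15, 120),
]

# Constructed: the contracts whose findings were manually checked (subset S).
SUBSET_S = {"c1", "c2"}


def relative_position(line, total_lines):
    """Map a 1-based line number to a position in [0, 1) within the contract."""
    if not 1 <= line <= total_lines:
        raise ValueError(f"line {line} outside 1..{total_lines}")
    return (line - 1) / total_lines


def position_bin(rel):
    """Quartile index of a relative position; clamps so 1.0 never overflows."""
    return min(int(rel * N_BINS), N_BINS - 1)


def location_distribution(findings, contracts=None):
    """Per vulnerability class, the fraction of findings landing in each quartile.

    If `contracts` is given, only findings from those contracts are counted.
    """
    counts = defaultdict(lambda: [0] * N_BINS)
    for contract_id, vuln_class, line, total in findings:
        if contracts is not None and contract_id not in contracts:
            continue
        counts[vuln_class][position_bin(relative_position(line, total))] += 1
    return {
        vuln_class: [c / sum(bins) for c in bins]
        for vuln_class, bins in counts.items()
    }


def dominant_bin(distribution):
    """Quartile holding the largest share of findings, i.e. where to look first."""
    return max(range(N_BINS), key=lambda i: distribution[i])


def total_variation(p, q):
    """Total variation distance between two discrete distributions over the same bins."""
    return 0.5 * sum(abs(a - b) for a, b in zip(p, q))


def compare_subset_to_full(findings, subset):
    """Distance, per class, between the subset-S distribution and the full-set one.

    A small value supports generalizing the subset's location pattern to the full set.
    """
    full = location_distribution(findings)
    sub = location_distribution(findings, subset)
    return {v: total_variation(sub[v], full[v]) for v in sub if v in full}


if __name__ == "__main__":
    full = location_distribution(FINDINGS)
    for vuln_class, dist in full.items():
        print(vuln_class, [round(x, 2) for x in dist], "dominant quartile:", dominant_bin(dist))
    print("subset vs full:", compare_subset_to_full(FINDINGS, SUBSET_S))
```

With the constructed rows, reentrancy findings concentrate in the last quartile both in S and in the full set, while arithmetic findings sit near the top; the total variation values stay small, which is the kind of agreement the abstract uses to justify generalizing from S.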


Notes

  1. The list of addresses can be retrieved at https://doi.org/10.5281/zenodo.5046761.



Correspondence to Mirko Staderini .


Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG


Cite this paper

Staderini, M., Bondavalli, A. (2022). Investigation on Vulnerabilities Location in Solidity Smart Contracts. In: Prieto, J., Partida, A., Leitão, P., Pinto, A. (eds) Blockchain and Applications. BLOCKCHAIN 2021. Lecture Notes in Networks and Systems, vol 320. Springer, Cham. https://doi.org/10.1007/978-3-030-86162-9_20
