a study of static analysis tools for ethereum smart contracts
TRANSCRIPT
A Study of Static Analysis Tools for Ethereum Smart
Contracts
Antonio Pedro Cruz Monteiro
Thesis to obtain the Master of Science Degree in
Information Systems and Computer Engineering
Supervisor: Prof. Joao Fernando Peixoto Ferreira
Examination Committee
Chairperson: Prof. Joao Antonio Madeiras PereiraSupervisor: Prof. Joao Fernando Peixoto Ferreira
Member of the Committee: Prof. Rui Filipe Lima Maranhao de Abreu
October 2019
Acknowledgments
I would like to thank my supervisor Joao F. Ferreira for presenting the theme and for all the support
during this work. I would also like to thank Rui Maranhao and Thomas Durieux for contributions to
SmartBugs and to the research paper that supports Chapter 4. Finally, I thank my family and friends
for the continuous support in all my academic journey.
Abstract
Blockchain technology has been receiving considerable attention from industry and academia, for it
promises to disrupt the digital online world by enabling a democratic, open, and scalable digital economy
based on decentralized distributed consensus without the intervention of third-party trusted authorities.
Smart contracts, computer programs executed on top of a blockchain, are at the core of this technology,
for they allow the creation of new distributed applications. Millions of smart contracts have been deployed
on Ethereum, a major blockchain platform for smart contracts, and although they are seen with great
potential, smart contracts have been known to have several security problems. Recent attacks on smart
contracts and critical vulnerabilities discovered show us the huge financial loss they can impose on the
users and warn us for the necessity of having methods that lead to secure and reliable implementations.
Over the last few years several static analysis tools have been developed specifically targeting Ethereum
smart contracts. In this dissertation, we present a review of state-of-the-art static analysis tools and
introduce SmartBugs, a new extendable execution framework, created to facilitate the integration and
comparison between multiple analysis tools and the analysis of Ethereum smart contracts. SmartBugs
includes two datasets with a total of 47,661 Solidity smart contracts. We use SmartBugs to perform an
empirical evaluation of 7 state-of-the-art automated analysis tools using the two new datasets. Our study
shows that Mythril is the most sensitive and Slither has the best precision. In addition, we present an
extension that improves SmartCheck.
Keywords
Blockchain, Ethereum, Smart Contracts, Static Analysis, Vulnerabilities, Solidity
iii
Resumo
A tecnologia blockchain tem recebido consideravel atencao por parte da industria e academia, pelas suas
promessas em mudar o mundo digital permitindo uma economia digital aberta, democratica e escalavel
baseada em consenso distribuıdo de forma descentralizada. Smart contracts, programas de computador
executados em blockchain, sao parte nuclear desta tecnologia, pois permitem a criacao de novas aplicacoes
distribuıdas. Milhoes de smart contracts foram submetidos na rede Ethereum, a maior plataforma de
blockchain para smart contracts e, embora sejam vistos com grande potencial, sabe-se que smart contracts
tem tido varios problemas de seguranca. Ataques recentes a smart contracts e vulnerabilidades crıticas
descobertas mostram a enorme perda financeira que podem causar aos utilizadores e alertam-nos para a
necessidade de uma implementacao segura e confiavel, alertando para a necessidade de aplicar tecnicas
de verificacao. Nos ultimos anos, foram desenvolvidas varias ferramentas de analise estatica visando
especificamente smart contracts da rede Ethereum. Nesta dissertacao apresentamos uma revisao de
ferramentas de analise a smart contracts e introduzimos o SmartBugs, um novo framework de execucao
extensıvel, criado para facilitar a integracao e a comparacao entre varias ferramentas de analise e a analise
de smart contracts. O SmartBugs inclui dois datasets com um total de 47,661 smart contracts escritos
em Solidity e e utilizado para realizar uma avaliacao empırica de 7 ferramentas de analise estatica usando
os dois novos datasets. O nosso estudo mostra que Mythril e a ferramenta mais sensıvel e Slither tem a
melhor precisao. Alem disso, apresentamos uma extensao que melhora o SmartCheck.
Palavras Chave
Blockchain, Ethereum, Smart Contracts, Analise Estatica, Vulnerabilidades, Solidity
v
Contents
1 Introduction 1
1.1 Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.2 Objectives and Contributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.3 Topic Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.4 Thesis Outline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
2 Background 7
2.1 Blockchain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
2.2 Smart Contracts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
2.3 Ethereum . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
2.4 Vulnerabilities of Ethereum Smart Contracts . . . . . . . . . . . . . . . . . . . . . . . . . 14
2.4.1 Taxonomies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
2.4.2 DASP 10 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
2.4.2.1 Reentrancy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
2.4.2.2 Access control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
2.4.2.3 Arithmetic Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
2.4.2.4 Unchecked Low Level Calls . . . . . . . . . . . . . . . . . . . . . . . . . . 21
2.4.2.5 Denial of Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
2.4.2.6 Bad Randomness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
2.4.2.7 Front Running . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
2.4.2.8 Time manipulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
2.4.2.9 Short Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
2.4.2.10 Unknown Unknowns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
2.5 Static Analysis Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
2.5.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
2.5.2 State Of The Art . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
3 SmartBugs: An Execution Framework 31
3.1 Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
vii
3.2 Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
3.3 Data Collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
3.3.1 sbcurated: A Dataset of 143 Vulnerable Smart Contracts . . . . . . . . . . . . . . . 35
3.3.1.1 sbcurated Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
3.4 Framework Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
3.4.1 System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
3.4.2 Methodology for adding tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
3.4.3 Methodology for filtering bugs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
3.4.4 CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
3.4.5 WUI Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
3.5 Use Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
4 Analysis: An Empirical Review 43
4.1 Analysis of 47,587 Smart Contracts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
4.1.1 Data Collection: sbwild . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
4.1.2 Tools’ Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
4.1.3 Large-scale Execution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
4.1.4 sbcurated: Analysis of 69 Smart Contracts . . . . . . . . . . . . . . . . . . . . . . . 46
4.1.5 sbwild: Vulnerabilities in Production Smart Contracts . . . . . . . . . . . . . . . . 49
4.1.6 Execution Time of the Analysis Tools . . . . . . . . . . . . . . . . . . . . . . . . . 52
4.2 Precision of the Static Analysis Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
4.2.1 Testing Environment and Evaluation Criteria . . . . . . . . . . . . . . . . . . . . . 53
4.2.2 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
5 SmartCheck Extension 55
5.1 SmartCheck Patterns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
5.2 Patterns Added . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
5.3 Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
5.4 Availabity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
6 Conclusion 63
6.1 Achievements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
6.2 Future Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
viii
List of Figures
2.1 Chain of blocks (Nakamoto, 2008) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
2.2 Schematic of a blockchain platform with smart contracts. (Delmolino et al., 2015) . . . . 11
2.3 Example execution of a smart contract on Ethereum. (Fontein, 2018) . . . . . . . . . . . . 12
2.4 Overview of workflow in the Ethereum network (Bhargavan et al., 2016) . . . . . . . . . . 13
2.5 The recursive loop of a reentrancy attack. . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
3.1 SmartBugs Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
3.2 SmartBugs Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
3.3 Input panel for smart contracts and tool’s choice (Oyente, Slither and SmartCheck are
selected) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
3.4 Number of issues found by each tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
3.5 Issues found by Oyente . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
4.1 Proportion of vulnerabilities identified by exactly one (1), two (2) or three (3) tools, and
by four tools or more (4+) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
4.2 Evolution of number of vulnerabilities over time. . . . . . . . . . . . . . . . . . . . . . . . 51
4.3 Correlation between the number of vulnerabilities and balance in Wei (one Ether is 1018
Wei) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
5.1 Parse tree for the Balance equality code example (SmartCheck, 2018) . . . . . . . . . . . 57
ix
List of Tables
2.1 Taxonomy of vulnerabilities by Atzei et al. [1] . . . . . . . . . . . . . . . . . . . . . . . . . 14
2.2 DASP Top 10 vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
2.3 Solidity methods to transfer Ether . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
2.4 Tools identified and their URLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
2.5 Excluded analysis tools based on our inclusion criteria. . . . . . . . . . . . . . . . . . . . . 29
2.6 Included analysis tools based on our inclusion criteria. . . . . . . . . . . . . . . . . . . . . 29
3.1 Categories of vulnerabilities available in the dataset. (computed using cloc 1.82). . . . . . 36
4.1 Statistics on the collection of Solidity smart contracts from the Ethereum blockchain. . . 46
4.2 Categories of vulnerabilities available in the dataset sbcurated used in the study. (computed
using cloc 1.82). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
4.3 Vulnerabilities identified per category by each tool. . . . . . . . . . . . . . . . . . . . . . . 48
4.4 Total number of detected vulnerabilities by each tool, including vulnerabilities not tagged
in the dataset. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
4.5 Combined tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
4.6 The total number of contracts that have at least one vulnerability (analysis of 47,518
contracts). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
4.7 Average execution time for each tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
4.8 Metrics of the tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
5.1 Vulnerabilities identified per category by SmartCheck and SmartCheck Extended in sbcurated. 60
5.2 SmartCheck and SmartCheck Extended metrics. . . . . . . . . . . . . . . . . . . . . . . . 61
5.3 Positives of SmartCheck Extended. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
xi
Listings
2.1 Vulnerable - accounts is updated after message call. . . . . . . . . . . . . . . . . . . . . . 16
2.2 Safe - accounts is updated before message call. . . . . . . . . . . . . . . . . . . . . . . . . 16
2.3 Simplified example of The DAO. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
2.4 Malicious contract. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
2.5 Modifier defined. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
2.6 Vulnerable - changeOwner is not protected. . . . . . . . . . . . . . . . . . . . . . . . . . . 19
2.7 Safe - modifier is used correctly. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
2.8 Vulnerable - does not check for overflows. . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
2.9 Safe - checks for overflows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
2.10 Safe - using SafeMath library. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
2.11 Vulnerable - send() can fail and prizePaidOut will be sent to true regardless. . . . . . . . 21
2.12 Safe - prizePaidOut will be sent to true if send() is true. . . . . . . . . . . . . . . . . . . . 22
2.13 Vulnerable - send may fail and no one else will be able to bid. . . . . . . . . . . . . . . . . 22
2.14 Safe - the refund is recorded safely. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
2.15 Vulnerable to bad randomness. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
2.16 Vulnerable to Front Running. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
2.17 Vulnerable to time manipulation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
5.1 Balance equality. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
5.2 XPath pattern for the Balance equality issue. . . . . . . . . . . . . . . . . . . . . . . . . . 58
5.3 SOLIDITY BAD RANDOMNESS : XPath pattern to detect bad randomness vulnerabilities. 58
5.4 SOLIDITY UNPROTECTED : XPath pattern to detect unprotected ownership transfers. 59
5.5 SOLIDITY UNPROTECTED : XPath pattern to detect unprotected suicides. . . . . . . . 59
5.6 SOLIDITY EXACT TIME : XPath pattern to detect time manipulation vulnerabilities. . 60
xiii
1Introduction
Contents
1.1 Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.2 Objectives and Contributions . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.3 Topic Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.4 Thesis Outline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
1
1.1 Motivation
Blockchain technology and cryptocurrencies, introduced by Bitcoin [2], have gained and continue to gain
attention and popularity. Blockchain, a shared, decentralized, cryptographically secure and immutable
digital ledger maintained by nodes in a peer-to-peer network is considered to be one of the most prominent
technologies introduced in this century. Cryptocurrencies, which have become a global phenomenon, use
this data structure as a public ledger to record all valid transactions. Blockchain acts as public append-
only database that keeps a permanent and immutable record of digital transactions without relying on
trust to secure it, instead it is secured by a peer-to-peer network using a consensus algorithm.
One of the blockchain appeals is being a technology that promises secure distributed computations
even in the absence of trusted third parties. These computations, called smart contracts — interactions
between mutually distrusting entities, are automatically enforced by the consensus mechanism of the
blockchain, using incentives and cryptography. These immutable pieces of code, when deployed on the
blockchain, allow parties to manifest contract terms in the form of program code.
Most transactions made today are by means of intermediaries. These trusted third parties facilitate
transactions and provide the connection between the entities involved, overcoming trust issues and en-
suring that the agreement is fulfilled. Smart contracts can present themselves as substitutes for these
third parties as they can overcome the issue of missing trust. Multiple blockchain platforms have been
presented since the introduction of Bitcoin, extending the number of applications of the technology.
Ethereum [3], which was introduced with the proclaimed intention of being a platform aimed to support
smart contracts, gave birth to a new generation of the blockchain — the second generation. Ethereum
is the most famous network to deploy smart contracts, where they are written in a Turing-complete
language. Solidity is the most used language by developers to create smart contracts on Ethereum.
While smart contracts can represent a great improvement to our society model, as they do not rely
on gained trust, they have shown several major security vulnerabilities. In a study performed on nearly
one million Ethereum smart contracts, 34,200 of them were flagged as vulnerable [4]. A different study
showed that of 19,366 smart contracts analysed, also in Ethereum, 8,833 (around 46%) were flagged as
vulnerable [5]. A need to review and improve smart contracts implementation is therefore needed and
it is a key element to enable massive adoption of smart contracts technology. Recent incidents related
to bugs on smart contracts have been linked with losses of millions in cryptocurrency (see Section 2.4),
warning us for the urgent need of safer smart contracts. We propose the use of static analysis tools as
part of the solution, helping finding potential mistakes and preventing unsafe code to be deployed on the
blockchain.
3
1.2 Objectives and Contributions
We propose to explore and discuss smart contracts and their secure implementation using static analysis
tools, which can be used to analyse the correctness of the code. The main objectives are to study analysers
that verify Ethereum smart contracts and introduce new tools and datasets to facilitate the use of static
analysis in research and smart contracts development.
To achieve these objectives, we start by providing an overview on blockchain technology to later focus
on Ethereum smart contracts. We overview the top 10 vulnerabilities categories found in Ethereum smart
contracts, discuss major attacks and their mitigation, and collect a list of state-of-the-art automated smart
contract analysers that analyse Ethereum smart contracts.
Later, we describe a novel, extendable, and easy-to-use execution framework, SmartBugs, that simpli-
fies research and execution of automated analysis tools for smart contracts. With this framework we also
introduce a dataset of 143 annotated vulnerable Solidity smart contracts, sbcurated, setting the ground
for fair comparisons and a reference for the research community to use for benchmarks on analyses tools.
We use SmartBugs to execute 7 state-of-the-art static analysis tools on two datasets, sbcurated and
sbwild, with a total of 47,587 contracts being analysed. The second dataset contains all available smart
contracts in the Ethereum blockchain that have Solidity source code available on Etherscan1 (a total
of 47,518 contracts). We perform an empirical analysis of this 7 tools on this datasets and present a
discussion of the results.
To conclude, we present an extension of SmartCheck, a state-of-the-art static analysis tool, improving
its detection of vulnerabilities and adding the capability to detect a category of vulnerabilities that
previous was not in the scope of detection of SmartCheck.
Throughtout this work, we propose to answer the following research questions:
1. What are the state-of-the-art analysis tools for Ethereum smart contracts?
2. What is the precision of the state-of-the-art analysis tools in detecting vulnerabilities on Ethereum
smart contracts?
3. Which categories of vulnerabilities are most detected?
4. How many vulnerable contracts are present in the Ethereum blockchain?
5. How long do the tools require to analyse the smart contracts?
6. How can we improve a state-of-the-art analysis tool?
1Etherscan: https://etherscan.io
4
Our main contributions can be summarized as follows:
• We review, explain and discuss vulnerabilities found on Ethereum smart contracts;
• We present an overview of state-of-the-art automated smart contract analysers focused on Ethereum
smart contracts;
• We introduce SmartBugs, an extendable execution framework designed to facilitate the integration
and comparison between multiple analysis tools and the analysis of Ethereum smart contracts;
• We present sbcurated, a dataset of 143 annotated vulnerable Solidity smart contracts with a defined
vulnerability taxonomy as a reference dataset to the research community;
• We provide an analysis of the execution of 7 state-of-the-art analysis tools with SmartBugs on
47,587 smart contracts;
• We extend SmartCheck, a state-of-the-art static analysis tool, to improve detection of vulnerabili-
ties.
1.3 Topic Overview
Smart contract programming is in many ways similar to traditional programming, but raises important
new security challenges and has unique characteristics. Virtual currencies have real value and smart
contracts are directly related to them. If a smart contract has a vulnerability it can represent a potential
financial loss.
Recently a set of static analysis tools have been developed and introduced specifically targeting
Ethereum smart contracts. We aim to study static analysis tools for Ethereum smart contracts while
introducing an execution framework to facilitate their execution and thus set an easier environment to
execute static analysis on smart contracts.
In smart contracts security should be of paramount importance for multiple reasons [6]:
• Recent technology - The concept of smart contracts is relatively new and their execution envi-
ronment differs from the most popular: mobile, desktop or cloud. Developers are not used to their
code being executed in a blockchain, a decentralzized peer-to-peer network.
• Immutability - Once deployed, a smart contract can not be patched or corrected (although some
workarounds exists, e.g using a proxy pattern). The correctness of the contract must thus be verified
before deployment.
• Motivated hackers - Due to the financial value of smart contracts, hackers are more motivated to
exploit vulnerabilities. Recent history show us the huge financial loss imposed by attacks on smart
contracts.
5
• Rapid pace of development - Blockchain industry and development is growing fast, smart con-
tracts programming and use are increasing quickly. Also, smart contracts programming languages
are quickly evolving. For example, Solidity, the main programming language used to write smart
contracts on Ethereum, has a very fast pace and suffers updates constantly.
1.4 Thesis Outline
The remainder of the document is structured as follows. Chapter 2 overviews blockchain technology,
the Ethereum network, smart contracts, and presents a review of smart contract vulnerabilities and
static analysis tools. Chapter 3 introduces SmartBugs, an extendable execution framework, and the
dataset sbcurated. Chapter 4 provides an empirical review of the analysis of two datasets, sbcurated and
sbwild, using SmartBugs. The first section of Chapter 4 was co-authored by three INESC-ID researchers,
submitted to ICSE 2020 and published in [7]. Chapter 5 describes a proposal to improve SmartCheck’s
capability to detect vulnerabilities. Finally, Chapter 6 presents conclusions regarding the work done and
discusses future work.
6
2Background
Contents
2.1 Blockchain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
2.2 Smart Contracts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
2.3 Ethereum . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
2.4 Vulnerabilities of Ethereum Smart Contracts . . . . . . . . . . . . . . . . . 14
2.5 Static Analysis Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
7
In this chapter we start by presenting an overview of Blockchain and smart contracts technology.
Later we focus on Ethereum and discuss security issues within Ethereum smart contracts and tools to
perform static analysis.
This chapter is divided in five sections: Blockchain, Smart Contracts, Ethereum, Vulnerabilities of
Ethereum Smart Contracts and Static Analysis Tools.
2.1 Blockchain
In 2008 Satashi Nakamoto proposed Bitcoin, “a system for electronic transactions without relying on
trust” [2], presenting a decentralized peer-to-peer network using proof-of-work, a consensus protocol, as
a solution to the double-spending1 problem. In this scenario, bitcoin (BTC) represents a cryptographic
currency that can be exchanged between untrusted parties and the key idea is that the exchange of
bitcoins between these entities is registered in a append-only database maintained by a network of peers
that can not be tampered. This append-only database is built by chaining multiple validated blocks that
contain transactions and is referred as blockchain. Blockchains can be divided in two different types:
permissionless and permissioned. Bitcoin is the first permissionless blockchain, meaning that everyone
can participate and interact with the network. Permissioned blockchains, on the other hand, are more
restricted and the participants are controlled.
Blockchain can be described as a continuously ordered list of records, which are bundled in blocks
and can consist of any information - cryptocurrency, computer code or any other kind of data. These
blocks are linked one to another, like a chain, where each block references the block that came before
it and is identified by its cryptographic hash, as shown in Figure 2.1, making the links between blocks
virtually unbreakable. Each block consists of a set of transactions and once created and appended to the
blockchain, the transactions in that block become immutable, cannot be changed or reverted, ensuring
the integrity of the transactions. This data structure is shared by the nodes in the network. For a record
to be appended in the blockchain it needs to be verified and validated.
Figure 2.1: Chain of blocks (Nakamoto, 2008)
Any user can create and interact with permissionless blockchain by publishing a signed transaction.
These transactions are broadcasted to the network. It is then executed by the nodes in the network (min-
1Double-spending is the result of successfully spending the same digital token more than once. It is a potential flaw ina digital cash systems in which the same single digital token can be spent more than once.
9
ers), where the correct execution is ensured by the consensus protocol. The miners propagate information,
store data, and when a consensus is reached they update the state on the blockchain accordingly.
The consensus protocol enables mutually distrusting parties to create transactions and reach consensus
on the outcome of the execution and is a crucial layer of a blockchain. There are several protocols that
can be used to reach consensus. Commonly, in permissionless blockchains, it consists either in proof
of work (Bitcoin and Ethereum at the time of writing) or proof of stake. In Proof of work (PoW)
miners need to compute and solve an exceptionally difficult computational problem but easily verifiable
to be able to validate a block and get their reward. Finding the solution to this difficult computational
problem is an arduous guessing game and requires a considerable amount of computing power to compete
with all the miners in the network to produce the correct output. Once a miner computes the correct
answer, the block is broadcasted to the network for the other miners to verify it. The other miners in
the network check if the hash is valid, and if it is, they accept the block from the miner. In contrast,
Proof of stake (PoS) states that validators (miners in PoS) can validate block transactions according to
how many coins they hold. The validator stakes an amount of the available currency to verify a block of
transactions, meaning that the bigger the amount staked, the more validation power the validator has.
The cryptographic calculations in PoS are much simpler to solve than in PoW and thus do not require
as much computational power. In PoS, unlike PoW, there is no coin mining; instead, validators collect
transaction fees instead of newly minted coins.
In terms of costs and energy consumption, proof of stake systems are more cost-efficient and thus more
environmental appealing than proof of work systems, as they do not require the intensive computational
power that proof of work requires. Regarding security, proof of stake can reduce the possibility of
malicious attacks. Carrying out an attack in PoS is expensive, since if a validator acts maliciously their
validation power will be revoked and their amount staked will be ceased. PoS systems can also be seen
as more decentralized and as a more fair solution, since the amount of network control a participant can
gain in a PoS system is directly proportional to the amount staked. In PoW, the more the miner invests
in equipment, the more computational power they will have, making it increasingly less profitable and
more difficult for individuals to compete against large mining pools. In Bitcoin, a disproportionately
large number of blocks are mined by pools rather than by individual miners [8].
2.2 Smart Contracts
So far we have mentioned the concept of smart contracts and briefly explained it. We will now go deeper
into smart contracts implementation and applications.
Smart contracts are pieces of code, deployed on a Blockchain, where it is possible to codify agreements
and trust relations. They are able to keep a record of the state, exchange digital assets, take user input
and store data. But the concept of smart contracts is not new. Actually, it has been around for more
10
than two decades as the term was first defined in 1996 by Nick Szabo.
Szabo describes a smart contract as a “ set of promises, specified in digital form, including protocols
within which the parties perform on the other promises” [9]. In his work, Szabo says that “the primitive
ancestor of smart contracts, is the humble vending machine” [9] as it takes coins, delivers change and
gives a product in return. This process is done in an automated way like a finite state machine. With the
development of blockchain technology, Szabo idea of smart contracts gained a new life and possibility.
Blockchain became the perfect host.
Smart contracts, autonomous applications composed by fields and functions, can now bring to the
real world the idea envisioned by Szabo, being stored and executed in a blockchain. As any software
application driven to produce an expected result, a smart contract should always be deterministic, i.e.
the same input should always produce the same output. That being, what we call now a smart contract
can be said to be a technical implementation of Szabo’s idea: a computer program executed on the
blockchain.
Figure 2.2: Schematic of a blockchain platform with smart contracts. (Delmolino et al., 2015)
Smart contracts are stored and executed by the network of nodes who update the state of the smart
contract on the blockchain when consensus on the outcome of the execution is reached. Users can
exchange value or data and interact with contracts by publishing signed transactions to the network.
A schematic of a blockchain with smart contracts is shown in Figure 2.2. Smart contract execution
sometimes requires heavy computational tasks and since they are performed by computers (nodes) in
the network, each computational task has a cost, which is called gas in Ethereum. These execution fees
represent the cost paid by the user to the miners to execute code.
What makes smart contracts such a powerful concept, needless trust between parties involved and
immutability, can be also for seen as a weakness and must be handled carefully. Any mistake or bug
in the code of a smart contract can be exploited. The code is near impossible to correct (if the smart
contract was not designed to suffer upgrades) so a smart contract with vulnerabilities can not be patched.
11
In blockchain, code is law. A need of proper code verification is thus crucial to make the contract as safe
and reliable as possible, before it is deployed.
2.3 Ethereum
Ethereum [3] was introduced in 2014 and was the first to introduce a Turing-complete language in a
blockchain platform, creating a second generation of blockchains. It has its own cryptocurrency, called
Ether (ETH), and smart contracts represent one of the main components of the platform. Ethereum, like
Bitcoin, is a permissionless blockchain where any network participant is allowed to interact and perform
transactions within the network, such as transfer Ether or interact with a smart contract deployed on
the network.
There are two types of accounts in Ethereum: Externally owned accounts (EOAs) and contract
accounts. EOAs are controlled by private keys that can be used to make transactions and sign data and
have no code associated, similar to bitcoin wallet addresses. The owner of the private key has full control
of the account. Contract accounts are controlled by their contract code. They can receive funds and make
transactions like EOAs, but there is generally no single private key that is used to make transactions.
Instead, the logic on how transactions are made is defined via the smart contract code. Unlike EOAs,
contract accounts can not initiate new transactions. Any transaction in Ethereum is always initiated by
an EOA.
Figure 2.3: Example execution of a smart contract on Ethereum. (Fontein, 2018)
The sequence of transactions determines the state of each contract and the balance of each user. A
transaction uses the state stored in the previous block to compute a new state and both the transaction
and the new state are stored in the new block, as seen in Figure 2.3. These transactions will then be
12
grouped in blocks and appended to the blockchain, using miners - untrusted peers in the network - to
process it. Potential conflicts are resolved using a consensus mechanism, in this case Proof of Work
(Although it is still the current mechanism used in Ethereum, a future implementation called Casper is
scheduled to change the consensus protocol to Proof of Stake [10]).
Figure 2.4: Overview of workflow in the Ethereum network (Bhargavan et al., 2016)
Smart contracts are compiled into a stack-based bytecode language and then executed by the Ethereum
Virtual Machine (EVM). EVM is a turing complete virtual machine2, specific to Ethereum that pro-
cesses every transaction. Every participating node in the network runs their own instance of the EVM
making possible the execution of code in a trustless environment. Once deployed, the smart contract
becomes immutable and each instruction execution will have a consumption cost, a positive amount of
gas - computational budget. A gas limit is specified by the sender of the transaction, which when ex-
ceeded results in an exception that reverts the effects of the current transaction. The Ether price of a
gas unit is determined by the market. To deploy a contract to the network a transaction is broadcasted
containing its bytecode and initialization parameters. Like any other transaction, after being validated it
will be included in a block. The contract will be permanently stored at a unique address, used by users
to interact with the smart contract. Users broadcast transactions to that address defining the function to
be called, and, if necessary, its arguments. Contracts can also interact with other contracts. An overview
of the workflow of the network is presented in Figure 2.4.
Solidity is the most used language by developers to create smart contracts on Ethereum. It is an
object-oriented, high-level JavaScript-like language and is compiled to EVM bytecode to be executed
by the EVM. Solidity is statically typed, supports inheritance, libraries and, like many programming
languages, it offers common features like control flow structures, types, functions or structs. Several
examples of Solidity code are shown in the next section.
2EVM code can encode any computation that can be conceivably carried out, including infinite loops.
13
2.4 Vulnerabilities of Ethereum Smart Contracts
In this section our goal is to overview some of the vulnerabilities found in smart contracts, more specifically
in Ethereum smart contracts, and explain them while presenting exploits, mitigation methods and real
world attack scenarios.
2.4.1 Taxonomies
There are multiple kinds of vulnerabilities and they can be presented in different forms. Atzei et al. [1]
presented a taxonomy of vulnerabilities, regarding Ethereum smart contracts, providing the vulnerability
and the level at which the vulnerability occurs - shown in Table 2.1. We also added a cause to briefly
describe each vulnerability.
Level Vulnerability Cause
Solidity
Call to unknown Called function does not exitGasless send Callee’s fallback function is invoked
Exception disorders Bad exception handlingType casts No expectation is thrown, if type-mismatchedReentrancy Non-recursive function reenter before termination
Keeping secrets Contracts private fields, secrecy is not guaranteed
EVMImmutable bugs Defective contracts cannot be patched
Ether lost in transfer Ether sent to orphan address is lostStack size limit The number of values exceeds 1024 in the stack
BlockchainUnpredictable state State of the contract is changed before invoking
Generating randomness Malicious miner biases the outcomeTime constraints Block timestamp is changed by malicious miner
Table 2.1: Taxonomy of vulnerabilities by Atzei et al. [1]
In our work we opted for a more broad and prevailing approach to explain the vulnerabilities found in
smart contracts, following the taxonomy of DASP Top 10 [11] (shown in Table 2.2). The DASP taxonomy
seems to be more prominent as it is updated when necessary, meaning that vulnerabilities such as stack
size limit are not included, as this has been fixed.
We also added a risk level associated to each vulnerability (1 - low, 2 - medium, 3 - high) based on
our research [6] and attacks that will allow us to later isolate high risk vulnerabilities.
Some vulnerabilities may be referred by different names, as seen throughout our research. To avoid
confusion, in Table 2.2 we associate the ones presented by Atzei et al. [1] to a category presented in the
DASP Top 10 and when describing/explaining them we will provide more than one name. Although the
association can be said to be subjective, as one may argue that one of the vulnerabilities defined by Atzei
et al. can fit in more than one category in DASP Top 10, we decided to do a single association based on
the main focus of the vulnerability.
14
DASP Top 10 Atzei et al. Risk
1 ReentrancyCall to unknown
Reentrancy3
2 Access control - 33 Arithmetic - 1
4 Unchecked low level callsGasless send
Exception disorders3
5 Denial of Service - 36 Bad randomness Generating randomness 27 Front running Unpredictable state 28 Time manipulation Time constraints 29 Short addresses - 110 Unknown unknowns - -
Table 2.2: DASP Top 10 vulnerabilities
Ether lost in transfer, Immutable bugs, Type casts and Keeping secrets are vulnerabilities
defined in Atzei et al. work that do not fit our association. These vulnerabilities are relatively sim-
ple concepts and are already briefly explained in Table 2.1. We will now overview the DASP Top 10
vulnerabilities.
2.4.2 DASP 10
In this subsection we discuss each vulnerability category of the taxonomy previously defined.
2.4.2.1 Reentrancy
It is considered to be one of the most severe vulnerabilities found in smart contracts so far, resulting on
the biggest attack ever made on Ethereum – The DAO [12]. Reentrancy bugs refer to reentrant function
calls which can make a contract to behave in an unexpected way.
Definition 1. Reentrancy “Any interaction from a contract (A) with another contract (B) and any
transfer of Ether, hands over control to that contract (B). This makes it possible for B to call back into
A before this interaction is completed.” [13]
Exploiting this bug, a malicious contract B is able to withdraw multiple times and empty the balance
of a contract A making reentrant calls that take advantage of the intermediate state.
A reentrancy attack is carried out by manipulating the control flow in a way that was not intended by
the smart contract developer. Consider the function withdraw() seen in Listing 2.1 as part of an arbitrary
contract. accounts maps how much Ether is owned by each user. The function withdraw() allows users
to withdraw an amount of Ether. The function checks if the amount is equal or inferior to the caller’s
balance, sends the Ether and then updates the balance of the account. withdraw() is vulnerable to a
reentrant call on line three, where the accounts map as not yet been updated.
15
Listing 2.1: Vulnerable - accounts is updated after message call.
1 function withdraw(uint amount) public {2 require(accounts[msg.sender] >= amount);
3 require(msg.sender.call.value(amount)());
4 accounts[msg.sender] -= amount;5 }
Attackers can implement a malicious contract containing a special fallback function3 to exploit with-
draw(). This fallback function would be triggered by the Ether transfer in line 3 and take over control
flow. It would be then possible to issue a new call of withdraw() in the fallback function, before the
balance has been updated in line 4. This would trigger the malicious fallback function once again. This
iterative process (seen in Figure. 2.5) would continue until a point specified by the attacker or until the
transaction runs out of gas.
Figure 2.5: The recursive loop of a reentrancy attack.
Call to the unknown, described by Atzei et al [1], is related to reentrancy as it also refers to the
side effect of invoking the fallback function of the callee/recipient.
A possible solution to avoid the reentrancy problems is to use Checks-Effects-Interactions: first check
the invariants, then update the internal state, then communicate with external entities (as shown in
Listing 2.2).
Listing 2.2: Safe - accounts is updated before message call.
1 function withdraw(uint amount) public {2 require(accounts[msg.sender] >= amount);
3 accounts[msg.sender] -= amount;
4 require(msg.sender.call.value(amount)());
5 }
3A function with no name and no arguments, which is called in case no function identifier matches the called function.
16
Table 2.3 shows the three methods available in Solidity to send Ether, along with important character-
istics that should be taken into account when developing smart contracts. Avoiding the use of call.value()
whenever possible is also recommended, as addr.call.value(x)() transfers x Ether and forwards all gas to
addr and returns false in case of failure, potentially leading to vulnerabilities like reentrancy. The method
send() should also be used with caution as it also returns false on failure and does not throw an excep-
tion, so the execution, if not carefully checked the return value, continues. Instead the use of transfer
is encouraged to prevent reentrancy vulnerabilities because it only provides the callee with a stipend of
2300 gas and throws an exception in case of failure, stopping the code execution. Introducing a mutex is
also an alternative technique, i.e., adding a state variable which locks the contract during code execution,
preventing reentrancy calls.
Method Edit Gas Limit Gas Limit Return Value on Failureaddress.send() No 2300 False
address.transfer() No 2300 Throws Exceptionaddress.call.value()() Yes Editable False
Table 2.3: Solidity methods to transfer Ether
The DAO was a contract designed to implement a crowd-funding platform, where participants would
receive DAO tokens and then would be able to vote for which projects to fund [12]. It raised more than
$150M before being attacked on June 18th, 2016 (the attacker was able to take control of $60M). Later
a hard-fork of Ethereum network nullified the effects of the hack. To get a better understanding and a
basic notion of how the attack occurred consider the simplified example of The DAO shown in Listing 2.3.
Listing 2.3: Simplified example of The DAO.
1 contract SimpleDAO {2
3 mapping (address => uint) public credit;4
5 function donate(address to) public {6 credit[to] += msg.value;7 }8
9 function withdraw(uint amount) public {10 if (credit[msg.sender]>= amount) {11 msg.sender.call.value(amount)();
12 credit[msg.sender]-=amount;13 }14 }15
16 function queryCredit(address to) public view returns (uint){17 return credit[to];18 }19 }
17
SimpleDAO allows participants to donate ether to fund contracts at their choice. Contracts can then
use withdraw to retrieve their funds. To be able to perform an attack and steal ether from SimpleDAO
we need to publish the malicious contract, we will use Mallory contract as an example - shown below in
Listing 2.4.
Listing 2.4: Malicious contract.
1 contract Mallory {2
3 SimpleDAO public dao;4 address owner;5
6 function Mallory(address simpleDaoAddress) public{7 owner = msg.sender;8 dao = SimpleDAO(simpleDaoAddress);9 }
10
11 function getJackpot() public {12 owner.send(this.balance);13 }14
15 function() external payable {16 dao.withdraw(dao.queryCredit(this));17 }18 }
To go through the attack, an adversary would donate some ether to Mallory which would invoke
Mallory’s fallback function (line 15). This function invokes withdraw, which transfers the ether to Mallory
and invokes again Mallory ’s fallback function. Doing this invoke again, withdraw is maliciously called
back and so the credit was not updated - the check at line 10 succeeds. As a consequence SimpleDAO
sends the credit to Mallory for the second time, invoking again the fallback function. This loop will
continue until the balance of SimpleDAO becomes zero, the call stack is full or until the transaction runs
out of gas. Further there is no gas limit specified in the withdraw function at line 11 so the adversary can
delay the out-of-gas exception by providing more gas in the originating transaction. getJackpot() allows
the attacker to get the funds from Mallory. An attack like this would allow the a malicious user to steal
all ether from the contract SimpleDAO.
2.4.2.2 Access control
Access Control problems are not only related to smart contracts but are common in all programs. In
smart contracts these vulnerabilities can occur when tx.origin is used for authorization, when a contract
handles large authorization logic with lengthy require or makes reckless use of delegatecall (special variant
of a message call, the code at the target address is executed in the context of the calling contract) in
proxy libraries or proxy contracts. Failure to use function modifiers to restrict access allows an attacker
18
to manipulate contracts. All sensitive functions on a smart contracts must be carefully protected.
Definition 2. Access Control “Access control enforces a policy such that users cannot act outside of
their intended permissions. Failures typically lead to unauthorized information disclosure, modification
or destruction of all data, or performing a business function outside of the limits of the user.” [14]
Restricting access is a common and crucial pattern for smart contracts. Restrict the view of the
source code of a smart contract, transactions or contract’s state is not feasible on a blockchain. Restrict
modifications to a contract’s state or functions on the other hand is useful and of paramount importance.
Modifiers are an easy and readable way of doing it.
“Modifiers can be used to easily change the behaviour of functions. For example, they can
automatically check a condition prior to executing the function. Modifiers are inheritable
properties of contracts and may be overridden by derived contracts.” - as explained in [13]
In Listing 2.5 a modifier is defined. The function body is inserted where the special symbol “ ;” in
the definition of a modifier appears. This means that if the owner calls this function, the function is
executed and otherwise, an exception is thrown and the code execution is stopped.
Listing 2.5: Modifier defined.
1 modifier onlyOwner {2 require(msg.sender == owner);3 ;4 }
Now imagine that we want to change the owner of that contract, creating a changeOwner method.
If changeOwner does not use the modifier and the access is not restricted to the current owner it allows
anyone to become the contract owner, opening a possible attack window - as seen in Listing 2.6. To
correctly change the owner we should use the modifier previously defined, as shown in Listing 2.7
Listing 2.6: Vulnerable - changeOwner is not protected.
1 function changeOwner(address newOwner) public {2 owner = newOwner;3 }
Listing 2.7: Safe - modifier is used correctly.
1 function changeOwner(address newOwner) public onlyOwner {2 owner = newOwner;3 }
19
In conclusion a modifier should always be specified for functions to restrict access. Also tx.origin
should never be used to validate callers, instead the use of msg.sender is recommended as tx.origin refers
to the origin of the transaction, the user who originally sent the transaction, and msg.sender to the
immediate sender.
The two Parity wallet hacks [15] and Rubixi are real world examples of this vulnerability.
2.4.2.3 Arithmetic Issues
Usually referred as integer over/underflows, arithmetic issues are not new types of vulnerabilities and are
common in many programming languages.
Definition 3. Arithmetic “An over/under flow occurs when an operation is performed that requires a
fixed size variable to store a number (or piece of data) that is outside the range of the variable’s data
type.” [16]
Looking at Listings 2.8 and 2.9 we can see a simple example where an overflow may occur and how
to mitigate it, respectively. The developer must always be aware of data manipulation and decide if a
over/underflow check is necessary. Using a trusted mathematical libraries, as SafeMath, is also a possible
solution, as seen in Listing 2.10. Using trusted mathematical libraries is encouraged as it abstracts the
developer from validating all arithmetic operations by simply using the library to perform arithmetic
operations.
Listing 2.8: Vulnerable - does not check for overflows.
1 function add(uint value) public returns (bool) {2 sellerBalance += value;3 }
Listing 2.9: Safe - checks for overflows
1 function safe add(uint value) returns (bool) {2 require(value + sellerBalance >= sellerBalance);
3 sellerBalance += value;4 }
20
Listing 2.10: Safe - using SafeMath library.
1 import "./SafeMath.sol"
2
3 contract SafeArithmeticContract {4
5 using SafeMath for uint256;
6 uint256 result;7
8 function SafeAdd(uint256 a, uint256 b) {9 result = 0;
10 result = a.add(b);11 }12 }
Validation of all arithmetic data and the use of trusted mathematical libraries, as SafeMath library,
are thus encouraged as a preventive method. BatchOverflow and ProxyOverflow show us the real impact
arithmetic issues can have, in particular integer overflow.
2.4.2.4 Unchecked Low Level Calls
Related to the use of low level functions, as call(), callcode(), delegatecall() and send(). The use of low
level calls should be avoided whenever possible, as if they fail they will not lead to a total reversion of
the current execution but return a boolean value set to false, while the code will continue to run. When
return values are not handled properly it can lead to unexpected behavior.
Definition 4. Unchecked Low Level Calls “If an external call fails, but is not checked, the contract will
continue execution as if the call succeeded. This will likely result in buggy and potentially exploitable
behavior from the contract.” [17]
Gassless send is a vulnerabilty defined by Atzei et al. that occurs when using the function send to
transfer ether to a contract, because it will then be possible to incur in an out-of-gas exception. As it
also relates to the use of the low level call send() we include this vulnerability also in this section.
Consider the example in Listing 2.11. The execution of send may fail in which case the winner will
not get the money, but prizePaidOut will be set to true. The condition in line 1 is always false and the
real winner can never claim the prize.
Listing 2.11: Vulnerable - send() can fail and prizePaidOut will be sent to true regardless.
1 if (gameHasEnded && !(prizePaidOut)) {2 winner.send(1000);3 prizePaidOut = true;4 }
21
Checking the return value of send to see if the operation is successfully and throwing an exception so
all the state is rolled back otherwise mitigates this issue, as seen in Listing 2.12.
Listing 2.12: Safe - prizePaidOut will be sent to true if send() is true.
1 if (gameHasEnded && !(prizePaidOut)) {2 if (winner.send(1000)){3 prizePaidOut = True;4 }5 else {6 throw;7 }8 }
In conclusion to mitigate this type of vulnerability the developer should manually perform validation
when making external calls and is encouraged the use of address.transfer() instead of address.send().
King of Ether [18] is a real world example of the impact of such vulnerabilities.
2.4.2.5 Denial of Service
There are many variants of DoS and they can be deadly to smart contracts while other types of appli-
cations may be able to recover. This type of attack consists in overwhelming the network with time-
consuming computations where users can leave the contract inoperable for a small period of time or
permanently.
Definition 5. Denial of Service “A conditional statement (if , for , while) should not depend on an
external call: the callee may permanently fail (throw or revert), preventing the caller from completing the
execution.” [6]
A Denial of Service attack can have multiple scenarios. Imagine an auction contract where bid(), seen
in Listing 2.13, refunds the frontrunner if he is outbid. When it tries to refund the old leader (line 3), it
reverts if the refund fails. This would allow a malicious bidder to become the leader while making sure
that any refunds to his address will always fail. The auction is then stalled which allows the attacker to
become the winner.
Listing 2.13: Vulnerable - send may fail and no one else will be able to bid.
1 function bid() public payable {2 require(msg.value > highestBid);
3 require(currentLeader.send(highestBid));
4 currentLeader = msg.sender;5 highestBid = msg.value;6 }
22
A recommendation is to set up a pull payment system instead, as shown in Listing 2.14. In this
example refunds are stored in a mapping to fight DoS, avoiding pushing balance to users favoring a pull
architecture. Execution fees can also protect against DoS attacks.
Listing 2.14: Safe - the refund is recorded safely.
1 function bid() payable external {2 require(msg.value >= highestBid);3 if (currentLeader != address(0)) {4 refunds[currentLeader] += highestBid;5 }6 currentLeader = msg.sender;7 highestBid = msg.value;8 }9
10 function withdrawRefund() external {11 uint refund = refunds[msg.sender];12 refunds[msg.sender] = 0;13 msg.sender.send(refund);14 }
As explained in [19]: “External calls can fail accidentally or deliberately. To minimize the damage
caused by such failures, it is often better to isolate each external call into its own transaction that can be
initiated by the recipient of the call.”. Pull over push should be favored for external calls and multiple
send() calls should be avoided in a single transaction. GovernMental [16], and old Ponzi scheme, was
susceptible to a DoS attack.
2.4.2.6 Bad Randomness
Also known as Nothing is Secret or Entropy Illusion. Pseudorandom number generation (PRNG) on the
blockchain is generally unsafe. The blockchain does not provide any cryptographically secure source of
randomness, everything in a contract is publicly visible and computers will always be faster than the
blockchain. While there are a variety of functions and variables that can access at first sight hard-to-
predict values, usually they are not that straightforward and can be more public than they seem or can
be subject to miners influence.
Definition 6. Bad Randomness “All transactions on the Ethereum blockchain are deterministic state
transition operations. This ultimately means that inside the blockchain ecosystem there is no source of
entropy or randomness.” [16]
In Listing 2.15 a private seed is used in combination with an iteration number and a keccak256 hash
function to determine if the caller wins. Even though the seed is private, it must have been set via a
transaction at some point in time and thus is visible on the blockchain.
23
Listing 2.15: Vulnerable to bad randomness.
1 uint256 private seed;2
3 function play() public payable {4 require(msg.value >= 1 ether);5 iteration++;
6 uint randomNumber = uint(keccak256(seed + iteration));7 if (randomNumber % 2 == 0) {8 msg.sender.transfer(this.balance);9 }
10 }
Currently there are not any straight forward recommended mitigations for this issue, although the
problem may be solved using on timed commitment protocols or external oracles [16]. SmartBillions [20],
a fully decentralized lottery system, got hacked exploiting this vulnerability.
2.4.2.7 Front Running
Also known as time-of-check vs time-of-use (TOCTOU), race condition or transaction ordering depen-
dence (TOD). Front running problems arise when two dependent transactions that invoke the same
contract are included in one block. The order of executing transactions relies on the miner. A malicious
user can launch an attack if those transitions were not executed in the right order. Unpredictable
state, defined by Atzei et al., also suits this category.
Definition 7. Front Running “There is a gap between the creation of a transaction and the moment it
is accepted in the blockchain. Therefore, an attacker can take advantage of this gap to put a contract in
a state that advantages them.” [17]
Transactions are only considered valid once a miner validates them. The miner who solves the block
also chooses which transactions from the pool will be included in the block. Imagine the contract in
Listing 2.16 contains 1000 Ether. The user who submits the solution, the pre-image of the hash (some
sha3 hash), wins the 1000 Ether. Lets say that a user discovers the solution and passes it as a parameter
in solve(). If an attacker is watching the transaction pool for anyone submitting a solution he is able
to see the solution and submit an equivalent transaction with a much higher gasPrice than the original
transaction. The miner who solves the block will likely give preference to the attacker transaction due to
its higher gasPrice and accept this transaction before the original one, allowing the attacker to win the
1000 Ether.
24
Listing 2.16: Vulnerable to Front Running.
1 contract FindThisHash {2
3 bytes32 constant public hash = somesha3hash;4 constructor() public payable {}5
6 function solve(string solution) public {7 require(hash == sha3(solution));8 msg.sender.transfer(1000 ether);9 }
10 }
Protecting against this is difficult, as it would come down to the specific contract itself. A robust
method is to use a commit-reveal scheme, whenever possible. ERC20 [21] and Bancor [22] are two real
world examples.
2.4.2.8 Time manipulation
Also referred as Timestamp Dependence or Time Constraints. The timestamp of the block can be
manipulated by the miner, and all direct and indirect uses of the timestamp should be considered.
Definition 8. Time Manipulation “Contracts can retrieve the timestamp in which the block was mined;
all the transactions within a block share the same timestamp. This guarantees the coherence with the
state of the contract after the execution, but it may also expose a contract to attacks, since the miner who
creates the new block can choose the timestamp with a certain degree of arbitrariness.” [1]
The function shown is Listing 2.17 only accepts calls that come after a specific date. As described
above, miners are able to influence their block’s timestamp and so attempt to mine a block containing
their transaction with a block timestamp set in the future. If accepted on the network the transaction will
give the miner ether before any other player could have attempted to win the game. Each block is sealed
by a miner at a precise time, and the current time can be displayed in Solidity with block.timestamp or
now.
Listing 2.17: Vulnerable to time manipulation.
1 function play() public {2 require(now > 1521763200 && neverPlayed == true);3 neverPlayed = false;4 msg.sender.transfer(1500 ether);5 }
The developer should be aware that the timestamp of the block can be manipulated by a miner and
should not be used for entropy or generating random numbers. The 15-second Rule - “If the contract
25
function can tolerate a 15-second drift in time, it is safe to use block.timestamp” [19] should be considered
and the use of block.number as a timestamp avoided.
GovernMental [16], referred before as susceptible to DoS attacks, is also vulnerable to a timestamp-
based attack.
2.4.2.9 Short Addresses
Short address attacks are possible due to the EVM itself accepting incorrectly padded arguments. It can
be exploited using specially-crafted addresses to make poorly coded clients encode arguments incorrectly
before including them in transactions.
Definition 9. Short Addresses “When passing parameters to a smart contract, the parameters are encoded
according to the ABI specification. It is possible to send encoded parameters that are shorter than the
expected parameter length.” [16]
Validating all inputs before sending them to the blockchain is thus crucial and will prevent these kinds
of attacks.
The GNT transfer bug [23], was a real world impact example of these type of vulnerabilities.
2.4.2.10 Unknown Unknowns
Smart contracts development is still in embryonic phase, its implementation and use are still very recent.
As well as the platforms themselves and the programming languages used to write smart contracts. New
classes of vulnerabilities will continue to be found and developers should be informed and up to date.
Best practices and documentation will need to be developed to ensure a better implementation.
26
2.5 Static Analysis Tools
In this section we present an overview of the state of the art in static analysis tools aimed at discovering
security issues in Ethereum smart contracts. First we briefly overview some of the methods used to
perform static analysis, then we overview of the state-of-the-art in smart contracts analysis tools. Later
we present a inclusion criteria that characterize the tools that we investigate further.
2.5.1 Methods
Static analysis refers to a set of techniques used to examine source code or bytecode without executing
it. The ultimate goal of static analysis in smart contracts is to automatically inspect the source code of
the contracts and find possible security issues. Static analysis techniques are potentially able to cover all
the execution paths of a smart contract and additionally can prove formally the absence or presence of a
bug. We briefly overview some of the techniques used in static analysis below.
Abstract Interpretation is a static analysis method used to prove behavioural properties of a
program. Certain instructions or certain effects of instructions are ignored while the bytecode is executing,
abstracting them away. Usually this process is done by translating instructions to another formalism and
then exploring all possible execution paths. Abstract interpretation was formalized by Patrick Cousot
as: “A program denotes computations in some universe of objects. Abstract interpretation of programs
consists in using that denotation to describe computations in another universe of abstract objects, so
that the results of abstract execution give some informations on the actual computations.” [24].
Constraint Solving aims to determine the solvability of constraints and tries to compute a concrete
solution. The goal is to find a solution to a set of constraints that impose conditions that the variables
must satisfy. Static analysis based on constraint solving consists in transforming a program and the
properties of interest into a set of constraints that are subsequently solved by a constraint solver.
Lexical Analysis groups source code syntax into sets of units that represent a meaningful syntax,
usually referred as ‘tokens’. It attempts to abstract the source code and make it easier to manipulate.
Static analysis performed using lexical analysis usually consists in the detection of certain syntactic
patterns.
Model Checking is a technique to verify the correctness of properties of finite-state systems. It
consists in checking exhaustively and automatically if the model meets a given specification, and thus if
correctness is verified.
Symbolic Execution refers to the execution of code using symbols instead of concrete values for
the variables. The goal is to determine what inputs cause each part of a program to execute. Symbolic
execution executes a program abstractly and can simultaneously explore multiple paths that a program
could take under different inputs. It is often the case that tools mix symbolic execution with other
techniques, such as abstract interpretation.
27
2.5.2 State Of The Art
The list of smart contract automated analysers presented below was collected in the context of the study
presented in the Chapter 4, where the selected tools in this Chapter are reviewed. We enumerate the
tools available and briefly discuss some of the tools that meet the criteria presented.
The survey of Angelo et al. [25] was used as a research starting point and we extended their list of
tools by searching academic literature and the internet for other tools. Through our research we were
able to find more eight tools that suited our discussion. We ended up with the 35 static analysis tools
that are listed below in Table 2.4.
# Tools Tool URLs1 contractLarva [26] https://github.com/gordonpace/contractLarva
2 E-EVM [27] https://github.com/pisocrob/E-EVM
3 Echidna https://github.com/crytic/echidna
4 Erays [28] https://github.com/teamnsrg/erays
5 Ether [29] N/A6 Ethersplay https://github.com/crytic/ethersplay
7 EtherTrust [30] https://www.netidee.at/ethertrust
8 EthIR [31] https://github.com/costa-group/EthIR
9 FSolidM [32] https://github.com/anmavrid/smart-contracts
10 Gasper [33] N/A11 HoneyBadger [34] https://github.com/christoftorres/HoneyBadger
12 KEVM [35] https://github.com/kframework/evm-semantics
13 MadMax [36] https://github.com/nevillegrech/MadMax
14 Maian [4] https://github.com/MAIAN-tool/MAIAN
15 Manticore [37] https://github.com/trailofbits/manticore/
16 Mythril [38] https://github.com/ConsenSys/mythril-classic
17 Octopus https://github.com/quoscient/octopus
18 Osiris [39] https://github.com/christoftorres/Osiris
19 Oyente [5] https://github.com/melonproject/oyente
20 Porosity [40] https://github.com/comaeio/porosity
21 rattle https://github.com/crytic/rattle
22 ReGuard [41] N/A23 Remix https://github.com/ethereum/remix
24 SASC [42] N/A25 sCompile [43] N/A26 Securify [44] https://github.com/eth-sri/securify
27 Slither [45] https://github.com/crytic/slither
28 Smartcheck [6] https://github.com/smartdec/smartcheck
29 Solgraph https://github.com/raineorshine/solgraph
30 Solhint https://github.com/protofire/solhint
31 SolMet [46] https://github.com/chicxurug/SolMet-Solidity-parser
32 teEther [47] https://github.com/nescio007/teether
33 Vandal [48] https://github.com/usyd-blockchain/vandal
34 VeriSol [49] https://github.com/microsoft/verisol
35 Zeus [50] N/A
Table 2.4: Tools identified and their URLs
28
Not all the identified tools are well suited for our discussion. Only the tools that met the following
five inclusion criteria are relevant to be discussed:
• Criterion #1. [Available and CLI] The tool is publicly available and supports a command-line interface
(CLI). The CLI facilitates the scalability of the analyses, discussed in Chapter 4
• Criterion #2. [Compatible Input] The tool takes as input a Solidity contract. This excludes tools that
only consider EVM bytecode.
• Criterion #3. [Only Source] The tool requires only the source code of the contract to be able to run
the analysis. This excludes tools that require a test suite or contracts annotated with assertions.
• Criterion #4. [Vulnerability Finding] The tool identifies vulnerabilities or bad practices in contracts.
This excludes tools that are described as analysis tools, but only construct artifacts such as control
flow graphs.
• Criterion #5. [Static Analysis] The tool only executes static analysis techniques to find security issues.
After inspecting all 35 analysis tools presented in Table 2.4, Table 2.6 defines the 7 tools that meet the
inclusion criteria outlined. Table 2.5 presents the excluded tools and which criteria they did not meet.
Inclusion criteria Tools that violate criteriaAvailable and CLI (C1) Ether, Gasper, ReGuard, Remix, SASC, sCompile, teEther,
ZeusCompatible Input (C2) MadMax, VandalOnly Source (C3) Echidna, VeriSolVulnerability Finding (C4) contractLarva, E-EVM, Erays, Ethersplay, EtherTrust, EthIR,
FSolidM, KEVM, Octopus, Porosity, rattle, Solgraph, SolMet,Solhint
Static Analysis (C5) contractLarva, Echidna, MAIAN, Manticore, ReGuard
Table 2.5: Excluded analysis tools based on our inclusion criteria.
Tools that meet criteria HoneyBadger, Mythril, Osiris, Oyente, Securify, Slither,Smartcheck
Table 2.6: Included analysis tools based on our inclusion criteria.
HoneyBadger [34] is an Oyente-based (see below) tool that employs symbolic execution and a set
of heuristics to pinpoint honeypots in smart contracts. Honeypots are smart contracts that appear to
have an obvious flaw in their design, which allows an arbitrary user to drain Ether from the contract,
given that the user transfers a priori a certain amount of Ether to the contract. When HoneyBadger
29
detects that a contract appears to be vulnerable, it means that the developer of the contract wanted to
make the contract look vulnerable, but is not vulnerable.
Mythril [38] analyses EVM bytecode and relies on concolic analysis, which is a hybrid analysis
technique that performs symbolic execution along a concrete execution path, to find several types of
security issues. Like Oyente, it uses Z3 Theorem prover in conjunction with the symbolic execution
engine laser-ethereum.
Osiris [39] extends Oyente to improve the detection of integer bugs. It combines symbolic execution
and taint analysis, in order to accurately find integer bugs in Ethereum smart contract.
Oyente [5] is one of the first static analysis tool for Ethereum smart contracts and has been forked by
several other projects, including HoneyBadger and Osiris. It runs symbolic execution on EVM bytecode
to identify vulnerabilities. Determines which inputs cause which program branches to execute to find
potential security vulnerabilities and it uses Z3 Theorem prover to decide satisfiability of the explored
paths. Oyente works directly with EVM bytecode without access high level representation.
Securify [44] statically analyses EVM bytecode to infer relevant and precise semantic information
about the contract using the Souffle Datalog solver. It then checks compliance and violation patterns
that capture sufficient conditions for proving if a property holds or not.
Slither [45] is a static analysis framework that converts Solidity smart contracts into an intermediate
representation called SlithIR and applies known program analysis techniques such as dataflow and taint
tracking to extract and refine information.
Smartcheck [6] is a static analysis tool that looks for vulnerability patterns and bad coding practices.
It runs lexical and syntactical analysis on Solidity source code.
30
3SmartBugs: An Execution
Framework
Contents
3.1 Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
3.2 Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
3.3 Data Collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
3.4 Framework Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
3.5 Use Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
31
In this chapter we introduce SmartBugs, a new extendable execution framework created to facilitate
the integration and comparison between multiple analysis tools and the analysis of Ethereum smart
contracts. We also present sbcurated, a curated dataset of vulnerable smart contracts written in Solidity,
easily reproducible and constructed to facilitate comparison of research that comes built in SmartBugs.
We briefly discuss our objectives and the methodologies used to choose contracts, filter bugs, and add
tools.
3.1 Motivation
There has been some effort from the research community to develop automated analysis tools that locate
and eliminate vulnerabilities in smart contracts [5, 6, 44, 51]. However, it is not easy to compare and
reproduce that research: even though several of the tools are publicly available, the datasets used are
not. If a developer of a new tool wants to compare the new tool with existing work, the current approach
is to contact the authors of alternative tools and hope that they give access to their datasets (as done in,
e.g., [52]). Furthermore, most of smart contracts static analysers are required to be installed, and some
even require you to install dependencies they rely on. Others are not available for all OS’s. Executing
smart contract analysis with multiple tools, running and installing each one individually can be an
excruciating process and consume unnecessary time. There is a need to ease the execution of static
analysers and provide a simple interface where the user could analyse multiple contracts with multiple
tools without requiring installation of any of the tools.
We present SmartBugs to address these problems. SmartBugs is an extensible, and easy to use
execution framework that simplifies research on automated analysis techniques for smart contracts and
executes these tools on the same execution environment. To be able to execute and compare automated
analysis tools, hence setting the ground for fair comparisons, we provide sbcurated: a dataset of 143
manually annotated Solidity smart contracts that can be used to evaluate the precision of analysis tools.
Developers can use it to evaluate their automated analysis tools, create benchmarks and easily compare
them with state of the art, alternative tools. SmartBugs provides the possibility to easily integrate analysis
tools, thus enabling reproducibility of the results for these tools. Once tools are added to SmartBugs, it
is easy to compare their performance and accuracy.
SmartBugs has the following features:
• A plugin system to easily add new analysis tools, based on Docker images;
• A plugin system to easily add new named datasets;
• Bulk analysis with any number of tools available;
• CLI and WUI Dashboard;
33
• Parallel execution of the tools to speed up the execution time; [Contribution]
• A parser mechanism that normalizes the way the tools are outputting the results; [Contribution]
The last two items marked with [Contribution] resulted in external contributions done to SmartBugs
by co-authors of Durieux et al. [7] to automate results in the ambit of the analysis discussed in Chapter
4.
SmartBugs comes with 10 tools ready to be executed:
1. HoneyBadger
2. Maian
3. Manticore
4. Mythril
5. Osiris
6. Oyente
7. Securify
8. Slither
9. SmartCheck
10. Solhint
However, throughout this work we only focus on the seven tools that met the criteria presented in
Section 2.5. We excluded Maian, Manticore and Solhint.
3.2 Availability
The framework and sbcurated are available in GitHub as repositories of SmartBugs 12. The dataset
sbcurated is divided into 10 folders named with the DASP categories, and the folders contain the contracts
of that category. Moreover, the dataset contains the file vulnerabilities.json which contains the
details of each vulnerable contract. It details the name, the origin URL, the path, and the lines and the
category of the vulnerabilities.
3.3 Data Collection
All contracts and tools present in SmartBugs are publicly available. The collection methodology to create
sbcurated is explained in this section.
1SmartBugs (including sbcurated): https://github.com/smartbugs/smartbugs2SmartBugs WUI: https://github.com/smartbugs/smartbugs-dashboard
34
3.3.1 sbcurated: A Dataset of 143 Vulnerable Smart Contracts
As referenced in the beginning of this chapter, our goal in constructing sbcurated was to provide a
reliable dataset with a collection of vulnerabilities designed to be reproducible, follow a known taxonomy
(as presented in Section 2.4) and to serve as a reference dataset to the research community. The last
category presented in DASP 10 is Unknown Unknowns, which, as discussed in Section 2.4 represents
future and undiscovered vulnerabilities. This category is not useful in the context of mapping existent
vulnerabilities, so we opted to map vulnerabilities that did not fit any other of the nine categories, i.e.
categories that are not identified in DASP 10, in this category. For example, vulnerabilities such as
uninitialized data and the possibility of locking down Ether are mapped to this category. This category,
Unknown Unknowns, will be referred as Other to avoid confusion and simplify the description.
sbcurated design was driven by the following objectives:
1. Reproducibility: One of our main objectives is to contribute to the reproducibility of research in
automated analysis of smart contracts and, in particular, of smart contracts written in Solidity. By
collecting, organizing, and maintaining a diverse set of vulnerable contracts, we already contribute
towards that objective.
2. Real-world relevance: The contracts included in sbcurated were all taken from public sources.
Some were specifically crafted to demonstrate certain vulnerabilities, but a considerable number
were taken from Etherscan (i.e., they were deployed).
3. Diversity: The contracts in sbcurated were collected from multiple public sources aimed at demon-
strating different types of vulnerabilities. It includes multiple representatives from the categories
listed by the DASP.
4. Custom filtering: Named sets are useful for debugging and for specific experiments that a devel-
oper or researcher may want to run. It can ease and automate the execution process and facilitate
benchmarks results.
sbcurated was created by collecting smart contracts from three different sources: GitHub repositories, Blog
posts that analyse contracts and the Ethereum network. Most of contracts were collected from GitHub
repositories and the Ethereum network. We identified GitHub repositories that match relevant search
queries (‘vulnerable smart contracts’, ‘smart contracts security’, ‘solidity vulnerabilities’ ) and contain
vulnerable smart contracts. We searched Google using the same queries. We found several repositories
with vulnerable smart contracts such as not-so-smart-contracts3 and SWC Registry4. The latter is a
classification scheme for security weaknesses in Ethereum smart contracts. We also extracted vulnerabil-
ities that come from trusted entities in blog posts where smart contracts are audited, tested or discussed
3not-so-smart-contracts: https://github.com/crytic/not-so-smart-contracts4SWC Registry: https://smartcontractsecurity.github.io/SWC-registry
35
such as Positive.com5 and Blockchain.unica6. And finally, we used Etherscan7 to collect smart contracts
that are deployed on the Ethereum network and are known to contain vulnerabilities (e.g. the original
SmartBillions contract). Note that all the contracts were collected from trusted entities in the field. We
also ensure the traceability of each contract by providing the URL from which they were taken and its
author, where possible.
3.3.1.1 sbcurated Statistics
The dataset contains 143 contracts and 191 manually tagged vulnerabilities, divided into 10 categories of
vulnerabilities. Table 3.1 presents information about the 143 contracts. Each line contains a category of
vulnerability. For each category, we provide the number of contracts available within that category and
the total number of vulnerabilities and number of lines of code in the contracts of that category.
Category Contracts Vulns LoC
Access Control 17 19 899Arithmetic 14 24 304Bad Randomness 8 31 1,079Denial of service 6 7 177Front running 4 7 137Reentrancy 31 32 2,164Short addresses 1 1 18Time manipulation 5 7 100Unchecked low level calls 53 60 4055Other 3 3 115
Total 143 191 9,048
Table 3.1: Categories of vulnerabilities available in the dataset. (computed using cloc 1.82).
3.4 Framework Architecture
SmartBugs is written Python3 and relies on docker images to execute the tools. SmartBugs works with
docker images available on the Docker Hub or locally. In order to be able to add a tool to SmartBugs, a
docker image of the tool must be available.
The choice to use docker images was made to ease the addition of tools, allow the execution to
be reproducible and keep the same execution environment for all tools, allowing the user to execute
SmartBugs in every environment where python3 and docker is installed.
5Positive.com: https://blog.positive.com6Blockchain.unica: http://blockchain.unica.it/projects/ethereum-survey/7Etherscan: https://etherscan.io
36
Figure 3.1: SmartBugs Architecture
SmartBugs is composed of five main parts plus a web-based user interface, that is integrated to interact
with SmartBugs, as seen in Figure 3.1. SmartBugs can then be separated and divided in the following
components:
• The command-line interface;
• The web-based user interface;
• The tool plugins;
• The Docker images that are stored on Docker Hub;
• The datasets of smart contracts, where sbcurated is included;
• The SmartBugs’ runner. The component that puts all the parts of SmartBugs together to execute
the analysis tools on the smart contracts.
3.4.1 System Requirements
SmartBugs requires Docker and Python3 with the modules PyYAML, solidity parser, and docker.
Since Solidity versions are not always retro-compatible, the tools currently available might have prob-
lems processing some contracts depending on the solidity compiler used. For example, Solidity v0.5.0
introduced breaking changes8 and this creates compatibility issues with some versions of the Mythril tool.
Indeed, Mythril and Securify have compatibility issues with specific Solidity versions since they analyse
directly the EVM bytecode. However, tools such as SmartCheck that analyse the source code are less
impacted by the changes between versions.
To mitigate this problem, SmartBugs provides the possibility of having two different versions of the
same tool by adding a property in the configuration file. The configuration file supports a default tool
version to compile and analyse contracts above Solidity v0.5.0 (or all contracts if no other tool version is
8Solidity v0.5.0 introduced breaking changes: https://solidity.readthedocs.io/en/v0.5.0/050-breaking-changes.
html
37
provided). It is also possible to specify a different tool version to compile and analyse contracts below
Solidity v0.5.0. For example, tools such as Mythril and Securify, have two distinct versions configured:
one for contracts with Solidity below v0.5.0 and other for contracts written with Solidity above v0.5.0.
The design decision that we took was to put the users in control, allowing them to adapt the dataset
to their own needs.
3.4.2 Methodology for adding tools
Addition of tools in SmartBugs is designed to be simple and practical, allowing the user to control the
execution of the tools according to their needs. Currently, all the 10 tools in SmartBugs use Docker
images pulled from the Docker Hub. Some images were already publicly available others were created to
be added to SmartBugs.
Each tool plugin contains the configuration of the tools. The configuration contains the name of the
Docker image, the name of the tool, the command line to run the tool, and, optionally, the description
of the tool and the location of the output of results. Once a docker image providing the tool is available,
adding the tool to SmartBugs consists of adding a new configuration (an .YAML file) file such as the
following:
docker_image:
default: qspprotocol/mythril-usolc
solc<5: qspprotocol/mythril-0.4.25
cmd: -x
info: Mythril analyses EVM bytecode using symbolic analysis, taint analysis and control flow \
checking to detect a variety of security vulnerabilities.
SmartBugs extracts the results from the output printed by tool by default. If instead a tool stores
the result of the analysis in a file on the docker images, the path of that file should be defined in the
configuration file by adding an extra field, as shown below:
docker_image:
default: qspprotocol/securify-usolc
solc<5: qspprotocol/securify-0.4.25
cmd: --livestatusfile /results/output.json -fs
output_in_files:
folder: /results/output.json
info: Securify uses formal verification, also relying on static analysis checks. Securify’s \
analysis consists of two steps. First, it symbolically analyses the contract’s dependency \
38
graph to extract precise semantic information from the code. Then, it checks compliance and \
violation patterns that capture sufficient conditions for proving if a property holds or not.
3.4.3 Methodology for filtering bugs
SmartBugs supports the definition of named datasets, which is intended to represent subsets of contracts
that share a common property. For example, a named dataset already provided by default is reentrancy : it
corresponds to contracts that are identified as being vulnerable to reentrancy attacks. Named datasets can
be specified in a configuration file (config/dataset/dataset.yaml). The default configuration file provides
the named sets shown in Table 3.1.
To add a custom named dataset, the user simply has to alter the configuration file by adding a name
and the correspondent list of paths. The path can be a directory, a file, or a list of both. An example is
shown below.
reentrancy: dataset/reentrancy
arithmetic:
- dataset/arithmetic
- dataset/reentrancy/reentrance.sol
The dataset configuration file defines the name of the datasets and the path to the correspondent
directories or files.
3.4.4 CLI
SmartBugs provides a command line interface that allows users to query the datasets defined and run
different analysis tools on sets of contracts. The user can also get information about the tools, if provided,
skip an execution that already has results, specify the number of processes to use during the analysis (by
default 1) and list the named datasets and tools available.
SmartBugs command-line interface can be invoked as:
smartBugs.py [-h, --help]
(--file FILES | --dataset DATASETS)
--tool TOOLS
--info TOOLS
--skip-existing
--processes PROCESSES
--list tools datasets
39
Usage Example The following example shows how we can use the CLI of SmartBugs to run the tools
Oyente and Mythril against the contracts in the named dateset reentrancy :
smartBugs.py --tool oyente mythril \
--dataset reentrancy
This command creates an output folder with the results of the analysis for each tool executed. By
inspecting the output files, we can determine very quickly that both tools found problems in exactly the
same three contracts, further increasing confidence that the analyses performed by these tools are correct.
Since all 10 tools added to SmartBugs come with a parser mechanism to normalize the output, a json
file, with all vulnerabilities detected by the tool is created. A file containing the raw output of the tool
executed is also generated in the same folder. Also, the SmartBugs logs are stored in a folder called logs
composed of files named after the date and hour of the execution.
3.4.5 WUI Dashboard
SmartBugs offers a Web-based UI (WUI) built on top of SmartBugs itself. This dashboard provides the
user easy access to the list of tools, named datasets available and the vulnerabilities detected by each
tool available mapped to a category of DASP 10.
SmartBugs WUI is not dynamically updated, meaning that if new tools or datasets are added to
SmartBugs, they will not be automatically available on the WUI (unlike CLI). The reason for this is that
there is a need to compute the outputs and thus a parser mechanism must be defined in order to present
results to the user. Instead, to add a tool or dataset, first the user should follow the procedure explained
in 3.4.2 and 3.4.3 and then manually update the WUI by adding the name of the tool or the dataset. It
should also be defined a way to parse the output. The dashboard currently supports 10 tools, includes
sbcurated and provides a detailed mapping of all vulnerabilities identified by the 10 tools to a DASP 10
category.
The user has three options to analyse a smart contract, as seen in Figure 3.2:
1. The user can paste or write a smart contract in a text box;
2. The user can import a smart contract by uploading it to SmartBugs;
3. The user can run tools on defined datasets;
After the execution of the analysis the dashboard will present a graph with the number of security
issues found by each tool, and for each tool present the issues found.
40
Figure 3.2: SmartBugs Dashboard
Usage Example The following figures show how we can use the WUI of SmartBugs to run the tools
Oyente, Slither and SmartCheck against the contract inputted and how the results are shown:
Figure 3.3: Input panel for smart contracts and tool’s choice (Oyente, Slither and SmartCheck are selected)
41
Figure 3.4: Number of issues found by each tool
Figure 3.5: Issues found by Oyente
For each tool executed, a similar output to Figure 3.5 is presented.
3.5 Use Case
SmartBugs was used to perform an empirical review of automated analysis tools on 47,587 Ethereum
smart contracts further discussed in Chapter 4.
42
4Analysis: An Empirical Review
Contents
4.1 Analysis of 47,587 Smart Contracts . . . . . . . . . . . . . . . . . . . . . . . 45
4.2 Precision of the Static Analysis Tools . . . . . . . . . . . . . . . . . . . . . . 53
43
In this Chapter we discuss and analyse the static analysis tools introduced in Section 2.5 using two
distinct datasets, sbcurated and sbwild.
The first section of this chapter (Section 4.1) is part of a paper submitted to ICSE 2020 1 [7]. This
paper is authored by the author of this Dissertation and three researchers from INESC-ID. The content
of the first section is credited to all for the authors. (Note: In the paper were also included two tools
that do not rely solely on static analysis, which are not taken into account in this Dissertation).
4.1 Analysis of 47,587 Smart Contracts
We used SmartBugs to execute the 7 automated analysis tools on two datasets. The first dataset is
sbcurated, introduced in the previous chapter. At the time of the execution of this study sbcurated was
composed of 69 Solidity smart contracts with 115 manually annotated vulnerabilities (as described in
Table 4.2), not 143 smart contracts as presented in Chapter 3. The first part of the study was then
be executed on 69 vulnerable smart contracts and throughout this chapter all sbcurated mentions are
referring to this version. The second dataset, coined sbwild, contains all available smart contracts in the
Ethereum Blockchain that have Solidity source code available on Etherscan2 (a total of 47,518 contracts).
We have executed 7 state-of-the-art automated static analysis tools on the two datasets and analysed
the results in order to provide a fair point of comparison for future smart contract analysis tools. In
total, the execution of all the tools required approximately 330 days and 15 hours to complete 333,109
analyses.
In this section, we describe the setup of the tools (Section 4.1.2), their execution (Section 4.1.3) and
discuss the results of the analysis of both datasets (Section 4.1.4 and 4.1.5).
4.1.1 Data Collection: sbwild
The dataset sbwild was collected by the co-authors of [7], and is further detailed in the paper. It collected
all the different contracts from the Ethereum blockchain, since Etherscan allows downloading the source
code of a contract, if available, if you know its address. All the duplicates were removed as we observed
that 95% of the available Solidity contracts are duplicates. We consider that two contracts are duplicates
when the MD5 checksums of the two source files are identical after removing all the spaces and tabulations.
1ICSE 2020: https://conf.researchr.org/home/icse-20202Etherscan: https://etherscan.io
45
Solidity source not available 1,290,074Solidity source available 972,975Unaccessible 47
Total 2,263,096
Unique Solidity Contracts 47,518LOC 9,693,457
Table 4.1: Statistics on the collection of Solidity smart contracts from the Ethereum blockchain.
Table 4.1 presents the statistics of this dataset. We use Google BigQuery 3 to collect the Ethereum
contract addresses that have at least one transaction. The query on Google BigQuery retrieved 2,263,096
smart contract addresses. We then requested Etherscan for the Solidity source code of those contracts,
and we obtained 972,975 Solidity files. This means that 1,290,074 of the contracts do not have an
associated source file in Etherscan. The filtering process of removing duplicate contracts resulted in
47,518 unique contracts (a total of 9,693,457 lines). The dataset sbwild is available in GitHub as a
repository of SmartBugs 4.
4.1.2 Tools’ Setup
For this experiment, we set the time budget to 30 minutes per analysis. In order to identify a suitable time
budget for one execution of one tool over one contract, we first executed all the tools on sbcurated dataset.
We then selected a time budget that is higher than the average execution time. If the time budget is
spent, we stop the execution and collect the partial results of the execution. During the execution of our
experiment, no tool faced timeouts.
4.1.3 Large-scale Execution
To our knowledge, the experimental setup presented in [7] is the largest one on smart contract analysis,
both in the number of tools and in execution time.
Regarding the study presented in this section, where two tools were excluded from the original study,
7 tools were executed and 333,109 analyses were performed, which took approximately 330 days and 15
hours of combined execution, almost a year of continuous execution.
All the logs and the raw results of the analysis are available in GitHub as a repository of SmartBugs 5.
4.1.4 sbcurated: Analysis of 69 Smart Contracts
Each contract of sbcurated is categorized in one of the ten DASP categories, where Unknown Unknowns,
referenced as Other in this section, represents vulnerabilities that did not suited any of the other nine
3Ethereum in BigQuery - a Public Dataset for smart contract analytics:https://cloud.google.com/blog/products/data-analytics/ethereum-bigquery-public-dataset-smart-contract-analytics
4Analysis results: https://github.com/smartbugs/smartbugs-wild5Analysis results: https://github.com/smartbugs/smartbugs-results
46
categories in the DASP 10, as established in the previous Chapter. The version of sbcurated used is
described in Table 4.2. Our goal is to compute the ability of the 7 tools in detecting the vulnerabilities
present in the 69 contracts. The methodology that we followed to extract results was the following:
1. We executed the 7 tools on the 69 contracts. The result of this execution is available on GitHub.
2. We extracted all the vulnerabilities that were detected by the tools into a JSON file.
3. We mapped the detected vulnerabilities by the tools to a category of vulnerabilities (see Table
3.1). To achieve this task, we used all the annotated vulnerability types that sbcurated provides.
For example, Oyente detects a vulnerability called Integer Overflow that we link to the category
Arithmetic. In total, we identify 141 vulnerability types, and 97 of them have been tagged in one
of the ten categories. The remaining 44 do not fit the DASP taxonomy (for example, some tools
warn about the use of inline assembly, which is considered a bad practice but does not necessarily
lead to vulnerable contracts). The mapping that we created is publicly available6 and can be also
consulted in SmartBugs Dashboard.
4. At this point, we were able to identify which vulnerabilities the tools detect. Unfortunately, we found
out that none of the 7 tools were able to detect vulnerabilities of the categories Bad Randomness
and Short Addresses.
Category Contracts Vulns LoC
Access Control 17 19 899Arithmetic 14 22 295Bad Randomness 8 31 1,079Denial of service 6 7 177Front running 4 7 137Reentrancy 7 8 778Short addresses 1 1 18Time manipulation 4 5 76Unchecked low level calls 5 12 225Other 3 3 115
Total 69 115 3,799
Table 4.2: Categories of vulnerabilities available in the dataset sbcurated used in the study. (computed usingcloc 1.82).
6Vulnerabilities mapping: https://tinyurl.com/smartbugs-mapping
47
Category HoneyBadger Mythril Osiris Oyente Securify Slither SmartCheck Total
Access Control 0/19 0% 4/19 21% 0/19 0% 0/19 0% 0/19 0% 4/19 21% 2/19 11% 5/19 26%Arithmetic 0/22 0% 15/22 68% 11/22 50% 12/22 55% 0/22 0% 0/22 0% 1/22 5% 19/22 86%Denial of Service 0/7 0% 0/7 0% 0/7 0% 0/7 0% 0/7 0% 0/7 0% 0/7 0% 0/ 7 0%Front Running 0/7 0% 2/7 29% 0/7 0% 0/7 0% 2/7 29% 0/7 0% 0/7 0% 2/ 7 29%Reentrancy 0/8 0% 5/8 62% 5/8 62% 5/8 62% 5/8 62% 7/8 88% 5/8 62% 7/ 8 88%Time Manipulation 0/5 0% 0/5 0% 0/5 0% 0/5 0% 0/5 0% 2/5 40% 1/5 20% 3/ 5 60%Unchecked Low Level Calls 0/12 0% 5/12 42% 0/12 0% 0/12 0% 3/12 25% 4/12 33% 4/12 33% 9/12 75%Other 2/3 67% 0/3 0% 0/3 0% 0/3 0% 0/3 0% 3/3 100% 0/3 0% 3/ 3 100%
Total 2/115 2% 31/115 27% 16/115 14% 17/115 15% 10/115 9% 20/115 17% 13/115 11% 48/115 42%
Table 4.3: Vulnerabilities identified per category by each tool.
Category HoneyBadger Mythril Osiris Oyente Securify Slither SmartCheck Total
Access Control 0 24 0 0 6 20 3 53Arithmetic 0 92 62 69 0 0 23 246Denial of Service 0 0 27 11 0 2 19 59Front Running 0 21 0 0 55 0 0 76Reentrancy 0 16 5 5 32 15 7 80Time Manipulation 0 0 4 5 0 5 2 16Unchecked Low Level Calls 0 30 0 0 21 13 14 78Other 5 32 0 0 0 28 8 73
Total 5 215 98 90 114 83 76 681
Table 4.4: Total number of detected vulnerabilities by each tool, including vulnerabilities not tagged in thedataset.
The results of the analysis of sbcurated are presented in Table 4.3 and Table 4.4. The first table
presents the number of known vulnerabilities that have been identified. A vulnerability is considered as
identified when a tool detects a vulnerability of a specific category at a specific line, and it matches the
vulnerability that has been annotated in the dataset. Each row of Table 4.3 represents a vulnerability
category, and each cell presents the number of vulnerabilities where the tool detects a vulnerability of this
category. This table summarizes the strengths and weaknesses of the current state of the art of smart
contract analysis tools. It shows that the tools can accurately detect vulnerabilities of the categories
Arithmetic, Reentrancy, Time Manipulation, Unchecked Low Level Calls and Other. However, they were
not accurate in detecting vulnerabilities of the categories Access Control, Denial of Service, and Front
Running. The categories Bad Randomness and Short Addresses are not listed, since none of the tools
are able to detect vulnerabilities of these types. This shows that there is still room for improvement and,
potentially, for new approaches to detect vulnerabilities of the ten DASP categories.
Table 4.4 also shows that the tools offer distinct accuracies. Indeed, the tool Mythril has the best
accuracy among the 7 tools. Mythril detects 27% of all the vulnerabilities when the average of all tools
is 12%. The ranking of the tools is comparable to the one observed by Parizi et al. [53]. However, the
average accuracy is lower on our benchmark sbcurated. Moreover, Mythril, Slither, and SmartCheck are
the tools that detect the largest number of different categories (5 categories). Despite its good results,
Mythril is not powerful enough to replace all the tools: by combining the detection abilities of all the
tools, we succeed to detect 42% of all the vulnerabilities. However, depending on the available computing
power, it might not be realistic to combine all the tools.
48
HoneyBadger Mythril Osiris Oyente Securify Slither SmartCheck
HoneyBadger 33/115 29% 18/115 16% 19/115 17% 12/115 10% 20/115 17% 15/115 13%Mythril 33/115 29% 33/115 29% 31/115 27% 42/115 37% 33/115 29%Osiris 22/115 19% 21/115 18% 31/115 27% 23/115 20%Oyente 22/115 19% 32/115 28% 25/115 22%Securify 25/115 22% 16/115 14%Slither 25/115 22%SmartCheck
Table 4.5: Combined tools
Therefore, we suggest the combination of Mythril and Slither, since it detects 42 (37%) of all the
vulnerabilities (see Table 4.5). This combination offers a good balance between performance and execution
cost. This combination is the best possible combination by a considerable margin. The second best
combination, Mythrill and Oyente, only succeeds to detect 33 (29%) of all the vulnerabilities.
We now consider all the vulnerability detections and not only the ones that have been tagged in
sbcurated. Table 4.4 presents the total number of vulnerabilities detected by the tools. This table al-
lows the comparison of the total number of detected vulnerabilities with the number of detected known
vulnerabilities shown in Table 4.3. Unsurprisingly, the more accurate a tool is in detecting known vulner-
abilities, the more accurate it is at detecting unknown vulnerabilities. The output of the tools that are
performing the best are also producing much more warnings (i.e., their output is more noisy), making it
difficult for a developer to exploit the results.
4.1.5 sbwild: Vulnerabilities in Production Smart Contracts
The analysis of the contracts in sbwild followed the same methodology as in the previous analysis of
sbcurated, however, for sbwild, we do not have an oracle to identify the vulnerabilities.
Category HoneyBadger Mythril Osiris Oyente Securify Slither SmartCheck Total
Access Control 0 0% 1,076 2% 0 0% 2 0% 614 1% 2,356 4% 384 0% 3,758 7%Arithmetic 1 0% 18,515 39% 13,922 29% 34,306 72% 0 0% 0 0% 7,430 15% 37,590 79%Denial of Service 0 0% 0 0% 485 1% 880 1% 0 0% 2,555 5% 11,621 24% 12,419 26%Front Running 0 0% 2,015 4% 0 0% 0 0% 7,217 15% 0 0% 0 0% 8,161 17%Reentrancy 19 0% 8,454 17% 496 1% 308 0% 2,033 4% 8,764 18% 847 1% 14,747 31%Time Manipulation 0 0% 0 0% 1,470 3% 1,452 3% 0 0% 1,988 4% 68 0% 4,005 8%Unchecked Low Calls 0 0% 443 0% 0 0% 0 0% 592 1% 12,199 25% 2,867 6% 14,655 30%Other 26 0% 11,126 23% 0 0% 0 0% 561 1% 9,133 19% 14,113 29% 28,091 59%
Total 46 0% 22,994 48% 14,665 30% 34,764 73% 8,781 18% 22,269 46% 24,906 52% 44,549 93%
Table 4.6: The total number of contracts that have at least one vulnerability (analysis of 47,518 contracts).
Table 4.6 presents the results of executing the 7 tools on the 47,518 contracts. It shows that the 7
tools are able to detect eight different categories of vulnerabilities. In total, 44.549 contracts (93%) have
at least one vulnerability detected by one of the 7 tools.
Such a high number of vulnerable contracts suggests the presence of a considerable number of false
positives. Oyente is the approach that identifies the highest number of contracts as vulnerable (73%),
mostly due to vulnerabilities in the Arithmetic category. This observation is coherent with the observation
49
of Parizi et al. [53], since they determine that Oyente has the highest number of false positives when
compared to Mythril, Securify, and SmartCheck.
Figure 4.1: Proportion of vulnerabilities identified by exactly one (1), two (2) or three (3) tools, and by fourtools or more (4+)
Since we observed a potentially large number of false positives, we analysed to what extent the tools
agree in vulnerabilities they flag. The hypothesis is that if a vulnerability is identified exclusively by a
single tool, the probability of it being a false positive increases. Figure 4.1 presents the results of this
analysis. This figure shows the proportion of detected vulnerabilities that have been identified exclusively
by one tool alone, two tools, three tools, and finally by four or more tools.
It is clear from the figure that the large majority of the vulnerabilities have been detected by one tool
only. One can observe that there are 71.25% of the Arithmetic vulnerabilities to be found by more than
one tool.
We also observe that only a few number of vulnerabilities received a consensus of four or more tools:
937 for Arithmetic and 133 for Reentrancy. Unchecked Low Level Calls has consensus by four tools
or more in 52 vulnerabilities, Denial Of Service and Other in 50 and 41, respectively. These results
suggest that combining several of these tools may yield more accurate results, with less false positives
and negatives.
The tool HoneyBadger is different: instead of detecting vulnerabilities, it detects malicious contracts
that try to imitate vulnerable contracts in order to attract transactions to their honeypots. HoneyBad-
ger has a peculiar, but useful role: if HoneyBadger detects a vulnerability, it actually means that the
vulnerability does not exist. So, consensus with HoneyBadger suggests the presence of false positives.
Figura 4.1 shows that 15 contracts identified by HoneyBadger with vulnerabilities of type Reentrancy
have been detected by three other tools as Reentrancy vulnerable.
We also analysed the evolution of the vulnerabilities over time. Figure 4.2 presents the evolution of
the number of vulnerabilities by category. It firstly shows the total number of unique contracts started
50
Figure 4.2: Evolution of number of vulnerabilities over time.
to increase exponentially at the end of 2017 when Ether was at its highest value. Secondly, we can
observe two main groups of curves. The first one contains the categories Arithmetic and Other. These
two categories follow the curve of the total number of contracts. The growing number of vulnerable
contracts seems to slow down from July 2018. Finally, this figure shows that the evolution of categories
Reentrancy and Unchecked Low Level Calls is extremely similar (the green line of Reentrancy is also
hidden by the blue line of Unchecked Low Level Calls). This indicates that there is a strong correlation
between vulnerabilities in these two categories.
Figure 4.3: Correlation between the number of vulnerabilities and balance in Wei (one Ether is 1018 Wei)
And lastly, Figure 4.3 presents the correlation between the number of vulnerabilities and the balance
of the contracts. It shows that the contracts that have a balance between 1014 Wei and 1020 Wei have
more vulnerabilities than other contracts. Hence, the richest and the middle class seem to be most
51
impacted. Per category, we have not observed any significant differences worth reporting.
4.1.6 Execution Time of the Analysis Tools
In order to measure the time of the execution, we recorded for each individual analysis when it started
and when it ended. The duration of the analysis is the difference between the starting time and the
ending time. An individual execution is composed of the following steps:
1. Start the Docker image and bind the contract to the Docker instance;
2. Clean the Docker container;
3. Parse and output the logs to the results folder.
Table 4.7 presents the average and total times used by each tool. In the table, we can observe two
different groups of execution time: the tools that take a few seconds to execute and the tools that take
a few minutes. Oyente, Osiris, Slither, SmartCheck are much faster tools that take between 5 and 34
seconds on average to analyse a smart contract. HoneyBadger, Mythril, and Securify are slower and take
between 1m24s and 6m37s to execute. The difference in execution time between the tools is dependent
on the technique that each tool uses. Pure static analysis tools such as SmartCheck and Slither are really
fast since they only parse the AST of the contract to identify vulnerabilities and bad practices.
# Tools Average Total
1 Honeybadger 0:01:38 23 days, 13:40:002 Mythril 0:01:24 46 days, 07:46:553 Osiris 0:00:34 18 days, 10:19:014 Oyente 0:00:30 16 days, 04:50:115 Securify 0:06:37 217 days, 22:46:266 Slither 0:00:05 2 days, 15:09:367 SmartCheck 0:00:10 5 days, 12:33:14
Total 0:01:40 330 days and 15 hours
Table 4.7: Average execution time for each tool
Securify and Mythril analyse the EVM bytecode of the contracts. It means that those tools require
the contract to be compiled before doing the analysis. The additional compilation step slows down the
analysis.
The average execution time does not reflect the complete picture of the performance of a tool. Mythril,
for example, which has the best accuracy according to our evaluation, takes on average of 1m24s to analyse
a contract. It is faster than Securify that only has an accuracy of 9% compared to the 27% of Mythril.
52
4.2 Precision of the Static Analysis Tools
In this section we will extend the analysis regarding sbcurated done in Section 4.1.4. We manually analysed
each contract and each tool execution output to be able to compute precision metrics.
4.2.1 Testing Environment and Evaluation Criteria
For each tool output and contract analysed in Section 4.1.4, we manually verified the issues identified
by each tool on each contract and labeled them as either true positive (TP) or false positive (FP) after
performing a manual audit on the targeted contract to check the results. If the tool failed to detect a
vulnerability, it is flagged as a false negative (FN). The following metrics are used to evaluate the tools:
• True Positive (TP): Number of true positives, i.e. pieces of code which are indeed vulnerable and
the vulnerability is identified by the tool;
• False Positive (FP): Number of false positives, i.e. a vulnerability identified where it does not exist;
• False Negative (FN): Number of false negatives, i.e. the tool failed to identify a vulnerability.
Since the notions above defined do not apply equally to HoneyBadger, as it is a special case where a
true positive represents that the vulnerability does not exist (it detects honeypots) and their sample of
positives is not relevant (HoneyBadger had a total of five positives), we decided to not include it in this
discussion to avoid confusion.
Applying the defined notions we can introduce other useful measures to assess the performance of the
static analysis tools:
• False Negative Rate (FNR): FNR = FN / (FN + TP)
• False Discovery Rate (FDR): FDR = FP / (TP + FP)
• Sensitivity = 1 - FNR
• Precision = 1 - FDR
After carefully analysing all contracts for vulnerabilities, we identified a total of 167 vulnerabilities
in the 69 contracts of sbcurated. Table 4.8 reflects all the metrics of each tool regarding the execution of
the analysis discussed in Section 4.1.4. All informational outputs were not considered in the collection of
metrics. The same methodology followed in the analysis presented in the previous section was followed.
53
Mythril Osiris Oyente Securify Slither SmartCheck
TP 88 59 46 31 61 49FP 78 39 44 35 22 27FN 79 108 121 136 106 118FDR 47% 39,8% 48,9% 53,0% 26,5% 35,5%FNR 47,3% 64,7% 72,5% 81,4% 63,5% 70,7%Precision 53% 60,2% 51,1% 47% 73,5% 64,5%Sensitivity 52,7% 35,3% 27,5% 18,6% 36,5% 29,3%
Table 4.8: Metrics of the tools
It is possible to verify that the amount of positives (TP + FP) of Mythril and Securify are not
in line with the ones presented in Table 4.4. The reason is that Mythril usually outputs the same
vulnerability more than once, making the amount of positives in Table 4.4 bigger, as the analysis discussed
in Section 4.1.4 was automated and counts all the execution output. Table 4.8 does not take in account
repeated outputs, as it resulted from a manual analysis. For example, Mythril sometimes flagged a
vulnerable line and also flagged the function which that line was part of, repeating the vulnerability
without introducing new data. Regarding Securify, it usually repeats the same output in different types
of the same vulnerability. For example, it detects three types of Front Running (a.k.a Transaction
Order Dependence): TODReceiver, TODTransfer and TODAmount. In this context our goal is not to
distinguish the several types of Front Running and most Front Running positives given by Securify were
repeated three times through out this different types, i.e., most of the times Securify flags the same piece
of code vulnerable indicating the same line(s) in the three types of Front Running.
4.2.2 Summary
Mythril shows the best sensitivity, having the most number of true positives. As previously indicated by
Table 4.3, it is the one that flags more positives. It also seems to have the most number of false positives.
Slither is the tool that presents best precision (73,5%), followed by SmartCheck.
54
5SmartCheck Extension
Contents
5.1 SmartCheck Patterns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
5.2 Patterns Added . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
5.3 Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
5.4 Availabity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
55
The analysis presented in the previous Chapter showed us that there is room for improvement for
static analysis to detect more vulnerabilities. Bad Randomness was one of the categories that all of the
tools failed to detect. In this section, we propose to extended the tool SmartCheck [6] to enable the
detection of vulnerabilities related to Bad Randomness and improve detection of Time Manipulation and
Access Control.
5.1 SmartCheck Patterns
SmartCheck runs lexical and syntactical analysis on Solidity source code. It uses a custom Solidity gram-
mar to generate a XML parse tree as an intermediate representation (IR). SmartCheck detects vulnera-
bility patterns by using XPath patterns on the IR. Our approach to improve SmartCheck vulnerabilities
detection is to investigate new rules and add them, in the form of XPath patterns.
Let us consider as an example the balance equality issue (an adversary can manipulate contract logic
by forcibly sending it ether) shown below in Listing 5.1, and also presented in the SmartCheck [6] paper.
The parse tree of the example is shown in Figure 5.1.
Listing 5.1: Balance equality.
1 if (this.balance == 42 ether) {...}
Figure 5.1: Parse tree for the Balance equality code example (SmartCheck, 2018)
To easily identify patterns of balance equality, the XPath pattern constructed in Listing 5.2 is suffi-
cient. As this is a relatively simple and straightforward example, it’s easy to precisely define the pattern
57
in a way that does not generate false positives.
Listing 5.2: XPath pattern for the Balance equality issue.
1 //expression[expression//envVarDef
2 [matches(text()[1],"ˆthis.balance$")]]
3 [matches(text()[1],"ˆ==|!=$")]
One of the problems of the SmartCheck approach, using XPath patterns, is that more complex rules
can not be precisely described using XPath. So, when more complex cases are needed to be put in form
of XPath patterns they can easily lead to false positives.
5.2 Patterns Added
We propose to add three more rules to SmartCheck and improve an already established rule.
Our first approach, based on the analysis presented in Chapter 4, was to add a rule to detect Bad Ran-
domness issues called SOLIDITY BAD RANDOMNESS. To do that, we created a XPath pattern to de-
tect the use of environment variables such as: block.number, block.coinbase, block.difficulty, block.gaslimit,
blockhash and block.blockhash. The XPath pattern is shown is Listing 5.3. This rule is straightforward
and its goal is to simply detect the use of the referred environment variables and to flag their use, acting
as a warning.
Listing 5.3: SOLIDITY BAD RANDOMNESS : XPath pattern to detect bad randomness vulnerabilities.
1 // expr e s s i on
2 [ e xp r e s s i on / env i ronmenta lVar iab le
3 [ matches ( t ex t ( ) [ 1 ] , ” block.number | b l o c k . c o i n b a s e | b l o c k . d i f f i c u l t y
4 | b l o c k . g a s l i m i t | blockhash | b lock .b l ockhash ” ) ]
5 [ not ( ance s to r : : ∗ [ 4 ] [ s e l f : : f u n c t i o n C a l l ] ) ] ]
Regarding Access Control, SmartCheck only detects tx.origin issues. We added a pattern to search
for suicides (selfdestruct) and ownership transfers where the function misses proper protection. To do
that we constructed two rules patterns inside a single rule named SOLIDITY UNPROTECTED. To
detect unprotected ownership transfers we created a pattern to look for all functions defined, excluding
constructors, that do not have standard modifiers defined, as onlyOwner, or require statements protecting
a value assignment to a variable defined as owner. To detect unprotected selfdestructs the approach was
similar, but instead we look for functions that do not have neither modifiers nor require statements
defined to protect selfdestruct calls. Since this a more complex approach and looks for standard names
used in Solidity programming, such as the variable owner to save the owner address or the modifier named
58
onlyOwner to protect sensitive calls, it is prone to detect more false positives. Both XPath patterns are
shown is Listing 5.4 and Listing 5.5, respectively.
Listing 5.4: SOLIDITY UNPROTECTED : XPath pattern to detect unprotected ownership transfers.
1 // f u n c t i o n D e f i n i t i o n [ not ( t ex t ( ) [ 1 ]=” cons t ruc to r ” ) ]
2 [ parameterLi s t / parameter ]
3 [ not ( boolean ( i d e n t i f i e r [ p o s i t i o n () >1])
4 or i d e n t i f i e r [ p o s i t i o n ( ) >1 ] [ matches ( t ex t ( ) [ 1 ] , ”onlyOwner | onlyOwner ( )
5 | onlyWal let | onlyWal let ( ) ” ) ]
6 or descendant : : e xp r e s s i on [ comparison [ t ex t () [1 ]=”==”] ]
7 [ e xp r e s s i on / env i ronmenta lVar iab le [ matches ( t ex t ( ) [ 1 ] , ” msg.sender ” ) ] ]
8 [ e xp r e s s i on / pr imaryExpress ion / i d e n t i f i e r
9 [ t ex t ( ) [ 1 ] = ( ance s to r : : c o n t r a c t D e f i n i t i o n // s t a t e V a r i a b l e D e c l a r a t i o n
10 [ typeName/elementaryTypeName [ t ex t ( ) [ 1 ]=” address ” ] ] / i d e n t i f i e r ) ] ] )
11 and descendant : : pr imaryExpress ion / i d e n t i f i e r [ t ex t ( ) = ”owner ” ] ]
Listing 5.5: SOLIDITY UNPROTECTED : XPath pattern to detect unprotected suicides.
1 // f u n c t i o n D e f i n i t i o n
2 [ not ( boolean ( i d e n t i f i e r [ p o s i t i o n () >1])
3 or i d e n t i f i e r [ p o s i t i o n ( ) >1 ] [ matches ( t ex t ( ) [ 1 ] , ”onlyOwner | onlyOwner ( )
4 | onlyWal let | onlyWal let ( ) ” ) ]
5 or descendant : : e xp r e s s i on [ comparison [ t ex t () [1 ]=”==”] ]
6 [ e xp r e s s i on / env i ronmenta lVar iab le [ matches ( t ex t ( ) [ 1 ] , ” msg.sender ” ) ] ]
7 [ e xp r e s s i on / pr imaryExpress ion / i d e n t i f i e r
8 [ t ex t ( ) [ 1 ] = ( ance s to r : : c o n t r a c t D e f i n i t i o n // s t a t e V a r i a b l e D e c l a r a t i o n
9 [ typeName/elementaryTypeName [ t ex t ( ) [ 1 ]=” address ” ] ] / i d e n t i f i e r ) ] ] )
10 and descendant : : f u n c t i o n C a l l // i d e n t i f i e r [ t ex t ( ) [ 1 ]=” s e l f d e s t r u c t ” ] ]
Regarding Time Manipulation, SmartCheck already defines a rule named SOLIDITY EXACT TIME,
where the pattern is defined to look for expressions that contain comparisons using block.timestamp or
now, except for cases when timestamp is a function argument. Analysing Table 4.3 we can see that
SmartCheck only detects one out of five Time Manipulation issues. We decided to improve this rule by
following a similar approach to the one used when creating our pattern to find Bad Randomness issues.
We decided to update the pattern to look for expressions that contains block.timestamp or now, not only
when used in comparisons as previously defined. The XPath pattern is detailed in Listing 5.6. The design
approach was the same as in the rule constructed to detect Bad Randomness issues: to flag the use of
variables related to Time Manipulation, not only in comparisons, and thus act as a warning.
59
Listing 5.6: SOLIDITY EXACT TIME : XPath pattern to detect time manipulation vulnerabilities.
1 // expr e s s i on
2 [ e xp r e s s i on / env i ronmenta lVar iab le
3 [ matches ( t ex t ( ) [ 1 ] , ” ˆ block.t imestamp | now$ ” ) ]
4 [ not ( ance s to r : : ∗ [ 4 ] [ s e l f : : f u n c t i o n C a l l ] ) ] ]
5.3 Results
We analysed sbcurated with SmartCheck Extended, using the same version used in the study presented in
Chapter 4, to set a fair ground of comparison. Table 5.1 compares the results of SmartCheck, discussed
in Section 4.1.4, and the results obtained from executing SmartCheck Extended in the same dataset,
sbcurated. We can observe that our extension is capable of detecting a total of 15 more issues, with
regard of the annotated vulnerabilities in sbcurated, more than doubling the capability of detection of
SmartCheck without our extension. With our proposed extension we can detect 24% of the vulnerabilities
annotated in sbcurated, instead of the previous 11%.
Category SmartCheck SmartCheck Extended
Access Control 2/19 11% 4/19 21%Arithmetic 1/22 5% 1/22 5%Bad Randomness 0/31 5% 10/31 32%Denial of Service 0/7 0% 0/7 0%Front Running 0/7 0% 0/7 0%Reentrancy 5/8 62% 5/8 62%Short Addresses 0/1 0% 0/1 0%Time Manipulation 1/5 20% 4/ 5 80%Unchecked Low Level Calls 4/12 33% 4/12 33%Other 0/3 0% 0/3 0%
Total 13/115 11% . 28/115 24%
Table 5.1: Vulnerabilities identified per category by SmartCheck and SmartCheck Extended in sbcurated.
When taking in consideration the precision metrics presented in Section 4.2, where all 167 vulnera-
bilities present in sbcurated are taken into account, our solution improves 15,1% in sensitivity and 5,1%
in precision, as seen in Table 5.2. We can see, as previously indicated and suspected, that the Access
Control rule has a considerable amount of false positives, actually more than the double of true positives.
Regarding the rules introduced to detect Bad Randomness and Time Manipulation, their result is as
expected, since they act as warnings and detect the use of sensitive environment variables.
60
SmartCheck SmartCheck Extended
TP 49 74FP 27 32FN 118 93FDR 35,5% 30,2%FNR 70,7% 55,6%Precision 64,5% 69,6%Sensitivity 29,3% 44,4%
Table 5.2: SmartCheck and SmartCheck Extended metrics.
Access Control Bad Randomness Time Manipulation
TP 2 10 13FP 5 - -Warnings - 37 4
Table 5.3: Positives of SmartCheck Extended.
Table 5.3 divides all the vulnerabilities detected by our extension in TP, FP or warnings. True
positives map the positives flagged from the 167 vulnerabilities taken in consideration in Section 4.2.
False positives are the number of issues flagged that are not true. Warnings are the number of issues
detected that are not mapped in the 167 vulnerabilities, but also are not false positives. As previous
stated, SOLIDITY BAD RANDOMNESS and SOLIDITY EXACT TIME are meant to act as warnings
and simply flag the use of sensitive environment variables.
5.4 Availabity
SmartCheck Extended is available on GitHub1, as a fork of the original SmartCheck. It is also included
in SmartBugs and ready to be executed.
1SmartCheck Extended: https://github.com/pedrocrvz/smartcheck
61
6Conclusion
Contents
6.1 Achievements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
6.2 Future Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
63
In this chapter we describe the main contributions of this dissertation while assessing if our objectives
were met. We also discuss future work and improvements.
6.1 Achievements
As smart contracts use grows, more vulnerabilities are found and their impact becomes bigger. With
our work we contributed to improve the research on static analysis tools and introduced new tools to
facilitate research and automated analysis.
We described the most important vulnerabilities found in Ethereum smart contracts, using DASP 10
as taxonomy, and enumerated the state-of-the-art static analysis tools available to verify smart contracts.
After our literature review we introduced SmartBugs, an important contribution to automate and ease
the execution of smart contracts analysers. We also introduced sbcurated, a dataset of 143 annotated
vulnerable Solidity smart contracts with a defined vulnerability taxonomy that can serve as a reference
dataset to the research community. We referenced sbwild, used in [7] and discussed in Chapter 4.1. Both
datasets are publicly available for the community to use.
Using SmartBugs, we were able to organize and easily execute 7 state-of-the-art tools to perform
an empirical review on 47,587 Ethereum smart contracts. We discussed the results and obtained useful
remarks and insights. For example, we were able to detect that Bad Randomness is a category of
vulnerabilities overlooked by the 7 tools reviewed. This motivated us to contribute to the field by
extending SmartCheck to detect Bad Randomness vulnerabilities. Our extension improved SmartCheck
by 15,1% in sensitivity and 5,1% in precision.
With our work we accomplished the objectives proposed and all the topics mentioned in the research
questions were addressed. We are now able to provide a direct and succint answer to all the research
questions:
What are the state-of-the-art analysis tools for Ethereum smart contracts?
In our research we listed 35 state-of-the-art tools currently available to analyse Ethereum smart contracts.
Furthermore, we listed all their URLs and, where applicable, we identified the corresponding research
paper. We also reviewed in detail 7 state-of-the-art tools.
What is the precision of the state-of-the-art analysis tools in detecting vulnerabilities on
Ethereum smart contracts? In Table 4.8 we established the precision and sensitivity of six state-of-
the-art tools. Slither showed to be the most precise and Mythril seems to have the highest sensitivity.
Which categories of vulnerabilities are most detected? Table 4.3 shows vulnerabilities identified
per category by each tool. The categories Other, Reentrancy, Arithmetic and Unchecked Low Level Calls
65
are the most detected. Table 4.6 also reiterates that Other, Arithmetic, Reentrancy and Unchecked Low
Level Calls are the categories of vulnerabilities most detected. With this data we can also say that they
seem to be the most common type of vulnerabilities.
How many vulnerable contracts are present in the Ethereum blockchain? The seven tools
identified vulnerabilities in 93% of the contracts (in 44,589 contracts), which suggests a high number of
false positives. Oyente, alone, detects vulnerabilities in 73% of the contracts. By combining the tools to
create a consensus, we observe that only a few number of vulnerabilities received a consensus of four or
more tools: 937 for Arithmetic and 133 for Reentrancy. Unchecked Low Level Calls receives consensus in
52 vulnerabilities, Denial Of Service and Other in 50 and 41, respectively.
How long do the tools require to analyse the smart contracts? On average, the tools take 1m40s
to analyse one contract. Slither is the fastest tool and takes on average only 5 seconds to analyse a
contract. We also observe that the execution speed is not the only factor that impacts the performance of
the tools. Securify was the slowest tool on average, but Securify can easily be parallelized and therefore
analyse the 47,518 smart contracts faster. Finally, we have not observed a correlation between accuracy
and execution time.
How can we improve a state-of-the-art analysis tool? The results gathered in the empirical review
discussed in Chapter 4 showed us that Bad Randomness was one category of vulnerabilities overlooked
by the 7 tools studied. By presenting an extension of SmartCheck, introducing the capability to detect
Bad Randomness issues, in Chapter 5, we already contributed to improve a state-of-the-art analysis tool.
Further more, there is still room to improve the tools studied by increasing the scope of categories of
vulnerabilities detected and enrich the quality of the analysis, decreasing the number of false positives
and improving accuracy.
6.2 Future Work
As discussed throughout this work, static analysis of smart contracts has been receiving several contri-
butions in recent years. As blockchain and smart contracts have a fast pace of development, we should
aim to keep our work up to date. Some suggestions for future work include:
• Improve and keep SmartBugs updated: SmartBugs has room for improvements and more
tools should be added. SmartBugs WUI should have a better error handling mechanism and we
can still provide better insights about the vulnerabilities detected, adding a better way to show the
output to the user.
66
• Deploy SmartBugs: SmartBugs WUI can be deployed as a website to be easily accessible to
the community, providing a way for developers to have access to multiple tools to test their smart
contracts using SmartBugs to automate the process.
• Update sbcurated: The dataset can grow and should be constantly updated in future to have more
contracts or even support new types of vulnerabilities. Contracts with same vulnerabilities, flagged
by 4 or more tools in the analysis done in 4.1.5 using the dataset sbwild, hint consensus on the
vulnerability and thus suggest a true positive. For example, 937 Arithmetic vulnerabilities received
a consensus of four or more tools. A manual audit of these contracts can be performed to confirm it
and, if the vulnerability exists, the contract should be properly annotated in order to be added to
sbcurated. Some of this work is already in progress, some of the contracts were already added, and
our next goal, along with improving SmartBugs WUI, is to keep updating and improving sbcurated
by adding such contracts.
• Improve SmartCheck Extension: SmartCheck Extension can be further extended by adding
new XPtah patterns to improve its capability to detect vulnerabilities on Ethereum smart contracts.
For example, SmartCheck still overlooks Denial of Service and Front Running vulnerabilities and
as poor detection capability regarding Arithmetic issues.
67
Bibliography
[1] N. Atzei, M. Bartoletti, and T. Cimoli, “A survey of attacks on ethereum smart contracts (sok),” in
Principles of Security and Trust. Springer, 2017, pp. 164–186.
[2] S. Nakamoto, “Bitcoin: A peer-to-peer electronic cash system,” https:// bitcoin.org/ bitcoin.pdf ,
2008.
[3] G. Wood et al., “Ethereum: A secure decentralised generalised transaction ledger,” Ethereum project
yellow paper, vol. 151, no. 2014, pp. 1–32, 2014.
[4] I. Nikolic, A. Kolluri, I. Sergey, P. Saxena, and A. Hobor, “Finding the greedy, prodigal, and suicidal
contracts at scale,” in Proceedings of the 34th Annual Computer Security Applications Conference.
New York, NY, USA: ACM, 2018, pp. 653–663.
[5] L. Luu, D.-H. Chu, H. Olickel, P. Saxena, and A. Hobor, “Making smart contracts smarter,” in
Proceedings of the 2016 ACM SIGSAC conference on computer and communications security. New
York, NY, USA: ACM, 2016, pp. 254–269.
[6] S. Tikhomirov, E. Voskresenskaya, I. Ivanitskiy, R. Takhaviev, E. Marchenko, and Y. Alexandrov,
“Smartcheck: Static analysis of ethereum smart contracts,” in 2018 IEEE/ACM 1st International
Workshop on Emerging Trends in Software Engineering for Blockchain (WETSEB). Gothenburg,
Sweden, Sweden: IEEE, 2018, pp. 9–16.
[7] T. Durieux, J. F. Ferreira, R. Abreu, and P. Cruz, “Empirical review of automated analysis tools on
47,587 ethereum smart contracts,” 2019, https://arxiv.org/pdf/1910.10601.
[8] M. Romiti, A. Judmayer, A. Zamyatin, and B. Haslhofer, “A deep dive into bitcoin mining pools:
An empirical analysis of mining shares,” arXiv preprint arXiv:1905.05999, 2019.
[9] N. Szabo, “Smart contracts: Building blocks for digital markets,” 1996.
[10] Ethereum, “Proof of stake,” https://github.com/ethereum/wiki/wiki/Proof-of-Stake-FAQs, 2018.
[11] NCCGroup, “Decentralized application security project (or dasp) top 10,” https://dasp.co, 2018.
69
[12] P. Daian, “Analysis of the dao exploit,” http://hackingdistributed.com/2016/06/18/
analysis-of-the-dao-exploit/, 2016.
[13] Solidity, “Solidity documentation,” https://solidity.readthedocs.io/en/v0.5.1/, 2018.
[14] A. van der Stock, B. Glas, and T. Gigler, “Owasp top 10 2017,” The Ten Most Critical Web Appli-
cation Security Risks, 2017.
[15] M. Suiche, “The $280m ethereum’s parity bug.” 2017, https://blog.comae.io/
the-280m-ethereums-bug-f28e5de43513.
[16] D. A. Manning, “Solidity security: Comprehensive list of known attack vectors and common anti-
patterns,” https://blog.sigmaprime.io/solidity-security.html, 2018.
[17] Trailofbits, “(not so) smart contracts,” https://github.com/trailofbits/not-so-smart-contracts, 2018.
[18] KingOfEther, “Post-mortem investigation (feb 2016),” https://www.kingoftheether.com/
postmortem.html.
[19] ConsenSys, “Ethereum smart contract security best practices,” https://consensys.github.io/
smart-contract-best-practices/.
[20] F. Memoria, “Smartbillions challenges hackers with 1,500 ether re-
ward, gets hacked and pulls most of it out,” https://www.ccn.com/
smartbillions-challenges-hackers-1500-ether-reward-gets-hacked-pulls/.
[21] D. K. Mikhail Vladimirov, “Erc20 api: An attack vector on approve/transferfrom methods.”
[22] I. Bogatyy, “Implementing ethereum trading front-runs on the bancor exchange in python,” https:
//hackernoon.com/front-running-bancor-in-150-lines-of-python-with-ethereum-api-d5e2bfd0d798.
[23] P. Bylica, “How to find $10m just by reading the blockchain,” https://blog.golemproject.net/
how-to-find-10m-by-just-reading-blockchain-6ae9d39fcd95.
[24] P. Cousot and R. Cousot, “Abstract interpretation: a unified lattice model for static analysis of
programs by construction or approximation of fixpoints,” in Proceedings of the 4th ACM SIGACT-
SIGPLAN symposium on Principles of programming languages. ACM, 1977, pp. 238–252.
[25] M. di Angelo and G. Salzer, “A survey of tools for analyzing ethereum smart contracts,” in 2019 IEEE
International Conference on Decentralized Applications and Infrastructures (DAPPCON). Newark,
CA, USA, USA: IEEE, April 2019, pp. 69–78.
70
[26] S. Azzopardi, J. Ellul, and G. J. Pace, “Monitoring smart contracts: Contractlarva and open chal-
lenges beyond,” in Runtime Verification, C. Colombo and M. Leucker, Eds. Cham: Springer
International Publishing, 2018, pp. 113–137.
[27] R. Norvill, B. B. F. Pontiveros, R. State, and A. Cullen, “Visual emulation for ethereum’s vir-
tual machine,” in NOMS 2018-2018 IEEE/IFIP Network Operations and Management Symposium.
Taipei, Taiwan: IEEE, 2018, pp. 1–4.
[28] Y. Zhou, D. Kumar, S. Bakshi, J. Mason, A. Miller, and M. Bailey, “Erays: Reverse engineering
ethereum’s opaque smart contracts,” in 27th USENIX Security Symposium (USENIX Security
18). Baltimore, MD: USENIX Association, Aug. 2018, pp. 1371–1385. [Online]. Available:
https://www.usenix.org/conference/usenixsecurity18/presentation/zhou
[29] H. Liu, C. Liu, W. Zhao, Y. Jiang, and J. Sun, “S-gram: towards semantic-aware security auditing
for ethereum smart contracts,” in Proceedings of the 33rd ACM/IEEE International Conference on
Automated Software Engineering. New York, NY, USA: ACM, 2018, pp. 814–819.
[30] I. Grishchenko, M. Maffei, and C. Schneidewind, “A semantic framework for the security analysis
of ethereum smart contracts,” in Principles of Security and Trust, L. Bauer and R. Kusters, Eds.
Cham: Springer International Publishing, 2018, pp. 243–269.
[31] E. Albert, P. Gordillo, B. Livshits, A. Rubio, and I. Sergey, “Ethir: A framework for high-level
analysis of ethereum bytecode,” in Automated Technology for Verification and Analysis, S. K. Lahiri
and C. Wang, Eds. Cham: Springer International Publishing, 2018, pp. 513–520.
[32] A. Mavridou and A. Laszka, “Tool demonstration: Fsolidm for designing secure ethereum smart
contracts,” in Principles of Security and Trust, L. Bauer and R. Kusters, Eds. Cham: Springer
International Publishing, 2018, pp. 270–277.
[33] T. Chen, X. Li, X. Luo, and X. Zhang, “Under-optimized smart contracts devour your money,”
in 2017 IEEE 24th International Conference on Software Analysis, Evolution and Reengineering
(SANER). Klagenfurt, Austria: IEEE, 2017, pp. 442–446.
[34] C. F. Torres, M. Steichen, and R. State, “The art of the scam: Demystifying honeypots
in ethereum smart contracts,” in 28th USENIX Security Symposium (USENIX Security
19). Santa Clara, CA: USENIX Association, Aug. 2019, pp. 1591–1607. [Online]. Available:
https://www.usenix.org/conference/usenixsecurity19/presentation/ferreira
[35] E. Hildenbrandt, M. Saxena, N. Rodrigues, X. Zhu, P. Daian, D. Guth, B. Moore, D. Park, Y. Zhang,
A. Stefanescu et al., “Kevm: A complete formal semantics of the ethereum virtual machine,” in 2018
71
IEEE 31st Computer Security Foundations Symposium (CSF). Oxford, UK: IEEE, 2018, pp. 204–
217.
[36] N. Grech, M. Kong, A. Jurisevic, L. Brent, B. Scholz, and Y. Smaragdakis, “Madmax: Surviving out-
of-gas conditions in ethereum smart contracts,” Proceedings of the ACM on Programming Languages,
vol. 2, no. OOPSLA, p. 116, 2018.
[37] M. Mossberg, F. Manzano, E. Hennenfent, A. Groce, G. Grieco, J. Feist, T. Brunson, and
A. Dinaburg, “Manticore: A user-friendly symbolic execution framework for binaries and smart
contracts,” 2019.
[38] B. Mueller, “Smashing ethereum smart contracts for fun and real profit,” in 9th Annual HITB
Security Conference (HITBSecConf). Amsterdam, Netherlands: HITB, 2018.
[39] C. F. Torres, J. Schutte et al., “Osiris: Hunting for integer bugs in ethereum smart contracts,” in
Proceedings of the 34th Annual Computer Security Applications Conference. New York, NY, USA:
ACM, 2018, pp. 664–676.
[40] M. Suiche, “Porosity: A decompiler for blockchain-based smart contracts bytecode,” DEF con,
vol. 25, p. 11, 2017.
[41] C. Liu, H. Liu, Z. Cao, Z. Chen, B. Chen, and B. Roscoe, “Reguard: finding reentrancy bugs
in smart contracts,” in Proceedings of the 40th International Conference on Software Engineering:
Companion Proceeedings. New York, NY, USA: ACM, 2018, pp. 65–68.
[42] E. Zhou, S. Hua, B. Pi, J. Sun, Y. Nomura, K. Yamashita, and H. Kurihara, “Security assurance
for smart contract,” in 2018 9th IFIP International Conference on New Technologies, Mobility and
Security (NTMS). Paris, France: IEEE, Feb 2018, pp. 1–5.
[43] J. Chang, B. Gao, H. Xiao, J. Sun, and Z. Yang, “scompile: Critical path identification and analysis
for smart contracts,” 2018.
[44] P. Tsankov, A. Dan, D. Drachsler-Cohen, A. Gervais, F. Buenzli, and M. Vechev, “Securify: Prac-
tical security analysis of smart contracts,” in Proceedings of the 2018 ACM SIGSAC Conference on
Computer and Communications Security. New York, NY, USA: ACM, 2018, pp. 67–82.
[45] J. Feist, G. Greico, and A. Groce, “Slither: A static analysis framework for smart contracts,”
in Proceedings of the 2Nd International Workshop on Emerging Trends in Software Engineering
for Blockchain, ser. WETSEB ’19. Piscataway, NJ, USA: IEEE Press, 2019, pp. 8–15. [Online].
Available: https://doi.org/10.1109/WETSEB.2019.00008
72
[46] P. Hegedus, “Towards analyzing the complexity landscape of solidity based ethereum smart con-
tracts,” Technologies, vol. 7, no. 1, p. 6, 2019.
[47] J. Krupp and C. Rossow, “teether: Gnawing at ethereum to automatically exploit smart
contracts,” in 27th USENIX Security Symposium (USENIX Security 18). Baltimore, MD: USENIX
Association, Aug. 2018, pp. 1317–1333. [Online]. Available: https://www.usenix.org/conference/
usenixsecurity18/presentation/krupp
[48] L. Brent, A. Jurisevic, M. Kong, E. Liu, F. Gauthier, V. Gramoli, R. Holz, and B. Scholz, “Vandal:
A scalable security analysis framework for smart contracts,” 2018.
[49] S. K. Lahiri, S. Chen, Y. Wang, and I. Dillig, “Formal specification and verification of smart contracts
for azure blockchain,” 2018.
[50] S. Kalra, S. Goel, M. Dhawan, and S. Sharma, “ZEUS: analyzing safety of smart contracts,” in 25th
Annual Network and Distributed System Security Symposium, NDSS 2018, San Diego, California,
USA, February 18-21, 2018. San Diego, California, USA: NDSS, 2018, pp. 1–15.
[51] I. Grishchenko, M. Maffei, and C. Schneidewind, “A semantic framework for the security analysis
of ethereum smart contracts,” in Principles of Security and Trust, L. Bauer and R. Kusters, Eds.
Cham: Springer International Publishing, 2018, pp. 243–269.
[52] D. Perez and B. Livshits, “Smart contract vulnerabilities: Does anyone care?” 2019.
[53] R. M. Parizi, A. Dehghantanha, K.-K. R. Choo, and A. Singh, “Empirical vulnerability
analysis of automated smart contracts security testing on blockchains,” in Proceedings of
the 28th Annual International Conference on Computer Science and Software Engineering,
ser. CASCON ’18. Riverton, NJ, USA: IBM Corp., 2018, pp. 103–113. [Online]. Available:
http://dl.acm.org/citation.cfm?id=3291291.3291303
73