Papers
Topics
Authors
Recent
Gemini 2.5 Flash
Gemini 2.5 Flash
167 tokens/sec
GPT-4o
7 tokens/sec
Gemini 2.5 Pro Pro
42 tokens/sec
o3 Pro
4 tokens/sec
GPT-4.1 Pro
38 tokens/sec
DeepSeek R1 via Azure Pro
28 tokens/sec
2000 character limit reached

Vulnerabilities of smart contracts and mitigation schemes: A Comprehensive Survey (2403.19805v2)

Published 28 Mar 2024 in cs.CR

Abstract: Ethereum smart contracts are highly powerful, immutable, and able to retain massive amounts of tokens. However, smart contracts keep attracting attackers to benefit from smart contract flaws and Ethereum unexpected behavior. Thus, methodologies and tools have been proposed to help implement secure smart contracts and to evaluate the security of smart contracts already deployed. Most related surveys focus on tools without discussing the logic behind them. in addition, they assess the tools based on papers rather than testing the tools and collecting community feedback. Other surveys lack guidelines on how to use tools specific to smart contract functionalities. This paper presents a literature review combined with an experimental report that aims to assist developers in developing secure smarts, with a novel emphasis on the challenges and vulnerabilities introduced by NFT fractionalization by addressing the unique risks of dividing NFT ownership into tradeable units called fractions. It provides a list of frequent vulnerabilities and corresponding mitigation solutions. In addition, it evaluates the community most widely used tools by executing and testing them on sample smart contracts. Finally, a comprehensive guide on implementing secure smart contracts is presented.

Definition Search Book Streamline Icon: https://streamlinehq.com
References (107)
  1. “Ethereum charts and statistics — etherscan.” https://etherscan.io/stat/supply, 2022. Accessed: 2023-05-31.
  2. B. Buterin, “Ethereum white papee,” https://ethereum.org/en/whitepaper/, 2014.
  3. S. Team, “Solidity official website .” https://soliditylang.org/, 2022. Accessed: 2022-10-02.
  4. J. Aki, “Blockchain attack: Level finance announces loss of $1m from smart contract security breach.” https://insidebitcoins.com/news/blockchain-attack-level-finance-announces-loss-of-1m-from-smart-contract-security-breach. Accessed: 2023-05-10.
  5. L. Luu, D.-H. Chu, H. Olickel, P. Saxena, and A. Hobor, “Making smart contracts smarter,” in Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, (New York, NY, USA), Association for Computing Machinery, 2016.
  6. J. Feist, G. Grieco, and A. Groce, “Slither: A static analysis framework for smart contracts,” in 2019 IEEE/ACM 2nd International Workshop on Emerging Trends in Software Engineering for Blockchain (WETSEB), IEEE, may 2019.
  7. B. Mueller, “Smashing ethereum smart contracts for fun and real profit.” https://conference.hitb.org/hitbsecconf2018ams/materials/WHITEPAPERS/WHITEPAPER%20-%20Bernhard%20Mueller%20-%20Smashing%20Ethereum%20Smart%20Contracts%20for%20Fun%20and%20ACTUAL%20Profit.pdf, 2018.
  8. M. Mossberg, F. Manzano, E. Hennenfent, A. Groce, G. Grieco, J. Feist, T. Brunson, and A. Dinaburg, “Manticore: A user-friendly symbolic execution framework for binaries and smart contracts,” in Proceedings of the 34th IEEE/ACM International Conference on Automated Software Engineering, pp. 1186–1189, 11 2019.
  9. G. Grieco, W. Song, A. Cygan, J. Feist, and A. Groce, “Echidna: Effective, usable, and fast fuzzing for smart contracts,” in Proceedings of the 29th ACM SIGSOFT International Symposium on Software Testing and Analysis, ISSTA 2020, (New York, NY, USA), p. 557–560, Association for Computing Machinery, 2020.
  10. V. Garousi, M. Felderer, and M. V. Mäntylä, “The need for multivocal literature reviews in software engineering: Complementing systematic literature reviews with grey literature,” in Proceedings of the 20th International Conference on Evaluation and Assessment in Software Engineering, EASE ’16, (New York, NY, USA), Association for Computing Machinery, 2016.
  11. B. Kitchenham, O. Pearl Brereton, D. Budgen, M. Turner, J. Bailey, and S. Linkman, “Systematic literature reviews in software engineering – a systematic literature review,” Information and Software Technology, vol. 51, no. 1, pp. 7–15, 2009.
  12. anonymous authors, “Dforce network - rekt.” https://rekt.news/dforce-network-rekt/. Accessed: 2023-10-05.
  13. T. Claburn, “Thief milks cream finance for $18m+ in cryptocurrency after spotting security bug.” https://www.theregister.com/2021/08/31/cream_finance_theft/. Accessed: 2022-04-24.
  14. quadrigainitiative, “Description of events.” https://www.quadrigainitiative.com/casestudy/sirenmarketreentrancybug.php. Accessed: 2022-04-24.
  15. M. Wohrer and U. Zdun, “Smart contracts: security patterns in the ethereum ecosystem and solidity,” in 2018 International Workshop on Blockchain Oriented Software Engineering (IWBOSE), pp. 2–8, 2018.
  16. openzeppelin, “openzeppelin security.” https://docs.openzeppelin.com/contracts/4.x/api/security#ReentrancyGuard. Accessed: 2022-04-20.
  17. P. Daian, S. Goldfeder, T. Kell, Y. Li, X. Zhao, I. Bentov, L. Breidenbach, and A. Juels, “Flash boys 2.0: Frontrunning in decentralized exchanges, miner extractable value, and consensus instability,” in 2020 IEEE Symposium on Security and Privacy (SP), pp. 910–927, 2020.
  18. S. Tikhomirov, E. Voskresenskaya, I. Ivanitskiy, R. Takhaviev, E. Marchenko, and Y. Alexandrov, “Smartcheck: Static analysis of ethereum smart contracts,” in Proceedings of the 1st International Workshop on Emerging Trends in Software Engineering for Blockchain, WETSEB ’18, (New York, NY, USA), p. 9–16, Association for Computing Machinery, 2018.
  19. nist, “Cve-2018-10299 detail.” https://nvd.nist.gov/vuln/detail/CVE-2018-10299. Accessed: 2022-04-20.
  20. W. Chen, Z. Zheng, E. C.-H. Ngai, P. Zheng, and Y. Zhou, “Exploiting blockchain data to detect smart ponzi schemes on ethereum,” IEEE Access, vol. 7, pp. 37575–37586, 2019.
  21. S. S. Kushwaha, S. Joshi, D. Singh, M. Kaur, and H.-N. Lee, “Systematic review of security vulnerabilities in ethereum blockchain smart contract,” IEEE Access, vol. 10, pp. 6605–6621, 2022.
  22. kingoftheether, “Post-mortem investigation (feb 2016).” https://www.kingoftheether.com/postmortem.html. Accessed: 2022-04-20.
  23. openzeppelin, “openzeppelin the parity wallet hack explained.” https://blog.openzeppelin.com/on-the-parity-wallet-multisig-hack-405a8c12e8f7/. Accessed: 2022-04-20.
  24. N. Atzei, M. Bartoletti, and T. Cimoli, “A survey of attacks on ethereum smart contracts (sok),” in Principles of Security and Trust (M. Maffei and M. Ryan, eds.), (Berlin, Heidelberg), pp. 164–186, Springer Berlin Heidelberg, 2017.
  25. X. Liu, R. Chen, Y.-W. Chen, and S.-M. Yuan, “Off-chain data fetching architecture for ethereum smart contract,” in 2018 International Conference on Cloud Computing, Big Data and Blockchain (ICCBB), pp. 1–4, 2018.
  26. D. Boneh and M. Naor, “Timed commitments,” in Advances in Cryptology — CRYPTO 2000, CRYPTO ’00, (Berlin, Heidelberg), p. 236–254, Springer-Verlag, 2000.
  27. randao, “randao github.” https://github.com/randao/randao. Accessed: 2022-04-20.
  28. Chainlink, “Chainlink vrf.” https://docs.chain.link/vrf, 2023. Accessed: 2024-01-02.
  29. N. Fatima Samreen and M. H. Alalfi, “Reentrancy vulnerability identification in ethereum smart contracts,” in 2020 IEEE International Workshop on Blockchain Oriented Software Engineering (IWBOSE), pp. 22–29, 2020.
  30. M. Kaleem, A. Mavridou, and A. Laszka, “Vyper: A security comparison with solidity based on common vulnerabilities,” in 2020 2nd Conference on Blockchain Research & Applications for Innovative Networks and Services (BRAINS), pp. 107–111, 2020.
  31. B. Jiang, Y. Liu, and W. Chan, “Contractfuzzer: Fuzzing smart contracts for vulnerability detection,” in 2018 33rd IEEE/ACM International Conference on Automated Software Engineering (ASE), pp. 259–269, 2018.
  32. S. Kalra, S. Goel, M. Dhawan, and S. Sharma, “Zeus: Analyzing safety of smart contracts,” in 25th Annual Network and Distributed System Security Symposium, NDSS 2018, San Diego, California, USA, February 18-21, 2018, 01 2018.
  33. C. Liu, H. Liu, Z. Cao, Z. Chen, B. Chen, and B. Roscoe, “Reguard: Finding reentrancy bugs in smart contracts,” in Proceedings of the 40th International Conference on Software Engineering: Companion Proceeedings, ICSE ’18, (New York, NY, USA), p. 65–68, Association for Computing Machinery, 2018.
  34. A. López Vivar, A. L. Sandoval Orozco, and L. J. García Villalba, “A security framework for ethereum smart contracts,” Computer Communications, vol. 172, pp. 119–129, 2021.
  35. A. Dika and M. Nowostawski, “Security vulnerabilities in ethereum smart contracts,” in 2018 IEEE International Conference on Internet of Things (iThings) and IEEE Green Computing and Communications (GreenCom) and IEEE Cyber, Physical and Social Computing (CPSCom) and IEEE Smart Data (SmartData), pp. 955–962, 2018.
  36. T. Krupa, M. Ries, I. Kotuliak, K. Košťál, and R. Bencel, “Security issues of smart contracts in ethereum platforms,” in 2021 28th Conference of Open Innovations Association (FRUCT), pp. 208–214, 2021.
  37. A. Mense and M. Flatscher, “Security vulnerabilities in ethereum smart contracts,” in Proceedings of the 20th International Conference on Information Integration and Web-Based Applications & Services, iiWAS2018, (New York, NY, USA), p. 375–380, Association for Computing Machinery, 2018.
  38. F. Contro, M. Crosara, M. Ceccato, and M. D. Preda, “Ethersolve: Computing an accurate control-flow graph from ethereum bytecode,” 2021.
  39. P. Tsankov, A. Dan, D. Drachsler-Cohen, A. Gervais, F. Bünzli, and M. Vechev, “Securify: Practical security analysis of smart contracts,” in Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, (New York, NY, USA), Association for Computing Machinery, 2018.
  40. M. Wöhrer and U. Zdun, “Design patterns for smart contracts in the ethereum ecosystem,” in 2018 IEEE International Conference on Internet of Things (iThings) and IEEE Green Computing and Communications (GreenCom) and IEEE Cyber, Physical and Social Computing (CPSCom) and IEEE Smart Data (SmartData), pp. 1513–1520, 2018.
  41. C. F. Torres, J. Schütte, and R. State, “Osiris: Hunting for integer bugs in ethereum smart contracts,” in Proceedings of the 34th Annual Computer Security Applications Conference, ACSAC ’18, (New York, NY, USA), p. 664–676, Association for Computing Machinery, 2018.
  42. N. Grech, M. Kong, A. Jurisevic, L. Brent, B. Scholz, and Y. Smaragdakis, “Madmax: Surviving out-of-gas conditions in ethereum smart contracts,” Proc. ACM Program. Lang., vol. 2, no. OOPSLA, 2018.
  43. L. Brent, N. Grech, S. Lagouvardos, B. Scholz, and Y. Smaragdakis, “Ethainter: A smart contract security analyzer for composite vulnerabilities,” in Proceedings of the 41st ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI 2020, (New York, NY, USA), p. 454–469, Association for Computing Machinery, 2020.
  44. swcregistry, “Smart contract weakness classification and test cases.” https://swcregistry.io/. Accessed: 2022-04-02.
  45. securing, “Smart contract security verification standard.” https://github.com/securing/SCSVS. Accessed: 2022-04-02.
  46. W. Wögerer and T. U. Wien, “A survey of static program analysis techniques,” 2005.
  47. owasp, “Static code analysis.” https://owasp.org/www-community/controls/Static_Code_Analysis. Accessed: 2022-04-02.
  48. nist, “Opcodes for the evm.” https://ethereum.org/en/developers/docs/evm/opcodes/. Accessed: 2023-05-09.
  49. G. Wood et al., “Ethereum: A secure decentralised generalised transaction ledger,” Ethereum project yellow paper, vol. 151, no. 2014, pp. 1–32, 2014.
  50. F. Contro, M. Crosara, M. Ceccato, and M. D. Preda, “Ethersolve: Computing an accurate control-flow graph from ethereum bytecode,” CoRR, vol. abs/2103.09113, 2021.
  51. J. C. King, “Symbolic execution and program testing,” Commun. ACM, vol. 19, p. 385–394, jul 1976.
  52. C. Barrett and C. Tinelli, “Satisfiability modulo theories,” in Handbook of model checking, pp. 305–343, Springer, 2018.
  53. H. Wang, Y. Li, S.-W. Lin, C. Artho, L. Ma, and Y. Liu, “Oracle-supported dynamic exploit generation for smart contracts,” 2019.
  54. S. Amani, M. Bégel, M. Bortin, and M. Staples, “Towards verifying ethereum smart contract bytecode in isabelle/hol,” in Proceedings of the 7th ACM SIGPLAN International Conference on Certified Programs and Proofs, CPP 2018, (New York, NY, USA), p. 66–77, Association for Computing Machinery, 2018.
  55. D. Annenkov, J. B. Nielsen, and B. Spitters, “ConCert: a smart contract certification framework in coq,” in Proceedings of the 9th ACM SIGPLAN International Conference on Certified Programs and Proofs, ACM, jan 2020.
  56. A. Permenev, D. Dimitrov, P. Tsankov, D. Drachsler-Cohen, and M. Vechev, “Verx: Safety verification of smart contracts,” in 2020 IEEE Symposium on Security and Privacy (SP), pp. 1661–1677, 2020.
  57. ethereum, “Act formal specification.” https://ethereum.github.io/act/. Accessed: 2022-04-20.
  58. “Blockchain security & ethereum smart contract audits.” {https://consensys.net/diligence/}, note = Accessed: 2022-05-12, Year = 2022, author=consensys.
  59. L. Brent, N. Grech, S. Lagouvardos, B. Scholz, and Y. Smaragdakis, “Ethainter: A smart contract security analyzer for composite vulnerabilities,” in Proceedings of the 41st ACM SIGPLAN Conference on Programming Language Design and Implementation, p. 454–469, 2020.
  60. E. Hildenbrandt, M. Saxena, N. Rodrigues, X. Zhu, P. Daian, D. Guth, B. Moore, D. Park, Y. Zhang, A. Stefanescu, and G. Rosu, “Kevm: A complete formal semantics of the ethereum virtual machine,” in 2018 IEEE 31st Computer Security Foundations Symposium (CSF), pp. 204–217, 2018.
  61. Springer-Verlag, 09 2021.
  62. I. Nikolić, A. Kolluri, I. Sergey, P. Saxena, and A. Hobor, “Finding the greedy, prodigal, and suicidal contracts at scale,” in Proceedings of the 34th Annual Computer Security Applications Conference, (New York, NY, USA), Association for Computing Machinery, 2018.
  63. J. Ellul and G. J. Pace, “Runtime verification of ethereum smart contracts,” in 2018 14th European Dependable Computing Conference (EDCC), pp. 158–163, 2018.
  64. V. Wüstholz and M. Christakis, “Harvey: A greybox fuzzer for smart contracts,” in Proceedings of the 28th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, (New York, NY, USA), p. 1398–1409, Association for Computing Machinery, 2020.
  65. C. Liu, H. Liu, Z. Cao, Z. Chen, B. Chen, and A. W. Roscoe, “Reguard: Finding reentrancy bugs in smart contracts,” 2018 IEEE/ACM 40th International Conference on Software Engineering: Companion (ICSE-Companion), pp. 65–68, 2018.
  66. Springer International Publishing, 04 2018.
  67. crytic, “slither tool github.” https://github.com/crytic/slither. Accessed: 2023-05-31.
  68. CONSENSYS, “Mythx officil website.” https://mythx.io/. Accessed: 2022-03-28.
  69. ConsenSys, “mythril tool github.” https://github.com/ConsenSys/mythril. Accessed: 2023-05-31.
  70. crytic, “Echidna tool github.” https://github.com/crytic/echidna. Accessed: 2023-05-31.
  71. trailofbits, “manticore tool github.” https://github.com/trailofbits/manticore. Accessed: 2023-05-31.
  72. eth sri, “securify2 tool github.” https://github.com/eth-sri/securify2. Accessed: 2023-05-31.
  73. runtimeverification, “Kevm tool github.” https://github.com/runtimeverification/evm-semantics. Accessed: 2023-05-31.
  74. smartdec, “smartcheck tool github.” https://github.com/smartdec/smartcheck. Accessed: 2023-05-31.
  75. nevillegrech, “Madmax tool github.” https://github.com/nevillegrech/MadMax. Accessed: 2023-05-31.
  76. J. J. Honig, M. H. Everts, and M. Huisman, “Practical mutation testing for smart contracts,” in Data Privacy Management, Cryptocurrencies and Blockchain Technology, pp. 289–303, Springer International Publishing, 2019.
  77. JoranHonig, “vertigo tool github.” https://github.com/JoranHonig/vertigo. Accessed: 2023-05-31.
  78. SeUniVr, “Ethersolve tool github.” https://github.com/SeUniVr/EtherSolve. Accessed: 2022-03-28.
  79. pventuzelo, “octopus tool github.” https://github.com/pventuzelo/octopus. Accessed: 2023-05-31.
  80. enzymefinance, “Oyente tool github.” https://github.com/enzymefinance/oyente. Accessed: 2023-05-2023.
  81. openzeppelin, “erc20-verifier.” https://erc20-verifier.openzeppelin.com/. Accessed: 2022-04-11.
  82. raineorshine, “solgraph tool github.” https://github.com/raineorshine/solgraph. Accessed: 2023-05-31.
  83. christoftorres, “Osiris tool github.” https://github.com/christoftorres/Osiris. Accessed: 2023-05-23.
  84. “Programming z3.” http://theory.stanford.edu/~nikolaj/programmingz3.html, 2022. Accessed: 2022-04-17.
  85. SmartContractSecurity, “Swc-101 test case.” https://swcregistry.io/docs/SWC-101#integer-overflow-mapping-sym-1sol. Accessed: 2022-04-02.
  86. Springer-Verlag, 12 2020.
  87. crytic, “slither list of vulnerabilities.” https://github.com/crytic/slither#detectors. Accessed: 2022-04-02.
  88. crytic, “Slither erc conformance.” https://github.com/crytic/slither/wiki/ERC-Conformance. Accessed: 2022-04-20.
  89. crytic, “Crytic website.” https://www.crytic.io/. Accessed: 2022-03-30.
  90. ConsenSys, “mythril modules.” https://mythril-classic.readthedocs.io/en/master/module-list.html. Accessed: 2022-06-11.
  91. ConsenSys, “Mythx and continuous integration (part 1): Circleci.” https://blog.mythx.io/howto/mythx-and-continuous-integration-part-1-circleci/. Accessed: 2022-05-11.
  92. trailofbits, “Category archives: Manticore.” https://blog.trailofbits.com/category/manticore/. Accessed: 2022-04-22.
  93. trailofbits, “List of ethereum detectors.” https://github.com/trailofbits/manticore/wiki/Ethereum-Detectors. Accessed: 2022-06-11.
  94. “Quickcheck: Automatic testing of haskell programs.” https://hackage.haskell.org/package/QuickCheck. Accessed: 2023-05-31.
  95. trailofbits, “Echidna, a smart fuzzer for ethereum.” https://blog.trailofbits.com/2018/03/09/echidna-a-smart-fuzzer-for-ethereum/. Accessed: 2023-05-31.
  96. crytic, “Testing a property with echidna.” https://github.com/crytic/building-secure-contracts/blob/master/program-analysis/echidna/introduction/how-to-test-a-property.md. Accessed: 2023-05-31.
  97. ethereum, “Smart contract security checklist.” https://ethereum.org/fr/developers/tutorials/secure-development-workflow/. Accessed: 2022-04-22.
  98. vscode, “Solidity visual developer.” https://marketplace.visualstudio.com/items?itemName=tintinweb.solidity-visual-auditor. Accessed: 2022-04-22.
  99. manticore, “Property based symbolic executor: manticore-verifier.” https://manticore.readthedocs.io/en/latest/verifier.html. Accessed: 2022-04-22.
  100. S. S. Kushwaha, S. Joshi, D. Singh, M. Kaur, and H.-N. Lee, “Ethereum smart contract analysis tools: A systematic review,” IEEE Access, vol. 10, pp. 57037–57062, 2022.
  101. M. di Angelo and G. Salzer, “A survey of tools for analyzing ethereum smart contracts,” in 2019 IEEE International Conference on Decentralized Applications and Infrastructures (DAPPCON), pp. 69–78, 2019.
  102. D. Harz and W. J. Knottenbelt, “Towards safer smart contracts: A survey of languages and verification methods,” CoRR, vol. abs/1809.09805, 2018.
  103. X. Li, P. Jiang, T. Chen, X. Luo, and Q. Wen, “A survey on the security of blockchain systems,” Future Generation Computer Systems, vol. 107, pp. 841–853, 2020.
  104. M. Saad, J. Spaulding, L. Njilla, C. Kamhoua, S. Shetty, D. Nyang, and D. Mohaisen, “Exploring the attack surface of blockchain: A comprehensive survey,” IEEE Communications Surveys & Tutorials, vol. PP, pp. 1–1, 03 2020.
  105. H. Chen, M. Pendleton, L. Njilla, and S. Xu, “A survey on ethereum systems security: Vulnerabilities, attacks, and defenses,” ACM Comput. Surv., vol. 53, no. 3, 2020.
  106. L.-H. Zhu, B.-K. Zheng, M. Shen, F. Gao, H.-Y. Li, and K.-X. Shi, “Data security and privacy in bitcoin system: A survey,” Journal of Computer Science and Technology, vol. 35, pp. 843–862, jul 2018.
  107. T. Durieux, J. F. Ferreira, R. Abreu, and P. Cruz, “Empirical review of automated analysis tools on 47, 587 ethereum smart contracts,” CoRR, vol. abs/1910.10601, 2019.
Citations (1)
View on Semantic Scholar

Summary

We haven't generated a summary for this paper yet.

Ai Sparkles Streamline Icon: https://streamlinehq.com Summarize Now
X Twitter Logo Streamline Icon: https://streamlinehq.com

Tweets