Static Application Security Testing (SAST) Tools for Smart Contracts: How Far Are We? (2404.18186v3)
Abstract: In recent years, the importance of smart contract security has been heightened by the increasing number of attacks against them. To address this issue, a multitude of static application security testing (SAST) tools have been proposed for detecting vulnerabilities in smart contracts. However, objectively comparing these tools to determine their effectiveness remains challenging. Existing studies often fall short because their taxonomies and benchmarks cover only a coarse and potentially outdated set of vulnerability types, which leads to evaluations that are not entirely comprehensive and may be biased. In this paper, we fill this gap by proposing an up-to-date and fine-grained taxonomy that includes 45 unique vulnerability types for smart contracts. Using it as a baseline, we develop an extensive benchmark that covers 40 distinct types and includes a diverse range of code characteristics, vulnerability patterns, and application scenarios. We then evaluated 8 SAST tools on this benchmark, which comprises 788 smart contract files and 10,394 vulnerabilities. Our results reveal that the existing SAST tools fail to detect around 50% of the vulnerabilities in our benchmark and suffer from high false positives, with precision not surpassing 10%. We also discover that combining the results of multiple tools reduces the false negative rate effectively, at the expense of flagging 36.77 percentage points more functions. Nevertheless, many vulnerabilities, especially those beyond Access Control and Reentrancy vulnerabilities, remain undetected. We finally highlight the valuable insights from our study, hoping to provide guidance on tool development, enhancement, evaluation, and selection for developers, researchers, and practitioners.
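The abstract reports tool quality as precision, false negative rate, and the share of benchmark functions a tool flags, and notes that unioning several tools lowers the false negative rate while raising the flagged-function share. The script below is an added illustration of that scoring and combination step; it is not code from the paper or its artefact. The contract files, function names, three hypothetical tools and every finding are constructed sample data, and findings are keyed as (file, function, vulnerability type) triples so that "functions flagged" can be counted the way the abstract does.

```python
"""Score SAST tool findings against a labelled benchmark and combine tools.

Added illustration, not code from the paper or its artefact: the contract
files, function names, tool names and every finding below are constructed.
A finding is a (file, function, vulnerability_type) triple, the function-level
granularity at which the abstract reports how many extra functions get flagged.
"""

# Constructed benchmark: every function in the three sample files.
BENCHMARK_FUNCTIONS = {
    ("a.sol", "withdraw"), ("a.sol", "deposit"), ("a.sol", "setOwner"), ("a.sol", "transfer"),
    ("b.sol", "claim"), ("b.sol", "roll"), ("b.sol", "view1"),
    ("c.sol", "update"), ("c.sol", "helper"), ("c.sol", "tx_forward"),
}

# Constructed ground truth: the labelled vulnerabilities in those files.
GROUND_TRUTH = {
    ("a.sol", "withdraw", "reentrancy"),
    ("a.sol", "setOwner", "access_control"),
    ("b.sol", "claim", "reentrancy"),
    ("b.sol", "roll", "bad_randomness"),
    ("c.sol", "update", "access_control"),
    ("c.sol", "tx_forward", "tx_origin"),
}

# Constructed findings for three hypothetical tools; comments mark false positives.
TOOL_FINDINGS = {
    "tool_a": {
        ("a.sol", "withdraw", "reentrancy"),
        ("a.sol", "deposit", "reentrancy"),       # false positive
        ("c.sol", "update", "access_control"),
        ("c.sol", "helper", "access_control"),    # false positive
    },
    "tool_b": {
        ("b.sol", "claim", "reentrancy"),
        ("a.sol", "withdraw", "reentrancy"),
        ("b.sol", "view1", "reentrancy"),         # false positive
    },
    "tool_c": {
        ("b.sol", "roll", "bad_randomness"),
        ("a.sol", "setOwner", "access_control"),
        ("a.sol", "transfer", "bad_randomness"),  # false positive
        ("c.sol", "helper", "access_control"),    # false positive
    },
}


def score(findings, truth=GROUND_TRUTH, functions=BENCHMARK_FUNCTIONS):
    """Compare one finding set with the ground truth.

    Returns TP/FP/FN counts, precision, false negative rate (FN / all labelled
    vulnerabilities), the share of benchmark functions that received at least
    one flag, and the list of labelled vulnerabilities that were missed.
    """
    tp = findings & truth
    fp = findings - truth
    fn = truth - findings
    flagged = {(path, func) for path, func, _ in findings}
    return {
        "tp": len(tp),
        "fp": len(fp),
        "fn": len(fn),
        "precision": len(tp) / len(findings) if findings else 0.0,
        "fnr": len(fn) / len(truth),
        "flagged_rate": len(flagged) / len(functions),
        "missed": sorted(fn),
    }


def combine(tool_names, findings_by_tool=TOOL_FINDINGS):
    """Union the findings of several tools: a triple counts if any tool reports it."""
    merged = set()
    for name in tool_names:
        merged |= findings_by_tool[name]
    return merged


def tradeoff(tool_names, baseline, findings_by_tool=TOOL_FINDINGS):
    """FNR before/after unioning tools, and the extra flagged functions in percentage points."""
    before = score(findings_by_tool[baseline])
    after = score(combine(tool_names, findings_by_tool))
    return {
        "fnr_before": before["fnr"],
        "fnr_after": after["fnr"],
        "extra_flagged_pp": 100.0 * (after["flagged_rate"] - before["flagged_rate"]),
        "still_missed": after["missed"],
    }


if __name__ == "__main__":
    for name, findings in TOOL_FINDINGS.items():
        s = score(findings)
        print(f"{name}: precision={s['precision']:.2f} fnr={s['fnr']:.2f} "
              f"flagged={s['flagged_rate']:.2f}")
    t = tradeoff(list(TOOL_FINDINGS), "tool_a")
    print(f"union of all tools vs tool_a: fnr {t['fnr_before']:.2f} -> {t['fnr_after']:.2f}, "
          f"+{t['extra_flagged_pp']:.1f} pp functions flagged, still missed: {t['still_missed']}")
```

On the constructed data each single tool finds two of the six labelled vulnerabilities, while the union of all three finds five but flags nine of the ten functions; the one vulnerability no tool reports (the `tx_origin` case) survives the union, which is the situation the abstract describes for types outside Access Control and Reentrancy.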
Authors: Kaixuan Li, Yue Xue, Sen Chen, Han Liu, Kairan Sun, Ming Hu, Haijun Wang, Yang Liu, Yixiang Chen