Assessing Vulnerability in Smart Contracts: The Role of Code Complexity Metrics in Security Analysis

Abstract: Codes with specific characteristics are more exposed to security vulnerabilities. Studies have revealed that codes that do not adhere to best practices are more challenging to verify and maintain, increasing the likelihood of unnoticed or unintentionally introduced vulnerabilities. Given the crucial role of smart contracts in blockchain systems, ensuring their security and conducting thorough vulnerability analysis is critical. This study investigates the use of code complexity metrics as indicators of vulnerable code in Solidity smart contracts. We highlight the significance of complexity metrics as valuable complementary features for vulnerability assessment and provide insights into the individual power of each metric. By analyzing 21 complexity metrics, we explored their interrelation, association with vulnerability, discriminative power, and mean values in vulnerable versus neutral codes. The results revealed some high correlations and potential redundancies among certain metrics, but weak correlations between each independent metric and vulnerability. Nevertheless, we found that all metrics can effectively discriminate between vulnerable and neutral codes, and most complexity metrics, except for three, exhibited higher values in vulnerable codes.