Abstract
Blockchain has attracted widespread attention since its inception and one of the special technologies is smart contracts. Smart contracts are programs on blockchain that act as trusted intermediary between the users and are widely used in variety of industry (e.g., IoT, supply chain management). Smart contracts can store or manipulate valuable assets which may cause huge economic losses. Unlike traditional computer programs, the code of a smart contract cannot be modified after it is deployed on the blockchain. Hence, the security analysis and vulnerability detection of the smart contract must be performed before its deployment. In this survey, we considered 15 security vulnerabilities in smart contracts and introduced the vulnerable areas and the causes of vulnerabilities. According to the methods used, we introduced the existing smart contract analysis methods and vulnerability detection tools from three aspects of static analysis, dynamic analysis and formal verification. Finally, by considering the analysis tools and security vulnerabilities, we found that a new attack cannot be detected by existing detection tools if the vulnerability without pre-defined. We recommend using machine learning methods to analyze smart contracts in combination with traditional program vulnerabilities, and find vulnerabilities that have not yet been discovered in smart contracts. In addition, many detection tools require too much resources or are too complex, so it is necessary to introduce new detection methods.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Nakamoto S.: Bitcoin: a peer-to-peer electronic cash system (2008). https://bitcoin.org/bitcoin.pdf
Ahram, T., Sargolzaei, A., Sargolzaei, S., Daniels, J., Amaba, B.: Blockchain technology innovations. In: 2017 Conference Proceedings Technology and Engineering Management Conference (TEMSCON), pp. 137–141. IEEE (2017)
Xu, X., et al.: A taxonomy of blockchain-based systems for architecture design. In: 2017 IEEE International Conference on Software Architecture (ICSA), pp. 243–252. IEEE (2017)
Peters, G., Panayi, E.: Understanding modern banking ledgers through blockchain technologies: Future of transaction processing and smart contracts on the internet of money. In: Tasca, P., Aste, T., Pelizzon, L., Perony, N. (eds.) Banking beyond banks and money, pp. 239–278. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-42448-4_13
Christidis, K., Devetsikiotis, M.: Blockchains and smart contracts for the internet of things. IEEE Access 4, 2292–2303 (2016)
Bahga, A., Madisetti, V.K.: Blockchain platform for industrial internet of things. J. Softw. Eng. Appl. 9(10), 533 (2016)
Azaria, A., Ekblaw, A., Vieira, T., Lippman, A.: Medrec: using blockchain for medical data access and permission management. In: 2016 2nd International Conference on Open and Big Data (OBD), pp. 25–30. IEEE (2016)
Mettler, M.: Blockchain technology in healthcare: the revolution starts here. In: 2016 IEEE 18th International Conference on e-Health Networking, Applications and Services (Healthcom), pp.1–3. IEEE (2016)
Ølnes, S., Ubacht, J., Janssen, M.: Blockchain in government: benefits and implications of distributed ledger technology for information sharing. Gov. Inf. Q. 34(3), 355–364 (2017)
Staples, M., et al.: Risks and opportunities for systems using blockchain and smart contracts. data61 (2017)
Abeyratne, S.A., Monfared, R.P.: Blockchain ready manufacturing supply chain using distributed ledger. Int. J. Res. Eng. Technol. 5, 1–10 (2016)
Chen, S., Shi, R., Ren, Z., Yan, J., Shi, Y., Zhang, J.: A blockchain based supply chain quality management framework. In: 2017 IEEE 14th International Conference on e-Business Engineering (ICEBE), pp. 172–176. IEEE (2017)
Bussmann, O.: The future of finance: fintech, tech disruption, and orchestrating innovation. In: Francioni, R., Schwartz, R.A. (eds.) Equity Markets in Transition, pp. 473–486. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-45848-9_19
Eyal, I.: Blockchain technology: transforming libertarian cryptocurrency dreams to finance and banking realities. Computer 50(9), 38–49 (2017)
Knirsch, F., Unterweger, A., Eibl, G., Engel, D.: Privacy-preserving smart grid tariff decisions with blockchain-based smart contracts. In: Rivera, Wilson (ed.) Sustainable Cloud and Energy Services, pp. 85–116. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-62238-5_4
Mylrea, M., Gourisetti, S.N.G.: Blockchain for smart grid resilience: exchanging distributed energy at speed, scale and security. In: 2017 Resilience Week (RWS), pp. 18–23. IEEE (2017)
Sergey, I., Hobor, A.: A concurrent perspective on smart contracts. In: Brenner, M., et al. (eds.) Financial Cryptography and Data Security, pp. 478–493. Springer International Publishing, Cham (2017). https://doi.org/10.1007/978-3-319-70278-0_30
Bocek, T., Stiller, B.: Smart contracts – blockchains in the wings. In: Linnhoff-Popien, C., Schneider, R., Zaddach, M. (eds.) Digital Marketplaces Unleashed, pp. 169–184. Springer, Heidelberg (2018). https://doi.org/10.1007/978-3-662-49275-8_19
Michaell, Y.: Building a safer crypto token (2018). https://medium.com/cybermiles/building-a-safer-crypto-token-27c96a7e78fd
Marc, P.: Blockchain technology: principles and applications (2016, Post-Print)
Tapscott, D., Tapscott, A.: Blockchain Revolution: How the technology Behind Bitcoin is Changing Money, Business, and the World. Penguin, New York (2016)
Smart Contracts Alliance—In collaboration with Deloitte. Smart Contracts: 12 Use Cases for Business & Beyond (2016). http://upyun-assets.ethfans.org/uploads/doc/file/1428a9bb86a140598ec7cb38424de632.pdf?_upd=Smart-contracts-12-use-cases-for-business-and-beyond.pdf
Tsankov, P., Dan, A., Drachsler-Cohen, D., et al.: Securify: practical security analysis of smart contracts. In: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security (CCS), pp. 67–82. Association for Computing Machinery, USA (2018)
Wood, G.: Ethereum: a secure decentralised generalised transaction ledger. Ethereum Project Yellow Paper 151, 1–32 (2014)
Atzei, N., Bartoletti, M., Cimoli, T.: A survey of attacks on ethereum smart contracts (SoK). In: Maffei, M., Ryan, M. (eds.) POST 2017. LNCS, vol. 10204, pp. 164–186. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-662-54455-6_8
Min, T., Cai, W.: A security case study for blockchain games. arXiv preprint arXiv:1906.05538 (2019)
Arias, L., Spagnuolo, F., Giordano, F., et al.: OpenZeppeli (2016). https://github.com/OpenZeppelin/openzeppelin-contracts
Nikolic, I., Kolluri, A., Sergey, I., Saxena, P., Hobor, A.: Finding ´the greedy, prodigal, and suicidal contracts at scale. arXiv preprint arXiv:1802.06038 (2018)
Luu, L., Chu, D.-H., Olickel, H., Saxena, P., Hobor, A.: Making smart contracts smarter. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, Conference Proceedings, pp. 254–269. ACM (2016)
Li, X., Jiang, P., Chen, T., Luo, X., Wen, Q.: A survey on the security of blockchain systems. Future Gener. Comput. Syst. 107, 841–853 (2017)
Ethereum Foundation. Block validation algorithm. https://github.com/ethereum/wiki/wiki#block-validation-algorithm
Feist, J., Grieco, G., Groce, A.: Slither: a static analysis framework for smart contracts. In: Proceedings of the 2nd International Workshop on Emerging Trends in Software Engineering for Blockchain, WETSEB@ICSE 2019, Montreal, QC, Canada, 27 May 2019, pp. 8–15 (2019)
Chen, T., Li, X., Luo, X., Zhang, X.: Under-optimized smart contracts devour your money. In: 2017 IEEE 24th International Conference on Software Analysis, Evolution and Reengineering (SANER), Conference Proceedings, pp. 442–446. IEEE (2017)
Torres, C.F., Schütte, J., State, R.: Osiris: hunting for integer bugs in ethereum smart contracts. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 664–676 (2018)
Pomonis, M., Petsios, T., Jee, K., Polychronakis, M., Keromytis, A.D.: IntFlow: improving the accuracy of arithmetic error detection using information flow tracking. In: Proceedings of the 30th Annual Computer Security Applications Conference, pp. 416–425 (2014)
Brent, L., et al.: Vandal: a scalable security analysis framework for smart contracts. arXiv preprint arXiv:1809.03981 (2018)
Albert, E., Gordillo, P., Livshits, B., Rubio, A., Sergey, I.: Ethir: a framework for high-level analysis of ethereum bytecode. In: Lahiri, S.K., Wang, C. (eds.) Automated Technology for Verification and Analysis: 16th International Symposium, ATVA 2018, Los Angeles, CA, USA, October 7-10, 2018, Proceedings, pp. 513–520. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-01090-4_30
Tikhomirov, S., Voskresenskaya, E., Ivanitskiy, I., Takhaviev, R., Marchenko, E., Alexandrov, Y.: Smartcheck: static analysis of ethereum smart contracts. In: 1st IEEE/ACM International Workshop on Emerging Trends in Software Engineering for Blockchain, WETSEB@ICSE 2018, Gothenburg, Sweden, May 27–June 3, 2018, pp. 9–16 (2018)
Jiang, B., Liu, Y., Chan, W.: Contractfuzzer: fuzzing smart contracts for vulnerability detection. In: Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering, pp. 259–269 (2018)
Nikolic, I., Kolluri, A., Sergey, I., Saxena, P., Hobor, A.: Finding the greedy, prodigal, and suicidal contracts at scale. In: Proceedings of the 34th Annual Computer Security Applications Conference, ACSAC 2018, San Juan, PR, USA, 03–07 December 2018, pp. 653–663 (2018)
Gao, J., Liu, H., Liu, C., et al.: Easyflow: keep ethereum away from overflow. In: Proceedings of the 41st International Conference on Software Engineering: Companion Proceedings, pp. 23–26. IEEE Press (2019)
Mavridou, A., Laszka, A.: Tool demonstration: fSolidM for designing secure ethereum smart contracts. In: Bauer, L., Küsters, R. (eds.) Principles of Security and Trust, pp. 270–277. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-89722-6_11
Breidenbach, L., Daian, P., Er, F., Juels, A.: Enter the hydra: towards principled bug bounties and exploit-resistant smart contracts. In: The Initiative for Cryptocurrencies and Contracts (IC3), vol. 2017 (2017)
Bhargavan, K., et al.: Formal verification of smart contracts: short paper. In: Proceedings of the 2016 ACM Workshop on Programming Languages and Analysis for Security, pp. 91–96 (2016)
Kosba, A., Miller, A., Shi, E., Wen, Z., Papamanthou, C.: Hawk: the blockchain model of cryptography and privacy-preserving smart contracts. In: 2016 IEEE Symposium on Security and Privacy (SP), pp. 839–858 (2016)
Cerezo Sánchez, D.: Raziel: private and verifiable smart contracts on blockchains. IACR Cryptol. ePrint Arch, pp. 1–56 (2017)
Zhang, F., Cecchetti, E., Croman, K., Juels, A., Shi, E.: Town crier: an authenticated data feed for smart contracts. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 270–282 (2016)
Kalra, S., Goel, S., Dhawan, M., Sharma, S.: ZEUS: analyzing safety of smart contracts. In: 25th Annual Network and Distributed System Security Symposium, NDSS 2018, San Diego, California, USA, 18–21 February 2018
Hildenbrandt, E., et al.: KEVM: a complete formal semantics of the ethereum virtual machine. In: 2018 IEEE 31st Computer Security Foundations Symposium (CSF), pp. 204–217 (2018)
Ellul, J., Pace, G.J.: Runtime verification of ethereum smart contracts. In: 2018 14th European Dependable Computing Conference (EDCC), pp. 158–163 (2018)
Sinnema, R., Wilde, E.: Extensible access control markup language (XACML) XML media type, Internet Eng. Task Force (IETF), pp. 1–8 ((2013))
Lattner, C., Adve, V.: LLVM: a compilation framework for lifelong program analysis & transformation. In: International Symposium on Code Generation and Optimization, CGO 2004, pp. 75–86. IEEE (2004)
Gurfinkel, A., Kahsai, T., Komuravelli, A., Navas, J.: The seahorn verification framework. In: Kroening, D., Păsăreanu, C.S. (eds.) Computer Aided Verification: 27th International Conference, CAV 2015, San Francisco, CA, USA, July 18-24, 2015, Proceedings, Part I, pp. 343–361. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-21690-4_20
Acknowledgements
This work was supported by the Hainan Provincial Natural Science Foundation of China (Grant No. 2019RC041 and 2019RC098), Research and Application Project of Key Technologies for Blockchain Cross-chain Collaborative Monitoring and Traceability for Large-scale Distributed Denial of Service Attacks, National Natural Science Foundation of China (Grant No. 61762033), Opening Project of Shanghai Trusted Industrial Control Platform (Grant No. TICPSH202003005-ZC), and Education and Teaching Reform Research Project of Hainan University (Grant No. hdjy1970).
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2021 Springer Nature Switzerland AG
About this paper
Cite this paper
Tang, X., Zhou, K., Cheng, J., Li, H., Yuan, Y. (2021). The Vulnerabilities in Smart Contracts: A Survey. In: Sun, X., Zhang, X., Xia, Z., Bertino, E. (eds) Advances in Artificial Intelligence and Security. ICAIS 2021. Communications in Computer and Information Science, vol 1424. Springer, Cham. https://doi.org/10.1007/978-3-030-78621-2_14
Download citation
DOI: https://doi.org/10.1007/978-3-030-78621-2_14
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-78620-5
Online ISBN: 978-3-030-78621-2
eBook Packages: Computer ScienceComputer Science (R0)