Authors:
(1) ZHIYUAN WEI, Beijing Institute of Technology, China;
(2) JING SUN, University of Auckland, New Zealand;
(3) ZIJIAN ZHANG, Beijing Institute of Technology, China;
(4) XIANHAO ZHANG, Beijing Institute of Technology, China;
(5) XIAOXUAN YANG, Beijing Institute of Technology, China;
(6) LIEHUANG ZHU, Beijing Institute of Technology, China.
7 CONCLUSIONS
The adoption of smart contract technology is rapidly increasing, leading to significant research efforts focused on enhancing smart contract security. In this survey, we have conducted a comprehensive study of smart contract security, encompassing vulnerabilities, attacks, defenses, and tool support. Our analysis has contributed novel classifications of common vulnerability types and attack patterns, with a specific focus on the connections between them. Additionally, we have investigated defense methodologies aimed at mitigating the risks associated with these vulnerabilities. Moreover, we have conducted experiments using 12 open-source vulnerability-detection tools and applied weighting-based assessment criteria to evaluate their accuracy, performance, and overall effectiveness. This evaluation provides valuable insights into the capabilities and limitations of the representative tools in the field, helping researchers and practitioners select the most suitable options. Additionally, we have created an annotated dataset comprising 110 smart contracts, serving as a standardized benchmark for thorough evaluations of smart contract analysis tools. This dataset facilitates comparative studies and enables researchers to assess how well different tools detect vulnerabilities and improve overall security. These findings emphasize the critical importance of continuous research and development in the field of smart contract security.
However, the smart contract landscape is evolving rapidly, with new functionalities and protocols leading to the emergence of new security vulnerabilities. To make smart contract languages more robust, it is crucial to continue investing in research and development. For instance, there has been growing interest in using programming languages other than Solidity for smart contract development. Languages like Go and Rust have gained attention due to their stronger syntax and logical soundness, offering potential solutions to some of the security issues associated with Solidity. Furthermore, there is a need for more powerful analysis tools capable of identifying dynamic or logic errors within smart contracts. Existing tools primarily focus on known vulnerabilities and attacks, while effective methodologies for dealing with unknown attacks are still limited. Thus, protecting smart contracts from unknown attacks poses a significant challenge for future research. Additionally, developing automated approaches for repairing vulnerable smart contracts after deployment could prove to be a fruitful direction. In conclusion, the security of smart contracts remains an ongoing concern that demands continuous attention and innovation to address evolving threats.
ACKNOWLEDGMENTS
This work is supported by the National Key Research and Development Program of China under grant No. 2021YFB2701202, the National Natural Science Foundation of China (NSFC) under grant No. 62172040, and the Anhui Provincial Natural Science Foundation under grant No. 2008085MF196.
[134] Wei Wang, Jingjing Song, Guangquan Xu, Yidong Li, Hao Wang, and Chunhua Su. 2021. ContractWard: Automated Vulnerability Detection Models for Ethereum Smart Contracts. IEEE Trans. Netw. Sci. Eng. 8, 2 (2021), 1133–1144.
[135] Xinming Wang, Jiahao He, Zhijian Xie, Gansen Zhao, and Shing-Chi Cheung. 2020. ContractGuard: Defend Ethereum Smart Contracts with Embedded Intrusion Detection. IEEE Trans. Serv. Comput. 13, 2 (2020), 314–328.
[136] Gavin Wood et al. 2014. Ethereum: A secure decentralised generalised transaction ledger. Ethereum project yellow paper 151, 2014 (2014), 1–32.
[137] Valentin Wüstholz and Maria Christakis. 2020. Harvey: a greybox fuzzer for smart contracts. In ESEC/FSE ’20: 28th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering, Virtual Event, USA, November 8-13, 2020. ACM, 1398–1409.
[138] ZenGo. 2020. Bancor smart contracts vulnerability: It’s not over. https://zengo.com/bancor-smart-contracts-vulnerability-its-not-over/
[139] Fan Zhang, Ethan Cecchetti, Kyle Croman, Ari Juels, and Elaine Shi. 2016. Town crier: An authenticated data feed for smart contracts. In Proceedings of the 2016 aCM sIGSAC conference on computer and communications security. 270–282.
[140] Luyao Zhang, Tianyu Wu, Saad Lahrichi, Carlos-Gustavo Salas-Flores, and Jiayi Li. 2022. A Data Science Pipeline for Algorithmic Trading: A Comparative Study of Applications for Finance and Cryptoeconomics. In IEEE International Conference on Blockchain, Blockchain 2022, Espoo, Finland, August 22-25, 2022. IEEE, 298–303.
[141] Gavin Zheng, Longxiang Gao, Liqun Huang, and Jian Guan. 2021. Ethereum Smart Contract Development in Solidity. Springer.
[142] Wei Zheng, Jialiang Gao, Xiaoxue Wu, Fengyu Liu, Yuxing Xun, Guoliang Liu, and Xiang Chen. 2020. The impact factors on the performance of machine learning-based vulnerability detection: A comparative study. J. Syst. Softw. 168 (2020), 110659.
[143] Zibin Zheng, Shaoan Xie, Hong-Ning Dai, Weili Chen, Xiangping Chen, Jian Weng, and Muhammad Imran. 2020. An overview on smart contracts: Challenges, advances and platforms. Future Generation Computer Systems 105 (2020), 475–491.
[144] Liyi Zhou, Kaihua Qin, Christof Ferreira Torres, Duc Viet Le, and Arthur Gervais. 2021. High-Frequency Trading on Decentralized On-Chain Exchanges. In 42nd IEEE Symposium on Security and Privacy, SP 2021, San Francisco, CA, USA, 24-27 May 2021. IEEE, 428–445.
[145] Shunfan Zhou, Malte Möser, Zhemin Yang, Ben Adida, Thorsten Holz, Jie Xiang, Steven Goldfeder, Yinzhi Cao, Martin Plattner, Xiaojun Qin, et al. 2020. An ever-evolving game: Evaluation of real-world attacks and defenses in ethereum ecosystem. In 29th USENIX Security Symposium (USENIX Security 20). 2793–2810.
[146] Yuan Zhuang, Zhenguang Liu, Peng Qian, Qi Liu, Xiang Wang, and Qinming He. 2020. Smart Contract Vulnerability Detection using Graph Neural Network. In Proceedings of the Twenty-Ninth International Joint Conference on Artificial Intelligence, IJCAI 2020. ijcai.org, 3283–3290.
This paper is available on arxiv under CC 4.0 license.