
What are the Actual Flaws in Important Smart Contracts (And How Can We Find Them)?

  • Conference paper
  • Financial Cryptography and Data Security (FC 2020)
  • Part of the book series: Lecture Notes in Computer Science (LNSC, volume 12059)

Abstract

An important problem in smart contract security is understanding the likelihood and criticality of discovered, or potential, weaknesses in contracts. In this paper we provide a summary of Ethereum smart contract audits performed for 23 professional stakeholders, avoiding the common problem of reporting issues mostly prevalent in low-quality contracts. These audits were performed at a leading company in blockchain security, using both open-source and proprietary tools, as well as human code analysis performed by professional security engineers. We categorize 246 individual defects, making it possible to compare the severity and frequency of different vulnerability types, compare smart contract and non-smart contract flaws, and to estimate the efficacy of automated vulnerability detection approaches.

References

  1. Atzei, N., Bartoletti, M., Cimoli, T.: A survey of attacks on Ethereum smart contracts (SoK). In: Maffei, M., Ryan, M. (eds.) POST 2017. LNCS, vol. 10204, pp. 164–186. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-662-54455-6_8
  2. Bragagnolo, S.: On contract popularity analysis. https://github.com/smartanvil/smartanvil.github.io/blob/master/_posts/2018-03-14-on-contract-popularity-analysis.md
  3. Brent, L., et al.: Vandal: a scalable security analysis framework for smart contracts. CoRR, abs/1809.03981 (2018)
  4. Buterin, V.: Ethereum: a next-generation smart contract and decentralized application platform (2013). https://github.com/ethereum/wiki/wiki/White-Paper
  5. Claessen, K., Hughes, J.: QuickCheck: a lightweight tool for random testing of Haskell programs. In: International Conference on Functional Programming (ICFP), pp. 268–279 (2000)
  6. ConsenSys: Mythril: a security analysis tool for Ethereum smart contracts (2017). https://github.com/ConsenSys/mythril-classic
  7. Dika, A.: Ethereum smart contracts: security vulnerabilities and security tools. Master's thesis, NTNU (2017)
  8. Ducasse, S., Rocha, H., Bragagnolo, S., Denker, M., Francomme, C.: Smartanvil: open-source tool suite for smart contract analysis. Technical report hal-01940287, HAL (2019)
  9. Feist, J., Grieco, G., Groce, A.: Slither: a static analysis framework for smart contracts. In: International Workshop on Emerging Trends in Software Engineering for Blockchain (2019)
  10. Grishchenko, I., Maffei, M., Schneidewind, C.: Ethertrust: sound static analysis of Ethereum bytecode (2018)
  11. Grishchenko, I., Maffei, M., Schneidewind, C.: A semantic framework for the security analysis of Ethereum smart contracts (2018). arXiv:1802.08660. Accessed 12 Mar 2018
  12. Holmes, J., et al.: TSTL: the template scripting testing language. Int. J. Softw. Tools Technol. Transfer 20(1), 57–78 (2016). https://doi.org/10.1007/s10009-016-0445-y
  13. Krupp, J., Rossow, C.: teEther: gnawing at Ethereum to automatically exploit smart contracts. In: USENIX Security (2018)
  14. Luu, L., Chu, D.-H., Olickel, H., Saxena, P., Hobor, A.: Making smart contracts smarter. In: CCS 2016 (2016)
  15. MacIver, D.R.: Hypothesis: test faster, fix more, March 2013. http://hypothesis.works/
  16. Mense, A., Flatscher, M.: Security vulnerabilities in Ethereum smart contracts. In: Proceedings of the 20th International Conference on Information Integration and Web-Based Applications & Services, iiWAS2018, pp. 375–380. ACM, New York (2018)
  17. Mossberg, M., et al.: Manticore: a user-friendly symbolic execution framework for binaries and smart contracts. In: IEEE/ACM International Conference on Automated Software Engineering, accepted for publication
  18. Nikolic, I., Kolluri, A., Sergey, I., Saxena, P., Hobor, A.: Finding the greedy, prodigal, and suicidal contracts at scale. In: ACSAC (2018)
  19. Perez, D., Livshits, B.: Smart contract vulnerabilities: does anyone care? (2019)
  20. Daian, P.: Analysis of the DAO exploit, 18 June 2016. http://hackingdistributed.com/2016/06/18/analysis-of-the-dao-exploit/. Accessed 10 Jan 2019
  21. Rubio-González, C., Gunawi, H.S., Liblit, B., Arpaci-Dusseau, R.H., Arpaci-Dusseau, A.C.: Error propagation analysis for file systems. In: ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI), pp. 270–280 (2009)
  22. Tikhomirov, S., et al.: Smartcheck: static analysis of Ethereum smart contracts. In: WETSEB (2018)
  23. Saad, M., et al.: Exploring the attack surface of blockchain: a systematic overview. arXiv preprint arXiv:1904.03487 (2019)
  24. SpankChain: We got spanked: what we know so far, 8 October 2018. https://medium.com/spankchain/we-got-spanked-what-we-know-so-far-d5ed3a0f38fe. Accessed 10 Jan 2019
  25. Trail of Bits: Manticore: symbolic execution for humans (2017). https://github.com/trailofbits/manticore
  26. Trail of Bits: Echidna: Ethereum fuzz testing framework (2018). https://github.com/trailofbits/echidna
  27. Trail of Bits: Analysis of external audits (2019). https://github.com/trailofbits/publications/tree/master/datasets/smart_contract_audit_findings/other_audit_sources
  28. Trail of Bits: Smart contract audit findings (2019). https://github.com/trailofbits/publications/tree/master/datasets/smart_contract_audit_findings
  29. Trail of Bits: Trail of Bits security reviews (2019). https://github.com/trailofbits/publications#security-reviews
  30. Tsankov, P., Dan, A., Drachsler-Cohen, D., Gervais, A., Bünzli, F., Vechev, M.: Securify: practical security analysis of smart contracts. In: CCS 2018 (2018)
  31. GitHub user 3sGgpQ8H: Attack vector on ERC20 API. https://github.com/ethereum/EIPs/issues/20#issuecomment-263524729
  32. Wood, G.: Ethereum: a secure decentralised generalised transaction ledger (2014). http://gavwood.com/paper.pdf

Author information

Correspondence to Alex Groce.

Appendices

Appendix A: Raw Counts for Finding Categories

This table provides exact counts for categories, and severities within categories.

[Table a: raw counts per finding category and severity; rendered as an image in the original]

Appendix B: ChainSecurity and ConsenSys Audits

The process for analyzing findings in other companies’ audits involved 1) mapping the category of the finding to our set, and 2) translating a different formulation of worst-case impact and probability estimation into our high-low severity and difficulty classes. For more details see the full data set [27]. The first two tables show severity and difficulty distributions. The first table in each pair of tables is for ChainSecurity, and the second is for ConsenSys Diligence.

[Table b: severity and difficulty distribution, ChainSecurity audits; rendered as an image in the original]
[Table c: severity and difficulty distribution, ConsenSys Diligence audits; rendered as an image in the original]

The next two tables show absolute severity and difficulty counts for finding categories for other company audits, as in Appendix A.

[Table d: absolute severity and difficulty counts per category, ChainSecurity audits; rendered as an image in the original]
[Table e: absolute severity and difficulty counts per category, ConsenSys Diligence audits; rendered as an image in the original]

The final two tables report the estimated automated dynamic and static analysis detection potential for the categories in the other companies’ audits.

[Table f: estimated dynamic and static analysis detection potential per category, ChainSecurity audits; rendered as an image in the original]
[Table g: estimated dynamic and static analysis detection potential per category, ConsenSys Diligence audits; rendered as an image in the original]

Copyright information

© 2020 International Financial Cryptography Association

Cite this paper

Groce, A., Feist, J., Grieco, G., Colburn, M. (2020). What are the Actual Flaws in Important Smart Contracts (And How Can We Find Them)? In: Bonneau, J., Heninger, N. (eds) Financial Cryptography and Data Security. FC 2020. Lecture Notes in Computer Science, vol 12059. Springer, Cham. https://doi.org/10.1007/978-3-030-51280-4_34

  • DOI: https://doi.org/10.1007/978-3-030-51280-4_34

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-51279-8

  • Online ISBN: 978-3-030-51280-4