Security Analysis of Smart Contracts

Blogs

Visualization Tools

  • ethereum-graph-debugger - A graphical EVM debugger. Displays the entire program control flow graph.
  • Slither - Maps method visibility and modifiers, the state variables that are read and written, and calls, and can print the inheritance graph of a smart contract.
  • Solgraph - Generates DOT graphs showing the function control flow of a Solidity contract.

Verification Tools

  • KEVM - K Semantics of the Ethereum Virtual Machine (EVM)
  • Manticore - Symbolic execution tool for EVM

Misc

Journal list

  • IEEE Transactions on Information Forensics and Security [web]
  • ACM Transactions on Information and System Security [web]
  • IEEE Security & Privacy [web]
  • IEEE Transactions on Dependable and Secure Computing [web]

Papers

[1]Rachit Agarwal, Tanmay Thapliyal, and Sandeep Kumar Shukla. 2022. Vulnerability and Transaction Behavior Based Detection of Malicious Smart Contracts. In Cyberspace Safety and Security (Lecture Notes in Computer Science), Springer International Publishing, Cham, 79–96. DOI:https://doi.org/10.1007/978-3-030-94029-4_6

[2]Elvira Albert, Jesús Correas, Pablo Gordillo, Guillermo Román-Díez, and Albert Rubio. 2019. SAFEVM: a safety verifier for Ethereum smart contracts. In Proceedings of the 28th ACM SIGSOFT International Symposium on Software Testing and Analysis. Association for Computing Machinery, New York, NY, USA, 386–389. Retrieved February 26, 2022 from https://doi.org/10.1145/3293882.3338999

[3]Monika di Angelo and Gernot Salzer. 2019. A Survey of Tools for Analyzing Ethereum Smart Contracts. In 2019 IEEE International Conference on Decentralized Applications and Infrastructures (DAPPCON), 69–78. DOI:https://doi.org/10.1109/DAPPCON.2019.00018

[4]Nami Ashizawa, Naoto Yanai, Jason Paul Cruz, and Shingo Okamura. 2021. Eth2Vec: Learning Contract-Wide Code Representations for Vulnerability Detection on Ethereum Smart Contracts. (January 2021). Retrieved February 28, 2022 from https://arxiv.org/abs/2101.02377v2

[5]Rabia Musheer Aziz, Mohammed Farhan Baluch, Sarthak Patel, and Abdul Hamid Ganie. 2022. LGBM: a machine learning approach for Ethereum fraud detection. Int. j. inf. tecnol. (January 2022). DOI:https://doi.org/10.1007/s41870-022-00864-6

[6]Chaïmaa Benabbou and Önder Gürcan. 2021. A Survey of Verification, Validation and Testing Solutions for Smart Contracts. In 2021 Third International Conference on Blockchain Computing and Applications (BCCA), 57–64. DOI:https://doi.org/10.1109/BCCA53669.2021.9657040

[7]Venkata Siva Vijayendra Bhamidipati, Michael Chan, Derek Chamorro, Arpit Jain, and Ashok Murthy. 2019. Adaptive Security for Smart Contracts using High Granularity Metrics. In Proceedings of the 3rd International Conference on Vision, Image and Signal Processing. Association for Computing Machinery, New York, NY, USA, 1–6. Retrieved February 26, 2022 from https://doi.org/10.1145/3387168.3387214

[8]Lexi Brent, Anton Jurisevic, Michael Kong, Eric Liu, Francois Gauthier, Vincent Gramoli, Ralph Holz, and Bernhard Scholz. 2018. Vandal: A Scalable Security Analysis Framework for Smart Contracts. arXiv:1809.03981 [cs] (September 2018). Retrieved February 28, 2022 from http://arxiv.org/abs/1809.03981

[9]Weimin Chen, Xinran Li, Yuting Sui, Ningyu He, Haoyu Wang, Lei Wu, and Xiapu Luo. 2021. SADPonzi: Detecting and Characterizing Ponzi Schemes in Ethereum Smart Contracts. Proc. ACM Meas. Anal. Comput. Syst. 5, 2 (June 2021), 26:1-26:30. DOI:https://doi.org/10.1145/3460093

[10]Yuchiro Chinen, Naoto Yanai, Jason Paul Cruz, and Shingo Okamura. 2020. RA: Hunting for Re-Entrancy Attacks in Ethereum Smart Contracts via Static Analysis. In 2020 IEEE International Conference on Blockchain (Blockchain), 327–336. DOI:https://doi.org/10.1109/Blockchain50366.2020.00048

[11]Mojtaba Eshghie, Cyrille Artho, and Dilian Gurov. 2021. Dynamic Vulnerability Detection on Smart Contracts Using Machine Learning. In Evaluation and Assessment in Software Engineering (EASE 2021), Association for Computing Machinery, New York, NY, USA, 305–312. DOI:https://doi.org/10.1145/3463274.3463348

[12]Josselin Feist, Gustavo Grieco, and Alex Groce. 2019. Slither: A Static Analysis Framework For Smart Contracts. 2019 IEEE/ACM 2nd International Workshop on Emerging Trends in Software Engineering for Blockchain (WETSEB) (May 2019), 8–15. DOI:https://doi.org/10.1109/WETSEB.2019.00008

[13]João F. Ferreira, Pedro Cruz, Thomas Durieux, and Rui Abreu. 2020. SmartBugs: A Framework to Analyze Solidity Smart Contracts. In 2020 35th IEEE/ACM International Conference on Automated Software Engineering (ASE), 1349–1352.

[14]Christof Ferreira Torres, Mathis Baden, Robert Norvill, Beltran Borja Fiz Pontiveros, Hugo Jonker, and Sjouke Mauw. 2020. ÆGIS: Shielding Vulnerable Smart Contracts Against Attacks. In Proceedings of the 15th ACM Asia Conference on Computer and Communications Security (ASIA CCS ’20), Association for Computing Machinery, New York, NY, USA, 584–597. DOI:https://doi.org/10.1145/3320269.3384756

[15]Bo Gao, Ling Shi, Jiaying Li, Jialiang Chang, Jun Sun, and Zijiang Yang. 2021. sVerify: Verifying Smart Contracts Through Lazy Annotation and Learning. In Leveraging Applications of Formal Methods, Verification and Validation (Lecture Notes in Computer Science), Springer International Publishing, Cham, 453–469. DOI:https://doi.org/10.1007/978-3-030-89159-6_28

[16]Zhipeng Gao. 2020. When deep learning meets smart contracts. In Proceedings of the 35th IEEE/ACM International Conference on Automated Software Engineering. Association for Computing Machinery, New York, NY, USA, 1400–1402. Retrieved February 26, 2022 from https://doi.org/10.1145/3324884.3418918

[17]Zhipeng Gao, Vinoj Jayasundara, LingXiao Jiang, Xin Xia, David Lo, and John Grundy. 2019. SmartEmbed: A Tool for Clone and Bug Detection in Smart Contracts through Structural Code Embedding. In 2019 IEEE International Conference on Software Maintenance and Evolution (ICSME), 394–397. DOI:https://doi.org/10.1109/ICSME.2019.00067

[18]Juan Guarnizo, Bithin Alangot, and Pawel Szalachowski. 2020. SmartWitness: A Proactive Software Transparency System using Smart Contracts. In Proceedings of the 2nd ACM International Symposium on Blockchain and Secure Critical Infrastructure (BSCI ’20), Association for Computing Machinery, New York, NY, USA, 117–129. DOI:https://doi.org/10.1145/3384943.3409428

[19]Jingxuan He, Mislav Balunović, Nodar Ambroladze, Petar Tsankov, and Martin Vechev. 2019. Learning to Fuzz from Symbolic Execution with Application to Smart Contracts. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security (CCS ’19), Association for Computing Machinery, New York, NY, USA, 531–548. DOI:https://doi.org/10.1145/3319535.3363230

[20]Ningyu He, Ruiyi Zhang, Lei Wu, Haoyu Wang, Xiapu Luo, Yao Guo, Ting Yu, and Xuxian Jiang. 2020. Security Analysis of EOSIO Smart Contracts. arXiv:2003.06568 [cs] (July 2020). Retrieved February 28, 2022 from http://arxiv.org/abs/2003.06568

[21]Tharaka Mawanane Hewa, Yining Hu, Madhusanka Liyanage, Salil S. Kanhare, and Mika Ylianttila. 2021. Survey on Blockchain-Based Smart Contracts: Technical Aspects and Future Research. IEEE Access 9, (2021), 87643–87662. DOI:https://doi.org/10.1109/ACCESS.2021.3068178

[22]Huiwen Hu and Yuedong Xu. 2021. SCSGuard: Deep Scam Detection for Ethereum Smart Contracts. arXiv:2105.10426 [cs] (May 2021). Retrieved February 28, 2022 from http://arxiv.org/abs/2105.10426

[23]Jianjun Huang, Songming Han, Wei You, Wenchang Shi, Bin Liang, Jingzheng Wu, and Yanjun Wu. 2021. Hunting Vulnerable Smart Contracts via Graph Embedding Based Bytecode Matching. IEEE Transactions on Information Forensics and Security 16, (2021), 2144–2156. DOI:https://doi.org/10.1109/TIFS.2021.3050051

[24]Wanqing Jie, Arthur Sandor Voundi Koe, Pengfei Huang, and Shiwen Zhang. 2021. Full-Stack Hierarchical Fusion of Static Features for Smart Contracts Vulnerability Detection. In 2021 IEEE International Conference on Blockchain (Blockchain), 95–102. DOI:https://doi.org/10.1109/Blockchain53845.2021.00091

[25]Zulfiqar Ali Khan and Akbar Siami Namin. 2020. A Survey on Vulnerabilities of Ethereum Smart Contracts. arXiv:2012.14481 [cs] (December 2020). Retrieved February 28, 2022 from http://arxiv.org/abs/2012.14481

[26]Yuntae Kim, Dohyun Pak, and Jonghyup Lee. 2019. ScanAT: Identification of Bytecode-Only Smart Contracts With Multiple Attribute Tags. IEEE Access 7, (2019), 98669–98683. DOI:https://doi.org/10.1109/ACCESS.2019.2927003

[27]Ao Li, Jemin Andrew Choi, and Fan Long. 2020. Securing smart contract with runtime validation. In Proceedings of the 41st ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI 2020), Association for Computing Machinery, New York, NY, USA, 438–453. DOI:https://doi.org/10.1145/3385412.3385982

[28]Ziyuan Li, Wangshu Guo, Quan Xu, Yingjie Xu, Huimei Wang, and Ming Xian. 2020. Research on Blockchain Smart Contracts Vulnerability and A Code Audit Tool based on Matching Rules. In Proceedings of the 2020 International Conference on Cyberspace Innovation of Advanced Technologies (CIAT 2020), Association for Computing Machinery, New York, NY, USA, 484–489. DOI:https://doi.org/10.1145/3444370.3444617

[29]Jian-Wei Liao, Tsung-Ta Tsai, Chia-Kang He, and Chin-Wei Tien. 2019. SoliAudit: Smart Contract Vulnerability Assessment Based on Machine Learning and Fuzz Testing. In 2019 Sixth International Conference on Internet of Things: Systems, Management and Security (IOTSMS), 458–465. DOI:https://doi.org/10.1109/IOTSMS48152.2019.8939256

[30]Han Liu, Chao Liu, Wenqi Zhao, Yu Jiang, and Jiaguang Sun. 2018. S-gram: towards semantic-aware security auditing for Ethereum smart contracts. In Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering. Association for Computing Machinery, New York, NY, USA, 814–819. Retrieved February 26, 2022 from https://doi.org/10.1145/3238147.3240728

[31]Ye Liu, Yi Li, Shang-Wei Lin, and Rong Zhao. 2020. Towards automated verification of smart contract fairness. In Proceedings of the 28th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC/FSE 2020), Association for Computing Machinery, New York, NY, USA, 666–677. DOI:https://doi.org/10.1145/3368089.3409740

[32]Zhenguang Liu, Peng Qian, Xiang Wang, Lei Zhu, Qinming He, and Shouling Ji. 2021. Smart Contract Vulnerability Detection: From Pure Neural Network to Interpretable Graph Feature and Expert Pattern Fusion. arXiv:2106.09282 [cs] (June 2021). Retrieved February 28, 2022 from http://arxiv.org/abs/2106.09282

[33]Zhenguang Liu, Peng Qian, Xiaoyang Wang, Yuan Zhuang, Lin Qiu, and Xun Wang. 2021. Combining Graph Neural Networks with Expert Knowledge for Smart Contract Vulnerability Detection. IEEE Trans. Knowl. Data Eng. (2021), 1–1. DOI:https://doi.org/10.1109/TKDE.2021.3095196

[34]Antonio López Vivar, Ana Lucila Sandoval Orozco, and Luis Javier García Villalba. 2021. A security framework for Ethereum smart contracts. Computer Communications 172, (April 2021), 119–129. DOI:https://doi.org/10.1016/j.comcom.2021.03.008

[35]Oliver Lutz, Huili Chen, Hossein Fereidooni, Christoph Sendner, Alexandra Dmitrienko, Ahmad Reza Sadeghi, and Farinaz Koushanfar. 2021. ESCORT: Ethereum Smart COntRacTs Vulnerability Detection using Deep Neural Network and Transfer Learning. arXiv:2103.12607 [cs] (March 2021). Retrieved February 28, 2022 from http://arxiv.org/abs/2103.12607

[36]Bruno Mazorra, Victor Adan, and Vanesa Daza. 2022. Do not rug on me: Zero-dimensional Scam Detection. arXiv:2201.07220 [cs, q-fin] (January 2022). Retrieved February 28, 2022 from http://arxiv.org/abs/2201.07220

[37]Alexander Mense and Markus Flatscher. 2018. Security Vulnerabilities in Ethereum Smart Contracts. In Proceedings of the 20th International Conference on Information Integration and Web-based Applications & Services (iiWAS2018), Association for Computing Machinery, New York, NY, USA, 375–380. DOI:https://doi.org/10.1145/3282373.3282419

[38]Feng Mi, Zhuoyi Wang, Chen Zhao, Jinghui Guo, Fawaz Ahmed, and Latifur Khan. 2021. VSCL: Automating Vulnerability Detection in Smart Contracts with Deep Learning. In 2021 IEEE International Conference on Blockchain and Cryptocurrency (ICBC), 1–9. DOI:https://doi.org/10.1109/ICBC51069.2021.9461050

[39]Pouyan Momeni, Yu Wang, and Reza Samavi. 2019. Machine Learning Model for Smart Contracts Security Analysis. In 2019 17th International Conference on Privacy, Security and Trust (PST), 1–6. DOI:https://doi.org/10.1109/PST47121.2019.8949045

[40]K. Lakshmi Narayana and K. Sathiyamurthy. 2021. Automation and smart materials in detecting smart contracts vulnerabilities in Blockchain using deep learning. Materials Today: Proceedings (April 2021). DOI:https://doi.org/10.1016/j.matpr.2021.04.125

[41]Peng Qian, Zhenguang Liu, Qinming He, Roger Zimmermann, and Xun Wang. 2020. Towards Automated Reentrancy Detection for Smart Contracts Based on Sequential Models. IEEE Access 8, (2020), 19685–19695. DOI:https://doi.org/10.1109/ACCESS.2020.2969429

[42]Meng Ren, Fuchen Ma, Zijing Yin, Ying Fu, Huizhong Li, Wanli Chang, and Yu Jiang. 2021. Making smart contract development more secure and easier. In Proceedings of the 29th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC/FSE 2021), Association for Computing Machinery, New York, NY, USA, 1360–1370. DOI:https://doi.org/10.1145/3468264.3473929

[43]Noama Fatima Samreen and Manar H. Alalfi. 2020. A survey of security vulnerabilities in ethereum smart contracts. In Proceedings of the 30th Annual International Conference on Computer Science and Software Engineering (CASCON ’20), IBM Corp., USA, 73–82.

[44]Noama Fatima Samreen and Manar H. Alalfi. 2021. A Survey of Security Vulnerabilities in Ethereum Smart Contracts. arXiv:2105.06974 [cs] (May 2021). Retrieved February 28, 2022 from http://arxiv.org/abs/2105.06974

[45]R Sujeetha and C. A. S Deiva Preetha. 2021. A Literature Survey on Smart Contract Testing and Analysis for Smart Contract Based Blockchain Application Development. In 2021 2nd International Conference on Smart Electronics and Communication (ICOSEC), 378–385. DOI:https://doi.org/10.1109/ICOSEC51865.2021.9591750

[46]Wesley Joon-Wie Tann, Xing Jie Han, Sourav Sen Gupta, and Yew-Soon Ong. 2019. Towards Safer Smart Contracts: A Sequence Learning Approach to Detecting Security Threats. arXiv:1811.06632 [cs] (June 2019). Retrieved February 28, 2022 from http://arxiv.org/abs/1811.06632

[47]Zhiyuan Wan, Xin Xia, David Lo, Jiachi Chen, Xiapu Luo, and Xiaohu Yang. 2021. Smart Contract Security: a Practitioners’ Perspective. In Proceedings of the 43rd International Conference on Software Engineering. IEEE Press, 1410–1422. Retrieved February 26, 2022 from https://doi.org/10.1109/ICSE43902.2021.00127

[48]Ben Wang, Hanting Chu, Pengcheng Zhang, and Hai Dong. 2021. Smart Contract Vulnerability Detection Using Code Representation Fusion. In 2021 28th Asia-Pacific Software Engineering Conference (APSEC), 564–565. DOI:https://doi.org/10.1109/APSEC53868.2021.00069

[49]Wei Wang, Jingjing Song, Guangquan Xu, Yidong Li, Hao Wang, and Chunhua Su. 2021. ContractWard: Automated Vulnerability Detection Models for Ethereum Smart Contracts. IEEE Transactions on Network Science and Engineering 8, 2 (April 2021), 1133–1144. DOI:https://doi.org/10.1109/TNSE.2020.2968505

[50]Yajing Wang, Jingsha He, Nafei Zhu, Yuzi Yi, Qingqing Zhang, Hongyu Song, and Ruixin Xue. 2021. Security enhancement technologies for smart contracts in the blockchain: A survey. Trans Emerging Tel Tech 32, 12 (December 2021). DOI:https://doi.org/10.1002/ett.4341

[51]Karl Wüst, Sinisa Matetic, Silvan Egli, Kari Kostiainen, and Srdjan Capkun. 2020. ACE: Asynchronous and Concurrent Execution of Complex Smart Contracts. In Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security. Association for Computing Machinery, New York, NY, USA, 587–600. Retrieved February 26, 2022 from https://doi.org/10.1145/3372297.3417243

[52]Valentin Wüstholz and Maria Christakis. 2020. Harvey: a greybox fuzzer for smart contracts. In Proceedings of the 28th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering. Association for Computing Machinery, New York, NY, USA, 1398–1409. Retrieved February 26, 2022 from https://doi.org/10.1145/3368089.3417064

[53]Pengcheng Xia, Haoyu Wang, Bingyu Gao, Weihang Su, Zhou Yu, Xiapu Luo, Chao Zhang, Xusheng Xiao, and Guoai Xu. 2021. Trade or Trick? Detecting and Characterizing Scam Tokens on Uniswap Decentralized Exchange. Proc. ACM Meas. Anal. Comput. Syst. 5, 3 (December 2021), 39:1-39:26. DOI:https://doi.org/10.1145/3491051

[54]Cipai Xing, Zhuorong Chen, Lexin Chen, Xiaojie Guo, Zibin Zheng, and Jin Li. 2020. A new scheme of vulnerability analysis in smart contract with machine learning. Wireless Netw (July 2020). DOI:https://doi.org/10.1007/s11276-020-02379-z

[55]Yinxing Xue, Jiaming Ye, Wei Zhang, Jun Sun, Lei Ma, Haijun Wang, and Jianjun Zhao. 2021. Machine Learning Guided Cross-Contract Fuzzing. arXiv:2111.12423 [cs] (November 2021). Retrieved February 28, 2022 from http://arxiv.org/abs/2111.12423

[56]Shanqing Yu, Jie Jin, Yunyi Xie, Jie Shen, and Qi Xuan. 2021. Ponzi Scheme Detection in Ethereum Transaction Network. In Blockchain and Trustworthy Systems (Communications in Computer and Information Science), Springer, Singapore, 175–186. DOI:https://doi.org/10.1007/978-981-16-7993-3_14

[57]Xiao Liang Yu, Omar Al-Bataineh, David Lo, and Abhik Roychoudhury. 2020. Smart Contract Repair. ACM Trans. Softw. Eng. Methodol. 29, 4 (September 2020), 27:1-27:32. DOI:https://doi.org/10.1145/3402450

[58]Xingxin Yu, Haoyue Zhao, Botao Hou, Zonghao Ying, and Bin Wu. 2021. DeeSCVHunter: A Deep Learning-Based Framework for Smart Contract Vulnerability Detection. In 2021 International Joint Conference on Neural Networks (IJCNN), 1–8. DOI:https://doi.org/10.1109/IJCNN52387.2021.9534324

[59]Pengcheng Zhang, Feng Xiao, and Xiapu Luo. 2020. A Framework and DataSet for Bugs in Ethereum Smart Contracts. In 2020 IEEE International Conference on Software Maintenance and Evolution (ICSME), 139–150. DOI:https://doi.org/10.1109/ICSME46990.2020.00023

[60]Qingzhao Zhang, Yizhuo Wang, Juanru Li, and Siqi Ma. 2020. EthPloit: From Fuzzing to Efficient Exploit Generation against Smart Contracts. In 2020 IEEE 27th International Conference on Software Analysis, Evolution and Reengineering (SANER), 116–126. DOI:https://doi.org/10.1109/SANER48275.2020.9054822

[61]Yanmei Zhang, Siqian Kang, Wei Dai, Shiping Chen, and Jianming Zhu. 2021. Code Will Speak: Early detection of Ponzi Smart Contracts on Ethereum. In 2021 IEEE International Conference on Services Computing (SCC), 301–308. DOI:https://doi.org/10.1109/SCC53864.2021.00043

[62]Teng Zhou, Kui Liu, Li Li, Zhe Liu, Jacques Klein, and Tegawendé F. Bissyandé. 2021. SmartGift: Learning to Generate Practical Inputs for Testing Smart Contracts. In 2021 IEEE International Conference on Software Maintenance and Evolution (ICSME), 23–34. DOI:https://doi.org/10.1109/ICSME52107.2021.00009

[63]Yuan Zhuang, Zhenguang Liu, Peng Qian, Qi Liu, Xiang Wang, and Qinming He. 2021. Smart contract vulnerability detection using graph neural networks. In Proceedings of the Twenty-Ninth International Joint Conference on Artificial Intelligence (IJCAI’20), Yokohama, Yokohama, Japan, 3283–3290.

[64]Albert, Elvira, et al. “Taming Callbacks for Smart Contract Modularity.” Proceedings of the ACM on Programming Languages, vol. 4, no. OOPSLA, Nov. 2020, p. 209:1-209:30. https://doi.org/10.1145/3428277.

[65]Xue, Yinxing, Mingliang Ma, et al. “Cross-Contract Static Analysis for Detecting Practical Reentrancy Vulnerabilities in Smart Contracts.” Proceedings of the 35th IEEE/ACM International Conference on Automated Software Engineering, Association for Computing Machinery, 2020, pp. 1029–40. ACM Digital Library, https://doi.org/10.1145/3324884.3416553.

[66]Xue, Yinxing, Jiaming Ye, et al. “XFuzz: Machine Learning Guided Cross-Contract Fuzzing.” IEEE Transactions on Dependable and Secure Computing, 2022, pp. 1–14. IEEE Xplore, https://doi.org/10.1109/TDSC.2022.3182373.

[67]Ye, Jiaming, et al. “Clairvoyance: Cross-Contract Static Analysis for Detecting Practical Reentrancy Vulnerabilities in Smart Contracts.” Proceedings of the ACM/IEEE 42nd International Conference on Software Engineering: Companion Proceedings, Association for Computing Machinery, 2020, pp. 274–75. ACM Digital Library, https://doi.org/10.1145/3377812.3390908.