Ethereum Smart Contracts: Security Vulnerabilities and Security Tools
Abstract
Ethereum represents the second generation of blockchain technology by providingan open and global computing platform which allows the exchange of cryptocurrency(Ether) and the development of self-verifying smart contract applications.Smart contracts present a foundation for possessing digital assets and a variety ofdecentralized applications within the blockchain area. Ethereum and smart contractsare public, distributed and immutable, as such, they are prone to vulnerabilitiessourcing from simple coding mistakes of developers.
Motivated by the security breaches and recurring financial losses in smart contracts,we aim to advance the field of security in smart contract programming.The main objective is to aid smart contract developers by providing a taxonomy ofall known security issues and by inspecting the security code analysis tools usedto identify those vulnerabilities. Based on previous research as well as attacks onEthereum smart contracts, we propose an updated taxonomy which categorizesall known vulnerabilities within their architectural and severity level. Our secondproposed taxonomy is a novel categorization of security tools on Ethereum.
Furthermore, we conduct the investigation of security code analysis tools onEthereum by assessing their effectiveness and accuracy. In particular, we analyzefour security tools, namely, Oyente, Securify, Remix, and SmartCheck. The resultsindicate that there are overall inconsistencies between the tools on different securityproperties. SmartCheck outperformed the other tools in terms of effectiveness,whereas Oyente performed the best in terms of accuracy. Furthermore, based onthe limitations we identified, we propose future improvements within the user interfaces,interpretation of results, and additional vulnerability checks.