SmartCheck: Static Analysis of Ethereum Smart Contracts
| Published in: | 2018 IEEE ACM 1st International Workshop on Emerging Trends in Software Engineering for Blockchain (WETSEB) pp. 9 - 16 |
|---|---|
| Main Authors: | Tikhomirov, Sergei; Voskresenskaya, Ekaterina; Ivanitskiy, Ivan; Takhaviev, Ramil; Marchenko, Evgeny; Alexandrov, Yaroslav |
| Format: | Conference Proceeding |
| Language: | English |
| Published: | New York, NY, USA: ACM, 27.05.2018 |
| Series: | ACM Conferences |
| Subjects: | static analysis; ethereum; bug detection; smart contracts; solidity |
| ISBN: | 9781450357265, 1450357261 |
| Online Access: | https://ieeexplore.ieee.org/document/8445052 |
| Abstract | Ethereum is a major blockchain-based platform for smart contracts - Turing complete programs that are executed in a decentralized network and usually manipulate digital units of value. Solidity is the most mature high-level smart contract language. Ethereum is a hostile execution environment, where anonymous attackers exploit bugs for immediate financial gain. Developers have a very limited ability to patch deployed contracts. Hackers steal up to tens of millions of dollars from flawed contracts, a well-known example being "The DAO", broken in June 2016. Advice on secure Ethereum programming practices is spread out across blogs, papers, and tutorials. Many sources are outdated due to a rapid pace of development in this field. Automated vulnerability detection tools, which help detect potentially problematic language constructs, are still underdeveloped in this area. We provide a comprehensive classification of code issues in Solidity and implement SmartCheck - an extensible static analysis tool that detects them. SmartCheck translates Solidity source code into an XML-based intermediate representation and checks it against XPath patterns. We evaluated our tool on a big dataset of real-world contracts and compared the results with manual audit on three contracts. Our tool reflects the current state of knowledge on Solidity vulnerabilities and shows significant improvements over alternatives. SmartCheck has its limitations, as detection of some bugs requires more sophisticated techniques such as taint analysis or even manual audit. We believe though that a static analyzer should be an essential part of contract developers' toolbox, letting them fix simple bugs fast and allocate more effort to complex issues. |
|---|---|
| Source code | https://github.com/smartdec/smartcheck |
| Author | Tikhomirov, Sergei; Voskresenskaya, Ekaterina; Ivanitskiy, Ivan; Takhaviev, Ramil; Marchenko, Evgeny; Alexandrov, Yaroslav |
| Author affiliations | 1. Sergei Tikhomirov, University of Luxembourg, Esch-sur-Alzette, Luxembourg (sergey.s.tikhomirov@gmail.com); 2. Ekaterina Voskresenskaya, SmartDec, Moscow, Russia (voskresenskaya@smartdec.net); 3. Ivan Ivanitskiy, SmartDec, Moscow, Russia (ivanitskiy@smartdec.net); 4. Ramil Takhaviev, SmartDec, Moscow, Russia (tahaviev@smartdec.net); 5. Evgeny Marchenko, SmartDec, Moscow, Russia (marchenko@smartdec.net); 6. Yaroslav Alexandrov, SmartDec, Moscow, Russia (alexandrov@smartdec.net) |
| CODEN | IEEPAD |
| ContentType | Conference Proceeding |
| Copyright | 2018 ACM |
| Copyright_xml | – notice: 2018 ACM |
| DBID | 6IE 6IL CBEJK RIE RIL |
| DOI | 10.1145/3194113.3194115 |
| DatabaseName | IEEE Electronic Library (IEL) Conference Proceedings; IEEE Xplore POP ALL; IEEE Xplore All Conference Proceedings; IEEE/IET Electronic Library; IEEE Proceedings Order Plans (POP All) 1998-Present |
| Database_xml | – sequence: 1 dbid: RIE name: IEEE Electronic Library (IEL) url: https://ieeexplore.ieee.org/ sourceTypes: Publisher |
| DeliveryMethod | fulltext_linktorsrc |
| Discipline | Computer Science |
| EISBN | 9781450357265, 1450357261 |
| EndPage | 16 |
| ExternalDocumentID | 8445052 |
| Genre | orig-research |
| IEDL.DBID | RIE |
| ISBN | 9781450357265, 1450357261 |
| ISICitedReferencesCount | 552 |
| IngestDate | Wed Aug 27 02:58:07 EDT 2025 Wed Jan 31 06:36:01 EST 2024 Wed Jan 31 06:47:20 EST 2024 |
| IsPeerReviewed | false |
| IsScholarly | true |
| Keywords | static analysis; ethereum; bug detection; smart contracts; solidity |
| Language | English |
| License | Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from Permissions@acm.org. |
| LinkModel | DirectLink |
| MeetingName | ICSE '18: 40th International Conference on Software Engineering |
| PageCount | 8 |
| ParticipantIDs | ieee_primary_8445052 acm_books_10_1145_3194113_3194115 acm_books_10_1145_3194113_3194115_brief |
| PublicationCentury | 2000 |
| PublicationDate | 20180527 2018-May |
| PublicationDateYYYYMMDD | 2018-05-27 2018-05-01 |
| PublicationDate_xml | – month: 05 year: 2018 text: 20180527 day: 27 |
| PublicationDecade | 2010 |
| PublicationPlace | New York, NY, USA |
| PublicationPlace_xml | – name: New York, NY, USA |
| PublicationSeriesTitle | ACM Conferences |
| PublicationTitle | 2018 IEEE ACM 1st International Workshop on Emerging Trends in Software Engineering for Blockchain (WETSEB) |
| PublicationTitleAbbrev | WETSEB |
| PublicationYear | 2018 |
| Publisher | ACM |
| Publisher_xml | – name: ACM |
| SSID | ssj0002684918 |
| Score | 2.6025474 |
| Snippet | Ethereum is a major blockchain-based platform for smart contracts - Turing complete programs that are executed in a decentralized network and usually... |
| SourceID | ieee acm |
| SourceType | Publisher |
| StartPage | 9 |
| SubjectTerms | bug detection; Computer bugs; Computer hacking; Contracts; Ethereum; smart contracts; Solidity; Static analysis |
| Subtitle | static analysis of ethereum smart contracts |
| Title | SmartCheck |
| URI | https://ieeexplore.ieee.org/document/8445052 |
| hasFullText | 1 |
| inHoldings | 1 |

