research-article

SmartCheck: static analysis of ethereum smart contracts

Authors:
Sergei Tikhomirov

University of Luxembourg, Esch-sur-Alzette, Luxembourg

University of Luxembourg, Esch-sur-Alzette, Luxembourg
View Profile

,
Ekaterina Voskresenskaya

SmartDec, Moscow, Russia

SmartDec, Moscow, Russia
View Profile

,
Ivan Ivanitskiy

SmartDec, Moscow, Russia

SmartDec, Moscow, Russia
View Profile

,
Ramil Takhaviev

SmartDec, Moscow, Russia

SmartDec, Moscow, Russia
View Profile

,
Evgeny Marchenko

SmartDec, Moscow, Russia

SmartDec, Moscow, Russia
View Profile

,
Yaroslav Alexandrov

SmartDec, Moscow, Russia

SmartDec, Moscow, Russia
View Profile

WETSEB '18: Proceedings of the 1st International Workshop on Emerging Trends in Software Engineering for BlockchainMay 2018Pages 9–16https://doi.org/10.1145/3194113.3194115

Published:27 May 2018Publication History

WETSEB '18: Proceedings of the 1st International Workshop on Emerging Trends in Software Engineering for Blockchain

Pages 9–16

ABSTRACT

Ethereum is a major blockchain-based platform for smart contracts - Turing complete programs that are executed in a decentralized network and usually manipulate digital units of value. Solidity is the most mature high-level smart contract language. Ethereum is a hostile execution environment, where anonymous attackers exploit bugs for immediate financial gain. Developers have a very limited ability to patch deployed contracts. Hackers steal up to tens of millions of dollars from flawed contracts, a well-known example being "The DAO", broken in June 2016. Advice on secure Ethereum programming practices is spread out across blogs, papers, and tutorials. Many sources are outdated due to a rapid pace of development in this field. Automated vulnerability detection tools, which help detect potentially problematic language constructs, are still underdeveloped in this area.

We provide a comprehensive classification of code issues in Solidity and implement SmartCheck - an extensible static analysis tool that detects them¹. SmartCheck translates Solidity source code into an XML-based intermediate representation and checks it against XPath patterns. We evaluated our tool on a big dataset of real-world contracts and compared the results with manual audit on three contracts. Our tool reflects the current state of knowledge on Solidity vulnerabilities and shows significant improvements over alternatives. SmartCheck has its limitations, as detection of some bugs requires more sophisticated techniques such as taint analysis or even manual audit. We believe though that a static analyzer should be an essential part of contract developers' toolbox, letting them fix simple bugs fast and allocate more effort to complex issues.

References

{ABC17} Nicola Atzei, Massimo Bartoletti, and Tiziana Cimoli. A survey of attacks on Ethereum smart contracts (SoK). In POST, volume 10204 of Lecture Notes in Computer Science, pages 164--186. Springer, 2017. http://eprint.iacr.org/2016/1007. Google ScholarDigital Library
{ant17} ANTLR, 2017. http://www.antlr.org/.Google Scholar
{ASU07} Alfred Aho, Ravi Sethi, and Jeffrey Ullman. Compilers: principles, techniques, and tools, volume 2. Addison-Wesley Reading, 2007.Google Scholar
{BDLF+16} Karthikeyan Bhargavan, Antoine Delignat-Lavaud, Cédric Fournet, Anitha Gollamudi, Georges Gonthier, Nadim Kobeissi, Natalia Kulatova, Aseem Rastogi, Thomas Sibut-Pinote, Nikhil Swamy, and Santiago Zanella-Béguelin. Formal verification of smart contracts: Short paper. In Proceedings of the 2016 ACM Workshop on Programming Languages and Analysis for Security, PLAS '16, pages 91--96, New York, NY, USA, 2016. ACM. Google ScholarDigital Library
{But17} Vitalik Buterin. Design rationale, 2017. https://github.com/ethereum/wiki/wiki/Design-Rationale.Google Scholar
{CLLZ17} Ting Chen, Xiaoqi Li, Xiapu Luo, and Xiaosong Zhang. Under-optimized smart contracts devour your money. In SANER, pages 442--446. IEEE Computer Society, 2017.Google ScholarCross Ref
{Con16} Ethereum contract security techniques and tips, 2016. https://github.com/ConsenSys/smart-contract-best-practices.Google Scholar
{DAK+15} Kevin Delmolino, Mitchell Arnett, Ahmed Kosba, Andrew Miller, , and Elaine Shi. Step by step towards creating a safe smart contract: Lessons and insights from a cryptocurrency lab. Cryptology ePrint Archive, Report 2015/460, 2015. http://eprint.iacr.org/2015/460.Google Scholar
{Eth17a} Contracts with verified source codes only, 2017. https://etherscan.io/contractsVerified.Google Scholar
{Eth17b} Ethereum Classic, 2017. https://ethereumclassic.github.io/.Google Scholar
{Gen17a} Genesis, 2017. https://genesis.vision/.Google Scholar
{Gen17b} Genesis Github repository, 2017. https://github.com/GenesisVision/ico-contracts/.Google Scholar
{Hen17} Kevlin Henney. Inside requirements, 2017. https://www.slideshare.net/Kevlin/inside-requirements.Google Scholar
{Hir17a} Yoichi Hirai. Dr. Y's Ethereum contract analyzer, 2017. http://dry.yoichihirai.com/.Google Scholar
{Hir17b} Yoichi Hirai. Formal verification of Ethereum contracts, 2017. https://github.com/pirapira/ethereum-formal-verification-overview.Google Scholar
{Hiv17a} Hive, 2017. https://bitcointalk.org/index.php?topic=1959159.0.Google Scholar
{Hiv17b} Hive Github repository, 2017. https://github.com/HiveProjectLtd/HVNTokenBasic/.Google Scholar
{HSZ+17} Everett Hildenbrandt, Manasvi Saxena, Xiaoran Zhu, Nishant Rodrigues, Philip Daian, Dwight Guth, and Grigore Rosu. KEVM: A complete semantics of the Ethereum virtual machine. 2017. https://hdl.handle.net/2142/97207.Google Scholar
{JSo17} jsoup: Java HTML parser, 2017. https://jsoup.org/.Google Scholar
{LCO+16} Loi Luu, Duc-Hiep Chu, Hrishi Olickel, Prateek Saxena, and Aquinas Hobor. Making smart contracts smarter. Cryptology ePrint Archive, Report 2016/633, 2016. http://eprint.iacr.org/2016/633.Google Scholar
{LCO+18} Loi Luu, Duc-Hiep Chu, Hrishi Olickel, Prateek Saxena, and Aquinas Hobor. Oyente, 2018. http://www.comp.nus.edu.sg/~loiluu/oyente.html.Google Scholar
{LSCL12} Bingchang Liu, Liang Shi, Zhuhua Cai, and Min Li. Software vulnerability discovery techniques: a survey. In 2012 Fourth International Conference on Multimedia Information Networking and Security (MINES), pages 152--156. IEEE, 2012. Google ScholarDigital Library
{Pal17} Santiago Palladino. The Parity wallet hack reloaded, 2017. https://blog.zeppelin.solutions/the-parity-wallet-hack-reloaded-91bbfa5e510c.Google Scholar
{PE16} Jack Pettersson and Robert Edström. Safer smart contracts through type-driven development. 2016. https://publications.lib.chalmers.se/records/fulltext/234939/234939.pdf.Google Scholar
{Pop17a} Populous, 2017. http://populous.co/.Google Scholar
{Pop17b} Populous Github repository, 2017. https://github.com/bitpopulous/Populous-smart-contracts/.Google Scholar
{Ran17} RANDAO: a DAO working as RNG of Ethereum, 2017. https://github.com/randao/randao.Google Scholar
{Rem17} Remix - Solidity IDE, 2017. https://ethereum.github.io/browser-solidity/.Google Scholar
{Saf17} Safemath, 2017. https://github.com/OpenZeppelin/zeppelin-solidity/blob/master/contracts/math/SafeMath.sol.Google Scholar
{Sec17} Securify. Formal verification of Ethereum smart contracts, 2017. http://securify.ch/.Google Scholar
{Sir16} Emin Gün Sirer. Thoughts on The DAO hack, 2016. http://hackingdistributed.com/2016/06/17/thoughts-on-the-dao-hack/.Google Scholar
{Sol17a} Solidity official documentation, 2017. https://solidity.readthedocs.io/.Google Scholar
{Sol17b} Solidity version 0.4.14, 2017. https://github.com/ethereum/solidity/releases/tag/v0.4.14.Google Scholar
{Sol17c} Zeppellin Solutions, 2017. https://blog.zeppelin.solutions/tagged/security.Google Scholar
{Tik17} Sergei Tikhomirov. Ethereum: state of knowledge and research perspectives. 2017. https://hdl.handle.net/10993/32468.Google Scholar
{TPF+09} Omer Tripp, Marco Pistoia, Stephen Fink, Manu Sridharan, and Omri Weisman. TAJ: effective taint analysis of web applications. In ACM Sigplan Notices, volume 44, pages 87--97. ACM, 2009. Google ScholarDigital Library
{VB+14} Fabian Vogelsteller, Vitalik Buterin, et al. Ethereum whitepaper, 2014. https://github.com/ethereum/wiki/wiki/White-Paper.Google Scholar
{Wög05} Wolfgang Wögerer. A survey of static program analysis techniques. Technical report, Tech. rep., Technische Universität Wien, 2005.Google Scholar
{Woo14} Gavin Wood. Ethereum: A secure decentralised generalised transaction ledger. Ethereum Project Yellow Paper, 151, 2014. http://yellowpaper.io/.Google Scholar
{xpa} XPath. https://www.w3.org/TR/xpath20/.Google Scholar
{ydt16} ydtm. The bug which the DAO hacker exploited was not merely in the DAO itself, 2016. https://redd.it/4opjov.Google Scholar

Recommendations

A study of inline assembly in solidity smart contracts

The Solidity programming language is the most widely used language for smart contract development. Improving smart contracts’ correctness, security, and performance has been the driving force for research in vulnerability detection, program analysis, ...
Read More
A Minimal Core Calculus for Solidity Contracts
Data Privacy Management, Cryptocurrencies and Blockchain Technology
Abstract
The Ethereum platform supports the decentralized execution of smart contracts, i.e. computer programs that transfer digital assets between users. The most common language used to develop these contracts is Solidity, a Javascript-like language ...
Read More
Towards Effective Static Analysis Approaches for Security Vulnerabilities in Smart Contracts
ASE '22: Proceedings of the 37th IEEE/ACM International Conference on Automated Software Engineering

The growth in the popularity of smart contracts has been accompanied by a rise in security attacks targeting smart contracts, which have led to financial losses of millions of dollars and erosion of trust. To enable developers discover vulnerabilities ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
WETSEB '18: Proceedings of the 1st International Workshop on Emerging Trends in Software Engineering for Blockchain
May 2018
70 pages
ISBN:9781450357265
DOI:10.1145/3194113
Program Chairs:
Roberto Tonelli
University of Cagliari, Cagliari, Italy
,
Giuseppe Destefanis
University of Hertfordshire, Hatfield, United Kingdom
,
Steve Counsell
Brunel University London, United Kingdom
,
Michele Marchesi
University of Cagliari, Cagliari, Italy
Copyright © 2018 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 27 May 2018
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
bug detection
ethereum
smart contracts
solidity
static analysis
Qualifiers
- research-article
Conference

Upcoming Conference

ICSE 2025

2025 IEEE/ACM 46th International Conference on Software Engineering

April 26 - May 3, 2025

Ottawa , ON , Canada
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 386
  Total Citations
  View Citations
- 2,433
  Total Downloads
- Downloads (Last 12 months)394
- Downloads (Last 6 weeks)38
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

SmartCheck: static analysis of ethereum smart contracts

WETSEB '18: Proceedings of the 1st International Workshop on Emerging Trends in Software Engineering for Blockchain

ABSTRACT

References

Cited By

Recommendations

A study of inline assembly in solidity smart contracts

A Minimal Core Calculus for Solidity Contracts

Towards Effective Static Analysis Approaches for Security Vulnerabilities in Smart Contracts

Comments

Login options

Full Access

Published in

Sponsors

In-Cooperation

Publisher

Publication History

Permissions

Check for updates

Author Tags

Qualifiers

Conference

Upcoming Conference

Funding Sources

Other Metrics

Article Metrics

Other Metrics

Cited By

PDF Format

eReader

Digital Edition

Caption

SmartCheck: static analysis of ethereum smart contracts

WETSEB '18: Proceedings of the 1st International Workshop on Emerging Trends in Software Engineering for Blockchain

ABSTRACT

References

Cited By

Recommendations

A study of inline assembly in solidity smart contracts

A Minimal Core Calculus for Solidity Contracts

Towards Effective Static Analysis Approaches for Security Vulnerabilities in Smart Contracts

Comments

Login options

Full Access

Published in

Sponsors

In-Cooperation

Publisher

Publication History

Permissions

Check for updates

Author Tags

Qualifiers

Conference

Upcoming Conference

Funding Sources

Article Metrics

Other Metrics

PDF Format

eReader

Digital Edition

Share this Publication link

Share on Social Media