Abstract
Blockchain and smart contract technology have led to the creation of an alternative financial system, Decentralised Finance (DeFi), which has grown exponentially in the last year alone to a current value of $76B. Without a central custodian or regulator, non-technical users may find it difficult to assess the security of their favourite projects. In this trustless environment, can the current state-of-the-art smart contract analysis tools be used by non-technical users to protect investors from losses and improve security in the space? In this paper, we review the literature on well-known vulnerabilities of financial smart contracts and show the scale of successful DeFi attacks. By analysing the root causes of recent contract exploits, we assess the feasibility of detecting these vulnerabilities by automatic verification. We investigate 21 analysis tools for detecting vulnerabilities in smart contracts, with an in-depth evaluation of six: Slither, Mythril, DerScanner, Manticore, Oyente and Securify v2. The tools were evaluated for efficiency and accuracy against a custom dataset of 28 vulnerable and 16 healthy smart contracts and are ultimately rated on how useful they may be from a DeFi user's perspective. The results indicate that, while Slither received the highest rating, none of the existing tools can successfully assist DeFi users at present, owing to a lack of reliability or a lack of simplicity for the targeted market.
Appendix—Rating Criteria
Installation
1. We were not successful in installing the tool.
2. Installation was cumbersome and had multiple dependencies.
3. Only manual installation is available.
4. A Docker image is available.
5. The tool is hosted online and no installation is required.

Additional Features
1. Features limited to the main scan, with no option to extend it.
2. A few basic options only.
3. A few additional options; scan types can be selected.
4. Additional scanners can be added. Arguments allow flexible selection of checks and of the Solidity version.
5. The tool has an excellent, easy-to-use selection of additional options and offers significant extensibility. This may include easy access to documentation on each vulnerability, the option to scan a contract by providing its address or a GitHub link, presentation of results in different formats (including graphs), display of function dependencies, etc.

Effectiveness
1. 20% or fewer of the prepared vulnerabilities found.
2. More than 20% but no more than 50% found.
3. More than 50% but no more than 70% found.
4. More than 70% found.
5. More than 90% of the prepared vulnerabilities found, with the line and type of each correctly indicated.

Liveliness
1. Latest commit older than 2 years.
2. Latest commit older than 1 year but newer than 2 years.
3. Latest commit older than 6 months but newer than 1 year.
4. Latest commit between 3 and 6 months old.
5. Latest commit to the git repository within the last 3 months.

Open Source
1. Proprietary tool.
2. Open source, community below 100.
3. Open source, community over 100.
4. Open source, community over 200.
5. Open source, git community over 300 members.

Friendly Output
1. General issue category names only; no description or links.
2. Issue names are descriptive but lack a clear explanation.
3. Simple issue categories or short descriptions.
4. Categories are clear and descriptions of issues are provided, but there are no links to further information.
5. The tool uses clear severity ranks, gives a clear description, and links to where additional information can be found.

Accuracy
1. 6 or more false positives reported (high or medium severity).
2. 5 or fewer false positives reported (high or medium severity).
3. 2 or fewer false positives reported (high or medium severity).
4. No false positives of critical or high severity; some recommendations may be incorrect.
5. No false positives reported at all; all warnings and recommendations are correct.
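The dataset evaluation described in the abstract (labelled vulnerable and healthy contracts) and the Effectiveness, Accuracy and Liveliness criteria above can be turned into a small scoring harness. The following Python is an added example written for this page, not the paper's own evaluation code. The contract names, vulnerability classes, findings and severity labels are constructed for illustration, and the step of normalising a real tool's report (for instance Slither's JSON output) into `Finding` records is assumed rather than shown. It also fixes two points the rubric leaves open: a finding counts as "found" when it names the same contract and vulnerability class as a label, and score 5 additionally requires the reported line to match the label.

```python
"""Score a smart-contract analysis tool against a labelled dataset using the
Effectiveness, Accuracy and Liveliness criteria of the appendix.
Added example for this page; not the paper's own code."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Vuln:
    """Ground-truth label for one planted vulnerability (constructed dataset)."""
    contract: str  # file in the dataset, e.g. "Bank.sol" (hypothetical)
    kind: str      # vulnerability class, e.g. "reentrancy"
    line: int      # line the label marks as the vulnerable statement


@dataclass(frozen=True)
class Finding:
    """One issue reported by a tool, already normalised from the tool's
    own report format (that normalisation is assumed, not shown here)."""
    contract: str
    kind: str
    line: int
    severity: str  # "critical", "high", "medium", "low" or "informational"


def match(truth: Vuln, f: Finding) -> bool:
    """A finding hits a label when it names the same contract and class."""
    return f.contract == truth.contract and f.kind == truth.kind


def effectiveness_score(truth: list, findings: list) -> int:
    """Share of planted vulnerabilities the tool reported (rubric levels 1-4);
    level 5 additionally requires the reported line to match the label."""
    if not truth:
        raise ValueError("need at least one labelled vulnerability")
    hit = [t for t in truth if any(match(t, f) for f in findings)]
    precise = [t for t in hit
               if any(match(t, f) and f.line == t.line for f in findings)]
    rate = len(hit) / len(truth)
    if len(precise) / len(truth) > 0.9:
        return 5
    if rate > 0.7:
        return 4
    if rate > 0.5:
        return 3
    if rate > 0.2:
        return 2
    return 1


def false_positives(truth: list, findings: list) -> list:
    """Findings that correspond to no label. Every finding on a healthy
    contract (one with no labels at all) is therefore a false positive."""
    return [f for f in findings if not any(match(t, f) for t in truth)]


def accuracy_score(truth: list, findings: list) -> int:
    """Rubric levels are checked from the top down: 5 = no false positive at
    any severity, 4 = none at critical/high, then by count of high/medium."""
    fps = false_positives(truth, findings)
    if not fps:
        return 5
    if not any(f.severity in ("critical", "high") for f in fps):
        return 4
    serious = sum(1 for f in fps
                  if f.severity in ("critical", "high", "medium"))
    if serious <= 2:
        return 3
    if serious <= 5:
        return 2
    return 1


def commit_age_days(last_commit: date, today: date) -> int:
    return (today - last_commit).days


def liveliness_score(days_since_commit: int) -> int:
    """Age of the latest commit; a month is taken as 30 days (assumption)."""
    if days_since_commit <= 90:
        return 5
    if days_since_commit <= 180:
        return 4
    if days_since_commit <= 365:
        return 3
    if days_since_commit <= 730:
        return 2
    return 1


def rate_tool(truth: list, findings: list, last_commit: date, today: date) -> dict:
    """Combine the three measurable criteria into one report for a tool."""
    return {
        "effectiveness": effectiveness_score(truth, findings),
        "accuracy": accuracy_score(truth, findings),
        "liveliness": liveliness_score(commit_age_days(last_commit, today)),
        "false_positives": len(false_positives(truth, findings)),
    }


# Constructed dataset: three vulnerable contracts with one label each and two
# healthy contracts (Vault.sol, Token.sol) that carry no labels.
TRUTH = [
    Vuln("Bank.sol", "reentrancy", 42),
    Vuln("Auction.sol", "unchecked-send", 17),
    Vuln("Lottery.sol", "timestamp-dependence", 9),
]
# Constructed findings for a hypothetical tool: two true positives (one on the
# wrong line), one missed label, a high-severity report on a healthy contract
# and an informational note on another healthy contract.
FINDINGS = [
    Finding("Bank.sol", "reentrancy", 42, "high"),
    Finding("Auction.sol", "unchecked-send", 20, "medium"),
    Finding("Vault.sol", "reentrancy", 31, "high"),
    Finding("Token.sol", "naming-convention", 3, "informational"),
]

if __name__ == "__main__":
    print(rate_tool(TRUTH, FINDINGS, date(2021, 5, 1), date(2021, 7, 16)))
```

On the constructed data the tool scores 3 for Effectiveness (two of three labels hit, only one on the exact line), 3 for Accuracy (one high-severity false positive on a healthy contract) and 5 for Liveliness (76 days since the last commit). Matching on contract and class rather than line keeps a tool from being penalised twice for an off-by-a-few-lines report, while still reserving the top Effectiveness score for tools that point at the right statement.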
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.
Cite this paper
Faura, G., Siewiersky, C., Tal, I. (2023). A User-Centric Evaluation of Smart Contract Analysis Tools in Decentralised Finance (DeFi). In: Onwubiko, C., et al. Proceedings of the International Conference on Cybersecurity, Situational Awareness and Social Media. Springer Proceedings in Complexity. Springer, Singapore. https://doi.org/10.1007/978-981-19-6414-5_25
DOI: https://doi.org/10.1007/978-981-19-6414-5_25
Publisher Name: Springer, Singapore
Print ISBN: 978-981-19-6413-8
Online ISBN: 978-981-19-6414-5
eBook Packages: Physics and Astronomy (R0)