In Code We Trust?

Measuring the Control Flow Immutability of All Smart Contracts Deployed on Ethereum
  • Michael FröwisEmail author
  • Rainer Böhme
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10436)


Program code stored on the Ethereum blockchain is considered immutable, but this does not imply that its control flow cannot be modified. This bears the risk of loopholes whenever parties encode binding agreements in smart contracts. In order to quantify the issue, we define a heuristic indicator of control flow immutability, evaluate it based on a call graph of all smart contracts deployed on Ethereum, and find that two out of five smart contracts require trust in at least one third party. Besides, the analysis reveals that significant parts of the Ethereum blockchain are interspersed with debris from past attacks against the platform. We leverage the call graph to develop a method for data cleanup, which allows for less biased statistics of Ethereum use in practice.


Smart contract Trustless Code analysis Call graph Ethereum 



We like to thank Dr. Christian Reitwießner for answering many Ethereum related questions, Dr. Arthur Gervais for pointing out the existence of the parity tracing API and the excellent parsing script, Nick Johnson for the creation of the evmdis disassembler, Martin Holst Swende for the additional material on the Ethereum DoS attacks, and Clemens Brunner for proofreading and discussions. This work has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 740558.


  1. 1.
    Contracts - Solidity 0.4.12 documentation. Accessed 12 June 2017
  2. 2.
    Contracts - Solidity 0.4.12 documentation - Swarm. Accessed 12 June 2017
  3. 3.
    Ethereum Homestead Documentation. Accessed 19 June 2017
  4. 4.
    Atzei, N., Bartoletti, M., Cimoli, T.: A survey of attacks on Ethereum smart contracts. Technical report, Cryptology ePrint Archive: Report 2016/1007 (2016)Google Scholar
  5. 5.
    Bartoletti, M., Pompianu, L.: An empirical analysis of smart contracts: platforms, applications, and design patterns. arXiv preprint arXiv:1703.06322 (2017)
  6. 6.
    Bhargavan, K., Delignat-Lavaud, A., Fournet, C., Gollamudi, A., Gonthier, G., Kobeissi, N., Kulatova, N., Rastogi, A., Sibut-Pinote, T., Swamy, N., Zanella-Béguelin, S.: Formal verification of smart contracts: short paper. In: Proceedings of the 2016 ACM Workshop on Programming Languages and Analysis for Security, PLAS 2016, pp. 91–96. ACM (2016)Google Scholar
  7. 7.
    Buterin, V.: A state clearing FAQ. Accessed 18 June 2017
  8. 8.
    Buterin, V.: Hard Fork Completed. Accessed 18 June 2017
  9. 9.
    del Castillo, M.: The DAO Attacked: Code Issue Leads to $60 Million Ether Theft. Accessed 18 June 2017
  10. 10.
    Hertig, A.: So, Ethereum’s Blockchain is Still Under Attack. Accessed 18 June 2017
  11. 11.
    Hirai, Y.: Formal verification of Deed contract in Ethereum name service. (2016). Accessed 31 July 2017
  12. 12.
    Jameson, H.: FAQ: Upcoming Ethereum Hard Fork. Accessed 18 June 2017
  13. 13.
    Luu, L., Chu, D.H., Olickel, H., Saxena, P., Hobor, A.: Making smart contracts smarter. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 254–269. ACM (2016)Google Scholar
  14. 14.
    Luu, L., Teutsch, J., Kulkarni, R., Saxena, P.: Demystifying incentives in the consensus computer. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pp. 706–719. ACM (2015)Google Scholar
  15. 15.
    Nakamoto, S.: Bitcoin: A peer-to-peer electronic cash system (2008)Google Scholar
  16. 16.
    Norvill, R., Awan, I.U., Pontiveros, B., Cullen, A.J., et al.: Automated labeling of unknown contracts in Ethereum (2017)Google Scholar
  17. 17.
  18. 18.
    Szabo, N.: Formalizing and securing relationships on public networks. First Monday 2(9) (1997)Google Scholar
  19. 19.
    Wood, G.: Ethereum: A secure decentralised generalised transaction ledger (EIP-150 revision) (2017). Accessed 18 June 2017

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  1. 1.Department of Computer ScienceUniversität InnsbruckInnsbruckAustria

Personalised recommendations