Skip to main content

The Good, The Bad and The Ugly: Pitfalls and Best Practices in Automated Sound Static Analysis of Ethereum Smart Contracts

  • Conference paper
  • First Online:
Leveraging Applications of Formal Methods, Verification and Validation: Applications (ISoLA 2020)

Part of the book series: Lecture Notes in Computer Science ((LNTCS,volume 12478))

Included in the following conference series:


Ethereum smart contracts are distributed programs running on top of the Ethereum blockchain. Since program flaws can cause significant monetary losses and can hardly be fixed due to the immutable nature of the blockchain, there is a strong need of automated analysis tools which provide formal security guarantees. Designing such analyzers, however, proved to be challenging and error-prone. We review the existing approaches to automated, sound, static analysis of Ethereum smart contracts and highlight prevalent issues in the state of the art. Finally, we overview eThor, a recent static analysis tool that we developed following a principled design and implementation approach based on rigorous semantic foundations to overcome the problems of past works.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others


  1. 1.

    Supporting a Turing complete instruction set, Ethereum enforces termination by bounding the number of computation steps based on an prespecified resource limit.

  2. 2.

    As of the fourth quarter of 2019, see

  3. 3.

    Currently, a Go, a C++ and a Python implementation are distributed by the Ethereum Foundation:,-tools,-dapp-browsers,-wallets-and-other-projects.

  4. 4.

    Also called the Jello paper:

  5. 5.

    Only an excerpt is presented in  [31], and the public implementation at intermingles specification and implementation.

  6. 6.

    We illustrate the issue with a violation pattern for easier presentation and since the affected compliance pattern turned out not to be implemented in Securify.

  7. 7.

    eThor was evaluated against ZEUS since this is the only tool to implement a property similar to single-entrancy.


  1. The DAO smart contract (2016).

  2. The parity wallet breach (2017).

  3. The parity wallet vulnerability (2017).

  4. Solidity (2019).

  5. Adhikari, C.: Secure framework for healthcare data management using ethereum-based blockchain technology (2017)

    Google Scholar 

  6. Amani, S., Bégel, M., Bortin, M., Staples, M.: Towards verifying ethereum smart contract bytecode in isabelle/hol. In: Proceedings of the 7th ACM SIGPLAN International Conference on Certified Programs and Proofs, pp. 66–77 (2018)

    Google Scholar 

  7. Azaria, A., Ekblaw, A., Vieira, T., Lippman, A.: Medrec: using blockchain for medical data access and permission management. In: International Conference on Open and Big Data (OBD), pp. 25–30. IEEE (2016)

    Google Scholar 

  8. Bartoletti, M., Galletta, L., Murgia, M.: A minimal core calculus for solidity contracts. In: Pérez-Solà, C., Navarro-Arribas, G., Biryukov, A., Garcia-Alfaro, J. (eds.) DPM/CBT -2019. LNCS, vol. 11737, pp. 233–243. Springer, Cham (2019).

    Chapter  Google Scholar 

  9. Bhargavan, K., et al.: Formal verification of smart contracts: short paper. In: Proceedings of the 2016 ACM Workshop on Programming Languages and Analysis for Security, pp. 91–96 (2016)

    Google Scholar 

  10. Crafa, S., Di Pirro, M., Zucca, E.: Is solidity solid enough? In: Bracciali, A., Clark, J., Pintore, F., Rønne, P.B., Sala, M. (eds.) FC 2019. LNCS, vol. 11599, pp. 138–153. Springer, Cham (2020).

    Chapter  Google Scholar 

  11. Cruz, J.P., Kaji, Y., Yanai, N.: RBAC-SC: role-based access control using smart contract. IEEE Access 6, 12240–12251 (2018)

    Article  Google Scholar 

  12. de Moura, L., Bjørner, N.: Z3: an efficient SMT solver. In: Ramakrishnan, C.R., Rehof, J. (eds.) TACAS 2008. LNCS, vol. 4963, pp. 337–340. Springer, Heidelberg (2008).

    Chapter  Google Scholar 

  13. Galal, H.S., Youssef, A.M.: Verifiable sealed-bid auction on the ethereum blockchain. In: Zohar, A., et al. (eds.) FC 2018. LNCS, vol. 10958, pp. 265–278. Springer, Heidelberg (2019).

    Chapter  Google Scholar 

  14. Grishchenko, I., Maffei, M., Schneidewind, C.: Foundations and tools for the static analysis of ethereum smart contracts. In: Chockler, H., Weissenbacher, G. (eds.) CAV 2018. LNCS, vol. 10981, pp. 51–78. Springer, Cham (2018).

    Chapter  Google Scholar 

  15. Grishchenko, I., Maffei, M., Schneidewind, C.: A semantic framework for the security analysis of ethereum smart contracts. In: Bauer, L., Küsters, R. (eds.) POST 2018. LNCS, vol. 10804, pp. 243–269. Springer, Cham (2018).

    Chapter  Google Scholar 

  16. Grossman, S., et al.: Online detection of effectively callback free objects with applications to smart contracts. Proc. ACM Program. Lang. 2(POPL), 1–28 (2017)

    Google Scholar 

  17. Hahn, A., Singh, R., Liu, C.C., Chen, S.: Smart contract-based campus demonstration of decentralized transactive energy auctions. In: 2017 IEEE Power & Energy Society Innovative Smart Grid Technologies Conference (ISGT), pp. 1–5. IEEE (2017)

    Google Scholar 

  18. Hildenbrandt, E., et al.: KEVM: a complete formal semantics of the ethereum virtual machine, pp. 204–217. IEEE (2018).

  19. Hirai, Y.: Defining the ethereum virtual machine for interactive theorem provers. In: Brenner, M., et al. (eds.) FC 2017. LNCS, vol. 10323, pp. 520–535. Springer, Cham (2017).

    Chapter  Google Scholar 

  20. Jiao, J., Kan, S., Lin, S.W., Sanan, D., Liu, Y., Sun, J.: Executable operational semantics of solidity. arXiv preprint arXiv:1804.01295 (2018)

  21. Jordan, H., Scholz, B., Subotić, P.: Soufflé: on synthesis of program analyzers. In: Chaudhuri, S., Farzan, A. (eds.) CAV 2016. LNCS, vol. 9780, pp. 422–430. Springer, Cham (2016).

    Chapter  Google Scholar 

  22. Kalra, S., Goel, S., Dhawan, M., Sharma, S.: ZEUS: analyzing safety of smart contracts. Internet Society (2018).

  23. Lu, N., Wang, B., Zhang, Y., Shi, W., Esposito, C.: Neucheck: a more practical ethereum smart contract security analysis tool. Pract. Exp. Softw.(2019)

    Google Scholar 

  24. Luu, L., Chu, D.H., Olickel, H., Saxena, P., Hobor, A.: Making smart contracts smarter. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 254–269 (2016)

    Google Scholar 

  25. Mathieu, F., Mathee, R.: Blocktix: decentralized event hosting and ticket distribution network (2017).

  26. McCorry, P., Shahandashti, S.F., Hao, F.: A smart contract for boardroom voting with maximum voter privacy. In: Kiayias, A. (ed.) FC 2017. LNCS, vol. 10322, pp. 357–375. Springer, Cham (2017).

    Chapter  Google Scholar 

  27. Nakamoto, S.: Bitcoin: a peer-to-peer electronic cash system (2008).

  28. Notheisen, B., Gödde, M., Weinhardt, C.: Trading stocks on blocks - engineering decentralized markets. In: Maedche, A., vom Brocke, J., Hevner, A. (eds.) DESRIST 2017. LNCS, vol. 10243, pp. 474–478. Springer, Cham (2017).

    Chapter  Google Scholar 

  29. Panescu, A.T., Manta, V.: Smart contracts for research data rights management over the ethereum blockchain network. Sci. Technol. Libr. 37(3), 235–245 (2018)

    Article  Google Scholar 

  30. Schneidewind, C., Grishchenko, I., Scherer, M., Maffei, M.: ethor: practical and provably sound static analysis of ethereum smart contracts. arXiv preprint arXiv:2005.06227 (2020)

  31. Tsankov, P., Dan, A., Drachsler-Cohen, D., Gervais, A., Bünzli, F., Vechev, M.: Securify: practical security analysis of smart contracts, pp. 67–82. ACM (2018).

  32. Wood, G.: Ethereum: a secure decentralised generalised transaction ledger. Ethereum Proj. Yellow Paper 151, 1–32 (2014)

    Google Scholar 

  33. Wood, G.: Ethereum: a secure decentralised generalised transaction ledger (2014)

    Google Scholar 

  34. Yang, Z., Lei, H.: Lolisa: formal syntax and semantics for a subset of the solidity programming language. arXiv preprint arXiv:1803.09885 (2018)

  35. Zakrzewski, J.: Towards verification of ethereum smart contracts: a formalization of core of solidity. In: Piskac, R., Rümmer, P. (eds.) VSTTE 2018. LNCS, vol. 11294, pp. 229–247. Springer, Cham (2018).

    Chapter  Google Scholar 

Download references


This work has been partially supported by the European Research Council (ERC) under the European Union’s Horizon 2020 research (grant agreement 771527-BROWSEC); by the Austrian Science Fund (FWF) through the projects PROFET (grant agreement P31621) and the project W1255-N23; by the Austrian Research Promotion Agency (FFG) through the Bridge-1 project PR4DLT (grant agreement 13808694) and the COMET K1 SBA; and by the Internet Foundation Austria (IPA) through the netidee project EtherTrust (Call 12, project 2158).

Author information

Authors and Affiliations


Corresponding authors

Correspondence to Clara Schneidewind , Markus Scherer or Matteo Maffei .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and permissions

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Schneidewind, C., Scherer, M., Maffei, M. (2020). The Good, The Bad and The Ugly: Pitfalls and Best Practices in Automated Sound Static Analysis of Ethereum Smart Contracts. In: Margaria, T., Steffen, B. (eds) Leveraging Applications of Formal Methods, Verification and Validation: Applications. ISoLA 2020. Lecture Notes in Computer Science(), vol 12478. Springer, Cham.

Download citation

  • DOI:

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-61466-9

  • Online ISBN: 978-3-030-61467-6

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics