
Applicability of the Software Security Code Metrics for Ethereum Smart Contract

  • Conference paper
The International Conference on Deep Learning, Big Data and Blockchain (Deep-BDB 2021)

Abstract

The Ethereum blockchain allows, through software called smart contracts, the automation of contract execution between multiple parties without requiring a trusted middle party. However, smart contracts are vulnerable to attacks. Tools and programming practices are available to support the development of secure smart contracts. These approaches are effective in mitigating smart contract vulnerabilities, but the unsophisticated smart contract ecosystem prevents them from being foolproof. Besides, blockchain immutability does not allow smart contracts deployed on the blockchain to be updated. Thus, businesses and developers would have to develop new contracts if vulnerabilities were detected in their smart contracts deployed on Ethereum, which would imply new costs for the business. To support developers and businesses in smart contract security decision-making, we investigate the applicability of security code metrics from the non-blockchain domain to the smart contract domain. We use the Goal Question Metric (GQM) approach to analyze the applicability of these metrics to the smart contract domain based on metric construct and measurement. As a result, we found 15 security code metrics that can be applied to smart contract development.

Notes

  1. https://github.com/ndaangekevin/security-code-metric-collection-for-smart-contract.-E-voting-casae-study.

  2. https://github.com/ndaangekevin/security-code-metric-collection-for-smart-contract.-Supply-chain-casae-study.

Author information

Corresponding author

Correspondence to Aboua Ange Kevin N’DA.

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Cite this paper

Kevin N’DA, A.A., Matalonga, S., Dahal, K. (2022). Applicability of the Software Security Code Metrics for Ethereum Smart Contract. In: Awan, I., Benbernou, S., Younas, M., Aleksy, M. (eds) The International Conference on Deep Learning, Big Data and Blockchain (Deep-BDB 2021). Deep-BDB 2021. Lecture Notes in Networks and Systems, vol 309. Springer, Cham. https://doi.org/10.1007/978-3-030-84337-3_9
