Abstract
In 2022, the Ethereum Entreprise Alliance (EEA) published a first version of EthTrust [2], a document that aims to certify the security level of smart contracts written in the Solidity language. A smart contract is a computer code whose execution is triggered by a transaction issued by a peer on a distributed network. Once deployed in a blockchain, the contract is immutable and no security flaw can be corrected. In order to provide an uninitiated user with the means to check the security level of the targeted contract before sending a transaction, it would be desirable to have a tool capable of certifying the security level of smart contracts. With this objective in mind, the work presented in this paper aims to qualify the existing tools for detecting vulnerabilities in contracts, as well as advances based on the use of AI to analyse the Solidity language. Finally, the needs and a methodology are discussed to build a tool for systematically certifying the security level of open source smart contracts.
This work is a collaborative research action that is supported by the French National Research Agency (ANR) in the framework of the “investissements d’avenir” program ANR-10-AIRT-05, irtnanoelec.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
- 2.
- 3.
- 4.
- 5.
- 6.
- 7.
- 8.
- 9.
- 10.
- 11.
- 12.
References
Wood, G.: Ethereum: a secure decentralised generalised transaction ledger. Ethereum Yellow Paper (2014). https://ethereum.github.io/yellowpaper/paper.pdf
Ethereum Entreprise Alliance: EEA EthTrust Security Levels Specification v-after-1 (Editor’s Draft). EEA Editor’s Draft, 27 August 2023. https://entethalliance.github.io/eta-registry/security-levels-spec.html
Zhang, L., et al.: CBGRU: a detection method of smart contract vulnerability based on a hybrid model. MDPI Sensors 22(9), 3577 (2022). https://dl.acm.org/doi/abs/10.1145/3457337.3457841
Nehaï, Z., Bobot, F.: Deductive proof of industrial smart contracts using Why3. In: Sekerinski, E., et al. (eds.) FM 2019. LNCS, vol. 12232, pp. 299–311. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-54994-7_22
Atzei, N., Bartoletti, M., Cimoli, T.: A survey of attacks on Ethereum smart contracts (SoK). In: Maffei, M., Ryan, M. (eds.) POST 2017. LNCS, vol. 10204, pp. 164–186. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-662-54455-6_8
Ashizawa, N., Yanai, N., Cruz, J.P., Okamura, S.: Eth2Vec: learning contract-wide code representations for vulnerability detection on Ethereum smart contracts. arXiv:2101.02377v2 [cs.CR], 8 January 2021. https://arxiv.org/pdf/2101.02377.pdf
Goswami, S., Singh, R., Saikia, N., Bora, K.K., Sharma, U.: TokenCheck: towards deep learning based security vulnerability detection in ERC-20 tokens. In: 2021 IEEE Region 10 Symposium (TENSYMP), Jeju, Republic of Korea, pp. 1–8 (2021). https://doi.org/10.1109/TENSYMP52854.2021.9550913
Yashavant, C.S., Kumar, S., Karkare, A.: ScrawlD: a dataset of real world Ethereum smart contracts labelled with vulnerabilities. arXiv:2202.11409v3 [cs.CR], 25 February 2022. https://arxiv.org/pdf/2202.11409.pdf
Hao, X., Ren, W., Zheng, W., Zhu, T.: SCScan: a SVM-based scanning system for vulnerabilities in blockchain smart contracts. In: 2020 IEEE 19th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), Guangzhou, China, pp. 1598–1605 (2020). https://doi.org/10.1109/TrustCom50675.2020.00221
Zeng, Q., et al.: EtherGIS: a vulnerability detection framework for Ethereum smart contracts based on graph learning features. In: 2022 IEEE 46th Annual Computers, Software, and Applications Conference (COMPSAC), Los Alamitos, CA, USA, pp. 1742–1749 (2022). https://doi.org/10.1109/COMPSAC54236.2022.00277
Momeni, P., Wang, Y., Samavi, R.: Machine learning model for smart contracts security analysis. In: IEEE Proceeding of PST 2019, pp. 1–6 (2019)
Ghaleb, A., Pattabiraman, K.: How effective are smart contract analysis tools? Evaluating smart contract static analysis tools using bug injection. arXiv:2005.11613v1 [cs.SE], 23 May 2020. https://arxiv.org/pdf/2005.11613.pdf
Durieux, T., Ferreira, J.F., Abreu, R., Cruz, P.: Empirical review of automated analysis tools ethereum smart contracts. arXiv:1910.10601v2 [cs.SE], 9 February 2020. https://arxiv.org/pdf/1910.10601.pdf
Luu, L., Chu, D.-H., Olickel, H., Saxena, P., Hobor, A.: Making smart contracts smarter. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 254–269 (2016)
Tsankov, P., Dan, A., Drachsler-Cohen, D., Gervais, A., Buenzli, F., Vechev, M.: Securify: practical security analysis of smart contracts. In: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pp. 67–82 (2018)
Mueller, B.: Smashing Ethereum smart contracts for fun and real profit, HITB SECCONF Amsterdam (2018)
Feist, J., Grieco, G., Groce, A.: Slither: a static analysis framework for smart contracts. In: 2019 IEEE/ACM 2nd International Workshop on Emerging Trends in Software Engineering for Blockchain (WETSEB), pp. 8–15 (2019)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Mekkouri, M., Hennebert, C. (2024). Practices for Assessing the Security Level of Solidity Smart Contracts. In: Mosbah, M., Sèdes, F., Tawbi, N., Ahmed, T., Boulahia-Cuppens, N., Garcia-Alfaro, J. (eds) Foundations and Practice of Security. FPS 2023. Lecture Notes in Computer Science, vol 14551. Springer, Cham. https://doi.org/10.1007/978-3-031-57537-2_5
Download citation
DOI: https://doi.org/10.1007/978-3-031-57537-2_5
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-57536-5
Online ISBN: 978-3-031-57537-2
eBook Packages: Computer ScienceComputer Science (R0)