Abstract

The Ethereum blockchain stores and executes complex logic via smart contracts written in Solidity, a high-level programming language. Early versions of the Solidity language provide features for fine-grained control over smart contracts; later Solidity documentation discourages their use, but later compiler versions still support them for backward compatibility. We define these features as low-level functions. The high volume of transactions combined with improper use of low-level functions leads to security exploits with heavy financial loss. Consequently, the documentation suggests secure alternatives to the low-level functions. In this article, we first perform an empirical study of the use of low-level functions in Ethereum smart contracts, on a dataset of over 2,100,000 real-world smart contracts. We find that low-level functions are widely used and that the majority of these uses are gratuitous. We then propose GoHigh, a source-to-source transformation tool that eliminates low-level-function-related vulnerabilities by replacing low-level functions with secure alternatives. Our experimental evaluation on the dataset shows that GoHigh successfully replaces all low-level functions, with 4.9% fewer compiler warnings. Further, no unintended side effects are introduced in 80% of the contracts; the remaining 20% cannot be verified because of their external dependencies. GoHigh saves more than 5% of the gas cost of a contract. Finally, GoHigh takes 7 s on average per contract.
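To make the kind of rewrite the abstract describes concrete, here is an added illustration (not GoHigh's own transformation, whose exact rules the abstract does not state): an external call made through Solidity's low-level `call`, beside the typed interface call that the Solidity documentation recommends instead. The `IVault` interface and the `deposit()` target are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumed target interface for the example.
interface IVault {
    function deposit() external payable;
}

contract LowLevelStyle {
    // Low-level call: the compiler cannot check that `vault` really
    // exposes deposit(), a revert in the callee does NOT propagate, and
    // the (bool success, bytes memory data) result is discarded here.
    // solc reports "Return value of low-level calls not used" for this
    // line; if the callee reverts, the ether is kept by this contract and
    // the caller is never told that the deposit did not happen.
    function depositLowLevel(address vault) external payable {
        vault.call{value: msg.value}(abi.encodeWithSignature("deposit()"));
    }
}

contract HighLevelStyle {
    // Typed call through the interface: the selector and argument types
    // are checked at compile time, the compiler inserts a code-size check
    // on the target, and a revert in the callee bubbles up automatically,
    // so no manual success check can be forgotten.
    function depositHighLevel(address vault) external payable {
        IVault(vault).deposit{value: msg.value}();
    }
}
```

Compiling both contracts with solc shows the warning only for `LowLevelStyle`, which is the class of warning the abstract counts when it reports fewer warnings after transformation.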
