Smart Contract Vulnerabilities Research Articles

Vulnerability detection techniques for smart contracts: A systematic literature review

The number of applications supported by blockchain smart contracts has been greatly increasing in recent years, with smart contracts now being used across several domains, such as the music industry, finance, and retail, to name a few. Despite being used in business-critical contexts, the number of security vulnerabilities in smart contracts has also been increasing, with many of them being exploited and resulting in huge financial and reputation losses. This is despite the enormous effort that is being placed into the research and development of vulnerability detection tools and techniques, which have also greatly increased in number and type in the last few years. Motivated by the recent increase in both vulnerabilities and vulnerability detection techniques, this paper reviews the latest research in smart contract vulnerability detection, emphasizing the techniques being used, the vulnerabilities targeted, and the characteristics of the dataset used for evaluating the technique. We mapped the vulnerabilities against two common vulnerability classification schemes (DASP and SWC) and performed a consolidated analysis. We identified the current research trends and gaps in each technique and highlighted future research opportunities in the field.

SGDL: Smart contract vulnerability generation via deep learning

AbstractThe growing popularity of smart contracts in various areas, such as digital payments and the Internet of Things, has led to an increase in smart contract security challenges. Researchers have responded by developing vulnerability detection tools. However, the effectiveness of these tools is limited due to the lack of authentic smart contract vulnerability datasets to comprehensively assess their capacity for diverse vulnerabilities. This paper proposes a Deep Learning‐based Smart contract vulnerability Generation approach (SGDL) to overcome this challenge. SGDL utilizes static analysis techniques to extract both syntactic and semantic information from the contracts. It then uses a classification technique to match injected vulnerabilities with contracts. A generative adversarial network is employed to generate smart contract vulnerability fragments, creating a diverse and authentic pool of fragments. The vulnerability fragments are then injected into the smart contracts using an abstract syntax tree to ensure their syntactic correctness. Our experimental results demonstrate that our method is more effective than existing vulnerability injection methods in evaluating the contract vulnerability detection capacity of existing detection tools. Overall, SGDL provides a comprehensive and innovative solution to address the critical issue of authentic and diverse smart contract vulnerability datasets.

Efficiently Detecting Reentrancy Vulnerabilities in Complex Smart Contracts

Reentrancy vulnerability as one of the most notorious vulnerabilities, has been a prominent topic in smart contract security research. Research shows that existing vulnerability detection presents a range of challenges, especially as smart contracts continue to increase in complexity. Existing tools perform poorly in terms of efficiency and successful detection rates for vulnerabilities in complex contracts. To effectively detect reentrancy vulnerabilities in contracts with complex logic, we propose a tool named SliSE. SliSE’s detection process consists of two stages: Warning Search and Symbolic Execution Verification . In Stage 1, SliSE utilizes program slicing to analyze the Inter-contract Program Dependency Graph (I-PDG) of the contract, and collects suspicious vulnerability information as warnings. In Stage 2, symbolic execution is employed to verify the reachability of these warnings, thereby enhancing vulnerability detection accuracy. SliSE obtained the best performance compared with eight state-of-the-art detection tools. It achieved an F1 score of 78.65%, surpassing the highest score recorded by an existing tool of 9.26%. Additionally, it attained a recall rate exceeding 90% for detection of contracts on Ethereum. Overall, SliSE provides a robust and efficient method for detection of Reentrancy vulnerabilities for complex contracts.

Smart contract vulnerability detection using wide and deep neural network

Smart contracts, integral to blockchain technology, automate agreements without intermediaries, ensuring transparency and security across various sectors. However, the immutable nature of blockchain exposes deployed contracts to potential risks if they contain vulnerabilities. Current approaches, including symbolic execution and graph-based machine learning, aim to ensure smart contract security. However, these methods suffer from limitations such as high false positive rates, heavy reliance on trained data, and over-generalization.The goal of this paper is to investigate the application of Wide and Deep Neural Networks in identifying vulnerabilities within smart contracts. We introduce WIDENNET, a method based on deep neural networks, designed to detect reentrancy and timestamp dependence vulnerabilities in smart contracts. Our approach involves extracting bytecodes from the contracts and converting them into Operational Codes (OPCODES), which are then transformed into distinct vector representations. These vectors are subsequently fed into the neural network to extract both complex and simple patterns for vulnerability detection. Testing on real-world datasets yielded an average accuracy of 83.07% and a precision of 83.13%. Our method offers a potential solution to mitigate vulnerabilities in blockchain applications.

Smart contract vulnerabilities detection with bidirectional encoder representations from transformers and control flow graph

Smart contract vulnerabilities detection with bidirectional encoder representations from transformers and control flow graph

OpenSCV: an open hierarchical taxonomy for smart contract vulnerabilities

Smart contracts are nowadays at the core of most blockchain systems. Like all computer programs, smart contracts are subject to the presence of residual faults, including severe security vulnerabilities. However, the key distinction lies in how these vulnerabilities are addressed. In smart contracts, when a vulnerability is identified, the affected contract must be terminated within the blockchain, as due to the immutable nature of blockchains, it is impossible to patch a contract once deployed. In this context, research efforts have been focused on proactively preventing the deployment of smart contracts containing vulnerabilities, mainly through the development of vulnerability detection tools. Along with these efforts, several heterogeneous vulnerability classification schemes appeared (e.g., most notably DASP and SWC). At the time of writing, these are mostly outdated initiatives, even though new smart contract vulnerabilities are consistently uncovered. In this paper, we propose OpenSCV, a new and Open hierarchical taxonomy for Smart Contract vulnerabilities, which is open to community contributions and matches the current state of the practice while being prepared to handle future modifications and evolution. The taxonomy was built based on the analysis of the existing research on vulnerability classification, community-maintained classification schemes, and research on smart contract vulnerability detection. We show how OpenSCV covers the announced detection ability of the current vulnerability detection tools and highlight its usefulness in smart contract vulnerability research. To validate OpenSCV, we performed an expert-based analysis wherein we invited multiple experts engaged in smart contract security research to participate in a questionnaire. The feedback from these experts indicated that the categories in OpenSCV are representative, clear, easily understandable, comprehensive, and highly useful. Regarding the vulnerabilities, the experts confirmed that they are easily understandable.

A vulnerability detection framework by focusing on critical execution paths

Context:Vulnerability detection is critical to ensure software security, and detecting vulnerabilities in smart contract code is currently gaining massive attention. Existing deep learning-based vulnerability detection methods represent the code as a code structure graph and eliminate vulnerability-irrelevant nodes. Then, they learn vulnerability-related code features from the simplified graph for vulnerability detection. However, this simplified graph struggles to represent relatively complete structural information of code, which may affect the performance of existing vulnerability detection methods. Objective:In this paper, we present a novel Vulnerability Detection framework based on Critical Execution Paths (VDCEP), which aims to improve smart contract vulnerability detection. Method:Firstly, given a code structure graph, we deconstruct it into multiple execution paths that reflect rich structural information of code. To reduce irrelevant code information, a path selection strategy is employed to identify critical execution paths that may contain vulnerable code information. Secondly, a feature extraction module is adopted to learn feature representations of critical paths. Finally, we feed all path feature representations into a classifier for vulnerability detection. Also, the feature weights of paths are provided to measure their importance in vulnerability detection. Results:We evaluate VDCEP on a large dataset with four types of smart contract vulnerabilities. Results show that VDCEP outperforms 14 representative vulnerability detection methods by 5.34%–60.88% in F1-score. The ablation studies analyze the effects of our path selection strategy and feature extraction module on VDCEP. Moreover, VDCEP still outperforms ChatGPT by 34.46% in F1-score. Conclusion:Compared to existing vulnerability detection methods, VDCEP is more effective in detecting smart contract vulnerabilities by utilizing critical execution paths. Besides, we can provide interpretable details about vulnerability detection by analyzing the path feature weights.

An interpretable model for large-scale smart contract vulnerability detection

Smart contracts hold billions of dollars in digital currency, and their security vulnerabilities have drawn a lot of attention in recent years. Traditional methods for detecting smart contract vulnerabilities rely primarily on symbol execution, which makes them time-consuming with high false positive rates. Recently, deep learning approaches have alleviated these issues but still face several major limitations, such as lack of interpretability and susceptibility to evasion techniques. In this paper, we propose a feature selection method for uplifting modeling. The fundamental concept of this method is a feature selection algorithm, utilizing interpretation outcomes to select critical features, thereby reducing the scales of features. The learning process could be accelerated significantly because of the reduction of the feature size. The experiment shows that our proposed model performs well in six types of vulnerability detection. The accuracy of each type is higher than 93% and the average detection time of each smart contract is less than 1 ms. Notably, through our proposed feature selection algorithm, the training time of each type of vulnerability is reduced by nearly 80% compared with that of its original.

SGuard+: Machine Learning Guided Rule-Based Automated Vulnerability Repair on Smart Contracts

Smart contracts are becoming appealing targets for hackers because of the vast amount of cryptocurrencies under their control. Asset loss due to the exploitation of smart contract codes has increased significantly in recent years. To guarantee that smart contracts are vulnerability-free, there are many works to detect the vulnerabilities of smart contracts, but only a few vulnerability repair works have been proposed. Repairing smart contract vulnerabilities at the source code level is attractive as it is transparent to users, whereas existing repair tools, such as SCRepair and sGuard , suffer from many limitations: (1) ignoring the code of vulnerability prevention; (2) possibly applying the repair to the wrong statements and changing the original business logic of smart contracts; and (3) showing poor performance in terms of time and gas overhead. In this work, we propose machine learning guided rule-based automated vulnerability repair on smart contracts to improve the effectiveness and efficiency of sGuard . To address the limitations mentioned above, we design the features that characterize both the symptoms of vulnerabilities and the methods of vulnerability prevention to learn various vulnerability patterns and reduce false positives. Additionally, a fine-grained localization algorithm is designed by traversing the nodes of the abstract syntax tree, and we refine and extend the repair rules of sGuard to preserve the original business logic of smart contracts and support new vulnerability types. Our tool, named sGuard+ , reduces time overhead based on machine learning models, and reduces gas overhead by fewer code changes and precise patching. In our experiment, we collect a publicly available vulnerability dataset from CVE, SWC, and SmartBugs Curated as a ground truth for evaluations. Overall, sGuard+ repairs more vulnerabilities with less time and gas overhead than state-of-the-art tools. Furthermore, we reproduce about 9,000 historical transactions for regression testing. It is shown that sGuard+ has no impact on the original business logic of smart contracts.

Smart Contract Vulnerability Detection: The Role of Large Language Model (LLM)

Smart contracts are susceptible to various vulnerabilities that can lead to significant financial losses. The usage of tools for vulnerabilities is reducing the threats but presents some limitations related to the approach used by the tool itself. This paper presents a novel approach to smart contract vulnerability detection utilizing Large Language Models (LLMs), as a tool to detect all the vulnerabilities at once. Our proposed tool leverages the advanced natural language processing capabilities of LLMs to analyze smart contract code and identify potential security flaws. By training the LLM on a diverse dataset of known smart contract vulnerabilities and secure coding practices, we enhance its ability to recognize subtle and complex vulnerabilities that traditional static analysis tools might miss. The evaluation of our tool demonstrates its effectiveness in detecting a wide range of vulnerabilities with satisfaction and accuracy, providing developers with a robust mechanism to improve the security of their smart contracts before deployment. This approach signifies a significant advancement in the application of artificial intelligence for blockchain security, highlighting the potential of LLMs to enhance the reliability and safety of decentralized applications.

A vulnerability detection framework with enhanced graph feature learning

Vulnerability detection in smart contracts is critical to secure blockchain systems. Existing methods represent the bytecode as a graph structure and leverage graph neural networks to learn graph features for vulnerability detection. However, these methods are limited to handling the long-range dependencies between nodes. This means that they might focus on learning local node feature while ignoring global node information. In this paper, we propose a novel vulnerability detection framework with Enhanced Graph Feature Learning (EGFL), which aims to extract the global node information and utilize it to improve vulnerability detection in smart contracts. Specifically, we first represent the bytecode as a Control Flow Graph (CFG). To extract global node information, EGFL constructs a linear node feature matrix from CFG, and uses the feature-aware and relationship-aware modules to handle long-range dependencies between nodes. Meanwhile, a graph neural network is adopted to extract the local node feature from CFG. Subsequently, we fuse the global node information and local node feature to generate an enhanced graph feature for capturing more vulnerability features. We evaluate EGFL on the benchmark dataset with six types of smart contract vulnerabilities. Results show that EGFL outperforms fourteen state-of-the-art vulnerability detection methods by 10.83%–60.28% in F1 score.

Implementation of Multi Extension in Blockchain-Based IoT Platform for Industrial IoT Devices

The rise of the Internet of Things (IoT) has led to the creation of technologies to improve human life. IoT involves integrating the Internet with the physical world, spanning applications like smart homes, industries, supply chains, academia, and more. By the end of 2020, around 212 billion IoT devices were globally deployed, presenting substantial opportunities for manufacturers and diverse applications. There have been numerous implementations of IoT across various fields, including Blockchain IoT (B-IoT), Artificial Intelligence of Things (AIoT), Digital Twin, and new communication protocols like the Matter protocol. We conducted a comprehensive testing of the blockchain (B-IoT) extension system on various bandwidths and scenarios, such as blockchain API execution time, speed, retention performance, and smart contract vulnerability testing. Our testing has been successful, and several messaging systems were used. Kafka was recommended to overcome the pending transaction problem caused by unprocessed messages. Our smart contract exhibited high severity. The Artificial Intelligence of Things extension, tested on real environments for person and vehicle counters, has shown successful results. Digital Twin, integrated into the IoT platform to perform and control 3D assets such as the postgraduate PENS building, has demonstrated efficient performance. Matter protocol achieved an average task execution speed of 0.48 tasks per second. Matter P2P communication was also successfully tested in this research by implementing the Access Control List (ACL) command.

Security of the Secp256k1 Elliptic Curve used in the Bitcoin Blockchain

The article delves into the intricate characteristics and security properties of the secp256k1 elliptic curve used for the generation of addresses in the Bitcoin blockchain. The Bitcoin blockchain is a decentralized digital ledger that records all transactions made with Bitcoin cryptocurrency. In this work, the secp256k1 elliptic curve and its parameters and the method of generating private and public keys using random numbers are described. While the private key allows for the signing of transactions to spend Bitcoin, the corresponding public key and address enable others to verify transactions and send funds to that specific address on the blockchain, ensuring security, authenticity, and privacy in the decentralized network. The attacks on the use of secp256k1 for generating the bitcoin addresses like the Brute force attack, twist attack, fault attacks, and side channel attacks in the implementation of the elliptic curve are discussed. By maintaining the security and integrity of secp256k1, we can ensure that cryptographic operations, such as digital signatures and key exchanges, remain uncompromised. If the curve's security were compromised, malicious users could potentially derive private keys from public keys, leading to unauthorized transactions, double-spending, or other malicious activities. The security of implementation can be enhanced by ensuring cryptographic libraries and software implementations that utilize secp256k1 undergo thorough testing and validation to ensure correct and secure operations. The important attacks on blockchain technology like the 51% attack, Sybil attack, Double Spending attack, and Smart Contract vulnerabilities are discussed. Through a comprehensive exploration, readers will gain insights into why this particular elliptic curve was chosen for use in Bitcoin's cryptographic protocols, highlighting its role in ensuring the robustness and integrity of the blockchain ecosystem.

Understanding Common Smart Contract Vulnerabilities and the Critical Need for Testing and Audits

Understanding Common Smart Contract Vulnerabilities and the Critical Need for Testing and Audits

The Impact of Input Types on Smart Contract Vulnerability Detection Performance Based on Deep Learning: A Preliminary Study

Stemming vulnerabilities out of a smart contract prior to its deployment is essential to ensure the security of decentralized applications. As such, numerous tools and machine-learning-based methods have been proposed to help detect vulnerabilities in smart contracts. Furthermore, various ways of encoding the smart contracts for analysis have also been proposed. However, the impact of these input methods has not been systematically studied, which is the primary goal of this paper. In this preliminary study, we experimented with four common types of input, including Word2Vec, FastText, Bag-of-Words (BoW), and Term Frequency–Inverse Document Frequency (TF-IDF). To focus on the comparison of these input types, we used the same deep-learning model, i.e., convolutional neural networks, in all experiments. Using a public dataset, we compared the vulnerability detection performance of the four input types both in the binary classification scenarios and the multiclass classification scenario. Our findings show that TF-IDF is the best overall input type among the four. TF-IDF has excellent detection performance in all scenarios: (1) it has the best F1 score and accuracy in binary classifications for all vulnerability types except for the delegate vulnerability where TF-IDF comes in a close second, and (2) it comes in a very close second behind BoW (within 0.8%) in the multiclass classification.

Reentrancy vulnerability detection based on graph convolutional networks and expert patterns under subspace mapping

Smart contracts with automatic execution capability provide a vast development space for transactions in Blockchain. However, due to the vulnerabilities in smart contracts, Blockchain has suffered huge economic losses, which greatly undermines people’s trust in Blockchain and smart contracts. In this paper, we explore a vulnerability detection method based on graph neural networks and combine both contract source code and opcode. The structure of the method consists of four modules, i.e., preprocessing, subspace mapping, feature extraction, and detection modules. In the feature mapping module, we use a multi-subspace mapping approach to explore the impact of different subspace mappings on the detection method. For reentrancy vulnerability, we conducted extensive experiments. The experiments prove that our method achieves 95% accuracy and 94% F1-Score on average.

Detection of vulnerabilities in blockchain smart contracts using deep learning

Detection of vulnerabilities in blockchain smart contracts using deep learning

Securing Smart Contracts: Harnessing the Power of Efficient NetB2 Detection

Objective: Using a variety of datasets from the Ethereum documentation and Smart Contract Dataset repository, this study tackles the crucial problem of classifying smart contract vulnerabilities. Methods: Our study uses a three-module method and focuses on the Resource 3 Dataset, which contains over 2,000 Ethereum smart contracts, including inherited contracts. The groundwork for deep learning model training is laid in Module 1 by extracting bytecode from Solidity files and creating images thereafter. In Colab, Module 2 entails importing data, pre-processing, SMOTE balancing, and building three deep learning models: CNN, XCEPTION, and EfficientNet-B2. Module 3 is a Flask-based web application created in Visual Studio Code that enables vulnerability predictions, bytecode extraction, and user interaction. Findings: With an overall accuracy of 71 percent, the Convolutional Neural Network (CNN) displays its effectiveness in classifying vulnerabilities. Although the accuracy of XCEPTION and EfficientNet-B2 is 69% and 75%, respectively, the latter is the top performer. Novelty & Applications: The online application adds to the comprehensive examination of smart contract security by giving users an easy-to-use interface. The EfficientNet-B2 model stands out as a dependable tool for precise vulnerability classification, and this study advances our understanding of and efforts to mitigate vulnerabilities in Ethereum smart contracts. Keywords: Smart Contracts, Vulnerability Classification, Ethereum, Deep Learning, Convolutional Neural Network (CNN)

Examination of Approaches for Identifying Vulnerabilities in Smart Contracts

Objective: By reviewing various previous works, this paper collects the multiple of approaches, strategies used to identify vulnerabilities in smart contracts. Blockchain is a decentralized technology that securely and immutably, records transactions across numerous computers in a visible manner. On a blockchain, smart contracts are self-executing agreements that independently execute and verify contract conditions. This reduces the need for middlemen and increases transparency. Smart contract vulnerabilities are problems in the code that could allow other parties to gain access to, alter, or steal assets as a result of mistakes, faults or imperfections made during development, thereby causing financial and operational harm. In this paper we have algorithms, techniques to detect vulnerabilities in smart contract using deep learning found in literature surveys. Methods: We have found some techniques using opcode, bytecode, Skip-Gram-Word2Vec to convert the smart contract file. Findings: We have found that LSTM, Vanilla-RNN, GRU have very less accuracy 49.64,53.68,54.54. Novelty & Applications: We will come with some different algorithms that will understand different vulnerability with more accuracy. We have come with CNN, Xception, EfficientNet-B2 which has accuracy high then LSTM, Vanilla-RNN, GRU i.e.71,69,75 percent.

Blockchain and Cryptocurrency Security: Challenges, Innovations, and Future Directions

Blockchain technology and cryptocurrencies have emerged as transformative innovations with the potential to revolutionize various sectors, including finance, supply chain management, and healthcare. However, their widespread adoption also brings forth significant security challenges. This paper provides an overview of the security issues facing blockchain and cryptocurrency systems, explores current research efforts to address these challenges, and discusses potential future directions in blockchain and cryptocurrency security research. We examine topics such as secure consensus mechanisms, smart contract vulnerabilities, privacy-preserving techniques, and regulatory considerations. By understanding these challenges and exploring innovative solutions, we aim to foster the development of more robust and secure blockchain-based systems.