Abstract
As smart contracts process digital assets, their security is essential
for blockchain applications. Many approaches have been proposed to
detect smart contract vulnerabilities. Studies show that few of the
reported vulnerabilities are exploited and hypothesize that many of the
reported vulnerabilities are false positives. However, no follow-up
study is performed to confirm the hypothesis and understand why the
reported vulnerabilities are not exploited. In this study, we first
collect 136,969 unique real-world smart contracts and analyze them using
four vulnerability detectors, namely Oyente, SmartCheck, Slither, and
SolDetector. Then, we apply Strauss’ grounded theory approach to
manually analyze the source code of the smart contracts reported as
vulnerable to recognizing false positives and understand the reasons for
false results. In addition, we analyze the transaction logs of the smart
contracts reported as vulnerable to identifying and understanding their
exploitations. Our results show that 75.37% of the 4,364 smart
contracts reported as vulnerable are false positives, and eleven reasons
are causing the false positives. After analyzing the 4,106,134
transaction logs of the contracts reported as vulnerable, we find that
vulnerabilities of only 67 (0.015%) of the contracts have been
exploited in history. We also identify six reasons for demotivating and
preventing the attackers from exploiting the vulnerabilities. Our
results reveal that state-of-the-art smart contract vulnerability
detectors primarily treat the smart contracts as yet another application
developed using Object Oriented (OO) languages when analyzing and
reporting the smart contract vulnerabilities. Without considering the
specific design principles of the Solidity programming language and the
characteristics of smart contracts’ application scenarios and execution
environments, many of the reported vulnerabilities are not exploitable
or not cost-effective to be exploited by adversaries.