TechRxiv

Why Smart Contracts Reported as Vulnerable were not Exploited?

preprint
posted on 2023-07-20, 20:06, authored by Tianyuan Hu, Jingyue Li, Bixin Li, André Storhaug

Smart contract security is essential for blockchain applications. Studies show that few of the reported vulnerabilities are exploited. However, no follow-up study has been performed on why the reported vulnerabilities are not exploited. We aim to understand the reasons for the low exploitation rate in order to help improve vulnerability detection practices. We first collect 136,969 unique real-world smart contracts and analyze them using seven vulnerability detectors. Then, we apply Strauss' grounded theory approach to understand whether the reported vulnerabilities are exploitable. In addition, we analyze the transaction logs of the exploitable vulnerabilities to understand their exploitation in history. Among the 4,364 smart contracts reported as vulnerable by the vulnerability detectors, 75.27% are unexploitable. Only 66 (0.015%) exploitable contracts have been exploited. We uncover 11 reasons that make the detectors misidentify unexploitable vulnerabilities and six reasons that may lower the possibility of exploitable contracts being exploited by attackers. We illustrate that, beyond treating smart contracts as yet another Object Oriented (OO) application, it is essential to consider the Solidity programming language's design principles, smart contracts' application scenarios, and their execution environments. Based on the study's insights, we provide several suggestions to improve smart contract vulnerability detection, prioritization, and mitigation.

Funding

National Key Research and Development Program of China

Research Council of Norway

Key Research and Development Program of Jiangsu Province

History

Email Address of Submitting Author

tianyuan.hu@foxmail.com

ORCID of Submitting Author

0000-0002-5431-9346

Submitting Author's Institution

Southeast University

Submitting Author's Country

China
