Essential Maintenance: All Authorea-powered sites will be offline 9am-10am EDT Tuesday 28 May
and 11pm-1am EDT Tuesday 28-Wednesday 29 May. We apologise for any inconvenience.

loading page

Why Smart Contracts Reported as Vulnerable were not Exploited?
  • +1
  • Tianyuan Hu ,
  • Jingyue Li ,
  • Bixin Li ,
  • André Storhaug
Tianyuan Hu
Southeast University

Corresponding Author:[email protected]

Author Profile
Jingyue Li
Author Profile
André Storhaug
Author Profile

Abstract

As smart contracts process digital assets, their security is essential for blockchain applications. Many approaches have been proposed to detect smart contract vulnerabilities. Studies show that few of the reported vulnerabilities are exploited and hypothesize that many of the reported vulnerabilities are false positives. However, no follow-up study is performed to confirm the hypothesis and understand why the reported vulnerabilities are not exploited. In this study, we first collect 136,969 unique real-world smart contracts and analyze them using four vulnerability detectors, namely Oyente, SmartCheck, Slither, and SolDetector. Then, we apply Strauss’ grounded theory approach to manually analyze the source code of the smart contracts reported as vulnerable to recognizing false positives and understand the reasons for false results. In addition, we analyze the transaction logs of the smart contracts reported as vulnerable to identifying and understanding their exploitations. Our results show that 75.37% of the 4,364 smart contracts reported as vulnerable are false positives, and eleven reasons are causing the false positives. After analyzing the 4,106,134 transaction logs of the contracts reported as vulnerable, we find that vulnerabilities of only 67 (0.015%) of the contracts have been exploited in history. We also identify six reasons for demotivating and preventing the attackers from exploiting the vulnerabilities. Our results reveal that state-of-the-art smart contract vulnerability detectors primarily treat the smart contracts as yet another application developed using Object Oriented (OO) languages when analyzing and reporting the smart contract vulnerabilities. Without considering the specific design principles of the Solidity programming language and the characteristics of smart contracts’ application scenarios and execution environments, many of the reported vulnerabilities are not exploitable or not cost-effective to be exploited by adversaries.