Essential Maintenance: All Authorea-powered sites will be offline 9am-10am EDT Tuesday 28 May
and 11pm-1am EDT Tuesday 28-Wednesday 29 May. We apologise for any inconvenience.

loading page

Why Smart Contracts Reported as Vulnerable were not Exploited?
  • +1
  • Tianyuan Hu ,
  • Jingyue Li ,
  • Bixin Li ,
  • André Storhaug
Tianyuan Hu
Southeast University

Corresponding Author:[email protected]

Author Profile
Jingyue Li
Author Profile
André Storhaug
Author Profile

Abstract

Smart contract security is essential for blockchain applications. Studies show that few of the reported vulnerabilities are exploited. However, no follow-up study is performed to why the reported vulnerabilities are not exploited. We aim to understand the reasons for the low exploitation rate to help improve vulnerability detection practices. We first collect 136,969 unique real-world smart contracts and analyze them using seven vulnerability detectors. Then, we apply Strauss’ grounded theory approach to understand if they are exploitable. In addition, we analyze the transaction logs of the exploitable vulnerabilities to understand their exploitations in history.  Among the 4,364 smart contracts reported as vulnerable by the vulnerability detectors, 75.27% of them are unexploitable. Only 66 (0.015%) exploitable contracts have been exploited. We uncover 11 reasons for making the detectors misidentify unexploitable vulnerabilities and six reasons that may lower the possibility of exploitable contracts being exploited by attackers. We illustrate that: beyond treating the smart contracts as yet another Object Oriented (OO) application, it is essential to consider the Solidity programming language’s design principle, smart contracts’ application scenarios, and their execution environments. Based on the study’s insights, we provide several suggestions to improve smart contract vulnerability detection, prioritization, and mitigation.