1 An Overview on Smart Contracts: Challenges, Advances and Platforms Zibin Zheng,Shaoan Xie, Hong-Ning Dai, Weili Chen, Xiangping Chen, Jian Weng, Muhammad Imran

Abstract—Smart contract technology is reshaping conventional industry and business processes. Being embedded in blockchains, Supplier Buyer Carrier smart contracts enable the contractual terms of an agreement to be enforced automatically without the intervention of a 1 trusted third party. As a result, smart contracts can cut down administration and save services costs, improve the efficiency of business processes and reduce the risks. Although smart Product contracts are promising to drive the new wave of innovation Catalog in business processes, there are a number of challenges to be Contract 1 tackled. This paper presents a survey on smart contracts. We first introduce blockchains and smart contracts. We then present the challenges in smart contracts as well as recent technical advances. Purchase We also compare typical smart contract platforms and give a order 2 categorization of smart contract applications along with some representative examples. Index Terms—Smart contract; Blockchain; Cryptocurrency; Sales order Decentralization

I.INTRODUCTION 3 Blockchain technology has recently fueled extensive in- terests from both academia and industry. A blockchain is Product a distributed software system allowing transactions to be Product Contract 2 transportation processed without the necessity of a trusted third party. As a delivery result, business activities can be completed in an inexpensive and quick manner. Moreover, the immutability of blockchains 4 also assures the distributed trust since it is nearly impossible Product to tamper any transactions stored in blockchains and all the reception historical transactions are auditable and traceable. Blockchain technology is enabling smart contracts that 5 were first proposed in 1990s by Nick Szabo [1]. In a smart contract, contract clauses written in computer programs will Payable Receivable be automatically executed when predefined conditions are account account met. Smart contracts consisting of transactions are essentially Payment stored, replicated and updated in distributed blockchains. In 6 arXiv:1912.10370v1 [cs.SE] 22 Dec 2019 contrast, conventional contracts need to be completed by a trusted third party in a centralized manner consequently Receivable Payable resulting in long execution time and extra cost. The integration account account of blockchain technology with smart contracts will make the dream of a “peer-to-peer market” come true. Figure 1. An example of a smart contract between a buyer and Take a smart contract between a buyer and a supplier as a supplier. an example. As shown in Figure 1, a supplier first sends a product catalog to a buyer through the blockchain network. This catalog that includes product descriptions (such as prop- erty, quantity, price and availability) along with shipping and payment terms is stored and distributed in the blockchain so that a buyer can obtain the product information and verify the Z. Zheng, S. Xie, W. Chen, X. Chen is with School of Data and Computer Science, Sun Yat-sen University, China. authenticity and reputation of the supplier at the same time. H.-N. Dai is with Faculty of Information Technology, Macau University of The buyer then submits the order with the specified quantity Science and Technology, Macau (email: [email protected]). and payment date via the blockchain. This whole procedure J. Weng is with Jinan University, Guangzhou, China. M. Immran is with College of Applied Computer Science, King Saud forms a purchase contract (i.e., Contract 1) enclosed in the University, Riyadh, Saudi Arabia blue box as shown in Figure 1. It is worth mentioning that 2 the whole procedure is completed between the buyer and the Table I. Acronym Table supplier without the intervention of a third party. Terms Acronyms After Contract 1 is done, the supplier will search for a carrier in the blockchain to complete the shipping phase. Like Proof of Work PoW Contract 1, the carrier also publishes the shipping description Proof of Stake PoS (such as transportation fees, source, destination, capacity and Practical Byzantine-Fault Tolerance PBFT shipping time) as well as shipping conditions and terms in Low Level Virtual Machine LLVM the blockchain. If the supplier accepts the contract issued by Convolutional Neural Network CNN the carrier, the products will be delivered to the carrier who Long Short Term Memory LSTM will finally dispatch the products to the buyer. This whole procedure constructs Contract 2 (enclosed in the pink box) as Ether ETH shown in Figure 1 . Similarly, the whole procedure of Contract Bitcoin BTC 2 is also conducted without the intervention of a third party. Ethereum Virtual Machine EVM In addition to automatic execution of Contract 1 and Con- Unspent Transaction Output UTXO tract 2, the payment procedures (including the payment from Internet of Things IoT the supplier to the carrier and that from the buyer to the Distributed Autonomous Corporation DAC supplier) are also completed automatically. For example, once the buyer confirms the reception of the products, the payment Certificate Authority CA between the buyer and the supplier will be automatically Delegated Proof of Stake DPOS triggered as the predefined condition is met. The financial WebAssembly Wasm settlement from the buyer to the supplier is conducted via Border Gateway Protocol BGP crypto currencies (e.g., Bitcoin or Ether1.). In contrast to conventional transactions, the whole process is done in a peer- to-peer manner without the intervention of third parties like be solved. For example, even if blockchains can assure a banks. As a result, the turnaround time and transactional cost certain anonymity of the parties of the contract, the privacy can be greatly saved. of the whole contract execution may not be preserved since In summary, smart contracts have the following advantages all the transactions are globally available. Moreover, it is compared with conventional contracts: challenging to ensure the correctness of smart contracts due to • Reducing risks. Due to the immutability of blockchains, vulnerabilities of computer programs to the faults and failures. smart contracts cannot be arbitrarily altered once they are There are some recent studies on smart contracts. For issued. Moreover, all the transactions that are stored and example, [12], [13], [14] present comprehensive surveys of duplicated throughout the whole distributed blockchain blockchain technology and briefly introduce smart contracts. system are traceable and auditable. As a result, malicious The work of [15] provides an in-depth survey on Ethereum behaviors like financial frauds can be greatly mitigated. smart contract programming vulnerabilities while [17] presents • Cutting down administration and service costs. Block- a detailed survey over verification methods on smart contract chains assure the trust of the whole system by dis- languages. The work of [16] reports authors’ experiences in tributed consensus mechanisms without going through a teaching smart contract programming and summarizes several central broker or a mediator. Smart contracts stored in typical types of mistakes made by students. Ref. [18] presents blockchains can be automatically triggered in a decentral- an empirical analysis on smart contract platforms. Recent ized way. Consequently, the administration and services studies [19], [20] also collect some literature of smart contracts costs due to the intervention from the third party can be and present reviews while fail to discuss the challenges in this significantly saved. area. Moreover, the work of [21] presents a brief overview of • Improving the efficiency of business processes. The elim- smart contract platforms and architectures. However, most of ination of the dependence on the intermediary can sig- existing papers fail to identify the rising challenges and give nificantly improve the efficiency of business process. a comprehensive survey. For example, Ethereum can be used Take the aforementioned supply-chain procedure as an to conduct illegal business such as Ponzi schemes that were example. The financial settlement will be automatically reported to defraud over 410,000 US dollars while few studies completed in a peer-to-peer manner once the predefined address this issue [22]. We summarize the differences between condition is met (e.g., the buyer confirms the reception this paper and existing studies in Table II. of the products). As a result, the turnaround time can be The objective of this paper is to conduct a systematic significantly reduced. overview of technical challenges in smart contracts enabled Smart contracts are boosting a broad spectrum of appli- by blockchain technologies. Contributions of this paper are cations ranging from industrial Internet of Things to financial highlighted as following: services [2], [3], [4], [5], [6], [7], [8], [9], [10], [11]. Although smart contracts have great potentials to reshape conventional • Important research challenges in the life cycle of smart business procedures, there are a number of challenges to contracts are identified. • Recent advances in addressing technical challenges are 1Commonly used acronyms in this paper are listed in Table I summarized. 3

Table II. Comparison with related work Research Ethereum Other Programming Other technical Technical Rising Applications platforms Languages challenges advances challenges [12], [13], [14] X       [15], [16] X  X     [17] X X X     [18] X X X    X [19], [20], [21] X X X X X  X This paper X X X X X X X

• A detailed comparison of typical smart contract platforms In summary, blockchain technology has the key characteris- is made. tics of decentralization, immutable, persistency and anonymity • Diverse smart contract applications are summarized. [26], [27], [28]. Organization of this paper. Section II gives a brief introduction to blockchains and smart contracts. Section III B. Smart Contract then summarizes research challenges in smart contracts as well Smart contracts can be regarded as a great advance in as recent technical advances. Section IV next compares typical blockchain technology [29]. In 1990s, a smart contract was smart contract development platforms. Section V categorizes proposed as a computerized transaction protocol that executes typical smart contract applications. Finally, Section VI con- the contractual terms of an agreement [1]. Contractual clauses cludes the paper. that are embedded in smart contracts will be enforced auto- matically when a certain condition is satisfied (e.g., one party II.OVERVIEW OF BLOCKCHAINAND SMART CONTRACT who breaches the contract will be punished automatically). Smart contracts are built upon blockchain technology en- Blockchains are enabling smart contracts. Smart contracts suring the correct execution of the contracts. We first provide are essentially implemented on top of blockchains. The ap- a brief introduction to blockchain technology in Section II-A. proved contractual clauses are converted into executable com- We then give an overview on smart contracts in Section II-B. puter programs. The logical connections between contractual clauses have also been preserved in the form of logical A. Blockchain flows in programs (e.g., the if-else-if statement). The A blockchain can be regarded as a public ledger, in which all execution of each contract statement is recorded as an im- transactions cannot be falsified. Figure 2 illustrates an example mutable transaction stored in the blockchain. Smart contracts of a blockchain. A blockchain is a continuously-growing chain guarantee appropriate access control and contract enforcement. of blocks. When a new block is generated, all the nodes in In particular, developers can assign access permission for the network will participate in validating the block. Once the each function in the contract. Once any condition in a smart block is validated, it will be appended to the blockchain. contract is satisfied, the triggered statement will automatically To validate the trustfulness of blocks, consensus algorithms execute the corresponding function in a predictable manner. are developed. Consensus algorithms determine which node to For example, Alice and Bob agree on the penalty of violating store the next block and how the new appended block to be the contract. If Bob breaches the contract, the corresponding validated by other nodes. Representative consensus algorithms penalty (as specified in the contract) will be automatically paid include proof of work (PoW) [23] and proof of stake (PoS) (deducted) from Bob’s deposit. and practical byzantine-fault tolerance (PBFT) [24], [25]. The whole life cycle of smart contracts consists of four Consensus algorithms are usually done by users who first solve consecutive phases as illustrated in Figure 3: the puzzle (i.e., PoW or PoS). These users are called miners. 1) Creation of smart contracts. Several involved parties first Each miner keeps a full copy of the blockchain. Different from negotiate on the obligations, rights and prohibitions on PoW and PoS, PBFT requires a multi-round voting process to contracts. After multiple rounds of discussions and nego- reach the consensus. The distributed consensus algorithms can tiations, an agreement can reach. Lawyers or counselors ensure that transactions are done without the intervention of will help parties to draft an initial contractual agree- third parties like banks. As a result, the transaction costs can ment. Software engineers then convert this agreement be saved. Moreover, users transact with their virtual addresses written in natural languages into a smart contract written instead of real identities so that the privacy of users is also in computer languages including declarative languages preserved. and logic-based rule languages [30]. Similar to the In blockchain systems, it is possible that several nodes can development of computer software, the procedure of successfully reach the consensus (i.e., solving the puzzle) at the smart contract conversion is composed of design, the same time, consequently it can cause the bisected branches. implementation and validation (i.e., testing). It is worth To solve the disparity, a shorted side chain is desolated as mentioning that the creation of smart contracts is an shown in Figure 2 while the longest chain is selected as the iterative process involving with multiple rounds of ne- valid chain. This mechanism is effective since the longer chain gotiations and iterations. Meanwhile, it is also involved is more tolerant to malicious attacks than the shorter chain in with multiple parties, such as stakeholders, lawyers and distributed systems. software engineers. 4

A shorter side chain is desolated

Block jj Block j + 1

Genesis block Block 1 Block ii Block i + 1 Block mm

MerkleRoot Hash of block i 1 Hash of block ii − Timestamp Nonce Timestamp Nonce hash (TX1 , TX2) … hash (TXn 1, TXn) − MerkleRoot MerkleRoot

TX 1 TX 2 TX TX 1 TX 2 TX hash (TX1) hash (TX2) … hash (TXn) nn nn

Block ii Block i + 1 TX 11 TX 22 … TX nn

Figure 2. A blockchain consists of a sequence of blocks, each of which contains an inverse hash pointing back to its parent block. Meanwhile, there are a number of transactions stored inside a block.

2) Deployment of smart contracts. The validated smart (e.g., money transfer from the buyer to the supplier). contracts can then be deployed to platforms on top of Consequently, digital assets of involved parties have blockchains. Contracts stored on the blockchains cannot been unlocked. The smart contract then has completed be modified due to the immutability of block-chains. the whole life cycle. Any emendation requires the creation of a new contract. It is worth mentioning that during deployment, execution Once smart contracts are deployed on blockchains, and completion of a smart contract, a sequence of transactions all the parties can access the contracts through the has been executed (each corresponding to a statement in the blockchains. Moreover, digital assets of both involved smart contract) and stored in the blockchain. Therefore, all parties in the smart contract are locked via freezing the these three phases need to write data to the blockchain as corresponding digital wallets [31]. For example, the coin shown in Figure 3. transfers (either incoming or outgoing) on the wallets relevant to the contract are blocked. Meanwhile, the III.CHALLENGES AND ADVANCES OF SMART CONTRACT parties can be identified by their digital wallets. 3) Execution of smart contracts. After the deployment Although a smart contract is a promising technology, there of smart contracts, the contractual clauses have been are still a number of challenges to be tackled. We categorize monitored and evaluated. Once the contractual con- these major challenges into four types according to four phases ditions reach (e.g., product reception), the contractual of the life cycle of smart contracts. Meanwhile, we also give procedures (or functions) will be automatically executed. an overview on recent advances in solving these challenges. It is worth noting that a smart contract consists of a Table III summarizes the challenges and recent advances. number of declarative statements with logical connec- tions. When a condition is triggered, the corresponding A. Creation challenges statement will be automatically executed, consequently Contract creation is an important step to implement smart a transaction being executed and validated by miners in contracts. Users have to code their own contracts and then the blockchains [32]. The committed transactions and deploy them in various blockchain platforms (to be introduced the updated states have been stored on the blockchains in Section IV). Since blockchains are essentially immutable, thereafter. blockchain-based smart contracts also cannot be modified after 4) Completion of smart contracts. After a smart contract being deployed. As a result, developers need to carefully has been executed, new states of all involved parties are address the following problems. updated. Accordingly, the transactions during the execu- 1) Readability: Most of smart contracts are written in tion of the smart contracts as well as the updated states programming languages such as Solidity, Go, Kotlin and are stored in blockchains. Meanwhile, the digital assets Java (to be described in Section IV). Then source codes have been transferred from one party to another party will be compiled and executed. Therefore, in different time 5

Creation Deployment Execution Completion

Unfreezing of assets Negotiation Smart contract Deployment Freezing of assets Evaluation Auto-execute State updating 1. Negotiation of multiple 1. Contracts stored on 1. Evaluation on contract 1. State updating and digital parties blockchain clauses (conditions) assets allocated 2. Design, implementation 2. Freezing of digital assets 2. Auto-execute contract 2. Unfreezing of digital and validation of smart of involved parties statements once triggered assets contract

Write to Write to Write to blockchain blockchain blockchain

Software Program engineer

Genesis block Block 1 Block ii Block i + 1 Block mm

Approve Blockchain Figure 3. A life cycle of a smart contract consists of four major phases: Creation, Deployment, Execution and Completion periods, programs have different forms of codes. How to make Ref. [36] proposed an intermediate level language named programs readable in each form remains a big challenge. IELE to solve this challenge. IELE has a similar syntax to Low Level Virtual Machine (LLVM) [37] so as to provide Recent advances for readability challenge compilers with high-level information during the compile • Recover source code: It is shown in [33] that more than time, link time, run time, and idle time. 77% smart contracts have not released public source 2) Functional issues: There are a number of functional codes, all of which are involved with over $3 billion issues with incumbent smart contract platforms. We present US dollars. Unavailability of source code makes smart several representative challenges: 1) Re-entrancy means that contract be opaque to the official auditors. To address this the interrupted function can be safely recalled again. Ma- issue, [33] proposed a reverse engineering tool (namely licious users may exploit this vulnerability to steal digital Erays) to analyze compiled smart contracts. This reverse currency as indicated in [81]. 2) Block randomness. Some engineering tool is able to convert hex encoded contract smart contract applications such as lotteries and betting pools into a human readable pseudo codes. may require randomness of generated blocks. This can be • Human readable code: Frantz and Nowostawski [34] pro- achieved by generating pseudo-random numbers in a block posed a semi-automated translation system that can con- timestamp or nonce. However, some malicious miners may vert human-readable contract representations into compu- fabricate some blocks to deviate from the outcome of the tational programs. Essentially, this semi-automated trans- pseudo-random generator. In this way, attackers can control lation system has been implemented according to the the probability distribution of the outcomes as shown in [82]. concept from institutional analysis [80]. In particular, 3) Overcharging. It is shown in recent work [44] that smart institution specifications can be decomposed into different contracts can be overcharged due to the under-optimization of components such as attributes, deontic, aim, smart contracts. These overcharged patterns have the features conditions and or else. These components are like dead code, expensive operations in loops consisting of then mapped into the corresponding blocks written in repeated computations. programming languages. For example, the attributes Recent advances for functional issues can be converted into structs in Solidity. Since most of smart contract programming languages are object- • Re-entrancy: Recently, several proposals attempt to solve oriented languages, [35] argues that declarative language some of the above challenges. Obsidian [38] was pro- backed by a logic programming computational model posed to address re-entrancy attacks and money leakage might be more suitable for smart contract. For example, problems. In particular, Obsidian exploits named states to the authors claim that Prolog (a type of logic language) enable consistency checking on state transitions and ver- does not requires compilation so it also avoids the in- ification so that re-entrancy vulnerability can be mended. spection on smart contract compilation. Moreover, a data flow analytical method was proposed • Human readable execution: Although many platforms to prevent the illegal digital currency stealing from the attempt to provide smart contract developers with high leakage. Ref. [39] proposed to eliminate re-entrancy level languages, these smart contracts will then be com- vulnerabilities by prohibiting the nesting calling among piled into other forms, e.g., bytecode in Ethereum Virtual functions in the contract. Liu et al. [40] proposed to Machine (EVM). In most of cases, two parties in the perform the fuzz testing on smart contracts by iteratively transaction need to understand the contracts at the level generating random but diverse transactions to detect re- that it has been stored and executed on blockchain. entrancy bugs. 6

Table III. Summary of challenges and advances in smart contracts

Phases Challenges Advances

• Recover source code [33] 1) Readability • Human readable code [34], [35] • Human readable execution [36], [37] Creation • Re-entrancy [38], [39], [40] 2) Functional issues • Block randness [41], [42], [43] • Overcharging [44], [45] • Bytecode analysis [46], [47], [48], [49], [50], [51], [52], [53] 1) Contract correctness • Source code analysis [54], [55], [56], [57] • Machine learning based analysis [58], [59], [60] Deployment • Graph based analysis [61], [62] 2) Dynamic control flow • Path-searching [63] • Execution environment [64] • Third-party involved [65] 1) Trustworthy oracle • Decentralized [66], [67] • Sequential execution [68] Execution 2) Transaction-ordering dependence • Predefining contract [69] • Execution serialization [70], [71], [72] 3) Execution efficiency • Inspection of contract [73] • Privacy [74], [75] 1) Privacy and Security • Security [76] Completion • Ponzi scheme [77] [22], [78] 2) Scam • Honeypot [79]

• Block randness: Blockchain is regarded as a promising B. Deployment challenges technology to generate public and unpredictable random After creation, smart contracts will be deployed on values. However, the random output might not be so blockchain platforms. But smart contracts need to be checked random as people expect. Miners could control the block carefully to avoid potential bugs. Furthermore, smart contract generation and release the block until they find it prof- developers need to be aware of the contract’s interaction itable. To address this issue, [41] proposed to use the patterns to mitigate potential losses due to the malicious be- delay-function to generate randomness. It means that the haviors (such as frauds and attacks [83]). We next describe the random value will be only be known to others after a challenges as well as advances in smart contract deployment. short time period since its generation. In this way, the 1) Contract correctness: Once smart contracts have been blockchain moves on and the miners could not withhold deployed on blockchains, it is nearly impossible to make any their blocks to profit. But delay functions are not suitable revisions. Therefore, it is of vital importance to evaluate the for smart contracts as most of they require instance correctness of smart contracts before the formal deployment. verification. To this end, [42] proposed the Sloth function However, it is challenging to verify the correctness of smart to allow faster verification. Based on [42], [43] proposed contracts due to the complexity of modelling smart contracts. a multi-round protocol to verify delay functions using a refereed delegation model. It reduces the cost of verifying Recent advances for contract correctness the output from $30 to $0.4. • Bytecode analysis: Bytecode level analysis only requires • Overcharging: Besides from caring the efficiency of their the compiled bytecodes of smart contracts, which are programs, developers of smart contract also need to pay much easier to obtain. How to utilize these bytecode attention to their execution costs. Ref. [44] reported to detect security threats has become a hot research that over 90% of real smart contracts suffer from gas- topic. In particular, OYENTE was proposed in [46] to costly patterns in Ethereum. Chen et al. [45] proposed identify potential security bugs including mishandled GasReducer, a tool used to detect gas-costly patterns. exceptions and timestamp-dependent problems. Based on GasReducer can replace under-optimized bytecode with the control graph generated by OYENTE, [47] produces efficient bytecode. the rule-based representations for high level bytecode analysis. Meanwhile, Knecht and Stiller [48] proposed a smart contract deployment and management platform 7

(SmartDEMAP) to address the trust problem during the by identifying irregular token sequences and optimize contract development and deployment. Moreover, other existing in-depth analyzers. Meanwhile, the work of [59] code quality control tools such as automated bug-finders translates the bytecode of smart contract into RGB color can also be equipped with SmartDEMAP. In this manner, that was transformed into images. The images were fed smart contracts can be deployed only after the trustful into a convolutional neural network (CNN) to extract conditions are fulfilled. Ref. [49] proposed MadMax to more meaningful features. Moreover, [60] applied Long predict gas-focus vulnerabilities in Ethereum smart con- Short Term Memory (LSTM) to analyze the security tracts. The combination of control-flow-analysis-based threats of smart contracts at an opcode level. decompiler and declarative program-structure queries en- ables the method detecting the vulnerabilities in high 2) Dynamic Control flow: Despite the fact that the deployed precision. Meanwhile [84] symbolically analyzed the smart contracts are immutable, the control flow of smart con- contract dependency graph to extract precise semantic tracts is not guaranteed to be immutable. In particular, a smart information from the code. Then, it checks compliance contract can interact with other contracts (e.g., transferring and violation patterns that capture sufficient conditions funds to the contract or creating a new contract). The control to prove if a property holds or not. Furthermore, [50] flow of smart contract needs to be designed carefully when proposed a method to search for certain critical paths in developing the contract. The interaction of smart contracts the control flow graph of a smart contract and identify can result in an increased number of interconnected contracts paths that may lead to a critical instruction, where the over time. Therefore, how to predict the contract behaviours arguments of instructions can be controlled by an attacker. becomes challenging. In addition, most of existing methods Ref. [51] proposed Vandal, a tool which firstly converts pay attention to the detection of potential dynamic control low level bytecode into register transfer language that flow problems in programs while the reliability of the ex- was then translated into logic semantic relations. In ecution environment is not always ensured. Therefore, it is addition, [52] proposed Gigahorse, a tool which is able to also significant to check whether the execution environment is decompile smart contract bytecode to high level 3-address reliable. code representation. The new intermediate representation of smart contracts makes the implicit data and control Recent advances for dynamic control flow flow dependencies of the EVM bytecode be explicit. Amani et al. [53] reconstructed bytecode sequences into blocks of straight-line code and created a program logic • Graph based analysis: Charlier et al. [61] proposed a to identify the security vulnerability of the contract. multi-dimensional approach to predict interactions among • Source code analysis: Compared with bytecode level smart contracts. In particular, this approach integrates analysis, source code analysis requires the availability stochastic processes and tensors to reproduce existing of smart contract source codes. Although the source interactions, consequently predicting future contract inter- code analysis contains more information, it also requires actions. Furthermore, the work in [62] presents a heuristic highly-precise analysis. There are a number of studies indicator of control flow immutability. In particular, this on source code analysis of smart contracts. In particu- approach was evaluated on a call graph of all smart lar, a formal verification method was proposed in [54] contracts on Ethereum. Through analyzing the call graph, to analyze and verify both the runtime safety and the it is shown that two smart contracts (out of five) require functional correctness of smart contracts (e.g., Ethereum a trust in at least one third party. contracts). This method first translates smart contracts • Path-searching: Nikolic´ et al. [63] proposed a method into codes written in F* [55], which is a functional namely MAIAN to detect vulnerabilities across a long programming language mainly used for program verifi- sequence of invocations of a contract. MAIAN employs cation. This translation can be used to detect abnormal inter-procedural symbolic analysis and concrete validator patterns like stack overflow (i.e., exceeding the stack for exhibiting real exploits. It searches the spaces of limit). Meanwhile, [56] proposed Zeus to verify the all execution paths in a trace with depth-first search correctness of smart contracts. Zeus firstly translates the (DFS) and checks whether the contract triggers property contracts and policy specification into low-level interme- violation. Different from above graph-based methods, diate representation and feeds the encoded representation MAIAN is designed to identify either locking funds into constrained horn clauses [57] to ascertain the safety indefinitely, leakage to arbitrary users or being killed of the smart contract. by anyone. Therefore, it does not need to model the • Machine learning based analysis: Recently, machine interactions among smart contracts. learning-based methods have been proposed to obtain a • Execution environment: EVMFuzz [64] was proposed better representation for detecting vulnerabilities in smart to detect vulnerabilities of the execution environment contracts. In particular, [58] proposed a novel semantic- of smart contract. EVMFuzz continuously generate seed aware security auditing technique called the S-gram contracts for different EVM executions, so as to find as scheme for Ethereum. The S-gram scheme that com- many inconsistencies among execution results as possi- bines the N-gram language modeling and static semantic ble. This method can eventually discover vulnerabilities labeling can be used to predict potential vulnerabilities with cross-referencing outputs. 8

C. Execution challenges transition number, the inconsistency problem is solved. Execution phase is crucial to smart contracts as it determines • Predefining contract: To avoid such anomaly, [69] the final state of smart contracts. There are a number of issues proposed to write smart contracts instead of trans- to be addressed during the execution of smart contracts. actions. For example, if Alice wants to increase 1) Trustworthy oracle: Smart contracts cannot work with- the value of x after Bob’s operation, she writes a IncreaseIfMultiplied() out real-world information. For example, an Eurobet (i.e., a function, which avoids soccer betting smart contract) needs to know the result of the situation where Alice’s operation executes prior to European Cup. However, a smart contract is designed to run Bob’s. in a sandbox isolating from the outside network. In a smart 3) Execution Efficiency: Smart contracts are serially exe- contract, an oracle plays a role of an agent who finds and cuted by miners. In other words, a miner will not execute verifies real-world occurrences and forwards this information another contract until the current contract is completed. The to the smart contract. Thus, how to determine a trustworthy execution serialization essentially limits the system perfor- oracle becomes a challenge. mance. However, it is challenging to execute smart contracts concurrently due to the shared data between multiple smart Recent advances for trustworthy oracle contracts. In the meantime, how to inspect the contract data • Third-party involved: Town Crier (TC) [65] was proposed without prescribed interface is also important to improving the to address this challenge. In particular, TC scrapes data smart contract execution efficiency as it removes the need to from reliable web sites and feeds those data to smart redeploy a new contract. contracts. TC feeds the data in the form of datagram Recent advances for execution efficiency that is accompanied with the specific data-source web site and a concrete time frame. Meanwhile, TC executes • Execution serialization: To fill this gap, Dickerson et its core functionality in a Software Guard Extension al. [70] proposed an approach based on Software Trans- (SGE) enclave that protects TC from attacks of malicious actional Memory to allow miners or validators to execute behaviors. contracts in parallel. The main idea of this approach is to treat each invocation of a smart contract as a speculative • Decentralized: Ref. [66] proposed a decentralized oracle named ASTRAEA, which is based on a voting game atomic action. In this way, conflicts happened during the among stake-holders. In particular, voters place a rea- parallel executions can be rolled back easily. Furthermore, sonable amount of stakes to vote the random proposition the work in [71] investigated smart contracts in a concur- selected from the system. Once the weighted sum of votes rent perspective. In particular, concurrency issues such matches the vote from a voter, the voter will be rewarded, as atomicity, interference, synchronization, and resource otherwise, the voter will be penalized. Meanwhile, [67] ownership have been well studied in this paper. Ref. proposed a smart contract based solution for selecting [72] proposed to use optimistic Software Transactional trustworthy oracles. A reputation contract is used to Memory Systems to help improve the execution efficiency record each oracle-service-provider’s reputation accord- of smart contracts. While executing contract transactions ing to its previous performance. Then an aggregating concurrently using multi-threading, the miner also stores contract will calculate the final results of a query from a block graph of transactions into the block. Then the users and finalize the result. validators re-execute the smart contract concurrently with the given block graph. If the result is consistent, the block 2) Transaction-ordering dependence: Users send transac- will be appended into the blockchain. tions to invoke functions in a smart contract while miners pack • Inspection of contract: After deployment, the contract the transactions into blocks. However, the order of transactions content cannot be modified. What can developers do is not deterministic due to the uncertainty of the bisected if they are asked to observe some values that are not blockchain branches [26]. This uncertainty can cause incon- described in their initial requirements? A straightforward sistency of order-dependent transactions. For example, there solution is to amend the smart contract and re-deploy is a contract containing variant x. Alice sends a transaction it. However, the redeployment of smart contracts may to increase x by 1 while Bob sends a transaction to multiply cause additional costs. Ref. [73] proposed to exploit x by 10. Due to uncertainty of the transaction order, the final the memory layout reification to decompile the binary outcomes on variant x can either be x + 1 or x 10. It is × structure of a compiled contract. Meanwhile, the work of worth mentioning that this inconsistency has been well solved [73] proposed the decompilation capabilities encapsulated in conventional database management systems (DBMS) [85] in mirrors [86], through which the method can introspect while it is challenging to solve it in smart contracts as far as the current state of a smart contract instance without we know. redeploying it. Recent advances for transaction-ordering dependence

• Sequential execution: Ref. [68] introduced a design pat- D. Completion challenges tern of smart contract-transaction counter. Transaction After the execution of smart contract, the modification to counter expects a transition number in each function as the states in the system will be packed as a transaction and a parameter and ensures the number be increased by broadcasted to each node. However, the proliferation of smart one after each function execution. Through analyzing the contracts brings additional concerns. 9

1) Privacy and Security: Most current smart contract and blockchain platforms lack of privacy-preserving mechanisms, contract Multiplicator { ... especially for transactional privacy. In particular, the transac- function multiplicate(address receiver) tion records (i.e., the sequence of operations) are disseminated payable { throughout the whole blockchain networks. Consequently, all if (msg.value >= this.balance) the transactions are visible to everyone in the networks. Al- {receiver.transfer(this.balance+msg.value);} though some blockchain systems utilize pseudonymous public keys to improve the anonymity of the transactions, most } transaction data (such as balances) are still publicly visible. As shown in [87], it is possible to obtain useful information from the transaction data based on the transactional graph Figure 4. Example of smart contract honeypot [79] analysis. smart contract systems also have their inherent software vulnerabilities, which are susceptible to malicious attacks. In addition, smart contracts run on top of blockchain investments at an early phase to avoid the unnecessary loss. systems which are also suffering from system vulnerability. Recent advances for readability challenge For example, it is reported in [88] that attackers exploited • Ponzi scheme: Ponzi scheme is a classical fraud which Border Gateway Protocol (BGP) routing scheme to intercept promises high return rates with little risk to investors. messages in blockchains. It can cause high delay of message It pays the older investors with new investors’ funds. broadcasting and also hijack the traffic of a subset of nodes, But if there is no enough circulating money, the scheme thereby stealing digital currency. unravels those posteriors who consequently lose their Recent advances for privacy and security money. The recent work of [77] conducted a systematic study over the Ponzi schemes on Ethereum. In particular, • Privacy: To address the privacy concerns of smart con- 16,082,269 transactions were collected from July, 2015 tracts, Kosba et al. [74] proposed Hawk - a decentral- to May, 2017. It was found that 17,777 transactions were ized smart contract system to establish privacy-preserved related to Ponzi schemes, which had already collected smart contracts. In particular, the Hawk compiler will over 410,000 US dollars within only two years. Chen compile a contract into a cryptographic protocol auto- et al. [22] proposed a method to extract features from matically. The compiled Hawk program contains two both accounts and the operation codes to identify Ponzi major parts: a private portion used to execute the major schemes on Ethereum. Meanwhile, the work of [78] function and a public portion used to protect users. Hawk proposed a novel approach to detect and quantify Ponzi will encrypt the transaction information (e.g., transaction schemes on Bitcoin. In particular, to address the difficulty balance) and verify the correctness of transactions via of identifying Ponzi schemes as they often use multiple using zero-knowledge proofs (i.e., without viewing the addresses, a clustering method [78] was proposed to content of the transactions). The anonymity of the parties identify the addresses. They found that 19 out of 32 Ponzi in smart contracts can be ensured while the secrecy of schemes use more than one addresses. contract execution may not be fulfilled. Enigma [75] • Honeypot: Smart contract Honeypot implies that the offers a solution to the secrecy of smart contract ex- vulnerable-looking contracts contain hidden traps. Take ecution. Advanced cartographic algorithms are used in Figure 4 as an example. At the first glance, a naive Enigma to support zero-knowledge proofs. Moreover, user may believe that the contract will automatically Enigma distributes blockchain data in different nodes return the total amount of current balance plus extra unlike traditional blockchain redundant schemes (i.e., money after he or she sends the money to this contract. every node saves a copy of all transactions). However, the balance will increase prior to the function • Security: There are some efforts in solving the security execution and the condition of if (msg.value >= concerns. For example, the recent work of [76] pro- this.balance) will never be satisfied. The work of poses a secure relaying-network for blockchains, namely [79] developed a taxonomy of honeypot techniques and SABRE. In particular, SABRE adjusts the inter-domain use symbolic execution and heuristics to detect honeypots routing policies for BGP routing scheme. It can protect in smart contracts. In addition, [79] found that the honey- the link between clients and relays via placing relays pot contracts have made over $90,000 profit for creators. appropriately. Meanwhile, SABRE also adopts the co- design of hardware and software via software defined IV. SMART CONTRACT DEVELOPMENT PLATFORMS networking (SDN) to reduce the traffic burden at re- lays. Experimental results demonstrate the effectiveness Recently, smart contracts have been developed on block- against BGP routing attacks. chain-based platforms. These platforms provide developers with simple interfaces to build smart contract applications. 2) Scams: As a new technology, blockchain and smart con- Among a number of incumbent blockchain platforms, many of tracts are vulnerable to malicious attacks initiated by scams. them can support smart contracts. In this paper, we introduce The detection of scams is of great importance especially 5 most representative smart contract platforms: Ethereum [89], for contract users since it enables them to terminate their Hyperledger Fabric [90], Corda [91], Stellar [92], Rootstock 10

[93] in Section IV-A. We choose them mainly due the popular- with blockchains. Once the user has registered, he/she has ity in developing community and technical maturity as implied to request transaction certificates from transaction certificate in [94]. We next summarize the common features of them in authority (TCA). The consensus can be easily reached within Section IV-B. Finally, we give an example of developing a the permissioned blockchain-network. Fabric exploits PBFT smart contract in Section IV-C. which requires the multi-round voting among authenticated users. PBFT relies on multi-round communications among A. Representative platforms nodes, which can cause time delay. More efficient consensus algorithms should be developed to resolve this problem. 1) Ethereum: Ethereum is a decentralized platform that 3) Corda: In contrast to diverse applications of Ethereum, can execute smart contracts. In contrast to Bitcoin’s Turing- Corda [91] is specialized for digital-currency applications. incomplete script system, Ethereum has developed Turing- It serves as a distributed-ledger platform for saving and 2 3 complete languages such as Solidity , Serpent , Low-level processing historical digital-asset records. Corda adopts high- 4 5 Lisp-like Language (LLL) and Mutan to support general user level programming languages such as Java and Kotlin6, which applications beyond cyptocurrency applications. Ethereum are running on top of Java Virtual Machine (JVM). Mean- compiles smart contracts written by Solidity, Serpent, LLL while, Corda is Turing incomplete to support the verifiability. and Mutan into machine codes, which will then be loaded to Moreover, the data model in Corda is the transaction-based EVM and run. Meanwhile, Ethereum adopts the account-based model. data model, in which each participant is identified by its digital Corda typically supports private platforms, in which en- wallet. terprises establish an authored network to exchange digital- Similar to Bitcoin, Ethereum adopts PoW as the consensus assets in the private manner. In private blockchain platforms, algorithm, which is also computational intensive. To com- the consensus can easily reach. Corda adopts Raft [95] as the pensate the cost of solving puzzles done by miners, Ether consensus algorithm. The consensus in Raft can be achieved (ETH) instead of coins (BTC) in Bitcoin is used. Essentially, by selecting a leader, log replication and safety assurance. gas serves as an internal price for executing a transaction to Instead of globally broadcasting in blockchains, Corda uses the overcome the unstable value of ETH. Informally, the total cost point-to-point messaging mechanism. Users have to specify of a transaction can be calculated by gas limit gas price, the message receivers and the detailed information to be sent. where gas limit denotes the maximum amount× of gas to be 4) Stellar: Similar to Corda, Stellar [92] is a specialized used to generate a block and gas price is the cost of a unit platform for digital-currency applications. Compared with of gas (in ETH). Users can pay different amounts of gas to Ethereum, Stellar is simpler and more accessible. Meanwhile, let their transactions be confirmed earlier or later (i.e., large Stellar can support a diversity of languages such as Python, amount of gas resulting in the fast confirmation). Since PoW is JavaScript, Golang and PHP. However, Stellar contracts are not computationally intensive, it can waste a number of electricity Turing complete. Similar to Fabric, Stellar executes program for meaningless block mining tasks. It is expected if the mining codes on top of Docker containers, consequently reducing the process is used for meaningful events, such as help solving overhead. For example, the execution cost of one transac- mathematical puzzles and conducting machine learning tasks. tion at Stellar is only $0.0000002, which can almost be 2) Hyperledger Fabric: Hyperledger Fabric is also a dis- ignored. Moreover, the∼ execution time for one transaction tributed ledger platform for running smart contracts [90]. in Stellar is about 5 seconds on average in contrast to 3.5 Different from Ethereum who runs smart contacts in virtual minutes in Ethereum. Therefore, Stellar is an ideal platform machines (i.e., EVM), Hyperledger adopts Docker container for digital-currency applications. Like Ethereum, Stellar adopts to execute the code. In contrast to virtual machines (VMs), the account-based model as the data model. Stellar developed containers can support smart contract applications with lower its own consensus algorithm - Stellar Consensus Protocol overhead while sacrificing the isolation (i.e., applications in (SCP) [92]. Since Stellar is permissioned, the consensus can one container are running on top of one operating system). be easily reached via SCP. Instead of developing smart contract languages of Etherum, 5) Rootstock: Rootstock (RSK) [93] runs on top of Bitcoin Fabric supports conventional high-level programming lan- while supporting faster execution of transactions. For example, guages such as Java and Go (aka Golang). Similarly, Fabric is RSK can confirm the executed transaction within 20 seconds. also Turing complete. Fabric adopts key-value pair as the data Meanwhile, RSK is compatible with Ethereum (e.g., adopting model. Solidity to implement contracts). RSK contracts are also As Fabric is designed to support general enterprise applica- Turing complete7. Furthermore, RSK developed its own virtual tions, the Fabric blockchain-network is permissioned (private machines to run smart contracts. The data model of RSK is or consortium). Users have to be authorized to join the network also account-based while RSK is a public blockchain system. by certificate authorities (CAs). Since there are different roles RSK developed its consensus scheme based on PoW while in the network, multiple types of CAs coexist. For instance, the it adopts lightweight implementation consequently reducing enrollment certificate authority (ECA) allows users to register the overhead. Like Corda and Stellar, RSK was proposed to 2https://solidity.readthedocs.io/en/develop/ mainly support digital-currency applications. RSK has a merit, 3https://github.com/ethereum/wiki/wiki/Serpent 4https://lll-docs.readthedocs.io/en/latest/lll introduction.html 6https://kotlinlang.org/ 5https://github.com/ethereum/go-ethereum/wiki 7Bitcoin is not Turing complete while Rootstock is Turing complete. 11

Table IV. Comparison of Smart Contract Platforms

Ethereum Fabric Corda Stellar Rootstock EOS

Execution EVM Docker JVM Docker VM WebAssembly environment Language Solidity, Serpent, Java, Golang Java, Kotlin Python, JavaScript, Solidity C++ LLL, Mutan Golang and PHP, etc. Turing Completeness Turing complete Turing complete Turing incomplete Turing incomplete Turing complete Turing complete Data model Account-based Key-value pair Transaction-based Account-based Account-based Account-based Consensus PoW PBFT Raft Stellar Consensus PoW BFT-DPOS Protocol (SCP) Permission Public Private Private Consortium Public Public Application General General Digital currency Digital currency Digital currency General

i.e., much safer than those systems independent of blockchains • Turing completeness. Smart contracts on Ethereum, EOS, since it runs on top of Bitcoin. However, it can cause extra Fabric and RSK are all Turing complete while Corda and burden on Bitcoin blockchain. How to resolve this problem is Stellar are Turing incomplete. Turing-complete contracts crucial to RSK. are typically more expressive than Turing-incomplete 6) EOS: EOS [96] is designed to enable the scalability of contracts. However, the Turing completeness also brings decentralized applications. Instead of using one type of con- the potential software bugs being susceptible to malicious sensus algorithms only, EOS combines Byzantine Fault Toler- attacks (as illustrated in Section III). ance (BFT) and Delegated Proof of Stake (DPOS), thereby • Data Model. Corda adopts the unspent transaction output obtaining the advantages of both consensus algorithms. At (UTXO) model as Bitcoin does. In UTXO model, each each round, delegates (i.e., block producers) will be selected payment has to specify the previous unspent transaction by stake holders to produce a new block and BFT will proceed as the input. Then the specified transaction becomes among those selected delegates to make the block irreversible. spent. The changes will be made on new unspent trans- Similar to Bitcoin, EOS is also account-based but it also actions. Ethereum, Stellar, EOS and RSK adopt account- allows all accounts to be referenced by human readable names. based model, in which the balance of an address is Instead of customizing a virtual machine for code execution recorded directly instead of calculating all the unspent like Ethereum, EOS chooses to use WebAssembly (Wasm) so transaction amounts. Fabric exploits key-value model, in that it is possible to write a smart contract in various languages which data is represented in key-value pairs stored in as long as it can be compiled into Wasm (e.g., EOS supports blockchains. C++). • Consensus Algorithms. Ethereum and RSK adopt PoW, in which the validation of the trustfulness of a block B. Comparison of Smart Contract Platforms is equivalent to the solution of a computationally diffi- Table IV compares Ethereum, Fabric, Corda, Stella, Root- cult problem (i.e., a puzzle). PoW consensus algorithms stock (RSK) and EOS from the following aspects such as are typically computational-intensive. Fabric chooses to execution environment, supporting language, Turing com- PBFT consensus algorithm [24], in which several rounds pleteness, data model, consensus protocols, permission and of voting among authenticated nodes are taken to reach application. We next summarize the main characteristics of the consensus. Therefore, PBFT is network-intensive. these representative smart contract platforms as follows. In contrast, Corda adopts a simple consensus algorithm • Execution Environment. Contracts in Ethereum are ex- namely Raft to achieve the consensus between different ecuted in EVM. Similarly, Corda and Rootstock adopt sectors at the level of individual deals instead of a global JVM and RSK virtual machines, respectively. In contrast, system. Similarly, Stellar develops a simply consensus Fabric and Stellar run smart contracts on top of Docker algorithm named SCP to reach the consensus. EOS uses containers, consequently reducing the overhead while the combination of BFT and DPOS. sacrificing the isolation of applications. EOS chooses to • Permission. Ethereum, EOS and RSK are public use Wasm to support more smart contract languages. (i.e.permissionless) smart contract platforms and each • Supported Languages. Ethereum supports Solidity, Ser- user can arbitrarily join the network while Corda and pent and Mutan, which are specially designed for Hyperledger are private platforms only allowing authen- Ethereum. Fabric currently supports Java and Golang ticated users to access. Stellar sitting between public and while Corda adopts Java and Kotlin. Stellar can support a private blockchains is a consortium blockchain across diversity of languages such as Python, Javascript, Golang different enterprise sectors (or organizations). and PHP. To be compatible with Ethereum, RSK adopts • Applications of smart contract. Unlike Corda, Stellar and Solidity as the contract language while EOS currently RSK only support digital-currency while Ethereum and only supports C++. Fabric cater for a wider diversity of applications ranging 12

0 Smart contract Development 1 The validated transaction is Virtual Machine 4 Deployment then appended to other 01001000 01100101 01101100 (or Docker container) 01101100 01101111 00101100 Address transactions to form a block Compiler 00100000 01010011 01101101 01100001 01110010 01110100 Host OS 00100000 01000011 01101111 01101110 01110100 01110010 Interaction via 2 The node broadcasts the 01100001 01100011 01110100 Hash of block ii Hardware transactions transaction to the P2P network Smart-contract Machine Code Timestamp Nonce Smart-contract Client Code (Bytecode) MerkleRoot

TX 1 TX 2 TX nn

Block i + 1

newly added Alice Bob Money Transfer

3 The P2P network validates the transcaction Figure 5. Workflow of a smart contract

from digital currency, digital-asset management, capital amount of money in Bob’s wallet). It is worth mentioning that investment, public sector to sharing economy. In the each transaction needs to be validated across the blockchain future, Corda, EOS, Stellar and RSK and their derivatives network via the consensus algorithms as shown in Figure may support more general applications. 5. The validated transaction is then appended to the list of transactions. Since every node has a copy of the updated blockchain, it is difficulty to falsify the blockchain data. C. Example of developing a smart contract Coding Sample. The syntax of Solidity is similar to We next show how to develop and deploy a smart contract. JavaScript and it also supports inheritance and user-defined Take a contract of money transfer between Alice and Bob as types. Figure 6 shows an example of a smart contract written an example as shown in Figure 5. After several rounds of in Solidity. negotiations, the agreement between Alice and Bob reaches. Then the agreement is implemented by a smart contract V. APPLICATIONS OF SMART CONTRACT language (e.g., Solidity in Ethereum and Golang in Fabric). Smart contracts have a broad spectrum of applications rang- The smart contract code is next compiled via a compiler (e.g., ing from Internet of Things to sharing economy. In particular, solc for Solidity), which generates machine code (or bytecode) we roughly categorize major smart contract applications into running on top of either virtual machines (e.g., EVM, JVM) or six types as shown in Figure 7. We next describe them in Docker containers at a smart contract client. The smart contract details. client is essentially connected through a peer-to-peer network. After the smart contract is deployed across the blockchain A. Internet of Things network, a unique contract address is returned to the client to Internet of things (IoT) that is one of the most promising support the future interactions. Thereafter, users can interact technologies can support numerous applications including with the blockchain network via executing transactions in the supply chain management, inventory control systems, retailers, smart contract (e.g., deducting the specified amount of money access control, libraries, e-health systems, industrial Internet from Alice’s digital wallet and increasing the corresponding [97], [98], [99]. The main initiative of IoT is to integrate “smart” objects (i.e., “things”) into the Internet and to provide various services to users [100]. IoT has been proposed to // mortal.sol automate various business transactions in an implicit way. pragma solidity ˆ0.4.0; With the integration with smart contracts, the potentials contract mortal { of IoT can be unleashed. Take industrial manufacturing as /* Define variable owner of the type address an example. Most current manufacturers maintain their IoT */ address owner; ecosystems in a centralized manner. For instance, firmware /* This function is executed at updates can only be obtained at the central server manually initialization */ constructor() internal { owner = by various IoT devices through querying from devices to msg.sender; } the server. Smart contracts offer an automatic solution to /* Function to send 500 wei to receiver’s this problem [101]. Manufacturers can place firmware update address; 10ˆ18 wei=1 ether; */ function fundtransfer(address receiver) hashes on smart contracts deployed on blockchains distributed public{ if (msg.sender == owner) throughout the whole network. Devices can then obtain the {receiver.transfer(500);} } firmware hashes from smart contracts automatically. In this } way, resources are greatly saved. Smart contracts can also bring benefits to IoT e-business model. For example, the traditional e-business model often Figure 6. Example of smart contract written in Solidity in requires a third party serving as an agent to complete the pay- Ethereum ment. However, this centralized payment is costly and cannot 13

Distributed System Security Finance

Blockchain Data provenance Internet of Things

sensor Smart Contract

Public sector Sharing economy

Figure 7. Smart contract applications fully utilize advantages of IoT. In [4], Distributed autonomous Cloud computing is a promising technology to offer a Corporations (DACs) were proposed to automate transactions, ubiquitous access of a shared pool of computing and stor- in which there are no traditional roles like governments or age resources to users [104]. Generally, users can purchase companies involved with the payment. Being implemented by cloud services from trustful cloud service providers (CSPs). smart contracts, DACs can work automatically without human However, how to verify the trustfulness of CSPs becomes a intervention. Moreover, smart contracts can also help to speed challenge since CSPs often collude with each other to earn up conventional supply chains. For example, the marriage of more profits. Dong et al. [105] proposed a solution based supply chains with smart contracts can automate contractual on game theory and smart contracts. The main idea of this rights and obligations during the payment and the delivery of approach is to let a client ask two cloud servers to compute goods while all the parties in the whole process are trustful. the same task. During this process, smart contracts are used to stimulate tension, betrayal and distrust between the clouds. In this way, users can easily determine the rational clouds that B. Distributed system security will not collude and cheat. Experiments based on the contracts Smart contracts can bring benefits in improving the security written in Solidity on the official Ethereum network were also of distributed systems. Distributed Denial-of-Service (DDoS) conducted to verify the effectiveness of this proposal. attacks are one of major security threats in computer networks. Attackers flood the targeted machine with superfluous requests Moreover, brokers are typically used in cloud comput- to overload systems, consequently interrupting or suspending ing. Users’ requests are checked by a broker to match Internet services [102]. Recently, a collaborative mechanism with providers’ services. However, both users and service was proposed to mitigate DDoS attacks [103]. Compared providers must trust the broker. Once the broker is hijacked with traditional solutions, this scheme that is based on smart or compromised, both the parties become untrustful. Recently, contracts can tackle the attacks in a fully decentralized manner. Scoca et al. [9] proposed to use smart contracts to avoid In particular, once a server is attacked, the IP addresses of the usage of brokers. The main idea of their approach is to attackers will be automatically stored in a smart contract. In use distributed Service-Level-Agreements for Clouds (dSLAC) this manner, other nodes will be informed of the addresses of [106] to specify the needs via smart contracts. Meanwhile, a attackers. Furthermore, other security polices will be imme- utility function that evaluates the agreements according to both diately enforced, e.g., filtering the traffic from the malicious parties’ preferences was proposed to solve the mismatching users. problem. 14

C. Finance Illegal file Smart contracts can potentially reduce financial risks, cut Acquire down administration and service costs and improve the effi- Original Law enforcement officers file Buyer address & commodity ID ciency of financial services. We next explain the benefits of Decode smart contracts in the following typical financial services. Get Decode process Compare • Capital markets and investment banking. The traditional capital markets have suffered from the long settlement cycles. Smart contracts can significantly shorten the set- Punish Illegal file

tlement period from 20 days or more to 6 to 10 days Offender Blockchain User database consequently increasing attractiveness to customers. As a result, it is predicted in [107] that it can bring 5% to Figure 8. Smart contract to protect intellectual property 6% demand growth in the future and lead to additional income. • Commercial and retail banking. In additional to capi- Module (TPM) [114] store data activities along with privacy- tal markets, the adoption of smart contracts can also sensitive information (e.g., user ID, accessing time and user bring benefits to the mortgage loan industry [108]. Con- roles). How to preserve the privacy information is a chal- ventional mortgage loans are typically complicated in lenge. Ramachandran and Kantarcioglu [115] proposed a data the origination, funding and servicing processes, conse- provenance system based on smart contracts and blockchains. quently causing extra costs and delays. Smart contracts Researchers can submit their encrypted data to this system. can potentially reduce the costs and the delays through When there are any data changes, smart contracts will be automating the mortgage processes with the digitization invoked to track the transformations made to the data. In this of legal documents in blockchains. manner, any malicious falsifications of data can be captured. • Insurance. The application of smart contracts in the insur- In addition, Liang et al. [116] proposed ProvChain to collect ance industry can also reduce the processing overheads and verify cloud data provenance. The main idea of ProvChain and save the costs especially in claim handling [109]. is to embed provenance data into blockchain transactions so Take the motor insurance as an example. There are that any data modifications are traceable. ProvChain consists multiple parties in a motor insurance: insurer, customers, of three procedures: provenance data collection, provenance garages, transport providers and hospitals [110]. Smart data storage and provenance data validation. Experimental contracts can automate the settlement of claims by shar- results demonstrate that ProvChain offers tamper-proof data ing legal documents in the distributed ledger consequently provenance, privacy-preservation and data reliability. improving the efficiency, reducing the claim processing Moreover, smart contract can be used to protect intellectual time and saving costs. For another example, the insurance property of creative digital media. For example, Figure 8 gaint AXA has launched its insurance for flight delay shows an example of this application. Each digital product based on Ethereum smart contracts. Passengers who is embedded with a unique digital watermark (such as buyer’s purchase flight insurances will automatically sign a smart digital wallet address and product ID). If there is any infringe- contract, which connects to the global air traffic database. ment (e.g., the buyer sells the digital product to others without If the system notices a flight delay of over two hours, the permission from the creator), the law enforcement officer it will trigger a function in the smart contract, thereby can trace the illegal file with the original file via extracting passengers being paid immediately. the digital watermark and comparing the digital wallet address with buyer’s. As a result, the infringement of property-right D. Data provenance can be easily identified. The whole procedure can be achieved through smart contracts and blockchains. In addition to financial services, smart contracts can also be used to ensure information quality in scientific research and public health. It is reported in [111] that fabrication or E. Sharing economy falsification of data in clinical trials have occurred frequently The sharing economy brings many benefits such as reducing in recent years. For another example, one paper published consumer costs by borrowing and recycling items, improving in Nature in 2009 was reported to contain fraud data con- resource usage, enhancing quality of service, lowering the ducted by Haruko Obokata [112]. The fabricated data can environment impacts [119]. However, most current sharing either mislead the ongoing research directions or hamper the economy platforms are suffering from high transaction costs recovery of patients. Consequently, it can seriously undermine of customers, privacy exposure and unreliability of trusted the scientific and public trust. third parties due to the centralization. Smart contracts can Data provenance has been subsequently proposed to mit- potentially reshape sharing economy by decentralizing sharing igate this problem. The main idea of data provenance is to economy platforms. store the meta-data information of data origin, derivation and Bogner et al. [3] proposed a novel sharing economy plat- transformation. However, there are a number of challenges form based on Ethereum smart contracts. In particular, this in enforcing data provenance. For example, most provenance system allows users to register and share their items without logging tools such as Progger [113] and Trusted Platform a trusted third party. Meanwhile, personal information is also 15

Table V. Comparison of smart contract applications

Application Benefits Use Cases

XReducing the cost for maintaining central server (1) IoT device firmware auto-updating Internet of Things [101], [4] XAutomating P2P business trading (2) Supply chains speeding up XReducing cost for trusted third parties XSharing attack list quickly and reliably (1) Mitigating DDoS attack in computer networks Distributed Systems Security [103], [105], [9] XVerifying the trustfulness of cloud service providers (2) Cloud computing XAvoiding usage of brokers XReducing financial risks (1) Capital markets and investment banking Finance [107], [108], [109] XLowering administration and service costs (2) Commercial and retail banking XImproving efficiency of financial services (3) Insurance XCapturing malicious data falsification (1) Scientific research Data Provenance [115], [116] XImproving data reliability (2) Public health XPreserving privacy (3) Cloud data provenance XReducing consumer costs (1) Item sharing Sharing Economy [3], [117], [118] XReducing cost for trusted third parties (2) P2P automatic payment systems XPreserving privacy (3) Currency exchange platforms XPreventing data fraudulence (1) E-voting systems Public sector [5], [8], [7] XData transparency of public information (2) Personal reputation systems XPreserving privacy (3) Smart property exchange platforms privacy-preserved. The practical implementation also verifies the disclosure of user privacy. However, it still relies on a the effectiveness of the system. In addition, the fusion of trusted third authority to shuffle the voters so as not to reveal Internet of Things (IoT) and smart contracts can also advance user privacy. McCorry et al. [5] utilized the knowledge of sharing economy applications. Huckle et al. [117] discussed self-tallying voting protocols (i.e., voters can count the votes the integration of IoT with blockchains to develop sharing without a trusted third party) to build a fair voting system economy applications such as peer-to-peer automatic payment based on smart contracts. In this way, votes can be kept systems, traveling systems, digital assets management and privately while user identities are verifiable at the same time. currency exchange platforms. Smart contracts can also be used to establish personal digital Meanwhile, a privacy respecting approach was proposed identity and reputation. For example, Tsinghua University in [118] for blockchain-based sharing economy applications. User Reputation System (TURS) [8] is an online identity This scheme mainly solves the privacy leakage problem of management system based on smart contracts. The TURS blockchain-based systems due to the public openness of profile of a person is based on three aspects: personal reputa- blockchains. In particular, a zero-knowledge approach was tion, online reputation and professional reputation. Users can applied to this system. Realistic implementation also demon- protect their private information via smart contracts that grant strates the effectiveness of the proposed mechanism. access permissions to other users by programmable clauses (statements). Meanwhile, all the transactions that are recorded F. Public sector into blockchains cannot be tampered with or removed. Smart contracts along with blockchain technology are also Hillbom and Tillstrom¨ [7] proposed a smart property own- reshaping the public sector management. Blockchain can es- ership exchange protocol based on the smart property con- sentially prevent data fraudulence and provide the transparency cept firstly proposed by Szabo [120]. In this protocol, each of public information. Take a public bidding as an example. party in the transaction communicates with each other via The integration of blockchains and smart contracts can prove Bitmessage [121]. After the negotiation of the trading details identities of both bidders and bidding entities, automate the (e.g., a car’s digital certificate issued by its manufacturer), the bidding process, provide auditing and reviewing supports. buyer constructs and signs a raw transaction that reassigns There are several challenges in e-voting systems, such as the property ownership to the buyer himself/herself. After user identity verification and user privacy preservation (or the signed transaction is sent to the seller, the seller then voting anonymity). Smart contracts also offer the solution to checks the transaction information. If it is correct, the seller e-voting systems. A blockchain-based voting system named signs on the received transaction and broadcasts it publicly. Follow My Vote8 was proposed to verify user identities without Moreover, to ensure the consistency, the whole ownership transfer process has to be conducted in an atomic way. In 8Follow My Vote https://followmyvote.com/ other words, any failure during the whole process will abort 16 the whole ownership transfer process. For example, if the seller REFERENCES does not sign the transaction, he/she will not get the funds from [1] Nick Szabo. The idea of smart contracts. Nick Szabo’s Papers and the buyer. Moreover, Li et al. [122] proposed a secure energy Concise Tutorials, 1997. trading system based on consortium blockchain technology. [2] Hong-Ning Dai, Zibin Zheng, and Yan Zhang. Blockchain for internet of things: A survey. IEEE Internet of Things Journal, 2019. In particular, a credit-based payment scheme was proposed to [3] Andreas Bogner, Mathieu Chanson, and Arne Meeuw. A decentralised support fast energy trading without a trusted intermediary. sharing app running a smart contract on the ethereum blockchain. In Summary. Table V compares the smart contract applications. Proceedings of the 6th International Conference on the Internet of Things, pages 177–178, 2016. As shown in Table V, smart contracts can bring numerous [4] Yu Zhang and Jiangtao Wen. An IoT electric business model based on benefits for the aforementioned applications. In summary, the protocol of bitcoin. In Proceedings of 18th International Conference smart contracts have the merits like reducing the dependence on Intelligence in Next Generation Networks (ICIN), pages 184–191, 2015. on the trusted third parties, lowering the cost, improving the [5] Patrick McCorry, Siamak F Shahandashti, and Feng Hao. A smart data reliability and offering privacy-preservation. contract for boardroom voting with maximum voter privacy. IACR Cryptology ePrint Archive, 2017:110, 2017. [6] Loi Luu, Yaron Velner, Jason Teutsch, and Prateek Saxena. SMART VI.CONCLUSION POOL: Practical Decentralized Pooled Mining. In 26th USENIX This article presents an overview on the state-of-the-art of Security Symposium (USENIX Security), pages 1409–1426, 2017. [7] Erik Hillbom and Tobias Tillstrom.¨ Applications of smart contracts and smart contracts. In particular, we first provide a brief review smart property utilizing blockchains. Msc thesis in computer science, on smart contract and blockchain technologies. We then point Chalmers University of Technology and University of Gothenburg, out the challenges in smart contracts in different aspects of Sweden, 2016. [8] Affan Yasin and Lin Liu. An online identity and smart contract man- creation, deployment, execution, completion of smart con- agement system. In Proceedings of 40th Annual Computer Software tracts. Meanwhile, we also discuss the recent advances in and Applications Conference (COMPSAC), volume 2, pages 192–198, solving these challenges. We next compare several major smart 2016. [9] Vincenzo Scoca, Rafael Brundo Uriarte, and Rocco De Nicola. Smart contract platforms. Moreover, we categorize smart contract contract negotiation in cloud computing. In Cloud Computing applications and enumerate several typical use cases in each (CLOUD), 2017 IEEE 10th International Conference on, pages 592– category of applications. In summary, we hope this paper 599. IEEE, 2017. [10] Jiafu Wan, Jiapeng Li, Muhammad Imran, Di Li, et al. A blockchain- will serve as a guidance to developing secure and scalable based solution for enhancing security and privacy in smart factory. smart contract applications and promote the evolvement of IEEE Transactions on Industrial Informatics, 2019. blockchain technologies. [11] Sana Moin, Ahmad Karim, Zanab Safdar, Kalsoom Safdar, Ejaz Ahmed, and Muhammad Imran. Securing iots in distributed blockchain: On top of blockchains, smart contract is developing rapidly Analysis, requirements and open issues. Future Generation Computer albeit there are still a number of challenges to be addressed. Systems, 2019. Most of current research topics on smart contract focus on [12] Zibin Zheng, Shaoan Xie, Hongning Dai, Xiangping Chen, and Huaimin Wang. An overview of blockchain technology: Architecture, programming language, security and privacy issues while the consensus, and future trends. In 2017 IEEE International Congress on proliferation of blockchain and smart contract applications also Big Data (BigData Congress), pages 557–564. IEEE, 2017. poses new challenges. Like other computer software tools, [13] Steve Omohundro. Cryptocurrencies, smart contracts, and artificial intelligence. AI matters, 1(2):19–21, 2014. smart contracts also contain a number of bugs which are gen- [14] Xiaoqi Li, Peng Jiang, Ting Chen, Xiapu Luo, and Qiaoyan Wen. erated unintentionally or mischievously. However, detecting A survey on the security of blockchain systems. Future Generation and identifying these bugs will require extensive efforts in Computer Systems, 2017. [15] Nicola Atzei, Massimo Bartoletti, and Tiziana Cimoli. A Survey aspects of software engineering and data analytics. In addition, of Attacks on Ethereum Smart Contracts (SoK). In Proceddings of although enterprise practitioners lack of knowledge in com- International Conference on Principles of Security and Trust, pages puting programming, they have the expertise in operational 164–186, 2017. [16] Kevin Delmolino, Mitchell Arnett, Ahmed Kosba, Andrew Miller, and technology and law making (i.e., making contracts), which Elaine Shi. Step by step towards creating a safe smart contract: Lessons however is the deficiency of computer programmers. How to and insights from a cryptocurrency lab. In Proceedings of International fill the gap between operational technology (OT) and informa- Conference on Financial Cryptography and Data Security, pages 79– 94, 2016. tion technology (IT) is of great importance to the development [17] Dominik Harz and William Knottenbelt. Towards safer smart contracts: of smart contracts. The integration of software technology, A survey of languages and verification methods. arXiv preprint natural language processing and artificial intelligence is a arXiv:1809.09805, 2018. [18] Massimo Bartoletti and Livio Pompianu. An empirical analysis of possible remedy to this challenge in the future. smart contracts: platforms, applications, and design patterns. In International Conference on Financial Cryptography and Data Security, pages 494–509. Springer, 2017. ACKNOWLEDGEMENT [19] Maher Alharby and Aad van Moorsel. Blockchain-based smart con- The work described in this paper was supported by the tracts: A systematic mapping study. arXiv preprint arXiv:1710.06372, 2017. National Key Research and Development Program (2016- [20] Daniel Macrinici, Cristian Cartofeanu, and Shang Gao. Smart contract YFB1000101), the National Natural Science Foundation of applications within blockchain technology: A systematic mapping China under (61472338) and the Fundamental Research Funds study. Telematics and Informatics, 2018. [21] Shuai Wang, Yong Yuan, Xiao Wang, Juanjuan Li, Rui Qin, and Fei- for the Central Universities. Imran’s work is supported by Yue Wang. An overview of smart contract: architecture, applications, the Deanship of Scientific Research at King Saud University and future trends. In 2018 IEEE Intelligent Vehicles Symposium (IV), through the research group project number RG-1435-051. The pages 108–113. IEEE, 2018. [22] Weili Chen, Zibin Zheng, Jiahui Cui, Edith Ngai, Peilin Zheng, and authors would like to thank anonymous reviewers who have Yuren Zhou. Detecting ponzi schemes on ethereum: Towards healthier provided constructive comments greatly improving the paper. blockchain technology. In Proceedings of the 2018 World Wide 17

Web Conference on World Wide Web, pages 1409–1418. International [46] Loi Luu, Duc-Hiep Chu, Hrishi Olickel, Prateek Saxena, and Aquinas World Wide Web Conferences Steering Committee, 2018. Hobor. Making smart contracts smarter. In Proceedings of the [23] Satoshi Nakamoto. Bitcoin: A peer-to-peer electronic cash system, 2016 ACM SIGSAC Conference on Computer and Communications 2008. Security, pages 254–269, 2016. [24] Miguel Castro, Barbara Liskov, et al. Practical byzantine fault toler- [47] Elvira Albert, Pablo Gordillo, Benjamin Livshits, Albert Rubio, and ance. In OSDI, volume 99, pages 173–186, 1999. Ilya Sergey. Ethir: A framework for high-level analysis of ethereum [25] Sunny King and Scott Nadal. Ppcoin: Peer-to-peer crypto-currency bytecode. In International Symposium on Automated Technology for with proof-of-stake. Self-Published Paper, August, 19, 2012. Verification and Analysis, pages 513–520. Springer, 2018. [26] Zibin Zheng, Shaoan Xie, Hong-Ning Dai, Xiangping Chen, and [48] Markus Knecht and Burkhard Stiller. Smartdemap: A smart contract Huaimin Wang. Blockchain challenges and opportunities: A survey. deployment and management platform. In Proceedings of International International Journal of Web and Grid Services, 14(4):352–375, 2018. Conference on Autonomous Infrastructure, Management and Security, [27] Don Tapscott and Alex Tapscott. Blockchain Revolution: How the pages 159–164, 2017. technology behind Bitcoin is changing money, business, and the world. [49] Neville Grech, Michael Kong, Anton Jurisevic, Lexi Brent, Bernhard Penguin, 1 edition, 2016. Scholz, and Yannis Smaragdakis. Madmax: Surviving out-of-gas [28] Ming Li, Jian Weng, Anjia Yang, Wei Lu, Yue Zhang, Lin Hou, Jia-Nan conditions in ethereum smart contracts. Proceedings of the ACM on Liu, Yang Xiang, and Robert H. Deng. CrowdBC: A Blockchain-based Programming Languages, 2(OOPSLA):116, 2018. Decentralized Framework for Crowdsourcing. IEEE Transactions on [50] Johannes Krupp and Christian Rossow. teether: Gnawing at ethereum Parallel and Distributed Systems, 2018. to automatically exploit smart contracts. In 27th {USENIX} Security [29] John Ream, Yang Chu, and David Schatsky. Upgrading blockchains: Symposium ({USENIX} Security 18), pages 1317–1333, 2018. Smart contract use cases in industry. Deloitte Press, 2016. [51] Lexi Brent, Anton Jurisevic, Michael Kong, Eric Liu, Francois Gau- [30] Florian Idelberger, Guido Governatori, Regis´ Riveret, and Giovanni thier, Vincent Gramoli, Ralph Holz, and Bernhard Scholz. Vandal: A Sartor. Evaluation of logic-based smart contracts for blockchain scalable security analysis framework for smart contracts. arXiv preprint systems. In International Symposium on Rules and Rule Markup arXiv:1809.03981, 2018. Languages for the Semantic Web (RuleML), pages 167–183. Springer, [52] Neville Grech, Lexi Brent, Bernhard Scholz, and Yannis Smaragdakis. 2016. Gigahorse: Thorough, declarative decompilation of smart contracts. [31] Christian Sillaber and Bernhard Waltl. Life cycle of smart contracts [53] Sidney Amani, Myriam Begel,´ Maksym Bortin, and Mark Staples. in blockchain ecosystems. Datenschutz und Datensicherheit - DuD, Towards verifying ethereum smart contract bytecode in isabelle/hol. 41(8):497–500, Aug 2017. In Proceedings of the 7th ACM SIGPLAN International Conference [32] Riikka Koulu. Blockchains and online dispute resolution: smart on Certified Programs and Proofs, pages 66–77. ACM, 2018. contracts as an alternative to enforcement. SCRIPTed, 13:40, 2016. [54] Karthikeyan Bhargavan, Antoine Delignat-Lavaud, Cedric´ Fournet, [33] Yi Zhou, Deepak Kumar, Surya Bakshi, Joshua Mason, Andrew Miller, Anitha Gollamudi, Georges Gonthier, Nadim Kobeissi, Natalia Kula- and Michael Bailey. Erays: reverse engineering ethereum’s opaque tova, Aseem Rastogi, Thomas Sibut-Pinote, Nikhil Swamy, and San- smart contracts. In 27th {USENIX} Security Symposium ({USENIX} tiago Zanella-Beguelin.´ Formal verification of smart contracts: Short Security 18), pages 1371–1385, 2018. paper. In Proceedings of the 2016 ACM Workshop on Programming [34] Christopher K Frantz and Mariusz Nowostawski. From institutions to Languages and Analysis for Security, PLAS, 2016. code: towards automated generation of smart contracts. In Proceedings [55] Nikhil Swamy, Cat˘ alin˘ Hrit¸cu, Chantal Keller, Aseem Rastogi, An- of IEEE International Workshops on Foundations and Applications of toine Delignat-Lavaud, Simon Forest, Karthikeyan Bhargavan, Cedric´ Self Systems, pages 210–215, 2016. Fournet, Pierre-Yves Strub, Markulf Kohlweiss, Jean-Karim Zinzin- [35] Giovanni Ciatto, Roberta Calegari, Stefano Mariani, Enrico Denti, and dohoue, and Santiago Zanella-Beguelin.´ Dependent types and Andrea Omicini. From the blockchain to logic programming and back: multi-monadic effects in f*. In Proceedings of the 43rd Annual Research perspectives. WOA, 2018. ACM SIGPLAN-SIGACT Symposium on Principles of Programming [36] Theodoros Kasampalis, Dwight Guth, Brandon Moore, Traian Ser- Languages, POPL, pages 256–270, 2016. banuta, Virgil Serbanuta, Daniele Filaretti, Grigore Rosu, and Ralph [56] Sukrit Kalra, Seep Goel, Mohan Dhawan, and Subodh Sharma. Zeus: Johnson. Iele: An intermediate-level blockchain language designed Analyzing safety of smart contracts. In 25th Annual Network and and implemented using formal semantics. Technical report, 2018. Distributed System Security Symposium, NDSS, pages 18–21, 2018. [37] Chris Lattner and Vikram Adve. Llvm: A compilation framework for lifelong program analysis & transformation. In Proceedings of [57] Kenneth L McMillan. Interpolants and symbolic model checking. In the international symposium on Code generation and optimization: International Workshop on Verification, Model Checking, and Abstract feedback-directed and runtime optimization, page 75. IEEE Computer Interpretation, pages 89–90. Springer, 2007. Society, 2004. [58] Han Liu, Chao Liu, Wenqi Zhao, Yu Jiang, and Jiaguang Sun. S-gram: [38] Michael Coblenz. Obsidian: A safer blockchain programming lan- towards semantic-aware security auditing for ethereum smart contracts. guage. In Proceedings of the 39th International Conference on Software In Proceedings of the 33rd ACM/IEEE International Conference on Engineering Companion, ICSE-C ’17, pages 97–99, 2017. Automated Software Engineering, pages 814–819. ACM, 2018. [39] Anastasia Mavridou and Aron Laszka. Tool demonstration: Fsolidm for [59] TonTon Hsien-De Huang. Hunting the ethereum smart con- designing secure ethereum smart contracts. In International Conference tract: Color-inspired inspection of potential attacks. arXiv preprint on Principles of Security and Trust, pages 270–277. Springer, 2018. arXiv:1807.01868, 2018. [40] Chao Liu, Han Liu, Zhao Cao, Zhong Chen, Bangdao Chen, and [60] A Tann, Xing Jie Han, Sourav Sen Gupta, and Yew-Soon Ong. Towards Bill Roscoe. Reguard: finding reentrancy bugs in smart contracts. safer smart contracts: A sequence learning approach to detecting In Proceedings of the 40th International Conference on Software vulnerabilities. arXiv preprint arXiv:1811.06632, 2018. Engineering: Companion Proceeedings, pages 65–68. ACM, 2018. [61]J er´ emy´ Charlier, Sofiane Lagraa, Radu State, and Jer´ omeˆ Franc¸ois. [41] Joseph Bonneau, Jeremy Clark, and Steven Goldfeder. On bitcoin Profiling smart contracts interactions tensor decomposition and graph as a public randomness source. IACR Cryptology ePrint Archive, mining. In Proceedings of the Second Workshop on MIning DAta for 2015:1015, 2015. financial applicationS (MIDAS 2017), pages 31–42, 2017. [42] Arjen K Lenstra and Benjamin Wesolowski. A random zoo: sloth, [62] Michael Frowis¨ and Rainer Bohme.¨ In code we trust? In Data unicorn, and trx. IACR Cryptology ePrint Archive, 2015:366, 2015. Privacy Management, Cryptocurrencies and Blockchain Technology, [43] Benedikt Bunz,¨ Steven Goldfeder, and Joseph Bonneau. Proofs-of- pages 357–372. Springer, 2017. delay and randomness beacons in ethereum. IEEE Security and Privacy [63] Ivica Nikolic,´ Aashish Kolluri, Ilya Sergey, Prateek Saxena, and on the blockchain (IEEE S&B), 2017. Aquinas Hobor. Finding the greedy, prodigal, and suicidal contracts [44] Ting Chen, Xiaoqi Li, Xiapu Luo, and Xiaosong Zhang. Under- at scale. In Proceedings of the 34th Annual Computer Security optimized smart contracts devour your money. In Proceedings of Applications Conference, pages 653–663. ACM, 2018. 24th International Conference on Software Analysis, Evolution and [64] Ying Fu, Meng Ren, Fuchen Ma, Yu Jiang, Heyuan Shi, and Jiaguang Reengineering (SANER), pages 442–446, 2017. Sun. Evmfuzz: Differential fuzz testing of ethereum virtual machine. [45] Ting Chen, Zihao Li, Hao Zhou, Jiachi Chen, Xiapu Luo, Xiaoqi arXiv preprint arXiv:1903.08483, 2019. Li, and Xiaosong Zhang. Towards saving money in using smart [65] Fan Zhang, Ethan Cecchetti, Kyle Croman, Ari Juels, and Elaine contracts. In 2018 IEEE/ACM 40th International Conference on Shi. Town crier: An authenticated data feed for smart contracts. In Software Engineering: New Ideas and Emerging Technologies Results Proceedings of the 2016 ACM SIGSAC Conference on Computer and (ICSE-NIER), pages 81–84. IEEE, 2018. Communications Security, pages 270–282, 2016. 18

[66] John Adler, Ryan Berryhill, Andreas Veneris, Zissis Poulos, Neil Veira, [93] Sergio Demian Lerner. Rootstock whitepaper. 2015. and Anastasia Kastania. Astraea: A decentralized blockchain oracle. [94] Thomas Bocek and Burkhard Stiller. Smart Contracts – Blockchains arXiv preprint arXiv:1808.00528, 2018. in the Wings, pages 169–184. Springer, Berlin, Heidelberg, 2018. [67] Steve Ellis. A decentralized oracle network steve ellis, ari juels, and [95] Heidi Howard, Malte Schwarzkopf, Anil Madhavapeddy, and Jon sergey nazarov. 2017. Crowcroft. Raft refloated: Do we have consensus? SIGOPS Oper. [68] Anastasia Mavridou and Aron Laszka. Designing secure ethereum Syst. Rev., 49(1):12–21, January 2015. smart contracts: A finite state machine based approach. arXiv preprint [96] EOS IO. Eos. io technical white paper. EOS. IO (accessed 18 arXiv:1711.09327, 2017. December 2017) https://github. com/EOSIO/Documentation, 2017. [69] Christopher Natoli and Vincent Gramoli. The blockchain anomaly. In [97] Riyaz Ahamed Ariyaluran Habeeb, Fariza Nasaruddin, Abdullah Gani, 2016 IEEE 15th International Symposium on Network Computing and Ibrahim Abaker Targio Hashem, Ejaz Ahmed, and Muhammad Im- Applications (NCA), pages 310–317. IEEE, 2016. ran. Real-time big data processing for anomaly detection: A survey. [70] Thomas Dickerson, Paul Gazzillo, Maurice Herlihy, and Eric Koskinen. International Journal of Information Management, 2018. Adding concurrency to smart contracts. In Proceedings of the ACM [98] Hasan Ali Khattak, Munam Ali Shah, Sangeen Khan, Ihsan Ali, and Symposium on Principles of Distributed Computing, PODC, pages Muhammad Imran. Perception layer security in internet of things. 303–312. ACM, 2017. Future Generation Computer Systems, 2019. [71] Ilya Sergey and Aquinas Hobor. A concurrent perspective on smart [99] Ibrar Yaqoob, Ejaz Ahmed, Muhammad Habib ur Rehman, Abdelmut- contracts. In International Conference on Financial Cryptography and tlib Ibrahim Abdalla Ahmed, Mohammed Ali Al-garadi, Muhammad Data Security, 2017. Imran, and Mohsen Guizani. The rise of ransomware and emerging [72] Parwat Singh Anjana, Sweta Kumari, Sathya Peri, Sachin Rathor, and security challenges in the internet of things. Computer Networks, Archit Somani. An efficient framework for concurrent execution of 129:444–458, 2017. smart contracts. arXiv preprint arXiv:1809.01326, 2018. [100] Daniele Miorandi, Sabrina Sicari, Francesco De Pellegrini, and Im- [73] Santiago Bragagnolo, Henrique Rocha, Marcus Denker, and Stephane´ rich Chlamtac. Internet of things: Vision, applications and research Ducasse. Smartinspect: solidity smart contract inspector. In 2018 challenges. Ad Hoc Networks, 10(7):1497 – 1516, 2012. International Workshop on Blockchain Oriented Software Engineering [101] Konstantinos Christidis and Michael Devetsikiotis. Blockchains and (IWBOSE), pages 9–18. IEEE, 2018. smart contracts for the internet of things. IEEE Access, 4:2292–2303, [74] Ahmed Kosba, Andrew Miller, Elaine Shi, Zikai Wen, and Charalam- 2016. pos Papamanthou. Hawk: The blockchain model of cryptography [102] Steve Mansfield-Devine. The growth and evolution of ddos. Network and privacy-preserving smart contracts. In Proceedings of 2016 IEEE Security, 2015(10):13–20, 2015. Symposium on Security and Privacy (SP), pages 839–858, 2016. [103] Bruno Rodrigues, Thomas Bocek, Andri Lareida, David Hausheer, [75] Guy Zyskind, Oz Nathan, and Alex Pentland. Enigma: Decentral- Sina Rafati, and Burkhard Stiller. A blockchain-based architecture for ized computation platform with guaranteed privacy. arXiv preprint collaborative ddos mitigation with smart contracts. In Proceedings of arXiv:1506.03471, 2015. International Conference on Autonomous Infrastructure, Management [76] Maria Apostolaki, Gian Marti, Jan Mller, and Laurent Vanbever. and Security, pages 16–29, 2017. SABRE: Protecting Bitcoin against Routing Attacks. arXiv preprint [104] H. Wang, P. Shi, and Y. Zhang. JointCloud: A Cross-Cloud Cooperation arXiv:1808.06254, 2018. Architecture for Integrated Internet Service Customization. In 2017 [77] Massimo Bartoletti, Salvatore Carta, Tiziana Cimoli, and Roberto Saia. IEEE 37th International Conference on Distributed Computing Systems Dissecting ponzi schemes on ethereum: identification, analysis, and (ICDCS), pages 1846–1855, June 2017. impact. arXiv preprint arXiv:1703.03779, 2017. [105] Changyu Dong, Yilei Wang, Amjad Aldweesh, Patrick McCorry, and [78] Massimo Bartoletti, Barbara Pes, and Sergio Serusi. Data mining for Aad van Moorsel. Betrayal, distrust, and rationality: Smart counter- detecting bitcoin ponzi schemes. In 2018 Crypto Valley Conference collusion contracts for verifiable cloud computing. In Proceedings of on Blockchain Technology (CVCBT), pages 75–84. IEEE, 2018. the 2017 ACM SIGSAC Conference on Computer and Communications [79] Christof Ferreira Torres and Mathis Steichen. The art of the scam: Security (CCS), pages 211–227. ACM, 2017. Demystifying honeypots in ethereum smart contracts. arXiv preprint arXiv:1902.06976, 2019. [106] Rafael Brundo Uriarte, Francesco Tiezzi, and Rocco De Nicola. Dy- [80] Elinor Ostrom. Collective action and the evolution of social norms. namic slas for clouds. In Proceedings of European Conference on Journal of Natural Resources Policy Research, 6(4):235–252, 2014. Service-Oriented and Cloud Computing, pages 34–49, 2016. [81] Xiaoqi Li, Peng Jiang, Ting Chen, Xiapu Luo, and Qiaoyan Wen. [107] Bart Cant, Amol Khadikar, Antal Ruiter, Jakob Bolgen Bronebakk, A survey on the security of blockchain systems. Future Generation Jean Coumaros, Jerome Buvat, and Abhishek Gupta. Smart contracts in Computer Systems, 2017. financial services: Getting from hype to reality. Capgemini Consulting, [82] Joseph Bonneau, Jeremy Clark, and Steven Goldfeder. On bitcoin pages 1–26, 2016. as a public randomness source. IACR Cryptology ePrint Archive, [108] Ye Guo and Chen Liang. Blockchain application and outlook in the 2015:1015, 2015. banking industry. Financial Innovation, 2(1):24, 2016. [83] The DAO, The Hack, The Soft Fork and The Hard Fork, 2017. [109] A Tapscott and D Tapscott. How blockchain is changing finance. [84] Petar Tsankov, Andrei Dan, Dana Drachsler-Cohen, Arthur Gervais, Harvard Business Review, 1, 2017. Florian Buenzli, and Martin Vechev. Securify: Practical security [110] Wenliang Du and Mikhail J Atallah. Secure multi-party computation analysis of smart contracts. In Proceedings of the 2018 ACM SIGSAC problems and their applications: a review and open problems. In Conference on Computer and Communications Security, pages 67–82. Proceedings of the 2001 workshop on New security paradigms, pages ACM, 2018. 13–22, 2001. [85] Abraham Silberschatz, Henry F. Korth, and S. Sudarshan. Database [111] Stephen L George. Research misconduct and data fraud in clinical System Concepts. McGraw-Hill Education, 6 edition, 2010. trials: prevalence and causal factors. International journal of clinical [86] Gilad Bracha and David Ungar. Mirrors: design principles for meta- oncology, 21(1):15–21, 2016. level facilities of object-oriented programming languages. In ACM [112] John Rasko and Carl Power. What pushes scientists to lie? the SIGPLAN Notices, volume 39, pages 331–344. ACM, 2004. disturbing but familiar story of haruko obokata. The Guardian, 18, [87] Dorit Ron and Adi Shamir. Quantitative analysis of the full bitcoin 2015. transaction graph. In Financial Cryptography and Data Security: [113] Ryan KL Ko and Mark A Will. Progger: An efficient, tamper-evident 17th International Conference, FC 2013, Okinawa, Japan, pages 6–24. kernel-space logger for cloud data provenance tracking. In Cloud Springer Berlin Heidelberg, 2013. Computing (CLOUD), 2014 IEEE 7th International Conference on, [88] Maria Apostolaki, Aviv Zohar, and Laurent Vanbever. Hijacking pages 881–889. IEEE, 2014. Bitcoin: Routing attacks on cryptocurrencies. In Security and Privacy [114] M. M. B. Taha, S. Chaisiri, and R. K. L. Ko. Trusted tamper-evident (SP), IEEE Symposium on, pages 375–392. IEEE, 2017. data provenance. In 2015 IEEE Trustcom/BigDataSE/ISPA, pages 646– [89] Vitalik Buterin et al. Ethereum white paper, 2013. 653, 2015. [90] Christian Cachin. Architecture of the Hyperledger blockchain Fabric. [115] Aravind Ramachandran, Dr Kantarcioglu, et al. Using blockchain and In Workshop on Distributed Cryptocurrencies and Consensus Ledgers, smart contracts for secure data provenance management. arXiv preprint 2016. arXiv:1709.10000, 2017. [91] Richard Gendal Brown. The corda platform: An introduction. 2018. [116] X. Liang, S. Shetty, D. Tosh, C. Kamhoua, K. Kwiat, and L. Njilla. [92] David Mazieres. The stellar consensus protocol: A federated model Provchain: A blockchain-based data provenance architecture in cloud for internet-level consensus. 2016. environment with enhanced privacy and availability. In 2017 17th 19

IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing (CCGRID), pages 468–477, 2017. [117] Steve Huckle, Rituparna Bhattacharya, Martin White, and Natalia Beloff. Internet of things, blockchain and shared economy applications. Procedia Computer Science, 98:461–466, 2016. [118] Lei Xu, Nolan Shah, Lin Chen, Nour Diallo, Zhimin Gao, Yang Lu, and Weidong Shi. Enabling the sharing economy: Privacy respecting contract based on public blockchain. In Proceedings of the ACM Workshop on Blockchain, Cryptocurrencies and Contracts, pages 15– 21. ACM, 2017. [119] Araz Taeihagh. Crowdsourcing, sharing economies and development. Journal of Developing Societies, 33(2):191–222, 2017. [120] Nick Szabo. Formalizing and securing relationships on public net- works. First Monday, 2(9), 1997. [121] Jonathan Warren. Bitmessage: A peer-to-peer message authentication and delivery system. White Paper, 2012. [122] Z. Li, J. Kang, R. Yu, D. Ye, Q. Deng, and Y. Zhang. Consortium blockchain for secure energy trading in industrial internet of things. IEEE Transactions on Industrial Informatics, PP(99):1–1, 2017.