1 Security Analysis Methods on Ethereum Smart Contract Vulnerabilities — A Survey Purathani Praitheeshan?, Lei Pan?, Jiangshan Yuy, Joseph Liuy, and Robin Doss? Abstract—Smart contracts are software programs featuring user [4]. In consequence of these issues of the traditional both traditional applications and distributed data storage on financial systems, the technology advances in peer to peer blockchains. Ethereum is a prominent blockchain platform with network and decentralized data management were headed up the support of smart contracts. The smart contracts act as autonomous agents in critical decentralized applications and as the way of mitigation. In recent years, the blockchain hold a significant amount of cryptocurrency to perform trusted technology is being the prominent mechanism which uses transactions and agreements. Millions of dollars as part of the distributed ledger technology (DLT) to implement digitalized assets held by the smart contracts were stolen or frozen through and decentralized public ledger to keep all cryptocurrency the notorious attacks just between 2016 and 2018, such as the transactions [1], [5], [6], [7], [8]. Blockchain is a public DAO attack, Parity Multi-Sig Wallet attack, and the integer underflow/overflow attacks. These attacks were caused by a electronic ledger equivalent to a distributed database. It can combination of technical flaws in designing and implementing be openly shared among the disparate users to create an software codes. However, many more vulnerabilities of less sever- immutable record of their transactions [7], [9], [10], [11], ity are to be discovered because of the scripting natures of the [12], [13]. Since all the committed records and transactions Solidity language and the non-updateable feature of blockchains. are immutable in the public ledger, the data are transparent Hence, we surveyed 16 security vulnerabilities in smart contract programs, and some vulnerabilities do not have a proper solution. and securely stored in the blockchian network. A blockchain This survey aims to identify the key vulnerabilities in smart network deploys and executes the programming scripts to contracts on Ethereum in the perspectives of their internal process a task autonomously. These programs are called smart mechanisms and software security vulnerabilities. By correlating contracts which are used to define the customized functions 16 Ethereum vulnerabilities and 19 software security issues, and rules invoked during the transactions [14], [15], [16]. we predict that many attacks are yet to be exploited. And we have explored many software tools to detect the security Smart contracts based blockchain technology is being em- vulnerabilities of smart contracts in terms of static analysis, bedded into a wide variety of industry applications, such as dynamic analysis, and formal verification. This survey presents finance [7], [3], [17], [18], supply chain management, [19], the security problems in smart contracts together with the [20], [21], health care [22], [23], [24], [25], energy [26], available analysis tools and the detection methods. We also [27], [28], [29], IoT [30], [31], [32], [33] and government investigated the limitations of the tools or analysis methods with respect to the identified security vulnerabilities of the smart services [7], [34], [35]. The financial technology industry has contracts. drastically increased the use of blockchain technology and smart contracts executions. It helps reduce infrastructure costs, Index Terms—Ethereum, Smart Contracts, Vulnerability De- tection, Security Analysis Tools, Formal Verification increase transparency, reduce financial fraud, and improve the time of execution and settlement [5], [16], [36], [37]. Some governments in the developing nations are assessing I. INTRODUCTION blockchain as a potential replacement for the national currency Traditional financial systems comfort with the centralized [12], [38], [39]. Because of the transparency and traceability environment where a trusted third party manages and validates features in the blockchain technology, the government can arXiv:1908.08605v3 [cs.CR] 16 Sep 2020 the transactions from one party to another [1], [2]. Having use a permissioned blockchain platform to regulate and an- an intermediary or regulator to process a valuable transaction alyze how money is flowing in the national financial system in a secured platform is essential [3]. Though a central- [11], [40], [41]. In the retail and manufacturing industries, ized environment is a reliable and trustworthy method, its blockchain technology helps deliver a better supply chain drawbacks are manifold: The processing time for transactions management and payment with digital currencies in a secure may vary from one hour to a few days; the transaction cost manner [42], [43]. Blockchain allows patients to access their charged by the third party service provider, such as banks or healthcare records securely without a third party verifier [22], non-financial institutions, is an unnecessary expense for the [44]. By digitizing the maritime network, the shipping industry can use a blockchain-based ledger to track millions of shipping Corresponding authors: Lei Pan and Jiangshan Yu, email: containers in the ocean [45], [46], [47]. [email protected] and [email protected] There are only specific blockchain platforms support smart ? School of Information Technology, Deakin University, Geelong, VIC 3220, Australia contracts: Ethereum [48] was the first to support smart con- y Faculty of Information Technology, Monash University, Clayton, VIC tracts; other blockchain platforms, such as EOS [49], Lisk Australia [50], Bitcoin [51], RootStock [52], and Hyperledger Fabric This work has been submitted to the IEEE for possible publication. Copyright may be transferred without notice, after which this version may [53], are compatible to deploy and execute the smart contracts. no longer be accessible. A script type language called Solidity is used to develop 2 Dependencies on Smart Contract Vulnerabilities Blockchain Vulnerabilities Software Security Issues Ethereum and Solidity Vulnerabilities Security Analysis Tools 1. Buffer overflows 1. Re-entrancy problem 1. Immutability 2. Command Injection 2. Transaction ordering 1. Oyente 2. Transparency 3. Cross-site scripting 3. Block timestamp dependency 2. ZEUS 3. Sequencial Execution 4. Format string problems 4. Exception handling 3. Vandal 4. Complexity 5. Integer range errors 5. Call stack depth limitation 4. Ethir 5. Transaction cost 6. SQL injection 6. Integer overflow/underflow 5. Securify 6. Human Errors 7. Trusting network address information 7. Unchecked and Failed send 6. MAIAN 8. Failing to protect network traffic 8. Destroyable / Suicidal contract 7. GASPER 9. Failing to store and protect data 9. Unsecurred balance 8. F* framework 10. Failing to use cryptographically strong 10. Use of origin 9. Isabelle/HOL random numbers 11. No restricted write 10. FEther using Coq 11. Improper file access 12. No restricted transfer 11. KEVM framework 12. Improper use of SQL 13. Non-validated arguments 13. Use of weak password-based systems 14. Greedy contracts 14. Unauthenticated key exchange 15. Prodegal contracts 15. Signal race conditions 16. Gas costly patterns exist 16. Use of ?magic? URLs and hidden forms 17. Failure to handle errors 18. Poor usability 19. Information leakage Fig. 1. The taxonomy of dependencies in smart contract vulnerabilities smart contracts in Ethereum platform. This paper focuses on contracts applications, which caused significant worth of smart contracts on the Ethereum network. Smart contracts loss in crypto assets? facilitate to develop decentralized applications and perform • How are the vulnerabilities in smart contracts affect the credible transactions without third parties. Following the pre- systems and how are they exploited by the attackers defined rules, smart contracts provide trustworthy services during the attacks? as an intermediary during the execution of the transactions. • What are the security analysis methods available to vali- All smart contracts are stored in a distributed consensus date and verify the problems in smart contract programs? environment. That is, once they are deployed to the network, There are several security analysis tools and formal veri- nobody can modify them so that the functions in the deployed fication methods for identifying the vulnerabilities in smart smart contracts are immutable. In Ethereum, smart contracts contracts in Ethereum [62], [63], [64], [65], [66], [67], [68], are considered as an account — they can hold cryptocurrency [69], [70], [71], [72], [69], [73], [74], [75]. They used different and transfer between externally owned user accounts and types of technical methods to implement their security analysis other smart contracts [54], [55]. Since the deployed smart on smart contracts bytecode or source code. The existing contracts often hold a significant amount of coins [9] and surveys were often conducted in general with the comparison perform critical functions [15], they should be tested and of a limited number of software tools with their coverage of analysed before the deployment [56], [57]. However, there important vulnerabilities [76], [77], [78], [79], [80], [81], [82]. are several challenges in smart contracts development using Only very few surveys investigate the challenges and security Solidity language: problems in the whole blockchain system [83], [78]. The three • Users and developers have lack of knowledge about the