Empirical Analysis of Vulnerabilities in Blockchain-based Smart Contracts

Authors

  • Dr. Kashif Mehboob Khan NED University of Engg. & Technology
  • Ms. Ansha Zahid NED University of Engineering & Technology

DOI:

https://doi.org/10.33317/ssurj.421

Keywords:

Blockchain, Smart Contracts, Ethereum

Abstract

With the evolution of technology, blockchain has emerged as a rapidly advancing phenomenon, namely "decentralized computing". The emergence of Smart Contracts (SC) has advanced the application of blockchain technology, and the Ethereum network's computing capabilities and functionalities are founded on SC. A smart contract is a self-executing agreement between buyer and seller, with the terms of the settlement written directly as lines of code and existing across a distributed, decentralized blockchain network. It is decentralized software that runs on a blockchain autonomously, consistently, and publicly. However, because of the complex semantics of the underlying domain-specific languages and their limited testability, constructing reliable and secure SC can be extremely difficult, and SC may contain vulnerabilities. Security vulnerabilities can translate into financial losses; a number of notorious incidents show that blockchain SC can contain numerous code-security vulnerabilities. Because the security and privacy of blockchain-based SC are so important, their vulnerabilities must be identified before they are deployed widely. The purpose of this paper is therefore to conduct a comprehensive experimental evaluation of two current security testing tools used for static analysis of SC: the Remix Solidity static analysis plugin and Solium. We conducted an empirical analysis of SC to obtain tangible and factual evidence, guided by a scientific approach. The first step of the methodology is to gather the Ethereum SC and store them in a repository. The next step is to use the Remix Solidity static analysis plugin and Solium to perform vulnerability assessments. The last step is to analyze the results of both tools and evaluate them on the basis of accuracy and effectiveness.
The goal of this empirical analysis is to evaluate two FOSS tools, the Remix Solidity static analysis plugin and Solium, on the basis of accuracy and effectiveness. Several research questions were considered to reach this goal: What automated tools and frameworks have been proposed to support the state-of-the-art empirical approach to SC vulnerability detection? How accurate are security analysis tools, and which tool has the higher accuracy rate? How effectively do security analysis tools detect vulnerabilities in SC, and which is the most effective security analysis tool? We investigated the effectiveness and accuracy of security code analysis tools on Ethereum by testing them on a random sample of vulnerable contracts. The results indicate that the tools show significant discrepancies with respect to certain security characteristics. In terms of both effectiveness and accuracy, the Remix plugin outperformed Solium.

Author Biography

Dr. Kashif Mehboob Khan, NED University of Engg. & Technology

Kashif Mehboob Khan is an Assistant Professor in the Department of Software Engineering at the NED University of Engineering and Technology, Karachi, Pakistan. He received his Ph.D. from NED University of Engineering and Technology, focusing on security challenges within blockchain. His current research interests include security challenges within blockchain and emerging technologies such as IoT. He has recently been awarded the "Best Researcher Award" for the year 2021.

Published

2022-06-30

How to Cite

Khan, D. K. M., & Zahid, A. (2022). Empirical Analysis of Vulnerabilities in Blockchain-based Smart Contracts. Sir Syed University Research Journal of Engineering & Technology, 12(1), 78–85. https://doi.org/10.33317/ssurj.421