Security Vulnerabilities in Ethereum Smart Contracts

Abstract

Ethereum provides an open, global computing platform that allows the exchange of value, automated and enforced workflows, and the development of general-purpose applications and libraries. Smart contracts are the foundation of the computational capabilities of the Ethereum network. Motivated by known security breaches and recurring financial losses caused by smart contract vulnerabilities, we review the field of smart contract programming security and provide a comprehensive taxonomy of all known security issues. We achieve this through a thorough review of known vulnerabilities. In this work we also review the security code analysis tools used to identify known vulnerabilities. We investigate security code analysis tools for Ethereum by assessing their effectiveness and accuracy on known issues over a representative sample of vulnerable contracts. We used 21 clean and 24 vulnerable contracts and four security tools, Oyente, Securify, Remix, and SmartCheck, to assess the quality of contemporary security analysis tools specific to Ethereum. The results indicate overall inconsistencies between the tools with respect to different security properties. SmartCheck outperformed the other tools in terms of effectiveness, whereas Oyente performed best in terms of accuracy. Furthermore, based on the limitations we identified, we propose improvements to the user interfaces, to the interpretation of results, and, most importantly, an enhanced list of vulnerability checks.