SoK: A Unified Data Model for Smart Contract Vulnerability Taxonomies

Claudia Ruggiero; Pietro Mazzini; Emilio Coppa; Simone Lenti; Silvia Bonomi
2024

Abstract

Modern blockchains support the execution of application-level code in the form of smart contracts, allowing developers to build complex Distributed Applications (DApps). Smart contracts are typically written in high-level languages such as Solidity; once deployed on the blockchain, their code is executed in a distributed way in response to transactions or to calls from other smart contracts. Like any other software, smart contracts are susceptible to vulnerabilities, which pose security threats to DApps and their users. The community has already put forward many proposals for taxonomies of smart contract vulnerabilities. In this paper, we systematize such proposals, evaluating their common traits and main discrepancies. A major limitation emerging from our analysis is the lack of a proper formalization of these taxonomies, which hinders their adoption in, e.g., tools and discourages their improvement over time as a community-driven effort. We therefore introduce a novel data model that clearly defines the key entities and relationships relevant to smart contract vulnerabilities. We then show how our data model and its preliminary instantiation can effectively support several valuable use cases, such as interactive exploration of the taxonomy, integration with security frameworks for effective tool orchestration, and statistical analysis for longitudinal studies.
International Conference on Availability, Reliability and Security (ARES 2024)
Keywords: smart contract; vulnerability; blockchain; weakness; taxonomy
04 Publication in conference proceedings::04b Conference paper in volume
SoK: A Unified Data Model for Smart Contract Vulnerability Taxonomies / Ruggiero, Claudia; Mazzini, Pietro; Coppa, Emilio; Lenti, Simone; Bonomi, Silvia. - (2024). (Paper presented at the International Conference on Availability, Reliability and Security (ARES 2024), held in Vienna, Austria) [10.1145/3664476.3664507].
Files attached to this item
No files are associated with this item.

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/11573/1714569
Warning: the data shown have not been validated by the university.
