Smart contracts on modern blockchains pave the way to the development of novel application design paradigms, such as Distributed Applications (DApps). Interestingly, even some safety-critical systems are starting to adopt such a technology to devise new functionalities. However, being software, smart contracts are susceptible to flaws, posing a risk to the security of their users and thus making crucial the development of automatic tools able to spot such flaws. In this paper, we examine 11 real-world DApps that participated in security auditing contests on the Code4rena platform. We first conduct a manual analysis of the vulnerabilities reported during the contests and then assess whether state-of-the-art analysis tools can identify them. Our findings suggest that current tools are unable to reason on business logic flaws. Additionally, for other root causes, the detectors in these tools may be ineffective in some cases due to a lack of generality or accuracy. Overall, there is a significant gap between auditors’ findings and the results provided by these tools.

Evaluating the Vulnerability Detection Efficacy of Smart Contracts Analysis Tools / Bonomi, Silvia; Cappai, Stefano; Coppa, Emilio. - 14988:(2024), pp. 200-217. (Paper presented at the International Conference on Computer Safety, Reliability and Security, held in Florence, Italy) [10.1007/978-3-031-68606-1_13].

Evaluating the Vulnerability Detection Efficacy of Smart Contracts Analysis Tools

Bonomi, Silvia; Cappai, Stefano; Coppa, Emilio
2024

International Conference on Computer Safety, Reliability and Security
Blockchain; Smart Contract; Testing Tools; Vulnerability
04 Publication in conference proceedings::04b Conference paper in a volume
Files attached to this item

Bonomi_Evaluating_2024.pdf (archive managers only)
Type: Publisher's version (published version with the publisher's layout)
License: All rights reserved
Size: 476.6 kB
Format: Adobe PDF

Bonomi_preprint_Evaluating_2024.pdf (open access)
Note: DOI https://doi.org/10.1007/978-3-031-68606-1_13
Type: Pre-print (manuscript submitted to the publisher, prior to peer review)
License: All rights reserved
Size: 212.77 kB
Format: Adobe PDF

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this item: https://hdl.handle.net/11573/1720984