ICSE 2020
Wed 24 June - Thu 16 July 2020
Thu 9 Jul 2020 01:21 - 01:33 at Goguryeo - P17-Software Development Chair(s): Minghui Zhou

Ethereum, one of the most popular blockchain platforms, supports financial transactions such as payments and auctions through smart contracts. Owing to the tremendous academic interest in smart contracts, the research community around smart contract security has made significant progress recently. Researchers have reported a variety of security vulnerabilities in smart contracts and have developed static analysis tools and verification frameworks to detect them. However, it remains unclear whether these considerable efforts from academia have actually improved the security of smart contracts in practice.

In this paper, we empirically study how secure real-world smart contracts are, focusing on the Solidity programming language. We first examined how many well-known vulnerabilities the Solidity compiler has patched and how frequently the Solidity team publishes compiler releases. Unfortunately, we observed that many known vulnerabilities are not yet patched, and that some patches are not even sufficient to prevent the vulnerabilities they target. We then investigated whether smart contract developers use the most recent compiler, in which vulnerabilities have been patched. We found that the developers of more than 98% of real-world Solidity contracts still use older compilers that lack vulnerability patches, and that more than 25% of the contracts are potentially vulnerable because of these missing security patches. To understand the actual impact of the missing patches, we manually investigated the potentially vulnerable contracts and identified common mistakes made by Solidity developers that may lead to serious security issues such as financial loss. We reported hundreds of vulnerable contracts: three have been assigned CVE IDs, and more have been requested. About one fourth of the vulnerable contracts are used by thousands of people. We recommend that the Solidity team produce patches that correctly resolve known vulnerabilities, and that developers use the latest Solidity compiler so as not to miss security patches.

Thu 9 Jul
Times are displayed in time zone: (UTC) Coordinated Universal Time

01:05 - 02:05
P17-Software Development (Journal First / Technical Papers / Demonstrations) at Goguryeo
Chair(s): Minghui Zhou (Peking University)

01:05, 8m, Talk, Journal First
Improving the Pull Requests Review Process Using Learning-to-rank Algorithms
Guoliang Zhao (Computer Science of Queen's University), Daniel Alencar Da Costa (University of Otago), Ying Zou (Queen's University, Kingston, Ontario)

01:13, 8m, Talk, Journal First
Understanding the motivations, challenges and needs of Blockchain software developers: a survey
Amiangshu Bosu (Wayne State University), Anindya Iqbal (Bangladesh University of Engineering and Technology, Dhaka, Bangladesh), Rifat Shahriyar (Bangladesh University of Engineering and Technology, Dhaka, Bangladesh), Partho Chakraborty (Bangladesh University of Engineering and Technology, Dhaka, Bangladesh)

01:21, 12m, Talk, Technical Papers
Gap between Theory and Practice: An Empirical Study of Security Patches in Solidity (Artifact Reusable, Artifact Available)

01:33, 12m, Talk, Technical Papers
A Tale from the Trenches: Cognitive Biases and Software Development (ACM SIGSOFT Distinguished Paper Award)
Souti Chattopadhyay (Graduate Student), Nicholas Nelson (Oregon State University), Audrey Au (Oregon State University), Natalia Morales (Oregon State University), Christopher Sanchez (Oregon State University), Rahul Pandita (Phase Change Software), Anita Sarma (Oregon State University)

01:45, 3m, Talk, Demonstrations
VITALSE: Visualizing Eye Tracking and Biometric Data
Devjeet Roy (Washington State University), Sarah Fakhoury (Washington State University), Venera Arnaoudova (Washington State University)