Gap between Theory and Practice: An Empirical Study of Security Patches in Solidity (Technical Paper)
Ethereum, one of the most popular blockchain platforms, provides financial transactions such as payments and auctions through smart contracts. Due to the tremendous interest in smart contracts in academia, the smart contract security research community has made significant progress recently. Researchers have reported various security vulnerabilities in smart contracts and developed static analysis tools and verification frameworks to detect them. However, it is unclear whether these great efforts from academia have indeed enhanced the security of smart contracts in practice.
In this paper, we empirically study how secure real-world smart contracts are in the case of the Solidity programming language. We first examine how many well-known vulnerabilities the Solidity compiler has patched, and how frequently the Solidity team publishes compiler releases. Unfortunately, we observe that many known vulnerabilities are not yet patched, and some patches are not even sufficient to avoid their target vulnerabilities. Subsequently, we investigate whether smart contract developers use the most recent compiler, in which vulnerabilities are patched. We find that developers of more than 98% of real-world Solidity contracts still use older compilers without vulnerability patches, and that more than 25% of the contracts are potentially vulnerable due to the missing security patches. To understand the actual impact of the missing patches, we manually investigate potentially vulnerable contracts and identify common mistakes by Solidity developers, which may cause serious security issues such as financial loss. We report hundreds of vulnerable contracts: three have been assigned CVE IDs, and more are requested. About one fourth of the vulnerable contracts are used by thousands of people. We recommend that the Solidity team make patches that resolve known vulnerabilities correctly, and that developers use the latest Solidity compiler to avoid missing security patches.
Thu 9 Jul (displayed time zone: UTC, Coordinated Universal Time)
01:05 - 02:05 | P17 - Software Development (Journal First / Technical Papers / Demonstrations) at Goguryeo. Chair(s): Minghui Zhou (Peking University)
01:05, 8m talk (Journal First): Improving the Pull Requests Review Process Using Learning-to-rank Algorithms. Guoliang Zhao (Computer Science, Queen's University), Daniel Alencar Da Costa (University of Otago), Ying Zou (Queen's University, Kingston, Ontario)
01:13, 8m talk (Journal First): Understanding the motivations, challenges and needs of Blockchain software developers: a survey. Amiangshu Bosu (Wayne State University), Anindya Iqbal, Rifat Shahriyar, Partho Chakraborty (Bangladesh University of Engineering and Technology, Dhaka, Bangladesh)
01:21, 12m talk (Technical Papers): Gap between Theory and Practice: An Empirical Study of Security Patches in Solidity
01:33, 12m talk (Technical Papers): A Tale from the Trenches: Cognitive Biases and Software Development. Souti Chattopadhyay (Graduate Student), Nicholas Nelson, Audrey Au, Natalia Morales, Christopher Sanchez (Oregon State University), Rahul Pandita (Phase Change Software), Anita Sarma (Oregon State University)
01:45, 3m talk (Demonstrations): VITALSE: Visualizing Eye Tracking and Biometric Data. Devjeet Roy, Sarah Fakhoury, Venera Arnaoudova (Washington State University). Pre-print