ICSE 2020
Wed 24 June - Thu 16 July 2020
Thu 9 Jul 2020 01:21 - 01:33 at Goguryeo - P17-Software Development Chair(s): Minghui Zhou

Ethereum, one of the most popular blockchain platforms, provides financial transactions such as payments and auctions through smart contracts. Due to the tremendous interest in smart contracts in academia, the smart contract security research community has made significant progress recently. Researchers have reported various security vulnerabilities in smart contracts and developed static analysis tools and verification frameworks to detect them. However, it is unclear whether these great efforts from academia have indeed enhanced the security of smart contracts in reality.

In this paper, we empirically studied how secure real-world smart contracts are in the case of the Solidity programming language. We first examined how many well-known vulnerabilities the Solidity compiler has patched, and how frequently the Solidity team publishes compiler releases. Unfortunately, we observed that many known vulnerabilities are not yet patched, and some patches are not even sufficient to avoid their target vulnerabilities. Subsequently, we investigated whether smart contract developers use the most recent compiler, in which vulnerabilities are patched. We found that developers of more than 98% of real-world Solidity contracts still use older compilers without vulnerability patches, and that more than 25% of the contracts are potentially vulnerable due to the missing security patches. To understand the actual impact of the missing patches, we manually investigated potentially vulnerable contracts and identified common mistakes by Solidity developers that may cause serious security issues such as financial loss. We reported hundreds of vulnerable contracts: three have been assigned CVE IDs, and more are requested. About one fourth of the vulnerable contracts are used by thousands of people. We recommend that the Solidity team make patches that resolve known vulnerabilities correctly, and that developers use the latest Solidity compiler to avoid missing security patches.

Thu 9 Jul

Displayed time zone: (UTC) Coordinated Universal Time

01:05 - 02:05
P17-Software Development (Journal First / Technical Papers / Demonstrations) at Goguryeo
Chair(s): Minghui Zhou Peking University
01:05
8m
Talk
Improving the Pull Requests Review Process Using Learning-to-rank Algorithms
Journal First
Guoliang Zhao Computer Science of Queen's University, Daniel Alencar Da Costa University of Otago, Ying Zou Queen's University, Kingston, Ontario
01:13
8m
Talk
Understanding the motivations, challenges and needs of Blockchain software developers: a survey
Journal First
Amiangshu Bosu Wayne State University, Anindya Iqbal Bangladesh University of Engineering and Technology Dhaka, Bangladesh, Rifat Shahriyar Bangladesh University of Engineering and Technology Dhaka, Bangladesh, Partho Chakraborty Bangladesh University of Engineering and Technology Dhaka, Bangladesh
01:21
12m
Talk
Gap between Theory and Practice: An Empirical Study of Security Patches in Solidity (Artifact Reusable, Artifact Available)
Technical Papers
01:33
12m
Talk
A Tale from the Trenches: Cognitive Biases and Software Development (ACM SIGSOFT Distinguished Paper Award)
Technical Papers
Souti Chattopadhyay Graduate Student, Nicholas Nelson Oregon State University, Audrey Au Oregon State University, Natalia Morales Oregon State University, Christopher Sanchez Oregon State University, Rahul Pandita Phase Change Software, Anita Sarma Oregon State University
01:45
3m
Talk
VITALSE: Visualizing Eye Tracking and Biometric Data
Demonstrations
Devjeet Roy Washington State University, Sarah Fakhoury Washington State University, Venera Arnaoudova Washington State University