Empirical Review of Automated Analysis Tools on 47,587 Ethereum Smart Contracts
Over the last few years, there has been substantial research on automated analysis, testing, and debugging of Ethereum smart contracts. However, it is not trivial to compare and reproduce that research. To address this, we present an empirical evaluation of 9 state-of-the-art automated analysis tools using two new datasets: i) a dataset of 69 annotated vulnerable smart contracts that can be used to evaluate the precision of analysis tools; and ii) a dataset with all the smart contracts in the Ethereum Blockchain that have Solidity source code available on Etherscan (a total of 47,518 contracts). The datasets are part of SmartBugs, a new extendable execution framework that we created to facilitate the integration and comparison between multiple analysis tools and the analysis of Ethereum smart contracts. We used SmartBugs to execute the 9 automated analysis tools on the two datasets. In total, we ran 428,337 analyses that took approximately 564 days and 3 hours, being the largest experimental setup to date both in the number of tools and in execution time. We found that only 42% of the vulnerabilities from our annotated dataset are detected by all the tools, with the tool Mythril having the highest accuracy (27%). When considering the largest dataset, we observed that 97% of contracts are tagged as vulnerable, thus suggesting a considerable number of false positives. Indeed, only a small number of vulnerabilities (and of only two categories) were detected simultaneously by four or more tools.
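The abstract reports four kinds of aggregate figures: per-tool accuracy against the annotated dataset, the share of annotated vulnerabilities covered by the union of all tools, the share of contracts tagged as vulnerable by at least one tool, and findings on which four or more tools agree. The script below is an added example, not SmartBugs' own code, showing how such figures are derived from per-tool reports; the tool names, contract names and findings are constructed sample data, and the (contract, category) pair format is an assumption.

```python
# Added example (not part of SmartBugs): aggregate metrics over per-tool
# analysis results, in the spirit of the evaluation described in the abstract.
from collections import defaultdict

# Constructed ground truth: annotated vulnerabilities as (contract, category)
# pairs, standing in for the annotated vulnerable-contract dataset.
ANNOTATED = {
    ("c1.sol", "reentrancy"),
    ("c2.sol", "arithmetic"),
    ("c3.sol", "access_control"),
    ("c4.sol", "unchecked_low_level_calls"),
}

# Constructed tool reports: tool name -> set of (contract, category) findings.
# c5, c6 and c7 are not annotated, so those findings count as false positives.
REPORTS = {
    "toolA": {("c1.sol", "reentrancy"), ("c2.sol", "arithmetic"), ("c5.sol", "reentrancy")},
    "toolB": {("c1.sol", "reentrancy"), ("c3.sol", "access_control")},
    "toolC": {("c1.sol", "reentrancy"), ("c6.sol", "arithmetic")},
    "toolD": {("c1.sol", "reentrancy"), ("c2.sol", "arithmetic")},
    "toolE": {("c7.sol", "time_manipulation")},
}


def per_tool_accuracy(reports, annotated):
    """Share of annotated vulnerabilities that each tool reports."""
    return {tool: len(found & annotated) / len(annotated) for tool, found in reports.items()}


def detected_by_any(reports, annotated):
    """Share of annotated vulnerabilities found by the union of all tools."""
    union = set().union(*reports.values())
    return len(union & annotated) / len(annotated)


def flagged_contracts(reports, all_contracts):
    """Share of contracts that at least one tool tags as vulnerable."""
    flagged = {contract for found in reports.values() for contract, _ in found}
    return len(flagged & set(all_contracts)) / len(all_contracts)


def agreed_findings(reports, min_tools=4):
    """Findings reported by at least `min_tools` tools, with their vote counts."""
    votes = defaultdict(int)
    for found in reports.values():
        for finding in found:
            votes[finding] += 1
    return {finding: n for finding, n in votes.items() if n >= min_tools}
```

With the constructed data, four tools agree only on the reentrancy finding in c1.sol, while the union of tools covers three of the four annotated vulnerabilities.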
Thu 9 Jul (displayed time zone: UTC, Coordinated Universal Time)

08:05 - 09:05 | I17-Contracts and Analysis | Demonstrations / Technical Papers / Software Engineering in Practice / Journal First | at Goguryeo | Chair(s): Jaechang Nam (Handong Global University)

08:05 | 10m Talk | How to reduce risk effectively in fixed price software development | SEIP (Software Engineering in Practice)

08:15 | 10m Talk | Seraph: Enabling Cross-Platform Security Analysis For EVM and WASM Smart Contracts | Demo (Demonstrations) | Zhiqiang Yang (Oxford-Hainan Blockchain Research Institute), Han Liu (Tsinghua University), Yue Li (Oxford-Hainan Blockchain Research Institute), Huixuan Zheng (Oxford-Hainan Blockchain Research Institute), Lei Wang (Oxford-Hainan Blockchain Research Institute), Bangdao Chen (Oxford-Hainan Blockchain Research Institute)

08:25 | 10m Talk | Escape from Escape Analysis of Golang | SEIP (Software Engineering in Practice) | Cong Wang (Tsinghua University), Mingrui Zhang (Tsinghua University, Beijing, China), Yu Jiang, Huafeng Zhang (Huawei Technologies, Hangzhou, China), Zhenchang Xing (Australia National University), Ming Gu

08:35 | 10m Talk | Smart Contract Development: Challenges and Opportunities | J1 (Journal First) | Weiqin Zou (Nanjing University), David Lo (Singapore Management University), Pavneet Singh Kochhar (Microsoft), Xuan-Bach D. Le (Singapore Management University, Singapore), Xin Xia (Monash University), Yang Feng (Nanjing University), Zhenyu Chen (Nanjing University), Baowen Xu (Nanjing University)

08:45 | 10m Talk | Empirical Review of Automated Analysis Tools on 47,587 Ethereum Smart Contracts | Technical Papers | Thomas Durieux (KTH Royal Institute of Technology, Sweden), João F. Ferreira (INESC-ID and IST, University of Lisbon), Rui Abreu (Instituto Superior Técnico, U. Lisboa & INESC-ID), Pedro Cruz (IST, University of Lisbon, Portugal) | Pre-print

08:55 | 10m Talk | An Extended Abstract of “METRIC+: A Metamorphic Relation Identification Technique Based on Input Plus Output Domains” | J1 (Journal First) | Chang-ai Sun (University of Science and Technology Beijing), An Fu (University of Science and Technology Beijing), Pak-Lok Poon (School of Engineering & Technology, Central Queensland University, Australia), Xiaoyuan Xie (School of Computer Science, Wuhan University, China), Huai Liu (Swinburne University of Technology), Tsong Yueh Chen (Swinburne University of Technology)