Evaluation of Smart Contract Vulnerability Analysis Tools: A Domain-Specific Perspective

IF 2.4 Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS

Information (Switzerland) Pub Date : 2023-09-29 DOI:10.3390/info14100533

Bahareh Lashkari, Petr Musilek

{"title":"Evaluation of Smart Contract Vulnerability Analysis Tools: A Domain-Specific Perspective","authors":"Bahareh Lashkari, Petr Musilek","doi":"10.3390/info14100533","DOIUrl":null,"url":null,"abstract":"With the widespread adoption of blockchain platforms across various decentralized applications, the smart contract’s vulnerabilities are continuously growing and evolving. Consequently, a failure to optimize conventional vulnerability analysis methods results in unforeseen effects caused by overlooked classes of vulnerabilities. Current methods have difficulty dealing with multifaceted intrusions, which calls for more robust approaches. Therefore, overdependence on environment-defined parameters in the contract execution logic binds the contract to the manipulation of such parameters and is perceived as a security vulnerability. Several vulnerability analysis tools have been identified as insufficient to effectively identify certain types of vulnerability. In this paper, we perform a domain-specific evaluation of state-of-the-art vulnerability detection tools on smart contracts. A domain can be defined as a particular area of knowledge, expertise, or industry. We use a perspective specific to the area of energy contracts to draw logical and language-dependent features to advance the structural and procedural comprehension of these contracts. The goal is to reach a greater degree of abstraction and navigate the complexities of decentralized applications by determining their domains. In particular, we analyze code embedding of energy smart contracts and characterize their vulnerabilities in transactive energy systems. We conclude that energy contracts can be affected by a relatively large number of defects. It also appears that the detection accuracy of the tools varies depending on the domain. This suggests that security flaws may be domain-specific. As a result, in some domains, many vulnerabilities can be overlooked by existing analytical tools. Additionally, the overall impact of a specific vulnerability can differ significantly between domains, making its mitigation a priority subject to business logic. As a result, more effort should be directed towards the reliable and accurate detection of existing and new types of vulnerability from a domain-specific point of view.","PeriodicalId":38479,"journal":{"name":"Information (Switzerland)","volume":null,"pages":null},"PeriodicalIF":2.4000,"publicationDate":"2023-09-29","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Information (Switzerland)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.3390/info14100533","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q3","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

With the widespread adoption of blockchain platforms across various decentralized applications, the smart contract’s vulnerabilities are continuously growing and evolving. Consequently, a failure to optimize conventional vulnerability analysis methods results in unforeseen effects caused by overlooked classes of vulnerabilities. Current methods have difficulty dealing with multifaceted intrusions, which calls for more robust approaches. Therefore, overdependence on environment-defined parameters in the contract execution logic binds the contract to the manipulation of such parameters and is perceived as a security vulnerability. Several vulnerability analysis tools have been identified as insufficient to effectively identify certain types of vulnerability. In this paper, we perform a domain-specific evaluation of state-of-the-art vulnerability detection tools on smart contracts. A domain can be defined as a particular area of knowledge, expertise, or industry. We use a perspective specific to the area of energy contracts to draw logical and language-dependent features to advance the structural and procedural comprehension of these contracts. The goal is to reach a greater degree of abstraction and navigate the complexities of decentralized applications by determining their domains. In particular, we analyze code embedding of energy smart contracts and characterize their vulnerabilities in transactive energy systems. We conclude that energy contracts can be affected by a relatively large number of defects. It also appears that the detection accuracy of the tools varies depending on the domain. This suggests that security flaws may be domain-specific. As a result, in some domains, many vulnerabilities can be overlooked by existing analytical tools. Additionally, the overall impact of a specific vulnerability can differ significantly between domains, making its mitigation a priority subject to business logic. As a result, more effort should be directed towards the reliable and accurate detection of existing and new types of vulnerability from a domain-specific point of view.

查看原文本刊更多论文

智能合约漏洞分析工具的评估:特定领域视角

随着区块链平台在各种去中心化应用程序中的广泛采用，智能合约的漏洞也在不断增长和演变。因此，传统漏洞分析方法的优化失败，会导致由于忽略了漏洞类别而导致不可预见的后果。目前的方法难以处理多方面的入侵，这需要更强大的方法。因此，在合约执行逻辑中过度依赖于环境定义的参数会将合约绑定到对这些参数的操作，并被视为安全漏洞。一些漏洞分析工具已经被认为不足以有效地识别某些类型的漏洞。在本文中，我们对智能合约上最先进的漏洞检测工具进行了特定领域的评估。一个领域可以被定义为一个特定的知识、专业知识或行业领域。我们使用特定于能源合同领域的视角来绘制逻辑和语言依赖特征，以推进对这些合同的结构和程序理解。我们的目标是达到更高的抽象程度，并通过确定分散的应用程序的域来处理它们的复杂性。特别是，我们分析了能源智能合约的代码嵌入，并描述了它们在交易能源系统中的漏洞。我们得出结论，能量契约可以受到相对大量缺陷的影响。此外，工具的检测精度也因领域而异。这表明安全缺陷可能是特定于领域的。因此，在某些领域，许多漏洞可能被现有的分析工具所忽略。此外，特定漏洞的总体影响在不同的域之间可能存在显著差异，因此对其缓解的优先级取决于业务逻辑。因此，应从特定领域的角度可靠和准确地检测现有的和新的脆弱性类型，应作出更多努力。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Information (Switzerland) Computer Science-Information Systems

CiteScore

6.90

自引率

0.00%

发文量

515

审稿时长

11 weeks