Vulnerability detection techniques for smart contracts: A systematic literature review

IF 3.7 2区计算机科学 Q1 COMPUTER SCIENCE, SOFTWARE ENGINEERING

Journal of Systems and Software Pub Date : 2024-07-20 DOI:10.1016/j.jss.2024.112160

Fernando Richter Vidal, Naghmeh Ivaki, Nuno Laranjeiro

{"title":"Vulnerability detection techniques for smart contracts: A systematic literature review","authors":"Fernando Richter Vidal, Naghmeh Ivaki, Nuno Laranjeiro","doi":"10.1016/j.jss.2024.112160","DOIUrl":null,"url":null,"abstract":"<div><p>The number of applications supported by blockchain smart contracts has been greatly increasing in recent years, with smart contracts now being used across several domains, such as the music industry, finance, and retail, to name a few. Despite being used in business-critical contexts, the number of security vulnerabilities in smart contracts has also been increasing, with many of them being exploited and resulting in huge financial and reputation losses. This is despite the enormous effort that is being placed into the research and development of vulnerability detection tools and techniques, which have also greatly increased in number and type in the last few years. Motivated by the recent increase in both vulnerabilities and vulnerability detection techniques, this paper reviews the latest research in smart contract vulnerability detection, emphasizing the techniques being used, the vulnerabilities targeted, and the characteristics of the dataset used for evaluating the technique. We mapped the vulnerabilities against two common vulnerability classification schemes (DASP and SWC) and performed a consolidated analysis. We identified the current research trends and gaps in each technique and highlighted future research opportunities in the field.</p></div>","PeriodicalId":51099,"journal":{"name":"Journal of Systems and Software","volume":"217 ","pages":"Article 112160"},"PeriodicalIF":3.7000,"publicationDate":"2024-07-20","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S016412122400205X/pdfft?md5=7ccf6630645ebbcb7ae24a70d7a72074&pid=1-s2.0-S016412122400205X-main.pdf","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of Systems and Software","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S016412122400205X","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, SOFTWARE ENGINEERING","Score":null,"Total":0}

引用次数: 0

Abstract

The number of applications supported by blockchain smart contracts has been greatly increasing in recent years, with smart contracts now being used across several domains, such as the music industry, finance, and retail, to name a few. Despite being used in business-critical contexts, the number of security vulnerabilities in smart contracts has also been increasing, with many of them being exploited and resulting in huge financial and reputation losses. This is despite the enormous effort that is being placed into the research and development of vulnerability detection tools and techniques, which have also greatly increased in number and type in the last few years. Motivated by the recent increase in both vulnerabilities and vulnerability detection techniques, this paper reviews the latest research in smart contract vulnerability detection, emphasizing the techniques being used, the vulnerabilities targeted, and the characteristics of the dataset used for evaluating the technique. We mapped the vulnerabilities against two common vulnerability classification schemes (DASP and SWC) and performed a consolidated analysis. We identified the current research trends and gaps in each technique and highlighted future research opportunities in the field.

查看原文本刊更多论文

智能合约的漏洞检测技术：系统性文献综述

近年来，区块链智能合约支持的应用数量大幅增加，目前智能合约已被用于多个领域，如音乐产业、金融和零售业等。尽管智能合约被用于关键业务环境，但其安全漏洞的数量也在不断增加，其中许多漏洞被人利用，造成了巨大的经济和声誉损失。尽管人们在研究和开发漏洞检测工具和技术方面付出了巨大努力，但在过去几年中，这些工具和技术的数量和类型也大大增加。受近期漏洞和漏洞检测技术双双增加的推动，本文回顾了智能合约漏洞检测方面的最新研究，强调了正在使用的技术、针对的漏洞以及用于评估技术的数据集的特征。我们根据两种常见的漏洞分类方案（DASP 和 SWC）对漏洞进行了映射，并进行了综合分析。我们确定了每种技术当前的研究趋势和差距，并强调了该领域未来的研究机会。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Journal of Systems and Software 工程技术-计算机：理论方法

CiteScore

8.60

自引率

5.70%

发文量

193

审稿时长

16 weeks

期刊介绍： The Journal of Systems and Software publishes papers covering all aspects of software engineering and related hardware-software-systems issues. All articles should include a validation of the idea presented, e.g. through case studies, experiments, or systematic comparisons with other approaches already in practice. Topics of interest include, but are not limited to: •Methods and tools for, and empirical studies on, software requirements, design, architecture, verification and validation, maintenance and evolution •Agile, model-driven, service-oriented, open source and global software development •Approaches for mobile, multiprocessing, real-time, distributed, cloud-based, dependable and virtualized systems •Human factors and management concerns of software development •Data management and big data issues of software systems •Metrics and evaluation, data mining of software development resources •Business and economic aspects of software development processes The journal welcomes state-of-the-art surveys and reports of practical experience for all of these topics.