SmartCheck: Static Analysis of Ethereum Smart Contracts

Tikhomirov, Sergei; Voskresenskaya, Ekaterina; Ivanitskiy, Ivan; Takhaviev, Ramil; Marchenko, Evgeny; Alexandrov, Yaroslav

doi:10.1145/3194113.3194115

Reference : SmartCheck: Static Analysis of Ethereum Smart Contracts


	Document type :	Scientific congresses, symposiums and conference proceedings : Unpublished conference
	Discipline(s) :	Engineering, computing & technology : Computer science
	Focus Areas :	Computational Sciences
	To cite this reference:	http://hdl.handle.net/10993/35862

Title :	SmartCheck: Static Analysis of Ethereum Smart Contracts
Language :	English
Author, co-author :	Tikhomirov, Sergei [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > Computer Science and Communications Research Unit (CSC) >]
	Voskresenskaya, Ekaterina [SmartDec]
	Ivanitskiy, Ivan [SmartDec]
	Takhaviev, Ramil [SmartDec]
	Marchenko, Evgeny [SmartDec]
	Alexandrov, Yaroslav [SmartDec]
Publication date :	27-May-2018
Number of pages :	8
Peer reviewed :	Yes
Audience :	International
Event name :	1st International Workshop on Emerging Trends in Software Engineering for Blockchain
Event date :	2018-05-27
Event place (city) :	Gothenburg
Event country :	Sweden
Keywords :	[en] Ethereum ; Solidity ; smart contracts ; static analysis ; bug detection
Abstract :	[en] Ethereum is a major blockchain-based platform for smart contracts – Turing complete programs that are executed in a decentralized network and usually manipulate digital units of value. Solidity is the most mature high-level smart contract language. Ethereum is a hostile execution environment, where anonymous attackers exploit bugs for immediate financial gain. Developers have a very limited ability to patch deployed contracts. Hackers steal up to tens of millions of dollars from flawed contracts, a well-known example being “The DAO“, broken in June 2016. Advice on secure Ethereum programming practices is spread out across blogs, papers, and tutorials. Many sources are outdated due to a rapid pace of development in this field. Automated vulnerability detection tools, which help detect potentially problematic language constructs, are still underdeveloped in this area. We provide a comprehensive classification of code issues in Solidity and implement SmartCheck – an extensible static analysis tool that detects them. SmartCheck translates Solidity source code into an XML-based intermediate representation and checks it against XPath patterns. We evaluated our tool on a big dataset of real-world contracts and compared the results with manual audit on three contracts. Our tool reflects the current state of knowledge on Solidity vulnerabilities and shows significant improvements over alternatives. SmartCheck has its limitations, as detection of some bugs requires more sophisticated techniques such as taint analysis or even manual audit. We believe though that a static analyzer should be an essential part of contract developers’ toolbox, letting them fix simple bugs fast and allocate more effort to complex issues.
Permalink :	http://hdl.handle.net/10993/35862
DOI :	10.1145/3194113.3194115

File(s) associated to this reference

Fulltext file(s):

	File	Commentary	Version	Size	Access
Open access	smartcheck-paper.pdf		Author postprint	517.22 kB	View/Open

Additional material(s):

	File	Commentary	Size	Access
Open access	smartcheck.pdf	slides	355.65 kB	View/Open

All documents in ORBi^lu are protected by a user license.

University of Luxembourg Library | Feedback | Legal notices