ContractTrace: Retracing Smart Contract Versions for Security Analyses

[en] Due to the inherent immutability of blockchain technology, smart contract updates require their deployment at new addresses rather than modifying existing ones, thus fragmenting version histories and creating critical blind spots for analyses. Indeed, for example, this fragmentation severely hinders security researchers ability to track vulnerability lifecycles across contract versions. While platforms like Etherscan provide detailed information about Ethereum smart contracts, they lack crucial functionality to trace predecessor-successor relationships within smart contract lineages, preventing systematic analysis of how vulnerabilities emerge, propagate, and potentially remain unresolved across versions.To address the challenge of tracing smart contract lineages, we adopt a Design Science Research (DSR) approach and introduce ContractTrace, an automated infrastructure that accurately identifies and links versions of smart contracts into coherent lineages. This tool enables the construction of lineageSet, an up-to-date, open-source dataset specifically designed to support security research on vulnerability, defect or any other property evolution patterns in smart contracts. Through a security-focused case study we demonstrate how ContractTrace reveals previously obscured vulnerability life-cycles within smart contract lineages, tracking whether critical security flaws persist or get resolved across versions. This capability is essential for understanding vulnerability propagation patterns and evaluating the effectiveness of security patches in blockchain environments. In the evaluation phase of our DSR approach, we validated our lineage detection methodology against an alternative approach using Locality-Sensitive Hashing (LSH) to cluster contract versions, confirming the security relevance and accuracy of our technique.

Disciplines :

Computer science

Author, co-author :

MBODJI, Fatou Ndiaye ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > TruX

ADJIBI, Vinny ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust > TruX > Team Tegawendé François d A BISSYANDE

DIOUF, Moustapha Awwalou ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > TruX

Mendy, Gervais

LIU, Kui ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust > SerVal > Team Yves LE TRAON

KLEIN, Jacques ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > TruX

BISSYANDE, Tegawendé ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > TruX

External co-authors :

yes

Language :

English

Title :

ContractTrace: Retracing Smart Contract Versions for Security Analyses

Original title :

[en] ContractTrace: Retracing Smart Contract Versions for Security Analyses

Publication date :

18 August 2025

Event name :

Cybersecurity4D

Event organizer :

PAICTA

Event place :

Port elizabeth, South Africa

Event date :

2025-08

Audience :

International

Main work title :

Cybersecurity4D 2025

Publisher :

C4D

Peer reviewed :

Peer reviewed

Focus Area :

Security, Reliability and Trust
Computational Sciences

Data Set :

https://anonymous.4open.science/r/sclineages-A9A2

Commentary :

10 pages, 4 figures, 4 tables

Available on ORBilu :

since 22 October 2025

Statistics

Number of views

117 (19 by Unilu)

Number of downloads

97 (18 by Unilu)

More statistics

Scopus citations^®

Scopus citations^®
without self-citations

OpenAlex citations

Bibliography

J. Chen, X. Xia, D. Lo, and J. Grundy, “Why do smart contracts self-destruct? investigating the selfdestruct function on ethereum,” ACM Transactions on Software Engineering and Methodology (TOSEM), vol. 31, no. 2, pp. 1-37, 2021.
Y. Huang, Q. Kong, N. Jia, X. Chen, and Z. Zheng, “Recommending differentiated code to support smart contract update,” in 2019 IEEE/ACM 27th International Conference on Program Comprehension (ICPC). IEEE, 2019, pp. 260-270.
N. He, L. Wu, H. Wang, Y. Guo, and X. Jiang, “Characterizing code clones in the ethereum smart contract ecosystem,” in Financial Cryptography and Data Security: 24th International Conference, FC 2020, Kota Kinabalu, Malaysia, February 10-14, 2020 Revised Selected Papers 24. Springer, 2020, pp. 654-675.
G. A. Pierro, R. Tonelli, and M. Marchesi, “An organized repository of ethereum smart contracts’ source codes and metrics,” Future internet, vol. 12, no. 11, p. 197, 2020.
N. Szabo, “Formalizing and securing relationships on public networks,” First monday, 1997.
S. Nakamoto, “Bitcoin: A peer-to-peer electronic cash system,” Decentralized Business Review, p. 21260, 2008.
V. Buterin et al., “A next-generation smart contract and decentralized application platform,” white paper, vol. 3, no. 37, pp. 2-1, 2014.
J. Chen, X. Xia, D. Lo, J. Grundy, and X. Yang, “Maintenance-related concerns for post-deployed ethereum smart contract development: issues, techniques, and future challenges,” Empirical Software Engineering, vol. 26, no. 6, p. 117, 2021.
Z. Gao, V. Jayasundara, L. Jiang, X. Xia, D. Lo, and J. Grundy, “Smartembed: A tool for clone and bug detection in smart contracts through structural code embedding,” in 2019 IEEE International Conference on Software Maintenance and Evolution (ICSME). IEEE, 2019, pp. 394-397.
L. Jiang, G. Misherghi, Z. Su, and S. Glondu, “Deckard: Scalable and accurate tree-based detection of code clones,” in 29th International Conference on Software Engineering (ICSE’07). IEEE, 2007, pp. 96-105.
C. K. Roy and J. R. Cordy, “Nicad: Accurate detection of near-miss intentional clones using flexible pretty-printing and code normalization,” in 2008 16th iEEE international conference on program comprehension. IEEE, 2008, pp. 172-181.
A. Gionis, P. Indyk, R. Motwani et al., “Similarity search in high dimensions via hashing,” in Vldb, vol. 99, no. 6, 1999, pp. 518-529.
Y. Wang, X. Chen, Y. Huang, H.-N. Zhu, J. Bian, and Z. Zheng, “An empirical study on real bug fixes from solidity smart contract projects,” Journal of Systems and Software, vol. 204, p. 111787, 2023.
J. Feist, G. Grieco, and A. Groce, “Slither: a static analysis framework for smart contracts,” in 2019 IEEE/ACM 2nd International Workshop on Emerging Trends in Software Engineering for Blockchain (WETSEB). IEEE, 2019, pp. 8-15.
https://github.com/ConsenSys/mythril.
https://github.com/nveloso/conkas.
T. Durieux, J. F. Ferreira, R. Abreu, and P. Cruz, “Empirical review of automated analysis tools on 47,587 ethereum smart contracts,” in Proceedings of the ACM/IEEE 42nd International conference on software engineering, 2020, pp. 530-541.
M. Monperrus, M. Martinez, H. Ye, F. Madeiral, T. Durieux, and Z. Yu, “Megadiff: A dataset of 600k java source code changes categorized by diff size,” arXiv preprint arXiv:2108.04631, 2021.
H. Ye, “Improving the precision of automatic program repair with machine learning,” Ph.D. dissertation, KTH Royal Institute of Technology, 2023.
J. Fan, Y. Li, S. Wang, and T. N. Nguyen, “Ac/c++ code vulnerability dataset with code changes and cve summaries,” in Proceedings of the 17th International Conference on Mining Software Repositories, 2020, pp. 508-512.