[en] Because blockchain state is immutable, a smart contract cannot be modified in place: every update is deployed at a new address. This fragments version histories and creates critical blind spots for security analyses, since researchers cannot readily track a vulnerability's lifecycle across contract versions. Block explorers such as Etherscan expose detailed information about individual Ethereum contracts, but they offer no way to trace predecessor-successor relationships within a contract lineage, which prevents systematic analysis of how vulnerabilities emerge, propagate, and potentially remain unresolved across versions. To address the challenge of tracing smart contract lineages, we adopt a Design Science Research (DSR) approach and introduce ContractTrace, an automated infrastructure that accurately identifies versions of a smart contract and links them into coherent lineages. ContractTrace enables the construction of lineageSet, an up-to-date, open-source dataset designed to support security research on how vulnerabilities, defects or any other property evolve across smart contract versions. Through a security-focused case study we demonstrate how ContractTrace reveals previously obscured vulnerability life-cycles within smart contract lineages, tracking whether critical security flaws persist or are resolved from one version to the next. This capability is essential for understanding vulnerability propagation patterns and for evaluating whether security patches are actually effective in blockchain environments. In the evaluation phase of our DSR approach, we validated our lineage detection methodology against an alternative approach that clusters contract versions with Locality-Sensitive Hashing (LSH), confirming the security relevance and accuracy of our technique.
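The LSH baseline mentioned in the evaluation can be illustrated with a small MinHash/LSH clusterer over contract source. The code below is an added example written for this page, not ContractTrace or the authors' baseline implementation; the paper does not state which representation, shingle size, hash count or banding its LSH comparison used, so token 3-gram shingles, 128 MinHash functions and 32 bands of 4 rows are assumptions chosen here. The three Vault versions and the unrelated Registry contract are constructed Solidity fragments, not contracts from lineageSet. The example shows why LSH is only a candidate generator: every pair that lands in a shared bucket is re-checked with exact Jaccard similarity before being linked into a lineage, and a plain-text threshold like this cannot tell a redeployed predecessor from an unrelated fork of the same template.

```python
"""MinHash + LSH clustering of smart contract versions (added illustration)."""
import hashlib
import random
import re
from itertools import combinations

MERSENNE_PRIME = (1 << 61) - 1  # modulus for the universal hash family

# Constructed sample contracts (not from the paper's dataset). Vault_v2 moves the
# balance update before the external call; Vault_v3 additionally adds an event.
VAULT_V1 = """pragma solidity ^0.8.0;
contract Vault {
    mapping(address => uint256) public balances;
    function deposit() external payable { balances[msg.sender] += msg.value; }
    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient");
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        balances[msg.sender] -= amount;
    }
}"""
VAULT_V2 = """pragma solidity ^0.8.0;
contract Vault {
    mapping(address => uint256) public balances;
    function deposit() external payable { balances[msg.sender] += msg.value; }
    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient");
        balances[msg.sender] -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}"""
VAULT_V3 = """pragma solidity ^0.8.0;
contract Vault {
    mapping(address => uint256) public balances;
    event Withdrawal(address indexed who, uint256 amount);
    function deposit() external payable { balances[msg.sender] += msg.value; }
    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient");
        balances[msg.sender] -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        emit Withdrawal(msg.sender, amount);
    }
}"""
REGISTRY = """pragma solidity ^0.8.0;
contract Registry {
    address public owner;
    mapping(bytes32 => string) private names;
    constructor() { owner = msg.sender; }
    function register(bytes32 key, string calldata name) external {
        require(msg.sender == owner, "not owner");
        names[key] = name;
    }
    function lookup(bytes32 key) external view returns (string memory) { return names[key]; }
}"""
SAMPLE_CONTRACTS = {"Vault_v1": VAULT_V1, "Vault_v2": VAULT_V2,
                    "Vault_v3": VAULT_V3, "Registry": REGISTRY}


def tokenize(source):
    """Identifiers, numbers and single punctuation characters (assumed tokenizer)."""
    return re.findall(r"[A-Za-z_]\w*|\d+|\S", source)


def shingles(source, k=3):
    """Set of k consecutive tokens; the unit LSH compares."""
    toks = tokenize(source)
    return {" ".join(toks[i:i + k]) for i in range(len(toks) - k + 1)}


def jaccard(a, b):
    return len(a & b) / len(a | b) if (a or b) else 1.0


def make_hash_params(num_hashes, seed=7):
    """Fixed-seed (a, b) pairs for h(x) = (a*x + b) mod p, one per MinHash row."""
    rng = random.Random(seed)
    return [(rng.randrange(1, MERSENNE_PRIME), rng.randrange(MERSENNE_PRIME))
            for _ in range(num_hashes)]


def minhash(shingle_set, params):
    ints = [int.from_bytes(hashlib.sha1(s.encode()).digest()[:8], "big")
            for s in shingle_set]
    return [min((a * x + b) % MERSENNE_PRIME for x in ints) for a, b in params]


def estimate_jaccard(sig_a, sig_b):
    """Fraction of agreeing MinHash rows approximates the Jaccard similarity."""
    return sum(x == y for x, y in zip(sig_a, sig_b)) / len(sig_a)


def lsh_candidates(signatures, bands):
    """Pairs whose signatures agree on all rows of at least one band."""
    rows = len(next(iter(signatures.values()))) // bands
    buckets = {}
    for name, sig in signatures.items():
        for b in range(bands):
            key = (b, tuple(sig[b * rows:(b + 1) * rows]))
            buckets.setdefault(key, []).append(name)
    return {pair for names in buckets.values() for pair in combinations(sorted(names), 2)}


def cluster_versions(contracts, num_hashes=128, bands=32, threshold=0.5, k=3):
    """Union-find over LSH candidate pairs that pass an exact Jaccard check."""
    params = make_hash_params(num_hashes)
    sets = {n: shingles(src, k) for n, src in contracts.items()}
    sigs = {n: minhash(s, params) for n, s in sets.items()}
    parent = {n: n for n in contracts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in lsh_candidates(sigs, bands):
        if jaccard(sets[a], sets[b]) >= threshold:  # verify, LSH alone has false positives
            parent[find(a)] = find(b)
    clusters = {}
    for n in contracts:
        clusters.setdefault(find(n), set()).add(n)
    return sorted(clusters.values(), key=lambda c: sorted(c))


if __name__ == "__main__":
    for lineage in cluster_versions(SAMPLE_CONTRACTS):
        print(sorted(lineage))
```

With 32 bands of 4 rows the banding threshold sits near a Jaccard similarity of 0.42, so near-duplicate redeployments collide in some band with overwhelming probability while the unrelated Registry contract is filtered out either by the bands or by the exact check. The Vault_v1 to Vault_v2 step is exactly the kind of patch a lineage tool needs to surface: the only change is the order of the state update and the external call.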
Disciplines :
Computer science
Author, co-author :
MBODJI, Fatou Ndiaye ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > TruX
ADJIBI, Vinny ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust > TruX > Team Tegawendé François d A BISSYANDE
DIOUF, Moustapha Awwalou ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > TruX
Mendy, Gervais
LIU, Kui ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust > SerVal > Team Yves LE TRAON
KLEIN, Jacques ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > TruX
BISSYANDE, Tegawendé ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > TruX
External co-authors :
yes
Language :
English
Title :
ContractTrace: Retracing Smart Contract Versions for Security Analyses
Original title :
[en] ContractTrace: Retracing Smart Contract Versions for Security Analyses
Publication date :
18 August 2025
Event name :
Cybersecurity4D
Event organizer :
PAICTA
Event place :
Port Elizabeth, South Africa
Event date :
2025-08
Audience :
International
Main work title :
Cybersecurity4D 2025
Publisher :
C4D
Peer reviewed :
Peer reviewed
Focus Area :
Security, Reliability and Trust
Computational Sciences