Abstract
AbstractSmart contracts are nowadays at the core of most blockchain systems. Like all computer programs, smart contracts are subject to the presence of residual faults, including severe security vulnerabilities. However, the key distinction lies in how these vulnerabilities are addressed. In smart contracts, when a vulnerability is identified, the affected contract must be terminated within the blockchain, as due to the immutable nature of blockchains, it is impossible to patch a contract once deployed. In this context, research efforts have been focused on proactively preventing the deployment of smart contracts containing vulnerabilities, mainly through the development of vulnerability detection tools. Along with these efforts, several heterogeneous vulnerability classification schemes appeared (e.g., most notably DASP and SWC). At the time of writing, these are mostly outdated initiatives, even though new smart contract vulnerabilities are consistently uncovered. In this paper, we propose OpenSCV, a new and Open hierarchical taxonomy for Smart Contract vulnerabilities, which is open to community contributions and matches the current state of the practice while being prepared to handle future modifications and evolution. The taxonomy was built based on the analysis of the existing research on vulnerability classification, community-maintained classification schemes, and research on smart contract vulnerability detection. We show how OpenSCV covers the announced detection ability of the current vulnerability detection tools and highlight its usefulness in smart contract vulnerability research. To validate OpenSCV, we performed an expert-based analysis wherein we invited multiple experts engaged in smart contract security research to participate in a questionnaire. The feedback from these experts indicated that the categories in OpenSCV are representative, clear, easily understandable, comprehensive, and highly useful. Regarding the vulnerabilities, the experts confirmed that they are easily understandable.
Publisher
Springer Science and Business Media LLC
Reference147 articles.
1. Agbo C, Mahmoud Q, Eklund J (2019) Blockchain technology in healthcare: a systematic review. Healthcare 7(2):56. https://doi.org/10.3390/healthcare7020056. https://www.mdpi.com/2227-9032/
2. Akca S, Rajan A, Peng C (2019) SolAnalyser: a framework for analysing and testing smart contracts. In: 2019 26th Asia-Pacific software engineering conference (APSEC), IEEE, Putrajaya, Malaysia, pp 482–489. https://doi.org/10.1109/APSEC48747.2019.00071. https://ieeexplore.ieee.org/document/8945725/
3. Amiet N (2021) Blockchain vulnerabilities in practice. Digital Threats: Research and Practice 2(2):1–7. https://doi.org/10.1145/3407230
4. Amoroso EG (1994) Fundamentals of computer security technology. Prentice-Hall Inc, USA
5. Antonopoulos A, Wood G (2018) Mastering Ethereum: Building Smart Contracts and DApps. O’Reilly Media, Inc