Affiliation:
1. Imperial College London, UK
Abstract
The Solidity programming language is the most widely used language for smart contract development. Improving smart contracts’ correctness, security, and performance has been the driving force for research in vulnerability detection, program analysis, and compiler techniques for Solidity. Similar to system-level languages such as C, Solidity enables the embedding of low-level code in programs, in the form of inline assembly code. Developers use inline assembly for low-level optimizations, extending the Solidity language through libraries, and using blockchain-specific opcodes only available through inline assembly. Nevertheless, inline assembly fragments are not well understood by an average developer and can introduce security threats as well as affect the optimizations that can be applied to programs by the compiler; it also significantly limits the effectiveness of source code static analyzers that operate on the Solidity level. A better understanding of how inline assembly is used in practice could in turn increase the performance, security, and support for inline assembly in Solidity.
This paper presents a large-scale quantitative study of the use of inline assembly in 6.8M smart contracts deployed on the Ethereum blockchain. We find that 23% of the analyzed smart contracts contain inline assembly code, and that the use of inline assembly has become more widespread over time. We further performed a manual qualitative analysis for identifying usage patterns of inline assembly in Solidity smart contracts. Our findings are intended to help practitioners understand when they should use inline assembly and guide developers of Solidity tools in prioritizing which parts of inline assembly to implement first. Finally, the insights of this study could be used to enhance the Solidity language, improve the Solidity compiler, and to open up new research directions by driving future researchers to build appropriate methods and techniques for replacing inline assembly in Solidity programs when there is no real necessity to use it.
Publisher
Association for Computing Machinery (ACM)
Subject
Safety, Risk, Reliability and Quality,Software
Reference34 articles.
1. x86-64 instruction usage among C/C++ applications
2. An Empirical Analysis of Smart Contracts: Platforms, Applications, and Design Patterns
3. Ethainter: a smart contract security analyzer for composite vulnerabilities
4. Lexi Brent , Anton Jurisevic , Michael Kong , Eric Liu , François Gauthier , Vincent Gramoli , Ralph Holz , and Bernhard Scholz . 2018 . Vandal: A Scalable Security Analysis Framework for Smart Contracts. ArXiv, abs/1809.03981 (2018). Lexi Brent, Anton Jurisevic, Michael Kong, Eric Liu, François Gauthier, Vincent Gramoli, Ralph Holz, and Bernhard Scholz. 2018. Vandal: A Scalable Security Analysis Framework for Smart Contracts. ArXiv, abs/1809.03981 (2018).
Cited by
2 articles.
订阅此论文施引文献
订阅此论文施引文献,注册后可以免费订阅5篇论文的施引文献,订阅后可以查看论文全部施引文献
1. Syntax-Aware Mutation for Testing the Solidity Compiler;Computer Security – ESORICS 2023;2024
2. Why Trick Me: The Honeypot Traps on Decentralized Exchanges;Proceedings of the 2023 Workshop on Decentralized Finance and Security;2023-11-27