Taxonomic insights into Ethereum smart contracts by linking application categories to security vulnerabilities.

Marco Ortu, Giacomo Ibba, Giuseppe Destefanis, Claudio Conversano, Roberto Tonelli
Author Information
  1. Marco Ortu: Department of Business and Economics Sciences, University of Cagliari, Viale Fra Ignazio 17, Cagliari, Italy. marco.ortu@unica.it.
  2. Giacomo Ibba: Department of Computer Science and Mathematics, University of Cagliari, Via Porcell 4, Cagliari, Italy.
  3. Giuseppe Destefanis: Department of Computer Science, Brunel University London, London, UK.
  4. Claudio Conversano: Department of Business and Economics Sciences, University of Cagliari, Viale Fra Ignazio 17, Cagliari, Italy.
  5. Roberto Tonelli: Department of Computer Science and Mathematics, University of Cagliari, Via Porcell 4, Cagliari, Italy.

Abstract

The expansion of smart contracts on the Ethereum blockchain has created a diverse ecosystem of decentralized applications. This growth, however, poses challenges in classifying and securing these contracts. Existing research often separately addresses either classification or vulnerability detection, without a comprehensive analysis of how contract types are related to security risks. Our study addresses this gap by developing a taxonomy of smart contracts and examining the potential vulnerabilities associated with each category. We use the Latent Dirichlet Allocation (LDA) model to analyze a dataset of over 100,040 Ethereum smart contracts, which is notably larger than those used in previous studies. Our analysis categorizes these contracts into eleven groups, with five primary categories: Notary, Token, Game, Financial, and Blockchain interaction. This categorization sheds light on the various functions and applications of smart contracts in today's blockchain environment. In response to the growing need for better security in smart contract development, we also investigate the link between these categories and common vulnerabilities. Our results identify specific vulnerabilities associated with different contract types, providing valuable insights for developers and auditors. This relationship between contract categories and vulnerabilities is a new contribution to the field, as it has not been thoroughly explored in previous research. Our findings offer a detailed taxonomy of smart contracts and practical recommendations for enhancing security. By understanding how contract categories correlate with vulnerabilities, developers can implement more effective security measures, and auditors can better prioritize their reviews. This study advances both academic knowledge of smart contracts and practical strategies for securing decentralized applications on the Ethereum platform.

MeSH Term

Computer Security
Blockchain
Contracts
Humans