research-article
Open access

Static Application Security Testing (SAST) Tools for Smart Contracts: How Far Are We?

Published: 12 July 2024

Abstract

In recent years, the importance of smart contract security has been heightened by the increasing number of attacks against them. To address this issue, a multitude of static application security testing (SAST) tools have been proposed for detecting vulnerabilities in smart contracts. However, objectively comparing these tools to determine their effectiveness remains challenging. Existing studies often fall short because their taxonomies and benchmarks cover only a coarse and potentially outdated set of vulnerability types, which leads to evaluations that are not entirely comprehensive and may be biased. In this paper, we fill this gap by proposing an up-to-date and fine-grained taxonomy that includes 45 unique vulnerability types for smart contracts. Taking it as a baseline, we develop an extensive benchmark that covers 40 distinct types and includes a diverse range of code characteristics, vulnerability patterns, and application scenarios. Using this benchmark, which comprises 788 smart contract files and 10,394 vulnerabilities, we evaluated 8 SAST tools. Our results reveal that the existing SAST tools fail to detect around 50% of the vulnerabilities in our benchmark and suffer from high false positive rates, with precision not surpassing 10%. We also discover that combining the results of multiple tools reduces the false negative rate effectively, at the expense of flagging 36.77 percentage points more functions. Nevertheless, many vulnerabilities, especially those other than Access Control and Reentrancy, remain undetected. We finally highlight the valuable insights from our study, hoping to provide guidance on tool development, enhancement, evaluation, and selection for developers, researchers, and practitioners.
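As an added illustration (not code from the paper or its authors) of how a benchmark-based SAST evaluation and the tool-combination trade-off described above can be measured, the Python below scores constructed tool reports against a constructed ground truth. Matching findings at (file, function, vulnerability-type) granularity, computing the flagged-function share over all benchmark functions, and measuring the percentage-point increase relative to the single tool with the best recall are assumptions of this example, not the paper's protocol; the tool names, file names and findings are made up.

```python
"""Toy scoring harness for SAST tool reports against a labelled benchmark.

Constructed example: the ground truth, the function inventory and the tool
reports below are hand-made, and the matching granularity (file, function,
vulnerability type) is an assumption rather than the paper's exact protocol.
"""
from dataclasses import dataclass

Finding = tuple[str, str, str]          # (file, function, vulnerability type)
Function = tuple[str, str]              # (file, function)

# Constructed ground truth: 8 labelled vulnerabilities across 3 files.
GROUND_TRUTH: set[Finding] = {
    ("Vault.sol", "withdraw", "reentrancy"),
    ("Vault.sol", "setOwner", "access-control"),
    ("Vault.sol", "sweep", "access-control"),
    ("Token.sol", "transfer", "integer-overflow"),
    ("Token.sol", "mint", "access-control"),
    ("Lottery.sol", "draw", "bad-randomness"),
    ("Lottery.sol", "payout", "unchecked-call"),
    ("Lottery.sol", "enter", "front-running"),
}

# Every function in the benchmark; the flagged share is computed over these.
ALL_FUNCTIONS: set[Function] = {
    ("Vault.sol", "withdraw"), ("Vault.sol", "setOwner"), ("Vault.sol", "sweep"),
    ("Vault.sol", "deposit"), ("Token.sol", "transfer"), ("Token.sol", "mint"),
    ("Token.sol", "balanceOf"), ("Lottery.sol", "draw"),
    ("Lottery.sol", "payout"), ("Lottery.sol", "enter"),
}

# Constructed tool reports (hypothetical tools): true hits mixed with noise.
TOOL_REPORTS: dict[str, set[Finding]] = {
    "tool-A": {
        ("Vault.sol", "withdraw", "reentrancy"),
        ("Vault.sol", "setOwner", "access-control"),
        ("Vault.sol", "deposit", "reentrancy"),            # false positive
        ("Token.sol", "balanceOf", "integer-overflow"),    # false positive
    },
    "tool-B": {
        ("Vault.sol", "sweep", "access-control"),
        ("Token.sol", "mint", "access-control"),
        ("Vault.sol", "withdraw", "reentrancy"),
        ("Token.sol", "transfer", "integer-overflow"),
        ("Lottery.sol", "enter", "reentrancy"),            # wrong type: false positive
    },
    "tool-C": {
        ("Lottery.sol", "draw", "bad-randomness"),
        ("Token.sol", "balanceOf", "access-control"),      # false positive
    },
}


@dataclass(frozen=True)
class Metrics:
    tp: int
    fp: int
    fn: int
    flagged_share: float   # fraction of benchmark functions with >= 1 report

    @property
    def precision(self) -> float:
        return self.tp / (self.tp + self.fp) if self.tp + self.fp else 0.0

    @property
    def recall(self) -> float:
        return self.tp / (self.tp + self.fn) if self.tp + self.fn else 0.0

    @property
    def false_negative_rate(self) -> float:
        return 1.0 - self.recall


def evaluate(reports: set[Finding], truth: set[Finding] = GROUND_TRUTH,
             functions: set[Function] = ALL_FUNCTIONS) -> Metrics:
    """Score one report set: exact (file, function, type) matches count as TP."""
    tp = len(reports & truth)
    fp = len(reports - truth)
    fn = len(truth - reports)
    flagged = {(f, fun) for f, fun, _ in reports} & functions
    return Metrics(tp, fp, fn, len(flagged) / len(functions))


def union_reports(tool_names) -> set[Finding]:
    """Combine tools by taking the union of everything any of them reports."""
    out: set[Finding] = set()
    for name in tool_names:
        out |= TOOL_REPORTS[name]
    return out


def undetected_types(reports: set[Finding], truth: set[Finding] = GROUND_TRUTH) -> set[str]:
    """Vulnerability types in the ground truth that no report in `reports` hits."""
    hit = {t for f, fun, t in reports & truth}
    return {t for _, _, t in truth} - hit


def combination_tradeoff(tool_names):
    """Best single tool (by recall) vs. the union, plus the percentage-point
    increase in flagged functions that the union costs (assumed definition)."""
    singles = {n: evaluate(TOOL_REPORTS[n]) for n in tool_names}
    best = max(singles, key=lambda n: singles[n].recall)
    combined = evaluate(union_reports(tool_names))
    pp = (combined.flagged_share - singles[best].flagged_share) * 100
    return singles[best], combined, round(pp, 2)


if __name__ == "__main__":
    names = list(TOOL_REPORTS)
    for n in names:
        m = evaluate(TOOL_REPORTS[n])
        print(f"{n}: P={m.precision:.2f} R={m.recall:.2f} flagged={m.flagged_share:.0%}")
    best, combined, pp = combination_tradeoff(names)
    print(f"union: P={combined.precision:.2f} FNR={combined.false_negative_rate:.2f} "
          f"(+{pp} pp functions flagged vs best single tool)")
    print("still undetected:", sorted(undetected_types(union_reports(names))))
```

On this constructed data the union raises recall from 0.50 (best single tool) to 0.75 while flagging 40 percentage points more functions, and two vulnerability types are never reported by any tool, which is the shape of trade-off the abstract describes; on a real benchmark the matching rule (function-level vs. line-level, strict vs. lenient type mapping) is what decides these numbers, so it must be fixed before tools are compared.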


Published In

Proceedings of the ACM on Software Engineering, Volume 1, Issue FSE
July 2024
2770 pages
EISSN: 2994-970X
DOI: 10.1145/3554322
This work is licensed under a Creative Commons Attribution International 4.0 License.

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published in PACMSE Volume 1, Issue FSE

Badges

  • Distinguished Paper

Author Tags

  1. Benchmarks
  2. Empirical study
  3. Static application security testing

Qualifiers

  • Research-article

Funding Sources

  • National Key R&D Program of China
  • ECNU & Huawei Trustworthiness Innovation Center
  • National Research Foundation, Singapore
  • the Cyber Security Agency under its National Cybersecurity R&D Programme
  • National Research Foundation Singapore and DSO National Laboratories under the AI Singapore Programme

Article Metrics

  • Total Citations: 0
  • Total Downloads: 233
  • Downloads (Last 12 months): 233
  • Downloads (Last 6 weeks): 120

Reflects downloads up to 01 Oct 2024
