<p>As smart contracts process digital assets, their security is essential for blockchain applications. Many approaches have been proposed to detect smart contract vulnerabilities. Studies show that few of the reported vulnerabilities are exploited and hypothesize that many of the reported vulnerabilities are false positives. However, no follow-up study has been performed to confirm the hypothesis and understand why the reported vulnerabilities are not exploited. In this study, we first collect 136,969 unique real-world smart contracts and analyze them using four vulnerability detectors, namely Oyente, SmartCheck, Slither, and SolDetector. Then, we apply Strauss’ grounded theory approach to manually analyze the source code of the smart contracts reported as vulnerable, to recognize false positives and understand the reasons for the false results. In addition, we analyze the transaction logs of the smart contracts reported as vulnerable to identify and understand their exploitations. Our results show that 75.37% of the 4,364 smart contracts reported as vulnerable are false positives, and that eleven reasons cause the false positives. After analyzing the 4,106,134 transaction logs of the contracts reported as vulnerable, we find that the vulnerabilities of only 67 (0.015%) of the contracts have been exploited in history. We also identify six reasons that demotivate and prevent attackers from exploiting the vulnerabilities. Our results reveal that state-of-the-art smart contract vulnerability detectors primarily treat smart contracts as yet another application developed in an Object Oriented (OO) language when analyzing and reporting smart contract vulnerabilities. Without considering the specific design principles of the Solidity programming language and the characteristics of smart contracts' application scenarios and execution environments, many of the reported vulnerabilities are not exploitable, or are not cost-effective for adversaries to exploit.</p>
<p>Smart contract security is essential for blockchain applications. Studies show that few of the reported vulnerabilities are exploited. However, no follow-up study has been performed to understand why the reported vulnerabilities are not exploited. We aim to understand the reasons for the low exploitation rate to help improve vulnerability detection practices. We first collect 136,969 unique real-world smart contracts and analyze them using seven vulnerability detectors. Then, we apply Strauss’ grounded theory approach to understand whether the reported vulnerabilities are exploitable. In addition, we analyze the transaction logs of the exploitable vulnerabilities to understand their exploitations in history. Among the 4,364 smart contracts reported as vulnerable by the vulnerability detectors, 75.27% are unexploitable, and only 66 (0.015%) have been exploited. We uncover 11 reasons why the detectors misidentify unexploitable vulnerabilities and six reasons that demotivate and prevent attackers from exploiting the exploitable ones. We illustrate that, beyond treating smart contracts as yet another Object Oriented (OO) application, it is essential to consider the Solidity programming language’s design principles, smart contracts' application scenarios, and their execution environments. Our results can help differentiate exploitable smart contracts from unexploitable ones, so that effort can be allocated to the exploitable ones to mitigate emergent risks.</p>
<p>Smart contract security is essential for blockchain applications. Studies show that few of the reported vulnerabilities are exploited. However, no follow-up study has been performed to understand why the reported vulnerabilities are not exploited. We aim to understand the reasons for the low exploitation rate to help improve vulnerability detection practices. We first collect 136,969 unique real-world smart contracts and analyze them using seven vulnerability detectors. Then, we apply Strauss’ grounded theory approach to understand whether the reported vulnerabilities are exploitable. In addition, we analyze the transaction logs of the exploitable vulnerabilities to understand their exploitations in history. Among the 4,364 smart contracts reported as vulnerable by the vulnerability detectors, 75.27% are unexploitable. Only 66 (0.015%) exploitable contracts have been exploited. We uncover 11 reasons why the detectors misidentify unexploitable vulnerabilities and six reasons that may lower the likelihood of exploitable contracts being exploited by attackers. We illustrate that, beyond treating smart contracts as yet another Object Oriented (OO) application, it is essential to consider the Solidity programming language’s design principles, smart contracts' application scenarios, and their execution environments. Based on the study's insights, we provide several suggestions to improve smart contract vulnerability detection, prioritization, and mitigation.</p>