Smart Contract Vulnerabilities: Vulnerable Does Not Imply Exploited

TL;DR

This paper analyzes the exploitation rate of vulnerable Ethereum smart contracts, revealing that only a small fraction of reported vulnerabilities have been exploited, mainly due to fund concentration and practical exploitability issues.

Contribution

It provides the first large-scale empirical analysis of actual exploitation rates of smart contract vulnerabilities, highlighting the gap between vulnerability reports and real-world exploits.

Findings

Only 1.98% of vulnerable contracts have been exploited.

Exploited contracts hold at most 8,487 ETH (~1.7 million USD).

Funds are concentrated in a few non-exploitable contracts.

Abstract

In recent years, we have seen a great deal of both academic and practical interest in the topic of vulnerabilities in smart contracts, particularly those developed for the Ethereum blockchain. While most of the work has focused on detecting *vulnerable* contracts, in this paper, we focus on finding how many of these vulnerable contracts have actually been *exploited*. We survey the 23,327 vulnerable contracts reported by six recent academic projects and find that, despite the amounts at stake, only 1.98% of them have been exploited since deployment. This corresponds to at most 8,487 ETH (~1.7 million USD), or only 0.27% of the 3 million ETH (600 million USD) at stake. We explain these results by demonstrating that the funds are very concentrated in a small number of contracts which are *not exploitable* in practice.