Assessing Smart Contracts Security Technical Debts

TL;DR

This paper introduces a debt-aware assessment approach for identifying and understanding security vulnerabilities in smart contracts, helping developers prioritize fixes and improve contract security.

Contribution

It presents a novel method combining security analysis with technical debt concepts to evaluate the impact of vulnerabilities in smart contracts.

Findings

Increases visibility of security design issues.

Enables prioritization of vulnerabilities based on technical debt impact.

Demonstrates applicability with examples of vulnerable contracts.

Abstract

Smart contracts are self-enforcing agreements that are employed to exchange assets without the approval of trusted third parties. This feature has encouraged various sectors to make use of smart contracts when transacting. Experience shows that many deployed contracts are vulnerable to exploitation due to their poor design, which allows attackers to steal valuable assets from the involved parties. Therefore, an assessment approach that allows developers to recognise the consequences of deploying vulnerable contracts is needed. In this paper, we propose a debt-aware approach for assessing security design vulnerabilities in smart contracts. Our assessment approach involves two main steps: (i) identification of design vulnerabilities using security analysis techniques and (ii) an estimation of the ramifications of the identified vulnerabilities leveraging the technical debt metaphor, its principal and interest. We use examples of vulnerable contracts to demonstrate the applicability of our approach. The results show that our assessment approach increases the visibility of security design issues. It also allows developers to concentrate on resolving smart contract vulnerabilities through technical debt impact analysis and prioritisation. Developers can use our approach to inform the design of more secure contracts and for reducing unintentional debts caused by a lack of awareness of security issues.