To Healthier Ethereum: A Comprehensive and Iterative Smart Contract Weakness Enumeration
Jiachi Chen, Mingyuan Huang, Zewei Lin, Peilin Zheng, Zibin Zheng

TL;DR
This paper presents SWE, a comprehensive, up-to-date, and iterative vulnerability list for Ethereum smart contracts, addressing gaps in existing lists by including recent vulnerabilities and proposing mechanisms for ongoing maintenance.
Contribution
It introduces SWE, a new systematic vulnerability enumeration for smart contracts, with a scalable update process to keep it current and comprehensive.
Findings
Collected 273 vulnerabilities from 86 papers
Identified 40 common contract weaknesses
Classified weaknesses into 20 sub-research fields
Abstract
With the increasing popularity of cryptocurrencies and blockchain technology, smart contracts have become a prominent feature in developing decentralized applications. However, these smart contracts are susceptible to vulnerabilities that hackers can exploit, resulting in significant financial losses. In response to this growing concern, various initiatives have emerged. Notably, the SWC vulnerability list played an important role in raising awareness and understanding of smart contract weaknesses. However, the SWC list lacks maintenance and has not been updated with new vulnerabilities since 2020. To address this gap, this paper introduces the Smart Contract Weakness Enumeration (SWE), a comprehensive and practical vulnerability list up until 2023. We collect 273 vulnerability descriptions from 86 top conference papers and journal papers, employing open card sorting techniques to…
Taxonomy
Topics: Blockchain Technology Applications and Security · Cryptography and Data Security · Spam and Phishing Detection
