Versioned Analysis of Software Quality Indicators and Self-admitted Technical Debt in Ethereum Smart Contracts with Ethstractor
Khalid Hassan, Saeed Moradi, Shaiful Chowdhury, Sara Rouhani

TL;DR
This paper introduces Ethstractor, a tool for collecting versioned smart contracts, and evaluates code metrics as vulnerability indicators, revealing their ineffectiveness and the persistence of technical debt.
Contribution
It presents Ethstractor for dataset collection and assesses code metrics' reliability in detecting vulnerabilities in Ethereum smart contracts.
Findings
Code metrics are ineffective in signaling vulnerabilities.
Vulnerabilities in smart contracts remain consistent over versions.
Most self-admitted technical debt is never removed.
Abstract
The rise of decentralized applications (dApps) has made smart contracts imperative components of blockchain technology. As many smart contracts process financial transactions, their security is paramount. Moreover, the immutability of blockchains makes vulnerabilities in smart contracts particularly challenging because it requires deploying a new version of the contract at a different address, incurring substantial fees paid in Ether. This paper proposes Ethstractor, the first smart contract collection tool for gathering a dataset of versioned smart contracts. The collected dataset is then used to evaluate the reliability of code metrics as indicators of vulnerabilities in smart contracts. Our findings indicate that code metrics are ineffective in signalling the presence of vulnerabilities. Furthermore, we investigate whether vulnerabilities in newer versions of smart contracts are…
Taxonomy
Topics: Economic and Technological Systems Analysis · Blockchain Technology Applications and Security
