Vulnerability anti-patterns in Solidity: Increasing smart contracts security by reducing false alarms
Tommaso Oss, Carlos E. Budde

TL;DR
This paper introduces lightweight static checks for Solidity smart contracts to reduce false positives in vulnerability detection, significantly improving practical security analysis in blockchain development.
Contribution
It presents a novel developer-centric static analysis approach that verifies and flags false alarms from existing tools, with an open-source prototype implementation.
Findings
Reduces false positives by up to 100% for key vulnerabilities
Flags 324 false alarms across 60 smart contracts
Enhances security analysis efficiency in blockchain development
Abstract
Turing completeness has made Ethereum smart contracts attractive to blockchain developers and attackers alike. To increase code security, many tools can now spot most known vulnerabilities, at the cost of production efficiency. Recent studies show false-positive ratios over 99% in state-of-the-art technologies: this makes them impractical for use in industry and has raised questions on the direction of academic research. In this work we show how integrating and extending current analyses is not only feasible, but also a next logical step in smart-contract security. We propose light-weight static checks on the morphology and dynamics of Solidity code, stemming from a developer-centric notion of vulnerability, that we use to verify the output of other tools, flag potential false alarms, and suggest verifications. Besides technical details we implemented an open-source prototype. For…
Taxonomy
Topics: Blockchain Technology Applications and Security
