Assessing Vulnerability in Smart Contracts: The Role of Code Complexity Metrics in Security Analysis
Masoud Jamshidiyan Tehrani

TL;DR
This study investigates how software complexity metrics can serve as diagnostic tools for identifying vulnerable smart contracts, finding that the metrics taken together, rather than any one metric alone, distinguish secure from vulnerable code.
Contribution
It provides an empirical evaluation of 21 complexity metrics, demonstrating their combined utility in security assessment of Solidity smart contracts.
Findings
Complexity metrics show redundancy and low individual correlation with vulnerabilities.
Vulnerable contracts tend to have higher mean complexity scores.
Metrics are indicators, not direct causes, of vulnerabilities.
Abstract
Software built on poor structural patterns often shows higher exposure to security defects. When code deviates from established best practices, verification and maintenance become harder, raising the risk of unintentional vulnerabilities. In the context of blockchain technology, where immutable smart contracts handle high-value transactions, strict security assurance is essential. This research analyzes the utility of software complexity metrics as diagnostic tools for identifying vulnerable Solidity smart contracts. We evaluate the hypothesis that complexity measures serve as vital, complementary signals for security assessment. Through an empirical examination of 21 distinct metrics, we analyzed their inter-dependencies, their statistical association with vulnerabilities, and their discriminative capabilities. Our findings indicate a significant degree of…
Taxonomy
Topics: Cybercrime and Law Enforcement Studies
