ContractTrace: Retracing Smart Contract Versions for Security Analyses

TL;DR

ContractTrace is an automated tool that reconstructs smart contract version histories on blockchains, enabling security researchers to analyze vulnerability lifecycles and assess security patch effectiveness across contract versions.

Contribution

The paper introduces ContractTrace, a novel system for accurately tracing smart contract lineages, filling a critical gap in security analysis tools for blockchain environments.

Findings

ContractTrace successfully links contract versions into coherent lineages.

The tool reveals previously hidden vulnerability propagation patterns.

Validation confirms high accuracy of the lineage detection methodology.

Abstract

Due to the inherent immutability of blockchain technology, smart contract updates require their deployment at new addresses rather than modifying existing ones, thus fragmenting version histories and creating critical blind spots for analyses. Indeed, for example, this fragmentation severely hinders security researchers ability to track vulnerability lifecycles across contract versions. While platforms like Etherscan provide detailed information about Ethereum smart contracts, they lack crucial functionality to trace predecessor-successor relationships within smart contract lineages, preventing systematic analysis of how vulnerabilities emerge, propagate, and potentially remain unresolved across versions.To address the challenge of tracing smart contract lineages, we adopt a Design Science Research (DSR) approach and introduce ContractTrace, an automated infrastructure that accurately identifies and links versions of smart contracts into coherent lineages. This tool enables the construction of lineageSet, an up-to-date, open-source dataset specifically designed to support security research on vulnerability, defect or any other property evolution patterns in smart contracts. Through a security-focused case study we demonstrate how ContractTrace reveals previously obscured vulnerability life-cycles within smart contract lineages, tracking whether critical security flaws persist or get resolved across versions. This capability is essential for understanding vulnerability propagation patterns and evaluating the effectiveness of security patches in blockchain environments. In the evaluation phase of our DSR approach, we validated our lineage detection methodology against an alternative approach using Locality-Sensitive Hashing (LSH) to cluster contract versions, confirming the security relevance and accuracy of our technique.