Where Do Smart Contract Security Analyzers Fall Short?
Tamer Abdelaziz, Salma Alsaghir, Karim Ali

TL;DR
This study evaluates six popular smart contract security analyzers on real-world contracts, revealing significant accuracy and usability issues that hinder adoption despite their potential to detect vulnerabilities.
Contribution
It provides a comprehensive benchmarking of analyzers on real contracts and links their performance gaps to developer perceptions, offering targeted improvement recommendations.
Findings
Accuracy varies widely among analyzers (F1 scores from 31.2% to 94.6%)
False-positive rates of up to 32.6% undermine developer trust
Long runtimes (over 700 seconds) hinder practical use
Abstract
Smart contracts underpin high-value ecosystems such as decentralized finance (DeFi), yet recurring vulnerabilities continue to cause losses worth billions of dollars. Although numerous security analyzers that detect such flaws exist, real-world attacks remain frequent, raising the question of whether these tools are truly effective or simply under-used due to low developer trust. Prior benchmarks have evaluated analyzers on synthetic or vulnerable-only contract datasets, limiting their ability to measure false positives, false negatives, and usability factors that drive adoption. To close this gap, we present a mixed-methods study that combines large-scale benchmarking with practitioner insights. We evaluate six widely used analyzers (i.e., Confuzzius, Dlva, Mythril, Osiris, Oyente, and Slither) on 653 real-world smart contracts that cover three high-impact vulnerability classes from…
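The abstract's methodological point (a benchmark with only vulnerable contracts cannot measure false positives, and false-positive rate, precision and F1 are what developers judge a tool by) is easiest to see in the scoring code such a benchmark needs. The block below is an added example for this page, not code from the paper or from any of the analyzers it studies; the contract ids, ground-truth labels and the two analyzer verdict sets ("noisy", "careful") are constructed, and the scoring treats a contract the tool produced no verdict for (crash or timeout) as not flagged.

```python
"""Scoring analyzer verdicts against labelled contracts.

Added example for this page; not code from the paper or from any of the
analyzers it evaluates. All contract ids, ground-truth labels and analyzer
verdicts below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Score:
    """Confusion-matrix counts for one analyzer on one vulnerability class."""
    tp: int  # vulnerable contract, flagged
    fp: int  # clean contract, flagged
    fn: int  # vulnerable contract, not flagged
    tn: int  # clean contract, not flagged

    @property
    def precision(self) -> Optional[float]:
        d = self.tp + self.fp
        return self.tp / d if d else None  # nothing flagged: undefined

    @property
    def recall(self) -> Optional[float]:
        d = self.tp + self.fn
        return self.tp / d if d else None  # no vulnerable contracts: undefined

    @property
    def f1(self) -> Optional[float]:
        p, r = self.precision, self.recall
        if p is None or r is None or p + r == 0:
            return None
        return 2 * p * r / (p + r)

    @property
    def false_positive_rate(self) -> Optional[float]:
        # FPR = FP / (FP + TN). With no clean contracts in the dataset the
        # denominator is zero: a vulnerable-only benchmark cannot measure it.
        d = self.fp + self.tn
        return self.fp / d if d else None


def score_analyzer(ground_truth: Dict[str, bool], flagged: Dict[str, bool]) -> Score:
    """Count TP/FP/FN/TN for one analyzer.

    ground_truth: contract id -> True if the contract really has the flaw.
    flagged:      contract id -> True if the analyzer reported the flaw.
    A contract absent from `flagged` (crash, timeout) counts as not flagged,
    so a tool that gives up on hard contracts pays for it in recall.
    """
    tp = fp = fn = tn = 0
    for cid, vulnerable in ground_truth.items():
        hit = flagged.get(cid, False)
        if vulnerable and hit:
            tp += 1
        elif vulnerable:
            fn += 1
        elif hit:
            fp += 1
        else:
            tn += 1
    return Score(tp, fp, fn, tn)


def run_benchmark(ground_truth: Dict[str, bool],
                  verdicts: Dict[str, Dict[str, bool]]) -> Dict[str, Score]:
    """Score every analyzer in `verdicts` (analyzer name -> per-contract flags)."""
    return {name: score_analyzer(ground_truth, v) for name, v in verdicts.items()}


# Constructed dataset: contracts c01..c04 are vulnerable, c05..c10 are clean.
GROUND_TRUTH = {f"c{i:02d}": i <= 4 for i in range(1, 11)}

# Constructed verdicts for two hypothetical analyzers (not real tool output):
# "noisy" flags every vulnerable contract but also three clean ones;
# "careful" flags little and misses half of the real flaws.
VERDICTS = {
    "noisy": {c: True for c in ("c01", "c02", "c03", "c04", "c05", "c06", "c07")},
    "careful": {"c01": True, "c02": True, "c05": True},
}

# The vulnerable-only subset that a prior-style benchmark would use: "noisy"
# scores perfect precision and F1 there, and FPR cannot be computed at all.
VULNERABLE_ONLY = {c: v for c, v in GROUND_TRUTH.items() if v}


def _fmt(x: Optional[float]) -> str:
    return "n/a" if x is None else f"{x:.3f}"


def main() -> None:
    for title, gt in (("mixed dataset", GROUND_TRUTH), ("vulnerable-only", VULNERABLE_ONLY)):
        print(f"== {title} ({len(gt)} contracts)")
        for name, s in run_benchmark(gt, VERDICTS).items():
            print(f"{name:8s} TP={s.tp} FP={s.fp} FN={s.fn} TN={s.tn} "
                  f"P={_fmt(s.precision)} R={_fmt(s.recall)} "
                  f"F1={_fmt(s.f1)} FPR={_fmt(s.false_positive_rate)}")


if __name__ == "__main__":
    main()
```

Running it side by side makes the abstract's argument concrete: on the mixed dataset the "noisy" analyzer has perfect recall but an FPR of 0.5, the kind of number that erodes trust, while on the vulnerable-only subset the same verdicts look flawless and the FPR column reads n/a, because there are no clean contracts to be wrong about.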
Taxonomy
Topics: Blockchain Technology Applications and Security · FinTech, Crowdfunding, Digital Finance · Business Law and Ethics
