Revealing Hidden Threats: An Empirical Study of Library Misuse in Smart Contracts
Smart contracts are Turing-complete programs that execute on the blockchain. Developers can implement complex contracts, such as auctions and lending, on Ethereum using the Solidity programming language. As an object-oriented language, Solidity provides libraries within its syntax to facilitate code reuse and reduce development complexity. Library misuse refers to the incorrect writing or usage of libraries, which produces unexpected results, for example by introducing vulnerabilities during library development or by incorporating an unsafe library during contract development. Library misuse can lead to contract defects that cause financial losses. Currently, there is a lack of research on library misuse. To fill this gap, we collected more than 500 audit reports from the official websites of five audit companies and 223,336 real-world smart contracts from Etherscan to measure library popularity and library misuse. We then defined eight general patterns of library misuse: three occur during library development and five during library utilization, so the patterns cover the entire library lifecycle. To validate the practicality of these patterns, we manually analyzed 1,018 real-world smart contracts and made our dataset public. We identified 905 misuse cases across 456 contracts, indicating that library misuse is a widespread issue. Three of the misuse patterns are found in more than 50 contracts each, primarily because developers lack security awareness or underestimate the negative impact. Additionally, our research revealed that vulnerable libraries on Ethereum continue to be used even after they have been deprecated or patched. Our findings can assist contract developers in preventing library misuse and ensuring the safe use of libraries.
Wed 17 Apr (displayed time zone: Lisbon)

16:00 - 17:30 | Analytics 2 (Research Track / Journal-first Papers / Demonstrations) at Sophia de Mello Breyner Andresen
Chair(s): Grace Lewis (Carnegie Mellon Software Engineering Institute)

16:00 (15m talk) LogShrink: Effective Log Compression by Leveraging Commonality and Variability of Log Data. Research Track. Xiaoyun Li (Sun Yat-sen University), Hongyu Zhang (Chongqing University), Van-Hoang Le (The University of Newcastle), Pengfei Chen (Sun Yat-sen University)

16:15 (15m talk) Demystifying Compiler Unstable Feature Usage and Impacts in the Rust Ecosystem. Research Track. Chenghao Li (Zhejiang University), Yifei Wu (Zhejiang University), Wenbo Shen (Zhejiang University, China), Zichen Zhao (Zhejiang University), Rui Chang (Zhejiang University), Chengwei Liu (Nanyang Technological University), Yang Liu (Nanyang Technological University), Kui Ren (Zhejiang University)

16:30 (15m talk) Resource Usage and Optimization Opportunities in Workflows of GitHub Actions. Research Track.

16:45 (15m talk) Revealing Hidden Threats: An Empirical Study of Library Misuse in Smart Contracts. Research Track. Mingyuan Huang (Sun Yat-sen University), Jiachi Chen (Sun Yat-sen University), Zigui Jiang (Sun Yat-sen University), Zibin Zheng (Sun Yat-sen University)

17:00 (7m talk) A Grounded Theory of Cross-community SECOs: Feedback Diversity vs. Synchronization. Journal-first Papers. Armstrong Foundjem (Queen's University), Ellis E. Eghan (University of Cape Coast, Ghana), Bram Adams (Queen's University)

17:07 (7m talk) Studying the Characteristics of AIOps Projects on GitHub. Journal-first Papers. Roozbeh Aghili (Polytechnique Montréal), Heng Li (Polytechnique Montréal), Foutse Khomh (École Polytechnique de Montréal)

17:14 (7m talk) A First Look at Dark Mode in Real-World Android Apps. Journal-first Papers. Suyu Ma (Monash University), Chunyang Chen (Technical University of Munich (TUM)), Hourieh Khalajzadeh (Deakin University, Australia), John Grundy (Monash University)

17:21 (7m talk) GitBug-Actions: Building Reproducible Bug-Fix Benchmarks with GitHub Actions. Demonstrations. Nuno Saavedra (INESC-ID and IST, University of Lisbon), André Silva (KTH Royal Institute of Technology), Martin Monperrus (KTH Royal Institute of Technology)