Copy-and-Paste? Identifying EVM-Inequivalent Code Smells in Multi-chain Reuse Contracts
With the growth of \textit{Solidity} contracts on \textit{Ethereum}, more developers are reusing them on other compatible blockchains. However, developers may overlook differences in the design of the underlying blockchain system, such as the \textit{Gas Mechanism} and the \textit{Consensus Protocol}, so that the same contract deployed on another blockchain fails to execute consistently with its behavior on \textit{Ethereum}. This inconsistency reveals design flaws in the reused contracts and exposes code smells that hinder code reusability; we define such inconsistencies as \textit{EVM-Inequivalent Code Smells}.
In this paper, we conduct the first empirical study of the causes and characteristics of \textit{EVM-Inequivalent Code Smells}. To ensure that the identified smells reflect real developer concerns, we collected and analyzed 1,379 security audit reports and 326 \textit{Stack Overflow} posts related to reused contracts on EVM-compatible blockchains such as \textit{Binance Smart Chain} (BSC) and \textit{Polygon}. Using the \textit{open card sorting} method, we defined six types of \textit{EVM-Inequivalent Code Smells}. For automated detection, we developed a tool named \textit{EquivGuard}: it employs static taint analysis to identify key paths matching the different smell patterns and uses symbolic execution to verify that those paths are reachable. Our analysis of 905,948 contracts across six major blockchains shows that \textit{EVM-Inequivalent Code Smells} are widespread, with an average prevalence of 17.70%. While contracts with code smells do not necessarily lead to financial loss or attacks, their high prevalence and the large volume of assets they manage underscore the potential threats of reusing these smelly \textit{Ethereum} contracts. Thus, developers are advised to abandon \textit{Copy-and-Paste} programming practices and to detect \textit{EVM-Inequivalent Code Smells} before reusing \textit{Ethereum} contracts.
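To make the inconsistency described above concrete, the following \textit{Solidity} sketch is an added illustration written for this page; it is not code from the paper or from \textit{EquivGuard}, and it does not claim to be one of the six smell categories, which the abstract does not enumerate. It assumes \textit{Ethereum}'s roughly 12-second block interval and that a compatible chain with a different \textit{Consensus Protocol} produces blocks faster; the contract names and the 7-day lock are constructed. The first contract encodes a duration as a block count, so its meaning changes with the chain it is deployed to; the second expresses the same lock in seconds and therefore behaves the same on every EVM chain.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed illustration (not code from the paper or EquivGuard).
// A time lock whose duration is expressed in *blocks*, with the block count
// derived from Ethereum's ~12-second block interval. On an EVM-compatible
// chain whose consensus protocol yields a shorter block interval, the same
// bytecode unlocks much earlier in wall-clock time than the author intended.
contract BlockCountLock {
    // ASSUMPTION: 7 days / 12 s per block ~= 50,400 blocks on Ethereum.
    // On a chain with 3-second blocks the same constant is under 2 days.
    uint256 public constant LOCK_BLOCKS = 50_400;

    mapping(address => uint256) public unlockBlock;
    mapping(address => uint256) public balance;

    function deposit() external payable {
        balance[msg.sender] += msg.value;
        // block.number arithmetic against a hardcoded constant: the
        // effective duration depends on the deployment chain.
        unlockBlock[msg.sender] = block.number + LOCK_BLOCKS;
    }

    function withdraw() external {
        require(block.number >= unlockBlock[msg.sender], "locked");
        uint256 amount = balance[msg.sender];
        balance[msg.sender] = 0;
        // transfer() forwards a fixed 2300-gas stipend. Whether a recipient's
        // receive() fits in that stipend depends on opcode pricing, which an
        // EVM-compatible chain may set differently from Ethereum (assumption
        // stated for illustration; see the Gas Mechanism point above).
        payable(msg.sender).transfer(amount);
    }
}

// The same lock expressed in seconds. block.timestamp is a wall-clock
// quantity on every EVM chain, so the lock duration no longer depends on
// the block interval of the chain the contract is deployed to.
contract TimestampLock {
    uint256 public constant LOCK_SECONDS = 7 days;

    mapping(address => uint256) public unlockTime;
    mapping(address => uint256) public balance;

    function deposit() external payable {
        balance[msg.sender] += msg.value;
        unlockTime[msg.sender] = block.timestamp + LOCK_SECONDS;
    }

    function withdraw() external {
        require(block.timestamp >= unlockTime[msg.sender], "locked");
        uint256 amount = balance[msg.sender];
        balance[msg.sender] = 0; // effects before interaction
        // Forward all available gas rather than a fixed stipend, so the
        // call's success does not hinge on chain-specific opcode costs.
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

For a reviewer checking a contract before reuse on another chain, the pattern to look for in the first contract is arithmetic on `block.number` (or a fixed gas amount) against a hardcoded constant that was calibrated to \textit{Ethereum}; a pattern-based static check of exactly this shape, followed by confirmation that the affected path is reachable, is the two-stage approach the abstract describes for \textit{EquivGuard}, though the rule shown here is an illustration and not the tool's own.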