Analyzing the Impact of Copying-and-Pasting Vulnerable Solidity Code Snippets from Question-and-Answer Websites

OPEN ACCESS

Downloads

Full text (published version) (PDF, 3.73 MB)

Author / Producer

Weiss, Konrad Wendland, Florian

Date

2024

Publication Type

Conference Paper

ETH Bibliography

yes

Citations

Altmetric
OPEN ACCESS

Downloads

Full text (published version) (PDF, 3.73 MB)

Data

Rights / License

Creative Commons Attribution 4.0 International north_east

Abstract

Ethereum smart contracts are executable programs deployed on a blockchain. Once deployed, they cannot be updated due to their inherent immutability. Moreover, they often manage valuable assets that are worth millions of dollars, making them attractive targets for attackers. The introduction of vulnerabilities in programs due to the reuse of vulnerable code posted on Q&A websites such as Stack Overflow is not a new issue. However, little effort has been made to analyze the extent of this issue on deployed smart contracts. In this paper, we conduct a study on the impact of vulnerable code reuse from Q&A websites during the development of smart contracts and provide tools uniquely fit to detect vulnerable code patterns in complete and incomplete Smart Contract code. This paper proposes a pattern-based vulnerability detection tool that is able to analyze code snippets (i.e., incomplete code) as well as full smart contracts based on the concept of code property graphs. We also propose a methodology that leverages fuzzy hashing to quickly detect code clones of vulnerable snippets among deployed smart contracts. Our results show that our vulnerability search, as well as our code clone detection, are comparable to state-of-the-art while being applicable to code snippets. Our large-scale study on 18,660 code snippets reveals that 4,596 of them are vulnerable, out of which 616 can be found in 17,852 deployed smart contracts. These results highlight that the reuse of vulnerable code snippets is indeed an issue in currently deployed smart contracts.

Permanent link

https://doi.org/10.3929/ethz-b-000711891

Publication status

published

External links

https://doi.org/10.1145/3646547.3688437 north_east

Editor

Book title

IMC '24: Proceedings of the 2024 ACM on Internet Measurement Conference

Journal / series

Volume

Pages / Article No.

713 - 730

Publisher

Association for Computing Machinery

Event

2024 ACM on Internet Measurement Conference (IMC 2024)

Edition / version

Methods

Software

Geographic location

Date collected

Date created

Subject

smart contracts; code snippets; code property graph; fuzzy hashing

Organisational unit

Notes

Funding

Related publications and datasets

More

Show all metadata