Smart contracts are nowadays at the core of most blockchain systems, as they specify and allow an agreement between entities that wish to perform a transaction. As any computer program, smart contracts are subject to the presence of residual faults, including severe security vulnerabilities, which require that the vulnerable contract is terminated in the blockchain. In this context, research began to be developed to prevent the deployment of smart contract holding vulnerabilities, mostly in the form of vulnerability detection tools. Along with these efforts, several and heterogeneous vulnerability classification schemes arised (e.g., most notably DASP and SWC). At the time of writing, these are mostly outdated initiatives, despite the fact that smart contract vulnerabilities are continuously being discovered and the associated rich information being mostly disregarded. In this paper, we propose OpenSCV, a new and Open hierarchical taxonomy for Smart Contract Vulnerabilities, which is open to community contributions and matches the current state of the practice, while being prepared to handle future modifications and evolution. The taxonomy was built based on the analysis of research on vulnerability classification, community-maintained classification schemes, and research on smart contract vulnerability detection. We show how OpenSCV covers the announced detection ability of current vulnerability detection tools, and highlight its usefulness as a resource in smart contract vulnerability research.
翻译:智能合约目前作为大多数区块链系统的核心,规定并允许实体之间进行交易协议。与任何计算机程序一样,智能合约也存在残留缺陷,包括严重的安全漏洞,需要在区块链上终止该有漏洞的合约。在这种情况下,研究开始开发防止部署具有漏洞的智能合约的方法,主要采用漏洞检测工具的形式。随着这些工作的发展,出现了几种不同的漏洞分类方案(例如,DASP和SWC),这些方案大多过时了,尽管智能合约漏洞不断被发现,但相关的丰富信息仍然被忽略。在本文中,我们提出了一个新的、开放的智能合约漏洞层次分类——OpenSCV,该分类对社区贡献开放,与当前的实践状态相匹配,并准备好处理未来的修改和发展。该分类基于对漏洞分类研究、社区维护的分类方案以及智能合约漏洞检测研究的分析构建。我们展示了OpenSCV如何涵盖当前漏洞检测工具的已公布的检测能力,并突出其作为智能合约漏洞研究资源的用处。