Blockchain technology has been used for recording state transitions of smart contracts, i.e., decentralized applications that can be invoked through external transactions. Smart contracts have gained popularity and accrued hundreds of billions of dollars in market capitalization in recent years. Unfortunately, like all other programs, smart contracts are prone to security vulnerabilities, which have incurred multimillion-dollar damages over the past decade. As a result, many automated threat mitigation solutions have been proposed to counter the security issues of smart contracts. These threat mitigation solutions include a variety of tools and methods that are challenging to compare. This survey develops a comprehensive classification taxonomy of smart contract threat mitigation solutions along five orthogonal dimensions: defense modality, core method, targeted contracts, input-output data mapping, and threat model. We classify 133 existing threat mitigation solutions using our taxonomy and confirm that the proposed five dimensions allow us to concisely and accurately describe any smart contract threat mitigation solution. In addition to learning what the threat mitigation solutions do, we also show how these solutions work by synthesizing their actual designs into a set of uniform workflows corresponding to the eight existing defense core methods. We further create an integrated map of how the known smart contract vulnerabilities are covered by the existing threat mitigation solutions. Finally, we perform an evidence-based evolutionary analysis, in which we identify trends and future perspectives of threat mitigation in smart contracts and pinpoint major weaknesses of the existing methodologies. For the convenience of smart contract security developers, auditors, users, and researchers, we deploy a regularly updated, comprehensive open-source online registry of threat mitigation solutions.