Demystifying the Characteristics for Smart Contract Upgrades

• URL: http://arxiv.org/abs/2406.05712v1
• Date: Sun, 9 Jun 2024 10:09:49 GMT
• Title: Demystifying the Characteristics for Smart Contract Upgrades
• Authors: Ye Liu, Shuo Li, Xiuheng Wu, Yi Li, Zhiyang Chen, David Lo,
• Abstract summary: We conduct an empirical study on proxy-based upgradable smart contracts to understand the characteristics of contract upgrading. We found that 583 contracts have ever been upgraded on functionality, involving 973 unique contract versions. The results demonstrate that there are 4,334 ABI breaking changes due to the upgrades of 276 proxies, causing real-world broken usages within 584 transactions witnessed by the blockchain.
• Score: 16.242723608028573
• License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
• Abstract: Upgradable smart contracts play an important role in the decentralized application ecosystem, to support routine maintenance, security patching, and feature additions. In this paper, we conduct an empirical study on proxy-based upgradable smart contracts to understand the characteristics of contract upgrading. Through our study on 57,118 open source proxy contracts, we found that 583 contracts have ever been upgraded on Ethereum, involving 973 unique implementation contract versions. The results show that developers often intend to improve usability of contracts if upgrading, where functionality addition and update are the most frequent upgrade intentions. We investigated the practical impacts of contract upgrades, e.g., breaking changes causing compatibility issues, storage collisions and initialization risks leading to security vulnerabilities. The results demonstrate that there are 4,334 ABI breaking changes due to the upgrades of 276 proxies, causing real-world broken usages within 584 transactions witnessed by the blockchain; 36 contract upgrades had storage collisions and five proxies with 59 implementation contracts are vulnerable to initialization attacks.

Related papers

• AegisLLM: Scaling Agentic Systems for Self-Reflective Defense in LLM Security [74.22452069013289]
  AegisLLM is a cooperative multi-agent defense against adversarial attacks and information leakage. We show that scaling agentic reasoning system at test-time substantially enhances robustness without compromising model utility. Comprehensive evaluations across key threat scenarios, including unlearning and jailbreaking, demonstrate the effectiveness of AegisLLM.
  arXiv  Detail & Related papers  (2025-04-29T17:36:05Z)
• Bridging Immutability with Flexibility: A Scheme for Secure and Efficient Smart Contract Upgrades [0.1759252234439348]
  FlexiContracts+ reimagines smart contracts by enabling secure, in-place upgrades while preserving historical data. We show that FlexiContracts+ achieves a practical balance between immutability and flexibility, advancing the capabilities of smart contract systems.
  arXiv  Detail & Related papers  (2025-04-13T16:59:28Z)
• Discovery of Timeline and Crowd Reaction of Software Vulnerability Disclosures [47.435076500269545]
  Apache Log4J was found to be vulnerable to remote code execution attacks. More than 35,000 packages were forced to update their Log4J libraries with the latest version. It is practically reasonable for software developers to update their third-party libraries whenever the software vendors have released a vulnerable-free version.
  arXiv  Detail & Related papers  (2024-11-12T01:55:51Z)
• Proxion: Uncovering Hidden Proxy Smart Contracts for Finding Collision Vulnerabilities in Ethereum [6.544211171664063]
  We present Proxion, an automated cross-contract analyzer that identifies all proxy smart contracts and their collisions. What sets Proxion apart is its ability to analyze hidden smart contracts that lack both source code and past transactions. We apply Proxion to analyze over 36 million alive contracts from 2015 to 2023, revealing that 54.2% of them are proxy contracts.
  arXiv  Detail & Related papers  (2024-09-20T15:03:19Z)
• Versioned Analysis of Software Quality Indicators and Self-admitted Technical Debt in Ethereum Smart Contracts with Ethstractor [2.052808596154225]
  This paper proposes Ethstractor, the first smart contract collection tool for gathering a dataset of versioned smart contracts. The collected dataset is then used to evaluate the reliability of code metrics as indicators of vulnerabilities in smart contracts.
  arXiv  Detail & Related papers  (2024-07-22T18:27:29Z)
• Immutable in Principle, Upgradeable by Design: Exploratory Study of Smart Contract Upgradeability [0.717789756063617]
  This study identifies upgradeable contracts and examines their upgrade history to uncover trends, preferences, and challenges associated with modifications. The evidence from analyzing over 44 million contracts shows that only 3% have upgradeable characteristics, with only 0.34% undergoing upgrades. The relationship between upgrades and user activity is complex, suggesting that additional factors significantly affect the use of smart contracts beyond their evolution.
  arXiv  Detail & Related papers  (2024-07-01T17:35:37Z)
• Contract Usage and Evolution in Android Mobile Applications [45.44831696628473]
  We present the first large-scale empirical study on the presence and use of contracts in Android applications, written in Java or Kotlin. We analyzed 2,390 Android applications from the F-Droid repository and processed more than 51,749 KLOC. Our findings show that it would be desirable to have libraries that standardize contract specifications in Java and Kotlin.
  arXiv  Detail & Related papers  (2024-01-25T15:36:49Z)
• A Survey and Comparative Analysis of Security Properties of CAN Authentication Protocols [92.81385447582882]
  The Controller Area Network (CAN) bus leaves in-vehicle communications inherently non-secure. This paper reviews and compares the 15 most prominent authentication protocols for the CAN bus. We evaluate protocols based on essential operational criteria that contribute to ease of implementation.
  arXiv  Detail & Related papers  (2024-01-19T14:52:04Z)
• Gradual Verification for Smart Contracts [0.4543820534430522]
  Algos facilitate secure resource transactions through smart contracts, yet these digital agreements are prone to vulnerabilities. Traditional verification techniques fall short in providing comprehensive security assurances. This paper introduces an incremental approach: gradual verification.
  arXiv  Detail & Related papers  (2023-11-22T12:42:26Z)
• CONTRACTFIX: A Framework for Automatically Fixing Vulnerabilities in Smart Contracts [12.68736241704817]
  ContractFix is a framework that automatically generates security patches for vulnerable smart contracts. Users can use it as a security fix-it tool that automatically applies patches and verifies the patched contracts.
  arXiv  Detail & Related papers  (2023-07-18T01:14:31Z)
• Formally Verifying a Real World Smart Contract [52.30656867727018]
  We search for a tool capable of formally verifying a real-world smart contract written in a recent version of Solidity. In this article, we present our search for a tool capable of formally verifying a real-world smart contract written in a recent version of Solidity.
  arXiv  Detail & Related papers  (2023-07-05T14:30:21Z)
• Enhancing Smart Contract Security Analysis with Execution Property Graphs [48.31617821205042]
  We introduce Clue, a dynamic analysis framework specifically designed for a runtime virtual machine. Clue captures critical information during contract executions, employing a novel graph-based representation, the Execution Property Graph. evaluation results reveal Clue's superior performance with high true positive rates and low false positive rates, outperforming state-of-the-art tools.
  arXiv  Detail & Related papers  (2023-05-23T13:16:42Z)
• RoFL: Attestable Robustness for Secure Federated Learning [59.63865074749391]
  Federated Learning allows a large number of clients to train a joint model without the need to share their private data. To ensure the confidentiality of the client updates, Federated Learning systems employ secure aggregation. We present RoFL, a secure Federated Learning system that improves robustness against malicious clients.
  arXiv  Detail & Related papers  (2021-07-07T15:42:49Z)
• ESCORT: Ethereum Smart COntRacTs Vulnerability Detection using Deep Neural Network and Transfer Learning [80.85273827468063]
  Existing machine learning-based vulnerability detection methods are limited and only inspect whether the smart contract is vulnerable. We propose ESCORT, the first Deep Neural Network (DNN)-based vulnerability detection framework for smart contracts. We show that ESCORT achieves an average F1-score of 95% on six vulnerability types and the detection time is 0.02 seconds per contract.
  arXiv  Detail & Related papers  (2021-03-23T15:04:44Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.