Copy-and-Paste? Identifying EVM-Inequivalent Code Smells in Multi-chain Reuse Contracts
- URL: http://arxiv.org/abs/2504.07589v2
- Date: Fri, 11 Apr 2025 14:06:19 GMT
- Title: Copy-and-Paste? Identifying EVM-Inequivalent Code Smells in Multi-chain Reuse Contracts
- Authors: Zexu Wang, Jiachi Chen, Tao Zhang, Yu Zhang, Weizhe Zhang, Yuming Feng, Zibin Zheng
- Abstract summary: More developers are reusing Solidity contracts on other compatible blockchains. This inconsistency reveals design flaws in reused contracts, exposing code smells that hinder code reusability. In this paper, we conducted the first empirical study to reveal the causes and characteristics of EVM-Inequivalent Code Smells.
- Score: 30.94426976245966
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: With the growth of Solidity contracts on Ethereum, more developers are reusing them on other compatible blockchains. However, developers may overlook differences in blockchain system design, such as the Gas Mechanism and Consensus Protocol, so that the same contract deployed on a different blockchain cannot execute consistently with its behaviour on Ethereum. This inconsistency reveals design flaws in reused contracts, exposing code smells that hinder code reusability; we define this inconsistency as EVM-Inequivalent Code Smells. In this paper, we conducted the first empirical study to reveal the causes and characteristics of EVM-Inequivalent Code Smells. To ensure the identified smells reflect real developer concerns, we collected and analyzed 1,379 security audit reports and 326 Stack Overflow posts related to reused contracts on EVM-compatible blockchains, such as Binance Smart Chain (BSC) and Polygon. Using the open card sorting method, we defined six types of EVM-Inequivalent Code Smells. For automated detection, we developed a tool named EquivGuard. It employs static taint analysis to identify key paths matching the different smell patterns and uses symbolic execution to verify that those paths are reachable. Our analysis of 905,948 contracts across six major blockchains shows that EVM-Inequivalent Code Smells are widespread, with an average prevalence of 17.70%. While contracts with code smells do not necessarily lead to financial loss or attacks, their high prevalence and the significant assets they manage underscore the potential threats of reusing these smelly Ethereum contracts. Thus, developers are advised to abandon Copy-and-Paste programming practices and to detect EVM-Inequivalent Code Smells before reusing Ethereum contracts.
Related papers
- OpDiffer: LLM-Assisted Opcode-Level Differential Testing of Ethereum Virtual Machine [15.034031075384174]
Security issues in the Virtual Machine could lead to inconsistent behaviors among smart contracts.
We propose OpDiffer, a differential testing framework for EVM.
Compared to state-of-the-art baselines, OpDiffer can improve code coverage by at most 71.06%, 148.40% and 655.56%, respectively.
arXiv Detail & Related papers (2025-04-16T12:48:00Z)
- BlockFound: Customized blockchain foundation model for anomaly detection [47.04595143348698]
BlockFound is a customized foundation model for anomalous blockchain transaction detection.
We introduce a series of customized designs to model the unique data structure of blockchain transactions.
BlockFound is the only method that successfully detects anomalous transactions on Solana with high accuracy.
arXiv Detail & Related papers (2024-10-05T05:11:34Z)
- Theorem-Carrying-Transaction: Runtime Certification to Ensure Safety for Smart Contract Transactions [8.32630869646569]
We present a viable technological roadmap for the community toward this ambitious goal.
Our technology, called Theorem-Carrying-Transaction (TCT), combines the benefits of concrete execution and symbolic proofs.
Our prototype incurs a negligible runtime overhead, two orders of magnitude lower than a state-of-the-art approach.
arXiv Detail & Related papers (2024-08-12T20:27:41Z)
- Dual-view Aware Smart Contract Vulnerability Detection for Ethereum [5.002702845720439]
We propose a Dual-view Aware Smart Contract Vulnerability Detection Framework named DVDet.
The framework initially converts the source code and bytecode of smart contracts into weighted graphs and control flow sequences.
Comprehensive experiments on the dataset show that our method outperforms others in detecting vulnerabilities.
arXiv Detail & Related papers (2024-06-29T06:47:51Z)
- Security Analysis of Smart Contract Migration from Ethereum to Arbitrum [6.814035037486222]
This study is the first to conduct an in-depth analysis of the migration of smart contracts from Ethereum to Arbitrum.
The research shows that smart contracts deployed on Arbitrum may face certain potential security risks during migration to Arbitrum.
arXiv Detail & Related papers (2023-07-27T11:05:29Z)
- CONCORD: Clone-aware Contrastive Learning for Source Code [64.51161487524436]
Self-supervised pre-training has gained traction for learning generic code representations valuable for many downstream SE tasks.
We argue that it is also essential to factor in how developers code day-to-day for general-purpose representation learning.
In particular, we propose CONCORD, a self-supervised, contrastive learning strategy to place benign clones closer in the representation space while moving deviants further apart.
arXiv Detail & Related papers (2023-06-05T20:39:08Z)
- Secure compilation of rich smart contracts on poor UTXO blockchains [0.8192907805418581]
We present ILLUM, an Intermediate-Level Language for the UTXO Model.
We define a compiler from ILLUM to a bare-bone UTXO blockchain with loop-free scripts.
We exploit covenants, a mechanism for preserving scripts along chains of transactions.
arXiv Detail & Related papers (2023-05-16T15:40:18Z)
- Blockchain Large Language Models [65.7726590159576]
This paper presents a dynamic, real-time approach to detecting anomalous blockchain transactions.
The proposed tool, BlockGPT, generates tracing representations of blockchain activity and trains from scratch a large language model to act as a real-time Intrusion Detection System.
arXiv Detail & Related papers (2023-04-25T11:56:18Z)
- Smart Contract Vulnerability Detection: From Pure Neural Network to Interpretable Graph Feature and Expert Pattern Fusion [48.744359070088166]
Conventional smart contract vulnerability detection methods heavily rely on fixed expert rules.
Recent deep learning approaches alleviate this issue but fail to encode useful expert knowledge.
We develop automatic tools to extract expert patterns from the source code.
We then cast the code into a semantic graph to extract deep graph features.
arXiv Detail & Related papers (2021-06-17T07:12:13Z)
- ESCORT: Ethereum Smart COntRacTs Vulnerability Detection using Deep Neural Network and Transfer Learning [80.85273827468063]
Existing machine learning-based vulnerability detection methods are limited and only inspect whether the smart contract is vulnerable.
We propose ESCORT, the first Deep Neural Network (DNN)-based vulnerability detection framework for smart contracts.
We show that ESCORT achieves an average F1-score of 95% on six vulnerability types and the detection time is 0.02 seconds per contract.
arXiv Detail & Related papers (2021-03-23T15:04:44Z)
- Eth2Vec: Learning Contract-Wide Code Representations for Vulnerability Detection on Ethereum Smart Contracts [0.0]
We propose Eth2Vec, a machine-learning-based static analysis tool for vulnerability detection, with robustness against code rewrites in smart contracts.
Eth2Vec automatically learns features of vulnerable bytecodes with knowledge through a neural network for language processing.
arXiv Detail & Related papers (2021-01-07T05:28:26Z)
This list is automatically generated from the titles and abstracts of the papers in this site.