Litcius/Paper detail

Smart Contract Vulnerabilities: Vulnerable Does Not Imply Exploited

Daniel Pérez, Benjamin Livshits

2021USENIX Security Symposium23 citations

Abstract

In recent years, we have seen a great deal of both academic and practical interest in the topic of vulnerabilities in smart contracts, particularly those developed for the Ethereum blockchain. While most of the work has focused on detecting *vulnerable* contracts, in this paper, we focus on finding how many of these vulnerable contracts have actually been *exploited*. We survey the 23,327 vulnerable contracts reported by six recent academic projects and find that, despite the amounts at stake, only 1.98% of them have been exploited since deployment. This corresponds to at most 8,487 ETH (~1.7 million USD), or only 0.27% of the 3 million ETH (600 million USD) at stake. We explain these results by demonstrating that the funds are very concentrated in a small number of contracts which are *not exploitable* in practice.

Topics & Concepts

Smart contractSoftware deploymentComputer securityBlockchainWork (physics)Focus (optics)BusinessComputer scienceEngineeringSoftware engineeringOpticsMechanical engineeringPhysicsBlockchain Technology Applications and SecurityCryptography and Data Security
Smart Contract Vulnerabilities: Vulnerable Does Not Imply Exploited | Litcius