This paper outlines and compares the current research into Ethereum smart contract development best practice relating to contract security. Previously hacked contracts are identified and discussed, breaking down exactly how each hack occurred. A selection of the latest symbolic execution-based and static analysis tools are then used to analyze these contracts to try to identify the exploited vulnerabilities. Additional analysis tools, such as linters, are applied to the same contracts. Three popular Ethereum code bases are then analysed, over a series of releases, with two different Solidity linters, to generate sets of code metrics. These metrics can show a quantifiable improvement in contract quality over the development life cycle of the projects. Lastly, this report aims to provide a general guideline for smart contract security testing best practices, outlining a streamlined approach aimed at making contract development safer.
An overview of the tools discussed in the paper is now given. Each tool's installation process is outlined and discussed in turn, including all dependencies and libraries. Some of the code and installation steps are taken from the respective tools' public repositories.
Symbolic Execution-based Tools
Maian is a tool for automatic detection of buggy Ethereum smart contracts of three different types: prodigal, suicidal and greedy. Maian processes a contract's bytecode and tries to build a trace of transactions to find and confirm bugs.
Requirements for Maian
- Go Ethereum, check https://ethereum.github.io/go-ethereum/install/
- Solidity compiler, check http://solidity.readthedocs.io/en/develop/installing-solidity.html
- Z3 Theorem prover, check https://github.com/Z3Prover/z3
- web3, try pip install web3
- PyQt5 (only for GUI Maian), try sudo apt install python-pyqt5
Installation for Maian
No direct installation is required for Maian, assuming that your system meets the requirements stipulated above. Simply clone the repo and run the scripts as depicted in the evaluating contracts section. The repo can be cloned as follows:
$ git clone git@github.com:MAIAN-tool/MAIAN.git
Maian analyzes smart contracts defined in a file with:
- Solidity source code, use -s
- Bytecode source, use -bs
- Bytecode compiled (i.e. the code sitting on the blockchain), use -b
Maian checks for three types of buggy contracts:
- Suicidal contracts (can be killed by anyone, like the Parity Wallet Library contract), use -c 0
- Prodigal contracts (can send Ether to anyone), use -c 1
- Greedy contracts (accept Ether but no one can ever get it out), use -c 2
For instance, to check if the contract ParityWalletLibrary.sol given in Solidity source code with WalletLibrary as main contract is suicidal use
$ python maian.py -s ParityWalletLibrary.sol WalletLibrary -c 0
Caveats with running this script: it is sometimes hard to get web3.py to work with your Python version. In addition, z3 is quite hard to install. Ensure that the Python version you install z3 against is the same one used for web3.
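To make the three Maian bug classes concrete, the following contracts are an added illustration (not code from the paper or from the MAIAN project). Each of the first three contracts exhibits one of the patterns Maian flags with -c 0, -c 1 and -c 2, and the last shows a guarded form that should pass all three checks. Contract names, the vault framing and the owner-check modifier are assumptions made for this example; the Parity wallet library mentioned above had the same unguarded-kill shape as SuicidalVault.

```solidity
pragma solidity ^0.4.24;

// Added illustration, not code from the paper or the MAIAN project.
// Minimal contracts showing the three bug classes Maian flags, each beside
// a guarded form. Names and the owner-check pattern are assumptions.

// -c 0: suicidal. Anyone can call kill() and destroy the contract, sending
// its balance to themselves.
contract SuicidalVault {
    function () public payable {}
    function kill() public {
        selfdestruct(msg.sender);
    }
}

// -c 1: prodigal. Anyone can drain the balance to an address of their choice.
contract ProdigalVault {
    function () public payable {}
    function withdrawTo(address to) public {
        to.transfer(address(this).balance);
    }
}

// -c 2: greedy. Accepts Ether but has no code path that ever sends it out.
contract GreedyVault {
    function () public payable {}
}

// Guarded form: destruction and withdrawal are restricted to the deployer,
// and a withdrawal path exists, so none of the three checks should fire.
contract GuardedVault {
    address public owner;

    constructor() public {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    function () public payable {}

    function withdraw() public onlyOwner {
        owner.transfer(address(this).balance);
    }

    function kill() public onlyOwner {
        selfdestruct(owner);
    }
}
```

Saving the file as Vaults.sol, each class can be checked with the invocation pattern shown above, for example `python maian.py -s Vaults.sol SuicidalVault -c 0` and `python maian.py -s Vaults.sol GuardedVault -c 0`; the guarded contract is expected to come back clean for all three flags, which is a useful sanity check that the tool and its z3/web3 dependencies are installed correctly before running it on real code.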
Installation of Oyente
docker pull luongnguyen/oyente
docker run -i -t luongnguyen/oyente
You will now enter the docker interactive terminal and can evaluate contracts from within it.
To evaluate the greeter contract inside the container, run:
cd /oyente/oyente
python oyente.py -s greeter.sol
To evaluate other contracts, mount them into the docker container using a volume.
Solhint is an open source project for linting Solidity code. The project provides both security and style guide validations.
Installation of Solhint
Solhint can be installed directly using the node package manager:
npm install -g solhint
# verify that it was installed correctly
solhint -V
To lint Solidity files you run Solhint with one or more globs as arguments. For example, to lint all files inside the contracts directory, you can do:
To lint a single file:
Solium analyzes your Solidity code for style & security issues and fixes them. Standardize Smart Contract practices across your organisation. Integrate with your build system.
Installation for Solium
npm install -g solium
You can then check whether the installation was successful with
If it is a new project, in the root directory of your DApp:
This creates two files for you:
- .soliumignore - contains names of files and directories to ignore while linting
- .soliumrc.json - contains configuration that tells Solium how to lint your project. You should modify this file to configure rules, plugins and sharable configs. .soliumrc.json looks like:
To lint a contract or a directory of contracts:
solium -f foobar.sol
solium -d contracts/
Static Analysis Tools used in the paper
Repositories used in the paper
The paper outlines 3 open source repositories, used to test the linter utilities.