Understanding Exploitable Bugs in Smart Contracts — Research Review | Posted by ez | Coins | January 2024

By Crypto Gloom On Jan 31, 2024

A comprehensive analysis of 516 smart contract vulnerabilities reveals critical security gaps and provides advanced strategies for detection and prevention in blockchain technology.

Black and white pencil sketches of a female smart contract auditor and a male computer programmer analyzing smart contract code, showing contrasting expressions of understanding and confusion. — Sometimes you see them, sometimes you don’t. Image created using DALL-E.

publication date: July 26, 2023

A research article titled “Explanation of Exploitable Bugs in Smart Contracts,” written by Zhuo Zhang, Brian Zhang, Wen Xu, and Zhiqiang Lin of Purdue University, Harrison High School, Georgia Institute of Technology, PNM Labs, and Ohio State University, states: Explore the content. The important issue of exploitable bugs in smart contracts. Since 2008, as blockchain technology, represented by Bitcoin, has grown to a market capitalization of more than $438 billion, the penetration and diversity of blockchain-based applications have skyrocketed. The smart contracts essential to these applications are not immune to human error, leading to vulnerabilities that have resulted in significant losses reaching $1.57 billion by May 2022.

This study focuses on 516 unique real-world smart contract vulnerabilities identified between 2021 and 2022. The researchers aimed to understand how many of these vulnerabilities are exploitable and undetectable by existing tools. To achieve this, we classified undetectable bugs into seven types and analyzed their root causes, audit difficulties, consequences, and potential recovery strategies. They also sought to abstract these categories into a model to detect similar bugs in other contracts and facilitate automation.

The key finding is that a significant proportion (80%) of these exploitable bugs are undetectable by machines (referred to as Machine Unauditable Bugs, or MUBs). This may be due to the limited scope of existing tools, which typically focus on detecting access violations through the transaction origin. , (tx.origin). These limitations do not imply the ineffectiveness of these tools, but rather highlight their limitations in addressing complex governance roles in modern projects.