Research : Most Ethereum-based Smart Contracts Are Using Potentially Vulnerable Code

  • 1.2 million Ethereum-based smart contracts can be "reduced" to 5,877 clusters, as most contain similar code.
  • This high level of code reuse is a concern: a critical vulnerability in one contract can affect thousands of similar contracts that reused its code.

Researchers at the University of Maryland and Northeastern University recently analyzed Ethereum-based smart contracts to determine “how users and contracts interact with one another.”

The collaborative research effort involved modifying Ethereum’s Geth client in order to retrieve the bytecode of every contract deployed on the Ethereum blockchain. Bytecodes are “compact numeric codes, constants, and references” that can be “efficiently executed.”

Using Bytecodes To Analyze Smart Contracts

According to TheBlock, the bytecode data “covered nearly three years’ worth of blocks” and came from the “first five million blocks” produced and logged on the Ethereum network.

After examining the bytecodes, the researchers found that the majority of all smart contracts deployed on Ethereum, 60%, had “never been interacted with.” This indicates that a large amount of dormant (unused) code, and the crypto tokens tied to it, may be sitting on Ethereum’s mainnet.

Moreover, the data from the bytecodes revealed “an extremely high level of code reuse and code similarity on Ethereum.” In fact, the researchers were able to reduce the 1.2 million smart contracts created on Ethereum to 5,877 contract ‘clusters’ as they contain “highly-similar bytecodes.”

Reusing Bad, Insecure Code

Reusing code is a very common practice, since templates exist for routine procedures, but the “high level of code reuse” found here means that a bug or security vulnerability discovered in one contract could also affect “thousands of similar contracts that have reused their code.”
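To make the clustering idea from the two paragraphs above concrete, here is an added example (not code from the University of Maryland/Northeastern study, whose exact similarity method this article does not describe). It normalises EVM runtime bytecode by dropping PUSH immediates (addresses, function selectors, jump targets) and the solc metadata trailer, groups contracts whose opcode skeletons match exactly, scores near-clones with a Jaccard index over opcode 3-grams, and lists the "blast radius" of a bug found in one contract. The addresses, the metadata-trailer heuristic and the sample bytecode are all constructed for the example; the proxy bytes follow the EIP-1167 minimal-proxy layout.

```python
"""Normalise EVM runtime bytecode and group contracts by shared code skeleton.

Added example, not the study's own tooling. Two contracts are treated as clones
if their opcode streams match once PUSH immediates and the solc metadata trailer
are ignored; near-clones are scored with a Jaccard index over opcode 3-grams.
All addresses and bytecode below are constructed test data.
"""
import hashlib

PUSH1, PUSH32 = 0x60, 0x7F
META = "a165627a7a72305820"  # CBOR prefix {"bzzr0": <32-byte hash>} emitted by solc 0.4.x


def code_bytes(hexstr: str) -> bytes:
    """Accept eth_getCode-style output ('0x...') or bare hex."""
    return bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)


def strip_metadata(code: bytes) -> bytes:
    """Drop the solc metadata trailer if one is present.

    Heuristic (an assumption, not a guarantee): the last two bytes hold the
    trailer length big-endian and the trailer starts with a CBOR map byte.
    """
    if len(code) < 2:
        return code
    n = int.from_bytes(code[-2:], "big")
    if 0 < n <= len(code) - 2 and code[-(n + 2)] in (0xA1, 0xA2):
        return code[: -(n + 2)]
    return code


def disassemble(code: bytes):
    """Yield (offset, opcode, immediate); immediate is None for non-PUSH opcodes."""
    i = 0
    while i < len(code):
        op = code[i]
        if PUSH1 <= op <= PUSH32:
            width = op - PUSH1 + 1
            yield i, op, code[i + 1 : i + 1 + width]  # short slice if code is truncated
            i += 1 + width
        else:
            yield i, op, None
            i += 1


def skeleton(code: bytes) -> bytes:
    """Opcode stream with PUSH immediates removed: the unit of comparison."""
    return bytes(op for _, op, _ in disassemble(strip_metadata(code)))


def skeleton_id(code: bytes) -> str:
    return hashlib.sha256(skeleton(code)).hexdigest()[:16]


def cluster_exact(contracts: dict) -> dict:
    """Map skeleton id -> addresses whose code reduces to that skeleton."""
    clusters: dict = {}
    for addr, code in contracts.items():
        clusters.setdefault(skeleton_id(code), []).append(addr)
    return clusters


def similarity(a: bytes, b: bytes, k: int = 3) -> float:
    """Jaccard index over opcode k-grams of the two skeletons (1.0 = identical)."""
    sa, sb = skeleton(a), skeleton(b)
    ga = {sa[i : i + k] for i in range(len(sa) - k + 1)}
    gb = {sb[i : i + k] for i in range(len(sb) - k + 1)}
    return 1.0 if not (ga or gb) else len(ga & gb) / len(ga | gb)


def blast_radius(contracts: dict, vulnerable: str) -> list:
    """Every address sharing the flagged contract's skeleton: the bug's likely reach."""
    target = skeleton_id(contracts[vulnerable])
    return sorted(a for a, c in contracts.items() if skeleton_id(c) == target)


# Constructed sample deployments (fake addresses, hand-assembled runtime code).
SOLC_PREFIX = "6080604052348015600f57600080fd5b50"        # standard solc prologue
DISPATCH = "60003560e01c8063a9059cbb14602057600080fd5b00"  # selector check for transfer()
PROXY = "363d3d373d3d3d363d73{impl}5af43d82803e903d91602b57fd5bf3"  # EIP-1167 runtime

CONTRACTS = {
    "0xA1": code_bytes(SOLC_PREFIX + META + "11" * 32 + "0029"),
    "0xA2": code_bytes("6060604052348015600f57600080fd5b50" + META + "22" * 32 + "0029"),
    "0xA3": code_bytes(SOLC_PREFIX + DISPATCH + META + "33" * 32 + "0029"),
    "0xB1": code_bytes(PROXY.format(impl="ab" * 20)),
    "0xB2": code_bytes(PROXY.format(impl="cd" * 20)),  # same proxy, different target
}

if __name__ == "__main__":
    for sid, addrs in cluster_exact(CONTRACTS).items():
        print(sid, addrs)
    print("A1~A3:", round(similarity(CONTRACTS["0xA1"], CONTRACTS["0xA3"]), 3))
    print("A1~B1:", similarity(CONTRACTS["0xA1"], CONTRACTS["0xB1"]))
    print("reach of a bug in 0xB1:", blast_radius(CONTRACTS, "0xB1"))
```

0xA1 and 0xA2 differ only in constants and the metadata hash, so they land in one cluster; the two minimal proxies differ only in the PUSH20 target and cluster together too, which is exactly the situation in which a single flawed template is deployed thousands of times. 0xA3 shares the prologue with 0xA1 and scores as a partial match rather than a clone.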

The researchers noted that in 2017 the number of transactions on Ethereum increased significantly, from about 40,000 per day to over 1 million every 24 hours. Notably, the Ethereum network is still processing a large number of transactions despite the drop in price of its native token, ether (ETH).

At present, the transaction failure rate on Ethereum is about 0.01%-0.1%, and about one-third of all smart contracts are executed only by other contracts rather than being called directly by users.

Serious Vulnerabilities, Common Misconception

As CryptoGlobe reported in June, a smart contract bug on the ICON (ICX) network allowed anyone, except the contract’s owner, to suspend transactions on the cryptocurrency platform’s blockchain.

Although the bug was later fixed, users on social media criticized ICON’s developers for not being more careful. At the time, the market capitalization of the platform’s native token, ICX, was around $800 million.

Notably, there is a common misconception that smart contracts are able to reduce transaction costs and eliminate intermediaries, or third-parties. As explained by Bitcoin developer, Jimmy Song, “the execution of the agreed-to consequences are what make smart contracts powerful, not in the contract’s innate intelligence.”

Song added that smart contracts were being written mostly by people who were not lawyers or qualified legal experts. These “newbies” usually do not understand how to write proper contracts, which can potentially lead to vulnerabilities or flaws in their construction.