| Popis: |
Turing completeness has made Ethereum smart contracts attractive to blockchain developers and attackers alike. To increase code security, many tools can now spot most known vulnerabilities$-$at the cost of production efficiency. Recent studies show false-positive ratios over 99% in state-of-the-art technologies: this makes them impractical for use in industry and have raised questions on the direction of academic research. In this work we show how integrating and extending current analyses is not only feasible, but also a next logical step in smart-contract security. We propose light-weight static checks on the morphology and dynamics of Solidity code, stemming from a developer-centric notion of vulnerability, that we use to verify the output of other tools, flag potential false alarms, and suggest verifications. Besides technical details we implemented an open-source prototype. For three top-10 vulnerabilities it flags 324 warnings of other tools as false-positives, in 60 verified de-duplicated smart contracts selected from the blockchain by the presence of true (and false) vulnerabilities. This amounts to a 92%- to 100%-reduction in the number of false-positives for these vulnerabilities. |
