A Comparative Evaluating Auditing Tools for Unverified Smart Contracts on Ethereum Blockchain

Nashaib Akbar; Muhammad Saleem Vighio

Authors

Nashaib Akbar Department of Computer Science Quaid-e-Awam University of Engineering, Sciences & Technology Nawabshah, Pakistan
Muhammad Saleem Vighio Department of Computer Science Quaid-e-Awam University of Engineering, Sciences & Technology Nawabshah, Pakistan

Keywords:

Ethereum Blockchain, Smart Contract, ERC20 token, security risks, vulnerabilities, runtime bytecode

Abstract

The Ethereum blockchain has transformed decentralized finance (DeFi) and is widely used to issue ERC20 tokens. However, many of these tokens rely on unverified smart contracts, which pose serious security risks. Hackers can take advantage of vulnerabilities in these unverified ERC20 tokens, leading to scams, financial losses, and a decline in user trust. Although several tools are available to audit smart contracts, their effectiveness in analyzing unverified ERC20 tokens remains uncertain. This study examines three auditing tools HoneyBadger, Maian, and Mythril by testing how well they detect security issues in unverified ERC20 tokens. The SmartBugs framework was used to support the auditing process, enabling parallel execution, standardized reports, and bulk auditing of contracts. For a thorough evaluation, two datasets were used: one from 50,581 Ethereum blockchain blocks and another from the DappRadar list of blacklisted ERC20 tokens. These datasets were chosen to provide a broad and realistic view of how the tools perform on both typical and high-risk contracts. The tools were compared based on their ability to detect issues, their execution speed, and their overall effectiveness. The results revealed clear differences in performance: some tools were better at finding vulnerabilities accurately, while others focused more on speed than depth. This study emphasizes the need to improve smart contract auditing methods and highlights the importance of developing more effective security tools to strengthen the Ethereum blockchain.

References

V. Buterin, “Ethereum white paper,” gitHub Repos., pp. 22–23, 2013.

A. Ghaleb and K. Pattabiraman, “How effective are smart contract analysis tools? evaluating smart contract static analysis tools using bug injection,” ISSTA 2020 - Proc. 29th ACM SIGSOFT Int. Symp. Softw. Test. Anal., pp. 415–427, Jul. 2020, doi: 10.1145/3395363.3397385;SUBPAGE:STRING:ABSTRACT;TOPIC:TOPIC:CONFERENCE-COLLECTIONS>ISSTA;CSUBTYPE:STRING:CONFERENCE.

B. A. Dahri, K. A., Vighio, M. S., & Zardari, “Detection and prevention of malware in the Android operating system,” Mehran Univ. Res. J. Eng. Technol., vol. 40, no. 4, pp. 847–859, 2021, [Online]. Available: https://www.researchgate.net/publication/355269909_Detection_and_Prevention_of_Malware_in_Android_Operating_System

DappRadar, “Tokens Blacklist,” GitHub Repos., 2024, [Online]. Available: https://github.com/dappradar/tokens-blacklist/tree/main

R. Torres, C. F., Steichen, M., & State, “The Art of The Scam: Demystifying Honeypots in Ethereum Smart Contracts,” Adv. Comput. Syst. Assoc., 2019, [Online]. Available: http://usenix.org/system/files/sec19-torres.pdf

A. H. Ivica Nikolić,, Aashish Kolluri, Ilya Sergey, Prateek Saxena, “Finding The Greedy, Prodigal, and Suicidal Contracts at Scale,” ACSAC ’18 Proc. 34th Annu. Comput. Secur. Appl. Conf., pp. 653–663, 2018, doi: https://doi.org/10.1145/3274694.3274743.

B. Mueller, “Smashing Ethereum Smart Contracts for Fun and ACTUAL Profit,” HITB SECCONF, 2018, [Online]. Available: https://archive.conference.hitb.org/hitbsecconf2018ams/sessions/smashing-ethereum-smart-contracts-for-fun-and-actual-profit/

M. Di Angelo, T. Durieux, J. F. Ferreira, and G. Salzer, “SmartBugs 2.0: An Execution Framework for Weakness Detection in Ethereum Smart Contracts,” Proc. - 2023 38th IEEE/ACM Int. Conf. Autom. Softw. Eng. ASE 2023, pp. 2102–2105, 2023, doi: 10.1109/ASE56229.2023.00060.

T. Durieux, J. F. Ferreira, R. Abreu, and P. Cruz, “Empirical review of automated analysis tools on 47,587 ethereum smart contracts,” Proc. - Int. Conf. Softw. Eng., pp. 530–541, Jun. 2020, doi: 10.1145/3377811.3380364;PAGE:STRING:ARTICLE/CHAPTER.

Nashaib Akbar, “Unverified Smart Contracts,” GitHub, [Online]. Available: https://github.com/Nashaibakbar/Unverified-Smart-Contracts-

M. Ren et al., “Empirical evaluation of smart contract testing: What is the best choice?,” ISSTA 2021 - Proc. 30th ACM SIGSOFT Int. Symp. Softw. Test. Anal., pp. 566–579, Jul. 2021, doi: 10.1145/3460319.3464837.

Etherscan API, “Etherscan API Documentation,” Etherscan, [Online]. Available: https://etherscan.io/

Google Colab, “Google Colaboratory: Python in the Cloud”, [Online]. Available: https://colab.research.google.com

G. S. Heidelinde Rameder, Monika di Angelo, “Review of Automated Vulnerability Analysis of Smart Contracts on Ethereum,” Front. Blockchain, vol. 5, 2022, doi: https://doi.org/10.3389/fbloc.2022.814977.