Review
Verification of smart contracts: A survey

https://doi.org/10.1016/j.pmcj.2020.101227Get rights and content

Abstract

To achieve trust and continuity in the smart contracts-based business process execution, the verification of such smart contracts is mandatory. A blockchain-based smart contract should work as intended before using it. Due to the immutable nature of blockchain, any bugs or errors will become permanent once published and could lead to huge economic losses. To avoid such problems, verification is required to check the correctness and the security of the smart contract. In this survey, we consider the smart contracts and we investigate smart contacts formal verification methods. We also investigate the security assurance for smart contracts using vulnerabilities detection methods. In this context, we provide a detailed overview of the different approaches to verify the smart contracts and we present the used methods and tools. We show a description of each method as well as its advantages and limitations and we draw several conclusions.

Introduction

Boosted-up by the spread of ICT technologies, many new economic models are emerging in the global markets, such as demand-driven economy, virtual marketplaces and distributed supply chain. These economic and technological forces are producing more and more complex systems, where the interconnection between actors, the availability of trusted information, as well as cost and revenue sharing among the actors are the key factors to obtain sustainable and cost-effective businesses. These systems require the presence of decentralized, yet trusted, process and data management.

Distributed Legder Technology (DLT) can help addressing both, trust and decentralization problems in collaborative business processes. In this context, blockchain [1], [2] as a DLT technology, initially proposed for cryptocurrency, has recently gained a lot of interest from a variety of sectors such as government [3], finance [4], [5], industry [6], health [7], internet of thing IoT [8], [9] and research [10]. It offers key functionalities including data persistence, anonymity, fault-tolerance, auditability, resilience, and decentralized execution. For instance, a company called Everledger [11] built a blockchain based system that allows tracking diamonds from their source, in order to help stakeholders, ensure their diamonds are conflict-free. In addition, several research works [12], [13], [14], [15] have been conducted on this field to prove the feasibility of the blockchain-based collaborative business processes using a high-level notation, (such as the Business Process Model and Notation (BPMN))

More recently, the introduction of smart contracts has extended the functionalities of blockchains. A smart contract is a computer program intended to enforce the execution of a deal between two or more parties. In the context of blockchain, a smart contract is a immutable computer program stored in the blockchain and executed by some of its nodes. The smart contract is usually written in a high-level language such as Solidity or Vyper, and then it is compiled down to the bytecode that runs on the blockchain like Ethereum Virtual Machine (EVM) in Ethereum blockchain. Other blockchain platforms can create and run smart contracts written by different high-level languages. For example, the Hyperledger Fabric [16] is a permissioned blockchain infrastructure, contributed by IBM and Digital Asset. Hyperledger Fabric provides execution of Smart Contracts called “chain code”, written in a Golang and javascript [17]. Also, Tezos is a blockchain-based cryptocurrency and a smart contracts platform for building decentralized applications (dApps) [18]. Tezos-smart contracts [19] are written by Liquidity high-level language with Michelson language (it is the domain-specific language used to write smart contracts on the Tezos blockchain). According to [20], Tezos-smart contracts were designed with security and formal verification in mind.

Thus the smart contracts [21] are paramount to design and implement a business process, which greatly contributes to dependence on the use of blockchain in business process management systems (BPMSs) [22]. The correctness and security of the smart contracts are required as smart contract failures may cause millions of dollars of lost funds. Thus, a blockchain applications based on smart contracts should be checked and verified to ensure the correctness, security, and safety of the smart contract implementations. We focus in this paper on the verification of smart contracts. Given that, the Ethereum platform is the most widely used in the world, especially in smart contracts, thus we only consider the verification of smart contracts on Ethereum blockchain. We investigate two aspects of smart contracts verification, the first is related to the correctness of smart contracts and the second one focuses on the security assurance of smart contracts.

The correctness verification is about respecting the specifications that determine how users can interact with the smart contracts and how the smart contracts should behave when used correctly. There are two approaches used to verify the correctness: the formal verification and the programming correctness. The formal verification methods [23] are based on formal methods (mathematical methods [24]), while the programming correctness methods are based on ensuring the programming as code is correct, which means the program runs without entering the loop and gives correct outputs for correct inputs. We mainly focus on the formal verification approaches that is because formal verification is more rigorous and reliable.

On the other hand, the security assurance aspect is also important as the correctness aspect. In addition, the smart contracts are immutable nature, so any bugs or errors will become permanent once published and could lead to huge economic losses. To avoid this, we investigate the vulnerabilities detection methods that aim at improving the security of smart contracts by the study of vulnerabilities by verifying the smart contracts against a list of already defined and well-known vulnerabilities patterns. The vulnerabilities detection can avoid the same mistakes, which makes smart contracts more secure.

In this survey, the smart contract is the core of interest. This survey covers two aspects:

  • i

    Smart contract verification to achieve the correctness of collaboration process.

  • ii

    Vulnerabilities detection related to the security assurance of smart contracts to avoid bugs and errors.

For the formal verification, we investigate the methods based on Theorem Proving, Model Checking and Runtime Verification as well as the existing platforms based on these methods. And for the vulnerabilities detection methods, we present Symbolic Execution, Fuzzing and Abstract Interpretation as well as the existing platforms based on these methods. This work is helpful for researchers that would start working with the formal verification and the vulnerabilities detection of smart contracts.

In Fig. 1, we illustrate the taxonomy of smart contract verification and vulnerability detections methods adopted in this survey.

The rest of this paper is organized as follows; in Section 2, we give required background about smart contracts and the verification requirements. Then we consider the verification of correctness including the different models and platforms in Section 3. The vulnerabilities detection and their tools are presented in Section 4. Section 5 presents the discussion and future directions. Finally, Section 6 concludes the survey.

Section snippets

Theoretical background and definitions

In this section, we briefly provide the theoretical background related to blockchain and smart contracts in addition to the notions typically used.

Verification of correctness: Formal verification for smart contracts

Based on the formal methods, the formal verification of smart contracts provides the correctness of smart contracts in a rigorous and reliable mathematical model [23], [24]. In order to perform formal verification, formal specifications could be used. By using mathematical methods, formal verification can attest that the final program behaves exactly as described in its specification. Formal verification is used in the fields where errors can be quite significant as it eliminates human error.

The vulnerabilities analysis in SC: vulnerabilities detection

Vulnerabilities detection aims to improve the security of smart contracts. This can be done by studying the possible vulnerabilities and verifying the smart contracts against a list of already defined and well-known vulnerabilities patterns. The vulnerabilities detection can also avoid mistakes, which makes smart contracts more secure. On other hand, the Vulnerabilities detection is inefficient to analyze the complex smart contracts. Moreover, it is easy to ignore some vulnerabilities, this is

Discussion and future directions

After investigating a set of tools related to the verification of the smart contracts, we summarize the different characteristics in Table 2, Table 3 and then, we draw some conclusions. In Table 2 there are six model-checking based tools, five theorem proving based tools, and one runtime verification tool. Where theorem proving is unable to perform without human intervention (the high skill of users are required), model checking requires no human oversight. In contrast, theorem proving can hand

Conclusion

In this survey, we show a detailed overview of the smart contracts verification methods. Due to the immutable nature of distributed ledger technology on the blockchain, a smart contract should work as intended before using it. Any bugs or errors will become permanent once published and could lead to huge economic losses. Thus, ensuring the security of smart contracts is important to achieve trust and continuity in the Blockchain-based business process execution. To avoid such problems,

Declaration of Competing Interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

References (90)

  • ZhangC. et al.

    A review of research relevant to the emerging industry trends: Industry 4.0, iot, block chain, and business analytics

    J. Ind. Integr. Manag.

    (2020)
  • ViriyasitavatW. et al.

    New blockchain-based architecture for service interoperations in internet of things

    IEEE Trans. Comput. Soc. Syst.

    (2019)
  • LuY.

    Blockchain and the related issues: a review of current research topics

    J. Manag. Anal.

    (2018)
  • Everledger company,...
  • DumasM. et al.

    Blockchain technology for collaborative information systems (dagstuhl seminar 18332)

    Dagstuhl Rep.

    (2018)
  • von RosingM. et al.

    Business process model and notation - BPMN

  • CiccioC.D. et al.

    Blockchain support for collaborative business processes

    Inform. Spektrum

    (2019)
  • AndroulakiE. et al.

    Hyperledger fabric: a distributed operating system for permissioned blockchains

  • IBMHyperledger Projects,...
  • GoodmanL.

    Tezos—a self-amending crypto-ledger white paper

    (2014)
  • Tezos documentation,...
  • Tezos Technology,...
  • WoodD.D.

    Ethereum: a secure decentralised generalised transaction ledger

    (2014)
  • López-PintadoO. et al.

    Caterpillar: A blockchain-based business process management system

  • DrechslerR.
  • PeledD.A.

    Formal methods

  • BashirI.

    Mastering Blockchain: Distributed Ledger Technology, Decentralization, and Smart Contracts Explained

    (2018)
  • GatteschiV. et al.

    To blockchain or not to blockchain: That is the question

    IT Prof.

    (2018)
  • AlmakhourM. et al.

    Trustless blockchain-based access control in dynamic collaboration

  • GelvezM.

    Explaining the DAO exploit for beginners in solidity

    (2016)
  • LahiriS.K. et al.

    Formal specification and verification of smart contracts for azure blockchain

    (2018)
  • KalraS. et al.

    ZEUS: analyzing safety of smart contracts

  • ChenH. et al.

    A survey on ethereum systems security: Vulnerabilities, attacks and defenses

    (2019)
  • AngeloM.D. et al.

    A survey of tools for analyzing ethereum smart contracts

  • PraitheeshanP. et al.

    Security analysis methods on ethereum smart contract vulnerabilities: a survey

    (2019)
  • MurrayY. et al.

    Survey of formal verification methods for smart contracts on blockchain

  • LiuJ. et al.

    A survey on security verification of blockchain smart contracts

    IEEE Access

    (2019)
  • RushbyJ.

    Theorem proving for verification

  • K. Bhargavan, A. Delignat-Lavaud, C. Fournet, A. Gollamudi, G. Gonthier, N. Kobeissi, N. Kulatova, A. Rastogi, T....
  • HildenbrandtE. et al.

    Kevm: A complete formal semantics of the ethereum virtual machine

  • HarrisonJ.

    Theorem proving for verification (invited tutorial)

  • NesiM.

    A brief introduction to higher order logic and the HOL proof assistant

    (2011)
  • HuY.

    Exploring Formal Verification Methodology for FPGA-Based Digital Systems

    (2012)
  • S. Amani, M. Bégel, M. Bortin, M. Staples, Towards verifying ethereum smart contract bytecode in Isabelle/HOL, in:...
  • SotnichekM.

    Formal verification of smart contracts with the k framework

    (2018)
  • Cited by (66)

    • Auditing decentralized finance

      2023, British Accounting Review
    • Comparison of Ethereum Smart Contract Analysis and Verification Methods

      2024, Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
    View all citing articles on Scopus
    View full text