ReviewVerification of smart contracts: A survey
Introduction
Boosted-up by the spread of ICT technologies, many new economic models are emerging in the global markets, such as demand-driven economy, virtual marketplaces and distributed supply chain. These economic and technological forces are producing more and more complex systems, where the interconnection between actors, the availability of trusted information, as well as cost and revenue sharing among the actors are the key factors to obtain sustainable and cost-effective businesses. These systems require the presence of decentralized, yet trusted, process and data management.
Distributed Legder Technology (DLT) can help addressing both, trust and decentralization problems in collaborative business processes. In this context, blockchain [1], [2] as a DLT technology, initially proposed for cryptocurrency, has recently gained a lot of interest from a variety of sectors such as government [3], finance [4], [5], industry [6], health [7], internet of thing IoT [8], [9] and research [10]. It offers key functionalities including data persistence, anonymity, fault-tolerance, auditability, resilience, and decentralized execution. For instance, a company called Everledger [11] built a blockchain based system that allows tracking diamonds from their source, in order to help stakeholders, ensure their diamonds are conflict-free. In addition, several research works [12], [13], [14], [15] have been conducted on this field to prove the feasibility of the blockchain-based collaborative business processes using a high-level notation, (such as the Business Process Model and Notation (BPMN))
More recently, the introduction of smart contracts has extended the functionalities of blockchains. A smart contract is a computer program intended to enforce the execution of a deal between two or more parties. In the context of blockchain, a smart contract is a immutable computer program stored in the blockchain and executed by some of its nodes. The smart contract is usually written in a high-level language such as Solidity or Vyper, and then it is compiled down to the bytecode that runs on the blockchain like Ethereum Virtual Machine (EVM) in Ethereum blockchain. Other blockchain platforms can create and run smart contracts written by different high-level languages. For example, the Hyperledger Fabric [16] is a permissioned blockchain infrastructure, contributed by IBM and Digital Asset. Hyperledger Fabric provides execution of Smart Contracts called “chain code”, written in a Golang and javascript [17]. Also, Tezos is a blockchain-based cryptocurrency and a smart contracts platform for building decentralized applications (dApps) [18]. Tezos-smart contracts [19] are written by Liquidity high-level language with Michelson language (it is the domain-specific language used to write smart contracts on the Tezos blockchain). According to [20], Tezos-smart contracts were designed with security and formal verification in mind.
Thus the smart contracts [21] are paramount to design and implement a business process, which greatly contributes to dependence on the use of blockchain in business process management systems (BPMSs) [22]. The correctness and security of the smart contracts are required as smart contract failures may cause millions of dollars of lost funds. Thus, a blockchain applications based on smart contracts should be checked and verified to ensure the correctness, security, and safety of the smart contract implementations. We focus in this paper on the verification of smart contracts. Given that, the Ethereum platform is the most widely used in the world, especially in smart contracts, thus we only consider the verification of smart contracts on Ethereum blockchain. We investigate two aspects of smart contracts verification, the first is related to the correctness of smart contracts and the second one focuses on the security assurance of smart contracts.
The correctness verification is about respecting the specifications that determine how users can interact with the smart contracts and how the smart contracts should behave when used correctly. There are two approaches used to verify the correctness: the formal verification and the programming correctness. The formal verification methods [23] are based on formal methods (mathematical methods [24]), while the programming correctness methods are based on ensuring the programming as code is correct, which means the program runs without entering the loop and gives correct outputs for correct inputs. We mainly focus on the formal verification approaches that is because formal verification is more rigorous and reliable.
On the other hand, the security assurance aspect is also important as the correctness aspect. In addition, the smart contracts are immutable nature, so any bugs or errors will become permanent once published and could lead to huge economic losses. To avoid this, we investigate the vulnerabilities detection methods that aim at improving the security of smart contracts by the study of vulnerabilities by verifying the smart contracts against a list of already defined and well-known vulnerabilities patterns. The vulnerabilities detection can avoid the same mistakes, which makes smart contracts more secure.
In this survey, the smart contract is the core of interest. This survey covers two aspects:
- i
Smart contract verification to achieve the correctness of collaboration process.
- ii
Vulnerabilities detection related to the security assurance of smart contracts to avoid bugs and errors.
For the formal verification, we investigate the methods based on Theorem Proving, Model Checking and Runtime Verification as well as the existing platforms based on these methods. And for the vulnerabilities detection methods, we present Symbolic Execution, Fuzzing and Abstract Interpretation as well as the existing platforms based on these methods. This work is helpful for researchers that would start working with the formal verification and the vulnerabilities detection of smart contracts.
In Fig. 1, we illustrate the taxonomy of smart contract verification and vulnerability detections methods adopted in this survey.
The rest of this paper is organized as follows; in Section 2, we give required background about smart contracts and the verification requirements. Then we consider the verification of correctness including the different models and platforms in Section 3. The vulnerabilities detection and their tools are presented in Section 4. Section 5 presents the discussion and future directions. Finally, Section 6 concludes the survey.
Section snippets
Theoretical background and definitions
In this section, we briefly provide the theoretical background related to blockchain and smart contracts in addition to the notions typically used.
Verification of correctness: Formal verification for smart contracts
Based on the formal methods, the formal verification of smart contracts provides the correctness of smart contracts in a rigorous and reliable mathematical model [23], [24]. In order to perform formal verification, formal specifications could be used. By using mathematical methods, formal verification can attest that the final program behaves exactly as described in its specification. Formal verification is used in the fields where errors can be quite significant as it eliminates human error.
The vulnerabilities analysis in SC: vulnerabilities detection
Vulnerabilities detection aims to improve the security of smart contracts. This can be done by studying the possible vulnerabilities and verifying the smart contracts against a list of already defined and well-known vulnerabilities patterns. The vulnerabilities detection can also avoid mistakes, which makes smart contracts more secure. On other hand, the Vulnerabilities detection is inefficient to analyze the complex smart contracts. Moreover, it is easy to ignore some vulnerabilities, this is
Discussion and future directions
After investigating a set of tools related to the verification of the smart contracts, we summarize the different characteristics in Table 2, Table 3 and then, we draw some conclusions. In Table 2 there are six model-checking based tools, five theorem proving based tools, and one runtime verification tool. Where theorem proving is unable to perform without human intervention (the high skill of users are required), model checking requires no human oversight. In contrast, theorem proving can hand
Conclusion
In this survey, we show a detailed overview of the smart contracts verification methods. Due to the immutable nature of distributed ledger technology on the blockchain, a smart contract should work as intended before using it. Any bugs or errors will become permanent once published and could lead to huge economic losses. Thus, ensuring the security of smart contracts is important to achieve trust and continuity in the Blockchain-based business process execution. To avoid such problems,
Declaration of Competing Interest
The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.
References (90)
The blockchain: State-of-the-art and research challenges
J. Ind. Inf. Integr.
(2019)- et al.
Blockchain technology: Is it hype or real in the construction industry?
J. Ind. Inf. Integr.
(2020) - et al.
Blockchain characteristics and consensus in modern business processes
J. Ind. Inf. Integr.
(2019) - et al.
Characterizing finite kripke structures in propositional temporal logic
Theoret. Comput. Sci.
(1988) - et al.
Computation tree logic model checking based on possibility measures
Fuzzy Sets and Systems
(2015) Bitcoin: A peer-to-peer electronic cash system
(2008)- et al.
Blockchain in Government: Benefits and Implications of Distributed Ledger Technology for Information Sharing
(2017) - et al.
Banking with blockchain-ed big data
J. Manag. Anal.
(2018) - et al.
Blockchain technology in the future of business cyber security and accounting
J. Manag. Anal.
(2020) - et al.
Healthcare blockchain system using smart contracts for secure automated remote patient monitoring
J. Med. Syst.
(2018)
A review of research relevant to the emerging industry trends: Industry 4.0, iot, block chain, and business analytics
J. Ind. Integr. Manag.
New blockchain-based architecture for service interoperations in internet of things
IEEE Trans. Comput. Soc. Syst.
Blockchain and the related issues: a review of current research topics
J. Manag. Anal.
Blockchain technology for collaborative information systems (dagstuhl seminar 18332)
Dagstuhl Rep.
Business process model and notation - BPMN
Blockchain support for collaborative business processes
Inform. Spektrum
Hyperledger fabric: a distributed operating system for permissioned blockchains
Tezos—a self-amending crypto-ledger white paper
Ethereum: a secure decentralised generalised transaction ledger
Caterpillar: A blockchain-based business process management system
Formal methods
Mastering Blockchain: Distributed Ledger Technology, Decentralization, and Smart Contracts Explained
To blockchain or not to blockchain: That is the question
IT Prof.
Trustless blockchain-based access control in dynamic collaboration
Explaining the DAO exploit for beginners in solidity
Formal specification and verification of smart contracts for azure blockchain
ZEUS: analyzing safety of smart contracts
A survey on ethereum systems security: Vulnerabilities, attacks and defenses
A survey of tools for analyzing ethereum smart contracts
Security analysis methods on ethereum smart contract vulnerabilities: a survey
Survey of formal verification methods for smart contracts on blockchain
A survey on security verification of blockchain smart contracts
IEEE Access
Theorem proving for verification
Kevm: A complete formal semantics of the ethereum virtual machine
Theorem proving for verification (invited tutorial)
A brief introduction to higher order logic and the HOL proof assistant
Exploring Formal Verification Methodology for FPGA-Based Digital Systems
Formal verification of smart contracts with the k framework
Cited by (66)
Smart contract vulnerability detection based on a semantic code structure and a self-designed neural network
2023, Computers and Electrical EngineeringAuditing decentralized finance
2023, British Accounting ReviewEthereum smart contract security: Design, risks and protection approaches
2024, AIP Conference ProceedingsSmart Contract Vulnerability Detection Based on Multi-Scale Encoders
2024, Electronics (Switzerland)Comparison of Ethereum Smart Contract Analysis and Verification Methods
2024, Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)Design of blockchain-based applications using model-driven engineering and low-code/no-code platforms: a structured literature review
2023, Software and Systems Modeling