Abstract
Smart contract security is essential for blockchain applications.
Studies show that few of the reported vulnerabilities are exploited.
However, no follow-up study is performed to why the reported
vulnerabilities are not exploited. We aim to understand the reasons for
the low exploitation rate to help improve vulnerability detection
practices. We first collect 136,969 unique real-world smart contracts
and analyze them using seven vulnerability detectors. Then, we apply
Strauss’ grounded theory approach to understand if they are exploitable.
In addition, we analyze the transaction logs of the exploitable
vulnerabilities to understand their exploitations in history. Among the
4,364 smart contracts reported as vulnerable by the vulnerability
detectors, 75.27% of them are unexploitable. Only 66 (0.015%)
exploitable contracts have been exploited. We uncover 11 reasons for
making the detectors misidentify unexploitable vulnerabilities and six
reasons that may lower the possibility of exploitable contracts being
exploited by attackers. We illustrate that: beyond treating the smart
contracts as yet another Object Oriented (OO) application, it is
essential to consider the Solidity programming language’s design
principle, smart contracts’ application scenarios, and their execution
environments. Based on the study’s insights, we provide several
suggestions to improve smart contract vulnerability detection,
prioritization, and mitigation.