Keywords: smart contract, information security, statistical vulnerability, blockchain, decentralized finances, statistical modeling
STATISTICAL VULNERABILITIES IN SMART CONTRACTS
UDC 004.052
Existing research on smart contract vulnerabilities focuses mainly on technical vulnerabilities, without paying attention to statistical vulnerabilities, which can be present even in applications with a technically perfect implementation. This article describes the essence of statistical vulnerabilities, calculates the damage from these vulnerabilities based on an analysis of real vulnerabilities in working smart contracts, estimates the potential damage in different application categories, and develops recommendations on methods for discovering and mitigating statistical vulnerabilities. The material is of practical value to developers and smart contract security experts, who can use the knowledge gained to discover and mitigate this new type of vulnerability, making financial applications built on blockchain technology more secure and safe for end users.
For citation: Anokhin P.N. STATISTICAL VULNERABILITIES IN SMART CONTRACTS. Bulletin of the Voronezh Institute of High Technologies. 2023;17(3). Available from: https://vestnikvivt.ru/ru/journal/pdf?id=656 (In Russ).
Received 26.09.2023
Revised 26.09.2023
Published 30.09.2023