eprintid: 10182359
rev_number: 20
eprint_status: archive
userid: 699
dir: disk0/10/18/23/59
datestamp: 2023-11-29 07:51:16
lastmod: 2024-08-12 10:38:50
status_changed: 2023-11-29 07:51:16
type: proceedings_section
metadata_visibility: show
sword_depositor: 699
creators_name: Chaliasos, Stefanos
creators_name: Charalambous, Marcos Antonios
creators_name: Zhou, Liyi
creators_name: Galanopoulou, Rafaila
creators_name: Gervais, Arthur
creators_name: Mitropoulos, Dimitris
creators_name: Livshits, Benjamin
title: Smart Contract and DeFi Security Tools: Do They Meet the Needs of Practitioners?
ispublished: pub
divisions: UCL
divisions: B04
divisions: C05
divisions: F48
note: © The Author(s), 2024. This is an Open Access article distributed under the terms of the Creative Commons Attribution Licence (CC BY 4.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited. https://creativecommons.org/licenses/by/4.0/
abstract: The growth of the decentralized finance (DeFi) ecosystem built on blockchain technology and smart contracts has led to an increased demand for secure and reliable smart contract development. However, attacks targeting smart contracts are increasing, causing an estimated $6.45 billion in financial losses. Researchers have proposed various automated security tools to detect vulnerabilities, but their real-world impact remains uncertain.
In this paper, we aim to shed light on the effectiveness of automated security tools in identifying vulnerabilities that can lead to high-profile attacks, and their overall usage within the industry. Our comprehensive study encompasses an evaluation of five SoTA automated security tools, an analysis of 127 high-impact real-world attacks resulting in $2.3 billion in losses, and a survey of 49 developers and auditors working in leading DeFi protocols. Our findings reveal a stark reality: the tools could have prevented a mere 8% of the attacks in our dataset, amounting to $149 million out of the $2.3 billion in losses. Notably, all preventable attacks were related to reentrancy vulnerabilities. Furthermore, practitioners distinguish logic-related bugs and protocol layer vulnerabilities as significant threats that are not adequately addressed by existing security tools. Our results emphasize the need to develop specialized tools catering to the distinct demands and expectations of developers and auditors. Further, our study highlights the necessity for continuous advancements in security tools to effectively tackle the ever-evolving challenges confronting the DeFi ecosystem.
date: 2024-02-06
date_type: published
publisher: Association for Computing Machinery (ACM)
official_url: https://doi.org/10.1145/3597503.3623302
oa_status: green
full_text_type: pub
language: eng
primo: open
primo_central: open_green
verified: verified_manual
elements_id: 2113364
doi: 10.1145/3597503.3623302
isbn_13: 979-8-4007-0217-4
lyricists_name: Gervais, Arthur
lyricists_id: AGERV21
actors_name: Gervais, Arthur
actors_id: AGERV21
actors_role: owner
full_text_status: public
pres_type: paper
place_of_pub: Lisbon, Portugal
pagerange: art no-60
event_title: International Conference on Software Engineering 2024
book_title: Proceedings of the 46th International Conference on Software Engineering (ICSE 2024)
citation: Chaliasos, Stefanos; Charalambous, Marcos Antonios; Zhou, Liyi; Galanopoulou, Rafaila; Gervais, Arthur; Mitropoulos, Dimitris; Livshits, Benjamin; (2024) Smart Contract and DeFi Security Tools: Do They Meet the Needs of Practitioners? In: Proceedings of the 46th International Conference on Software Engineering (ICSE 2024). (pp. art no-60). Association for Computing Machinery (ACM): Lisbon, Portugal. Green open access
document_url: https://discovery.ucl.ac.uk/id/eprint/10182359/7/Gervais_Smart%20Contract%20and%20DeFi%20Security_3597503.pdf