USENIX Security '21 - Smart Contract Vulnerabilities: Vulnerable Does Not Imply Exploited
Daniel Perez and Benjamin Livshits, Imperial College London
In recent years, we have seen a great deal of both academic and practical interest in the topic of vulnerabilities in smart contracts, particularly those developed for the Ethereum blockchain. While most of the work has focused on detecting vulnerable contracts, in this paper, we focus on finding how many of these vulnerable contracts have actually been exploited. We survey the 23,327 vulnerable contracts reported by six recent academic projects and find that, despite the amounts at stake, only 1.98% of them have been exploited since deployment. This corresponds to at most 8,487 ETH (~1.7 million USD 1 ), or only 0.27% of the 3 million ETH (600 million USD) at stake. We explain these results by demonstrating that the funds are very concentrated in a small number of contracts which are not exploitable in practice.
View the full USENIX Security '21 Program at https://www.usenix.org/conference/usenixsecurity21/technical-sessions