Tezla, an Intermediate Representation for Static Analysis of Michelson Smart Contracts

This paper introduces Tezla, an intermediate representation of Michelson smart contracts that eases the design of static smart contract analysers. This intermediate representation uses a store and aims to preserve the semantics, flow and resource usage of the original smart contract. This enables properties like gas consumption to be statically verified. We provide an automated decompiler of Michelson smart contracts to Tezla. In order to support our claim about the adequacy of Tezla, we develop a static analyser that takes advantage of the Tezla representation of Michelson smart contracts to prove simple but non-trivial properties

Pre-deployment Analysis of Smart Contracts -- A Survey

Smart contracts are programs that execute transactions involving independent parties and cryptocurrencies. As programs, smart contracts are susceptible to a wide range of errors and vulnerabilities. Such vulnerabilities can result in significant losses. Furthermore, by design, smart contract transactions are irreversible. This creates a need for methods to ensure the correctness and security of contracts pre-deployment. Recently there has been substantial research into such methods. The sheer volume of this research makes articulating state-of-the-art a substantial undertaking. To address this challenge, we present a systematic review of the literature. A key feature of our presentation is to factor out the relationship between vulnerabilities and methods through properties. Specifically, we enumerate and classify smart contract vulnerabilities and methods by the properties they address. The methods considered include static analysis as well as dynamic analysis methods and machine learning algorithms that analyze smart contracts before deployment. Several patterns about the strengths of different methods emerge through this classification process

Provas de Coerência Transacional para Smart Contracts em Blockhains

Blockchain technology is an emergent topic based on decentralization and immutability, enabling mutually untrusting parties to fairly exchange assets without the need of a central authority. Recently, the addition of blockchain programs, known as smart contracts, enabled the technology to expand upon a variety of industry sectors, already known to traditional software. Many organizations and corporates saw a growth opportunity, extending their businesses into this domain — now, though, with the blockchain twist. However, the inclusion of computation exposed a weak link in the overall blockchain security, due to carrying not only traditional software bugs, but also never before seen ones. That way, smart contracts, especially valuable ones, became enticing for hackers to exploit, which resulted in a set of tragedies where funds were stolen, among other consequences. Soon after, smart contract security became a most valuable topic of research among blockchain platforms. The Tezos blockchain is a relatively new platform whose stance values security by construct infrastructure, in consequence of the past incidents. While many smart contract security solutions were devised over the years, these have not been properly adapted nor adopted for the average developer in the community. Due to various reasons, but for one, seamless integration with the smart contract development processes is one of them. This dissertation approaches the blockchain security problem through an indirect approach, providing the developer with better accessibility and conditions for working on one of Tezos’s state-of-the-art security tools. Although it is unorthodox, it is hoped for the solution to inspire and appeal other blockchain communities by shedding some light in this unknown direction.A tecnologia blockchain é um tópico emergente baseado na descentralização e imutabilidade, permitindo que entidades desconhecidas e não confiáveis consigam trocar bens e valores digitais de forma justa sem necessitarem uma entidade central. Recentemente, a adição de programas na blockchain, designados de smart contracts, permitiu que tal se expandisse sobre uma variedade de sectores industriais já explorada por programas tradicionais. Contudo, muitas empresas viram uma oportunidade de negócio bastante lucrativa, estendendo o seu negócio para este ambiente, agora incutindo as regras da blockchain. Embora oportunidades lucrativas tenham aparecido, problemas relativos aos programas tradicionais, bem como outros novos ainda não descobertos, também. Os smart contracts revelaram-se como um elo mais fraco para a segurança da blockchain e, tendo estes a capacidade de reter bastante valor monetário, tornaram-se um alvo aliciante para hackers. Não muito depois, notícias espalharam-se pela internet a anunciar crimes por entidades anónimas — roubo e congelamento de fundos, entre outras consequências, na blockchain. Após o primeiro grande incidente, a segurança na blockchain começou a ser um tópico bastante estudado por peritos e investigadores das várias comunidades. A blockchain da Tezos é uma plataforma relativamente recente, com uma postura relativa à segurança bastante madura, resultado dos incidentes passados. Enquanto várias soluções foram alcançadas para a segurança de smart contracts, estas não seriam ainda bem incorporadas pela comunidade, ou pelo menos para o engenheiro de contratos comum. Existem várias razões, porém, acessibilidade nos vários aspetos das ferramentas de segurança é uma delas. O trabalho realizado por esta dissertação passa por solucionar este problema, mais especificamente, solucionar o problema para uma ferramenta de segurança de programas na blockchain da Tezos. Este tipo de solução não é comum na literatura, contudo, espera-se que o trabalho realizado sirva de inspiração para que as comunidades possa explorar esta vertente mais indireta de segurança na blockchain

Blockchain Software Verification and Optimization

In the last decade, blockchain technology has undergone a strong evolution. The maturity reached and the consolidation obtained have aroused the interest of companies and businesses, transforming it into a possible response to various industrial needs. However, the lack of standards and tools for the development and maintenance of blockchain software leaves open challenges and various possibilities for improvements. The goal of this thesis is to tackle some of the challenges proposed by blockchain technology, to design and implement analysis, processes, and architectures that may be applied in the real world. In particular, two topics are addressed: the verification of the blockchain software and the code optimization of smart contracts. As regards the verification, the thesis focuses on the original developments of tools and analyses able to detect statically, i.e. without code execution, issues related to non-determinism, untrusted cross-contracts invocation, and numerical overflow/underflow. Moreover, an approach based on on-chain verification is investigated, to proactively involve the blockchain in verifying the code before and after its deployment. For the optimization side, the thesis describes an optimization process for the code translation from Solidity language to Takamaka, also proposing an efficient algorithm to compute snapshots for fungible and non-fungible tokens. The results of this thesis are an important first step towards improving blockchain software development, empirically demonstrating the applicability of the proposed approaches and their involvement also in the industrial field

Towards Safer Smart Contracts: A Survey of Languages and Verification Methods

With a market capitalisation of over USD 205 billion in just under ten years, public distributed ledgers have experienced significant adoption. Apart from novel consensus mechanisms, their success is also accountable to smart contracts. These programs allow distrusting parties to enter agreements that are executed autonomously. However, implementation issues in smart contracts caused severe losses to the users of such contracts. Significant efforts are taken to improve their security by introducing new programming languages and advance verification methods. We provide a survey of those efforts in two parts. First, we introduce several smart contract languages focussing on security features. To that end, we present an overview concerning paradigm, type, instruction set, semantics, and metering. Second, we examine verification tools and methods for smart contract and distributed ledgers. Accordingly, we introduce their verification approach, level of automation, coverage, and supported languages. Last, we present future research directions including formal semantics, verified compilers, and automated verification