To investigate Smart Contracts, the team of authors developed a tool called MAIAN, which they used to check all Smart Contracts existing on the Ethereum blockchain by the end of 2017.
The paper itself examines trace vulnerabilities that occur when a Smart Contract is called several times in a row. In concrete terms, a distinction is made between three types of security vulnerability:
Suicidal security gaps can be accidentally destroyed by a Bitcoin loophole user
Parity was an example of this. Stingy security holes deny users access to their own Bitcoin loophole funds. Here is the review by onlinebetrug. Parity would be an indirect example: After the parity contract was destroyed thanks to the suicidal security vulnerability, other contracts that used this specific contract could no longer do so and thus became a stingy security vulnerability.
Wasteful security holes are gaps in which funds can be sent to addresses that are not specified. An example of this would be the DAO exploit, in which the funds were transferred from the DAO to a new address.
Posthumous vulnerabilities are another special case: A suicidal contract may no longer work, but its ethereal address still exists on the ethereal blockchain. Ether sent to this address can no longer be reclaimed.
Two key findings of the research are that a large part, 99% of smart contracts to be precise, are not stored in a readable solidity format on the blockchain. So tools are needed to examine the byte code. For this reason alone, it is to be hoped that the MAIAN tool will soon be made available to the free market.
But also with the readable articles it is to be paid attention that first of all often legacy code is used. Some security vulnerabilities have already been fixed in newer Solidity versions. It should be noted, however, that what is executed on the Ethereum blockchain is not the solidarity code itself, but a byte-code compiled version of the smart contract. This means that these vulnerabilities in Smart Contracts written with old Solidity versions are not fixed.
Second, it is not simply the single Smart Contract that is executed. For example, there were many Smart Contracts that accessed the Library of Parity and were also affected by the Parity bug.
Code testing as due diligence
As lessons from the paper one can summarize the following: Check the Smart Contracts! Of course, not everyone can become a passionate Solidity programmer, but on the one hand you can make sure that a Smart Contract is accompanied by source code that can be read by humans. Since you won’t be the only one looking at the code, you can trust the power of the crowd; maybe someone else will notice an error.
On the other hand, you should pay attention to whether formulations like xxx is yyy occur. With such code, functions of other Smart Contracts are used, so the original Smart Contract should also be checked.
All in all, as with any other investment, keep your eyes open and always be healthy and critical!