Developing a Robust Vulnerability Detection Tool for ink! Smart Contracts on Substrate-Based Blockchains
CoinFabrik received a grant from the Web3 Foundation to develop a proof-of-concept tool for detecting security vulnerabilities in Parity’s ink! smart contracts, used for developing on Substrate-based blockchains like Kusama and Polkadot. The team faced challenges in finding a comprehensive source of vulnerable smart contracts, so they built an annotated database of vulnerable and remediated ink! smart contracts using public security audit reports and extrapolating vulnerabilities from other languages and blockchains.
Using tools such as Dylint, Semgrep, and cargo-fuzz, the team successfully built detectors for all examples in their annotated database, achieving high precision and recall. However, they acknowledged that their detectors may not guarantee 100% precision and recall for every ink! smart contract, and further testing and independent audits are necessary to estimate the real precision, recall, and overall quality of the tool.
Our researchers believe that the vulnerability-detection tool can be improved iteratively, by expanding the annotated database with more instances of vulnerabilities, adding new vulnerability classes, and incorporating user feedback. This will allow them to transform their proof-of-concept toolset into a robust, reliable tool for detecting vulnerabilities in ink! smart contracts, enhancing the security of blockchain-based applications.
Expanded details are available in the CoinFabrik blog post "Vulnerability Detection in ink! Programming Language".