Computing Reviews

ContractFuzzer: fuzzing smart contracts for vulnerability detection
Jiang B., Liu Y., Chan W. ASE 2018 (Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering, Montpellier, France, Sep 3-7, 2018), 259-269, 2018. Type: Proceedings
Date Reviewed: 10/11/19

Many fields exploit blockchain technology, including those related to human and life sciences, supply chains, and clinical research. However, especially in recent years (notably 2017), almost all transactions running on public blockchains were related to the decentralized exchange of cryptocurrencies. Such transactions are executed via smart contract programs, which update the state of the blockchain to reflect the exchanged values.

In Ethereum (a popular blockchain implementation), smart contracts are written in a language called Solidity and compiled into bytecode executed by the Ethereum Virtual Machine (EVM). The current daily volume of exchanged currencies is 7.5 billion euros, and in 2018 there were two million smart contracts deployed. Once deployed, smart contracts cannot be modified (they are “written in stone”), so an ex ante security evaluation is essential.

Although tools exist (for example, performing static analysis or symbolic execution), they are still crude and new to many developers. The authors develop a fuzzing framework for detecting the security vulnerabilities of smart contracts on the Ethereum platform. They evaluate 6991 smart contracts and identify 459 vulnerabilities (including “the infamous DAO bug” and the Parity Wallet bug). Their fuzzing tool detects seven known vulnerabilities and finds fewer false positives than Oyente, another popular tool that uses formal methods.

When deploying a computer program that potentially holds a high volume of economic assets, a security analysis is of utmost importance. Because both the language and its integrated development environment (IDE) are themselves still under development, tools such as the one presented in this paper are very useful additions to any smart contract developer’s toolbox.

Reviewer:  Massimiliano Masi Review #: CR146725 (1912-0444)
