Assessing Vulnerability in Smart Contracts: The Role of Code Complexity Metrics in Security Analysis
Masoud Jamshidiyan Tehrani
TL;DR
This work investigates whether software complexity metrics can meaningfully signal vulnerabilities in Solidity smart contracts. By analyzing 21 metrics from the Solmet tool on a large, labeled set of contracts, the study demonstrates substantial redundancy among metrics and weak per-metric correlations with vulnerabilities, yet shows strong collective discriminative capability to separate secure from vulnerable code. The authors provide practical guidance for integrating complexity signals into vulnerability detectors, emphasize the importance of simplicity and documentation, and discuss limitations and avenues for future work, including domain-specific analyses and cognitive-complexity measures. Overall, complexity metrics emerge as a valuable, though not causative, supplement to existing static-analysis approaches for improving smart contract security in real-world ecosystems.
Abstract
Software built on poor structural patterns often shows higher exposure to security defects. When code departs from established best practices, verification and maintenance become increasingly difficult, raising the risk of unintentional vulnerabilities. In the context of blockchain technology, where immutable smart contracts handle high-value transactions, strict security assurance is essential. This research analyzes the utility of software complexity metrics as diagnostic tools for identifying vulnerable Solidity smart contracts. We evaluate the hypothesis that complexity measures serve as vital, complementary signals for security assessment. Through an empirical examination of 21 distinct metrics, we analyzed their inter-dependencies, their statistical association with vulnerabilities, and their discriminative capabilities. Our findings indicate a significant degree of redundancy among certain metrics and a relatively low correlation between any single metric and the presence of vulnerabilities. However, the data demonstrates that these metrics possess strong power to distinguish between secure and vulnerable code when analyzed collectively. Notably, with only three exceptions, vulnerable contracts consistently exhibited higher mean complexity scores than their neutral counterparts. While our results show a statistical association, we emphasize that complexity is an indicator rather than a direct cause of vulnerability.
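As an added illustration of the three analyses the abstract describes (not code from the paper or from Solmet), the script below approximates five structural metrics for a few constructed Solidity samples with assumed vulnerability labels, then reports each metric's correlation with the label, its neutral-versus-vulnerable group means, and metric pairs correlated strongly enough to count as redundant. The metric names, the regex approximations, the 0.9 redundancy threshold and the samples are all assumptions; the toy data is far too small to reproduce the paper's weak per-metric correlations.

```python
import re
import statistics

# Constructed Solidity samples with assumed labels (1 = flagged vulnerable, 0 = neutral); not the paper's dataset.
SOURCES = [
    ("contract Counter { uint n; function inc() public { n += 1; } }", 0),
    ("contract Vault { mapping(address => uint) bal;\n"
     "  function deposit() public payable { bal[msg.sender] += msg.value; }\n"
     "  function withdraw(uint a) public { require(bal[msg.sender] >= a); bal[msg.sender] -= a; payable(msg.sender).transfer(a); } }", 0),
    ("contract Bank { mapping(address => uint) bal; address owner;\n"
     "  modifier onlyOwner() { require(msg.sender == owner); _; }\n"
     "  function deposit() public payable { bal[msg.sender] += msg.value; }\n"
     "  function pay(address to, uint a) public onlyOwner { if (a > 0 && bal[to] >= a) { bal[to] -= a; payable(to).transfer(a); } }\n"
     "  function sweep(address[] memory t) public onlyOwner { for (uint i = 0; i < t.length; i++) { if (bal[t[i]] > 0) { payable(t[i]).send(bal[t[i]]); } } } }", 1),
    ("contract Router { address owner; modifier onlyOwner() { require(msg.sender == owner); _; }\n"
     "  function fwd(address to, bytes memory d) public onlyOwner returns (bool ok) { if (to != address(0) || d.length > 0) { (ok, ) = to.call(d); } } }", 1),
]

def metrics(src):
    """Five structural metrics approximated with regexes; stand-ins for a real metric tool's output."""
    code = re.sub(r"//[^\n]*", "", src)  # drop line comments before counting
    return {
        "sloc": sum(1 for ln in code.splitlines() if ln.strip()),
        "functions": len(re.findall(r"\bfunction\b", code)),
        "cyclomatic": 1 + len(re.findall(r"\b(?:if|for|while)\b|&&|\|\|", code)),
        "ext_calls": len(re.findall(r"\.(?:call|delegatecall|send|transfer)\b", code)),
        "modifiers": len(re.findall(r"\bmodifier\b", code)),
    }

def pearson(xs, ys):
    mx, my = statistics.fmean(xs), statistics.fmean(ys)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx, syy = sum((x - mx) ** 2 for x in xs), sum((y - my) ** 2 for y in ys)
    return 0.0 if sxx == 0 or syy == 0 else sxy / (sxx * syy) ** 0.5

def analyse(dataset, redundancy_threshold=0.9):
    rows = [(metrics(src), label) for src, label in dataset]
    labels = [label for _, label in rows]
    cols = {n: [m[n] for m, _ in rows] for n in rows[0][0]}
    per_metric = {n: {  # association with the label and the mean in each group
        "r_with_label": pearson(v, labels),
        "mean_neutral": statistics.fmean([x for x, l in zip(v, labels) if l == 0]),
        "mean_vuln": statistics.fmean([x for x, l in zip(v, labels) if l == 1]),
    } for n, v in cols.items()}
    names = list(cols)  # metric pairs whose |r| reaches the threshold are treated as redundant
    redundant = [(a, b, round(pearson(cols[a], cols[b]), 3)) for i, a in enumerate(names)
                 for b in names[i + 1:] if abs(pearson(cols[a], cols[b])) >= redundancy_threshold]
    return per_metric, redundant

if __name__ == "__main__":
    print(*analyse(SOURCES), sep="\n")
```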
