Smart Contract Vulnerabilities, Tools, and Benchmarks: an Updated Systematic Literature Review

Gerardo Iuliano, Dario Di Nucci

TL;DR

This paper updates the state of the art on Ethereum smart contracts by systematically reviewing $3{,}380$ publications and distilling $222$ high-quality studies into a three-level taxonomy of $192$ vulnerabilities across $13$ categories. It catalogs $219$ automated detection tools and $133$ evaluation benchmarks, and provides a detailed mapping between vulnerabilities and tools while highlighting substantial coverage gaps (e.g., $113$ vulnerabilities lack tool coverage). The authors validate the taxonomy with expert input, discuss cross-chain and compiler-version challenges, and propose a forward-looking agenda including secure-by-design practices and consolidated ground truth benchmarks. The work offers a practical, repeatable resource for security researchers, tool developers, and auditors aiming to improve automated vulnerability detection in smart contracts and to benchmark progress consistently.

Abstract

Smart contracts are self-executing programs on blockchain platforms like Ethereum, which have revolutionized decentralized finance by enabling trustless transactions and the operation of decentralized applications. Despite their potential, the security of smart contracts remains a critical concern due to their immutability and transparency, which expose them to malicious actors. Numerous solutions for vulnerability detection have been proposed, but it is still unclear which one is the most effective. This paper presents a systematic literature review that explores vulnerabilities in Ethereum smart contracts, focusing on automated detection tools and benchmark evaluation. We reviewed 3,380 studies from five digital libraries and five major software engineering conferences, applying a structured selection process that resulted in 222 high-quality studies. The key results include a hierarchical taxonomy of 192 vulnerabilities grouped into 13 categories, a comprehensive list of 219 detection tools with corresponding functionalities, methods, and code transformation techniques, a mapping between our taxonomy and the list of tools, and a collection of 133 benchmarks used for tool evaluation. We conclude with a discussion about the insights into the current state of Ethereum smart contract security and directions for future research.

Paper Structure

This paper contains 69 sections, 6 figures, 16 tables.

Figures (6)

  • Figure 1: Research Method
  • Figure 2: Publication trend per year for SLRs, Surveys, and Primary Studies.
  • Figure 4: Number of Tools Providing a Specific Functionality.
  • Figure 5: Number of Tools Employing a Specific Code Transformation Technique.
  • Figure 6: Number of Tools Employing a Specific Method
  • ...and 1 more figures