On-Chain Analysis of Smart Contract Dependency Risks on Ethereum

Monica Jin, Raphina Liu, Martin Monperrus

TL;DR

The paper tackles the problem of understanding smart contract dependencies and their security implications on Ethereum at scale. It introduces an on-chain analysis framework and uses Allium to survey the mainnet up to 2024-12, yielding four core findings: widespread multi-contract interactions, extreme centralization in contract deployment, reliance on mutable/core contracts, and deeper-than-documented protocol dependencies. The study exposes significant risk vectors from factory patterns and proxy upgrades, and demonstrates transparency gaps in major DeFi protocols through Uniswap and Lido case studies. These results provide a foundation for developers, users, and researchers to assess dependency risk and motivate better tooling and documentation to improve Ethereum’s transparency and security.

Abstract

In this paper, we present the first large-scale empirical study of smart contract dependencies, analyzing over 41 million contracts and 11 billion interactions on Ethereum up to December 2024. Our results yield four key insights: (1) 59% of contract transactions involve multiple contracts (median of 4 per transaction in 2024), indicating potential smart contract dependency risks; (2) the ecosystem exhibits extreme centralization, with just 11 (0.001%) deployers controlling 20.5 million (50%) of alive contracts, with major risks related to factory contracts and deployer privileges; (3) the three most depended-upon contracts are mutable, meaning large parts of the ecosystem rely on contracts that can be altered at any time, which is a significant risk; (4) actual smart contract protocol dependencies are significantly more complex than officially documented, undermining Ethereum's transparency ethos and creating unnecessary attack surface. Our work provides the first large-scale empirical foundation for understanding smart contract dependency risks, offering crucial insights for developers, users, and security researchers in the blockchain space.
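The abstract's first three findings are all derived from per-transaction call traces: how many distinct contracts a transaction touches, which call types are used, and which contracts are reached through delegatecall (the proxy pattern whose implementation can change). The following example, added here and not part of the paper or its framework, shows how those metrics are computed from trace records. The record shape (`tx`, `from`, `to`, `type`) and the sample traces are constructed assumptions, not Allium's schema or real mainnet data.

```python
from collections import Counter, defaultdict
from statistics import median

# Constructed sample of internal-call trace records, one dict per call.
# Field names are an assumption for this example, not Allium's actual schema.
SAMPLE_TRACES = [
    # tx 0xa1: user -> proxy -> (delegatecall) implementation -> token -> oracle
    {"tx": "0xa1", "from": "0xUserA", "to": "0xProxy1", "type": "call"},
    {"tx": "0xa1", "from": "0xProxy1", "to": "0xImpl1", "type": "delegatecall"},
    {"tx": "0xa1", "from": "0xImpl1", "to": "0xToken", "type": "call"},
    {"tx": "0xa1", "from": "0xToken", "to": "0xOracle", "type": "staticcall"},
    # tx 0xb2: a plain single-contract token transfer
    {"tx": "0xb2", "from": "0xUserB", "to": "0xToken", "type": "call"},
    # tx 0xc3: factory creates a child that delegates to the same implementation
    {"tx": "0xc3", "from": "0xUserC", "to": "0xFactory", "type": "call"},
    {"tx": "0xc3", "from": "0xFactory", "to": "0xChild", "type": "create"},
    {"tx": "0xc3", "from": "0xChild", "to": "0xImpl1", "type": "delegatecall"},
]


def contracts_per_tx(traces):
    """Number of distinct contracts touched per transaction.

    Every callee (`to`) of a call, delegatecall, staticcall or create is a
    contract; the externally owned sender only ever appears in `from`, so
    counting distinct `to` addresses gives the contracts involved.
    """
    touched = defaultdict(set)
    for rec in traces:
        touched[rec["tx"]].add(rec["to"])
    return {tx: len(addrs) for tx, addrs in touched.items()}


def multi_contract_share(traces):
    """Fraction of transactions that involve more than one contract."""
    counts = contracts_per_tx(traces)
    if not counts:
        return 0.0
    return sum(1 for n in counts.values() if n > 1) / len(counts)


def median_contracts_per_tx(traces):
    """Median number of contracts per transaction (the paper reports 4 for 2024)."""
    counts = contracts_per_tx(traces)
    return median(counts.values()) if counts else 0


def call_type_counts(traces):
    """How often each call type occurs; a rising delegatecall share signals proxy use."""
    return Counter(rec["type"] for rec in traces)


def top_delegatecall_targets(traces, limit=5):
    """Contracts most often reached via delegatecall, ranked by call count.

    Delegatecall executes the target's code in the caller's storage context, so
    a widely delegated-to implementation is a shared dependency: if the proxy
    admin swaps it, every caller's behaviour changes at once.
    """
    counter = Counter(rec["to"] for rec in traces if rec["type"] == "delegatecall")
    return counter.most_common(limit)


def dependency_summary(traces):
    """Bundle the metrics a dependency-risk report would start from."""
    return {
        "contracts_per_tx": contracts_per_tx(traces),
        "multi_contract_share": multi_contract_share(traces),
        "median_contracts_per_tx": median_contracts_per_tx(traces),
        "call_types": dict(call_type_counts(traces)),
        "top_delegatecall_targets": top_delegatecall_targets(traces),
    }


if __name__ == "__main__":
    for key, value in dependency_summary(SAMPLE_TRACES).items():
        print(f"{key}: {value}")
```

On the constructed sample, two of three transactions are multi-contract, the median is 3 contracts, and `0xImpl1` is the most delegated-to contract. Against real trace data the same functions would be run per year to reproduce the distributions in Figures 2, 3 and 5; the delegatecall ranking is the one to watch, because each entry is a contract whose replacement silently changes every dependent.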

Paper Structure

This paper contains 19 sections, 7 figures, 1 table.

Figures (7)

  • Figure 1: RQ1: Number of created, destructed, and alive smart contracts (cumulative) per year on Ethereum mainnet. As of Dec 31 2024, Ethereum has 41M alive contracts.
  • Figure 2: RQ1: Distribution of contracts called per transaction per year on Ethereum mainnet (up to 2024). More than half of the transactions involve at least 4 contracts.
  • Figure 3: RQ1: Evolution and distribution of each type of call (up to December 31 2024). The significant increase in delegate calls indicates ever more usage of the risky proxy pattern.
  • Figure 4: RQ2: Top 100 deployers of contracts (alive in 2024) and their cumulative proportion. Eleven deployers are responsible for 50% of all contracts.
  • Figure 5: RQ3: Top callee contracts by call type on the Ethereum mainnet in 2024. Risk due to delegate calls should be carefully considered.
  • ...and 2 more figures