ChainSecurity, a developer of secure blockchain protocols today announced the release of its latest automated security scanner for Ethereum smart contracts. The system is publicly available at https://securify.ch with the goal to raise the level of security in the Ethereum ecosystem.
This also marks the official release of Securify, the popular automated verifier for Ethereum smart contracts, used on a daily basis by security experts to audit smart contracts. It has so far scanned over 4,800 contracts and discovered over 59,000 security issues.
The research behind the scanner
The main technical challenge in building an effective security scanner for smart contracts is finding a way to explore all behaviors of the contract, which can even exceed the number of atoms in the universe. Recent research from the ICE Center, ETH Zurich, addresses this challenge via a new abstraction, tailored specifically to the domain of smart contracts, enabling us to scan all behaviors for vulnerabilities in few minutes. ChainSecurity, a startup founded by researchers from the ICE center, have turned this new result into an easy-to-use security scanner. Full technical details behind the new research are available in this report.
How does it compare to existing solutions?
Unlike existing security checkers, which inspect only a subset of all behaviors and can miss critical security vulnerabilities, Securify considers all behaviors. Indeed, a study on open-source Ethereum contracts reveals that existing solutions can miss up to two-thirds of vulnerabilities due to insufficient coverage (see experiments and data here). Finally, Securify offers the following advantages:
- Guarantees: it is able to prove the safety of the contract for specific properties;
- Scalability: it is scalable enough to handle any Ethereum project;
- Coverage: it scans for 18 critical vulnerabilities, making it the most comprehensive security analyzer for Ethereum;
- Improved usability: supports scanning of git repositories.
Security report produced by Securify
How to use it?
There are three ways: (i) paste the source code in code editor, (ii) point to a git repository that stores all contracts (see Fig. 1), or (iii) upload a ZIP file with the contracts. The “SCAN NOW” button will scan all contracts for security issues and show a security report.
When the smart contracts have been fully scanned, the system produces a comprehensive report that lists all identified security issues (see Fig. 2) and highlights the vulnerable statements in the code editor (see Fig. 3), to guide developers how to fix their contract. The security scanner also provides additional information about each vulnerability which can help developers fix the issues.
Impact
Securify aims to eliminate all generic security issues that appear in Ethereum smart contracts. The scanner has already discovered critical security issues in newly proposed token standards (such as a reentrancy issue in the ERC827 standard) and Solidity libraries (such as the Feeless library). Further, it successfully detects critical vulnerabilities that have resulted in more than $300M losses in the past two years. Examples include the infamous DAO vulnerability and the two critical security issues discovered in the popular Parity wallet (read this article for more details).
Release summary
- Securify is available as a free service at https://securify.ch
- Research available at https://arxiv.org/pdf/1806.01143.pdf
- The new scanner inspects all possible behaviors of the contract and often discovers up to 3x more security issues compared to existing security tools, which only check part of the contract. This offers stronger guarantees than existing widely-used solutions such as Oyente and Mythril.
