Security Analysis Tools for Solidity Smart Contracts: A Comparison Based on Real-World Exploits.

A blockchain is essentially a digital ledger of transactions that is duplicated and distributed across the entire network of computer systems on the blockchain. Blockchains can implement cryptocurrency systems, because of their ability to maintain a secure and decentralized record of transactions. This technology guarantees fidelity and security of a record of data and generates trust without the need for a trusted third party. Ethereum is a blockchain considered a "smart contract platform" because it was one of the first blockchains allowing their development. Smart contracts are programs which are self-verifying programs running on top of the blockchain. Those are public, distributed and immutable, consequently, developers cannot design security by layers, such as a Firewall or a virtual private network. For these reason, the detection of any potential weaknesses before the deployment turns into a challenge. The regulation of this field is not strict, therefor, malicious users have tried to compute several attacks. To guarantee security, numerous tools have been created, and a large amount of data about vulnerabilities and detection techniques is continually being produced. This thesis is addressed to deepen the field of security in smart contract programming, written in Solidity: the most used and maintained programming language in this field. This work presents a collection of attacks and a collection of tools, selected after a literature research phase. The vulnerable code of smart contracts is explained. The tools are described based on their documentation and experience during the installation on running during this thesis. The analysis have as targets smart contracts involved in real-world exploits that have occurred during the last two years (since 2020). An outcome of the thesis is a comparison of tools based on real-world exploits. The comparison involves parameters such as the time of the installation requirements, the time of execution, the configuration of settings and the amount of discovered vulnerabilities. Furthermore, the tools are grouped based on their different characteristics, their typology, and even on their running mode.