Análise das Ferramentas de Detecção de Vulnerabilidades para Contratos Inteligentes de Blockchains EVM
Resumo
Os contratos inteligentes introduziram desafios de segurança devido à sua liberdade para criar operações financeiras programáveis e devido à natureza imutável das redes blockchain. Para mitigar estes riscos, várias ferramentas de verificação automática de vulnerabilidades foram desenvolvidas. Contudo, a efetividade destas ferramentas varia significativamente e a capacidade de detecção de vulnerabilidades em contratos inteligentes continua sendo uma área crítica de pesquisa. Neste trabalho, nós apresentamos um estudo comparativo das principais ferramentas de código-aberto da literatura. Por meio de um benchmark previamente auditado, avaliamos o desempenho destas ferramentas em relação às vulnerabilidades OWASP para contratos inteligentes em 2025. Nossos resultados mostram que as ferramentas possuem alta variabilidade em detectar as vulnerabilidades, abrindo oportunidades para pesquisas futuras.
Palavras-chave:
Contratos Inteligentes, Solidity, Vulnerabilidades, Segurança, Ethereum, Blockchain
Referências
Almakhour, M., Sliman, L., Samhat, A. E., and Mellouk, A. (2020). Verification of smart contracts: A survey. Pervasive and Mobile Computing, 67, 101227.
Ben Fekih, R., Lahami, M., Bradai, S., and Jmaiel, M. (2025). Formal verification of ERC-based smart contracts: A systematic literature review. IEEE Access, 13, 11396–11422.
Brent, L., Jurisevic, A., Kong, M., Liu, E., Gauthier, F., Gramoli, V., Holz, R., and Scholz, B. (2018). Vandal: A scalable security analysis framework for smart contracts. arXiv preprint arXiv:1809.03981.
Buterin, V. et al. (2013). Ethereum white paper. GitHub repository, 1(22-23), 5–7.
Campos, J. N., Mendonça, R. D., Fontinele, A., de Carvalho, L. H. S., Oliveira, I. R., Cardoso, Í. W. F., Coelho, R., Freitas, A. E. S., Gonçalves, G. D., Nacif, J. A. M., and Vieira, A. B. (2024). Finanças descentralizadas em redes blockchain: Perspectivas sobre pesquisa e inovação em aplicações, interoperabilidade e segurança. In Jornada de Atualização em Informática 2024, volume 44 of Congresso da Sociedade Brasileira de Computação, 7–56. SBC, Porto Alegre, 43rd edition.
ConsenSys (2018). Mythril. [link]. Acessado em: 2025.
Di Angelo, M. and Salzer, G. (2023). Consolidation of ground truth sets for weakness detection in smart contracts. In International Conference on Financial Cryptography and Data Security, 439–455. Springer.
Durieux, T., Ferreira, J. F., Abreu, R., and Cruz, P. (2020). Empirical review of automated analysis tools on 47,587 Ethereum smart contracts. In Proceedings of the ACM/IEEE 42nd International Conference on Software Engineering, 530–541.
Egelund-Muller, B., Elsman, M., Henglein, F., and Ross, O. (2017). Automated execution of financial contracts on blockchains. Business & Information Systems Engineering, 59, 457–467.
Feist, J., Grieco, G., and Groce, A. (2019). Slither: A static analysis framework for smart contracts. In 2019 IEEE/ACM 2nd International Workshop on Emerging Trends in Software Engineering for Blockchain (WETSEB), 8–15. IEEE.
Harvey, C. R., Ramachandran, A., and Santoro, J. (2021). DeFi and the Future of Finance. John Wiley & Sons.
Jiang, B., Liu, Y., and Chan, W. K. (2018). Contractfuzzer: Fuzzing smart contracts for vulnerability detection. In Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering, 259–269.
Khan, Z. A. and Namin, A. S. (2024). A survey of vulnerability detection techniques by smart contract tools. IEEE Access.
Kushwaha, S. S., Joshi, S., Singh, D., Kaur, M., and Lee, H.-N. (2022a). Ethereum smart contract analysis tools: A systematic review. IEEE Access, 10, 57037–57062.
Kushwaha, S. S., Joshi, S., Singh, D., Kaur, M., and Lee, H.-N. (2022b). Systematic review of security vulnerabilities in Ethereum blockchain smart contracts. IEEE Access, 10, 6605–6621.
Li, H., Dang, R., Yao, Y., and Wang, H. (2023). A review of approaches for detecting vulnerabilities in smart contracts within Web 3.0 applications. Blockchains, 1(1), 3–18.
Luu, L., Chu, D.-H., Olickel, H., Saxena, P., and Hobor, A. (2016). Making smart contracts smarter. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, 254–269.
Mendonça, R. D., Campos, J. N., Vieira, L. F. M., Vieira, M. A. M., Vieira, A. B., and Nacif, J. A. M. (2022). Tokens não fungíveis (NFTs): Conceitos, aplicações e desafios. In Minicursos do XL Simpósio Brasileiro de Redes de Computadores e Sistemas Distribuídos, 52–94, Porto Alegre, RS, Brasil. SBC.
Mense, A. and Flatscher, M. (2018). Security vulnerabilities in Ethereum smart contracts. In Proceedings of the 20th International Conference on Information Integration and Web-based Applications & Services, 375–380.
Nethermind (2025). Smart contract vulnerabilities and mitigation strategies.
OWASP (2025a). Open Web Application Security Project (OWASP).
OWASP (2025b). OWASP Smart Contract Top 10 Project.
Parizi, R. M., Dehghantanha, A., Choo, K.-K. R., and Singh, A. (2018). Empirical vulnerability analysis of automated smart contracts security testing on blockchains. arXiv preprint arXiv:1809.02702.
Praitheeshan, P., Pan, L., Yu, J., Liu, J., and Doss, R. (2019). Security analysis methods on Ethereum smart contract vulnerabilities: A survey. arXiv preprint arXiv:1908.08605.
Qian, P., Liu, Z., He, Q., Huang, B., Tian, D., and Wang, X. (2022). Smart contract vulnerability detection technique: A survey. arXiv preprint arXiv:2209.05872.
Rameder, H., Di Angelo, M., and Salzer, G. (2022). Review of automated vulnerability analysis of smart contracts on Ethereum. Frontiers in Blockchain, 5, 814977.
Ressi, D., Spano, A., Benetollo, L., Piazza, C., Bugliesi, M., and Rossi, S. (2024). Vulnerability detection in Ethereum smart contracts via machine learning: A qualitative analysis. arXiv preprint arXiv:2407.18639.
Sharma, N. and Sharma, S. (2022). A survey of Mythril, a smart contract security analysis tool for EVM bytecode. Indian Journal of Natural Sciences, 13(75), 39–41.
Torres, C. F., Iannillo, A. K., Gervais, A., and State, R. (2021). Confuzzius: A data dependency-aware hybrid fuzzer for smart contracts. In 2021 IEEE European Symposium on Security and Privacy (EuroS&P), 103–119.
Wohrer, M. and Zdun, U. (2018). Smart contracts: Security patterns in the Ethereum ecosystem and Solidity. In 2018 International Workshop on Blockchain Oriented Software Engineering (IWBOSE), 2–8. IEEE.
Wood, G. (2014). Ethereum: A secure decentralised generalised transaction ledger. Ethereum Project Yellow Paper, 151, 1–32.
Zhou, H., Milani Fard, A., and Makanju, A. (2022). The state of Ethereum smart contracts security: Vulnerabilities, countermeasures, and tool support. Journal of Cybersecurity and Privacy, 2(2), 358–378.
Ben Fekih, R., Lahami, M., Bradai, S., and Jmaiel, M. (2025). Formal verification of ERC-based smart contracts: A systematic literature review. IEEE Access, 13, 11396–11422.
Brent, L., Jurisevic, A., Kong, M., Liu, E., Gauthier, F., Gramoli, V., Holz, R., and Scholz, B. (2018). Vandal: A scalable security analysis framework for smart contracts. arXiv preprint arXiv:1809.03981.
Buterin, V. et al. (2013). Ethereum white paper. GitHub repository, 1(22-23), 5–7.
Campos, J. N., Mendonça, R. D., Fontinele, A., de Carvalho, L. H. S., Oliveira, I. R., Cardoso, Í. W. F., Coelho, R., Freitas, A. E. S., Gonçalves, G. D., Nacif, J. A. M., and Vieira, A. B. (2024). Finanças descentralizadas em redes blockchain: Perspectivas sobre pesquisa e inovação em aplicações, interoperabilidade e segurança. In Jornada de Atualização em Informática 2024, volume 44 of Congresso da Sociedade Brasileira de Computação, 7–56. SBC, Porto Alegre, 43rd edition.
ConsenSys (2018). Mythril. [link]. Acessado em: 2025.
Di Angelo, M. and Salzer, G. (2023). Consolidation of ground truth sets for weakness detection in smart contracts. In International Conference on Financial Cryptography and Data Security, 439–455. Springer.
Durieux, T., Ferreira, J. F., Abreu, R., and Cruz, P. (2020). Empirical review of automated analysis tools on 47,587 Ethereum smart contracts. In Proceedings of the ACM/IEEE 42nd International Conference on Software Engineering, 530–541.
Egelund-Muller, B., Elsman, M., Henglein, F., and Ross, O. (2017). Automated execution of financial contracts on blockchains. Business & Information Systems Engineering, 59, 457–467.
Feist, J., Grieco, G., and Groce, A. (2019). Slither: A static analysis framework for smart contracts. In 2019 IEEE/ACM 2nd International Workshop on Emerging Trends in Software Engineering for Blockchain (WETSEB), 8–15. IEEE.
Harvey, C. R., Ramachandran, A., and Santoro, J. (2021). DeFi and the Future of Finance. John Wiley & Sons.
Jiang, B., Liu, Y., and Chan, W. K. (2018). Contractfuzzer: Fuzzing smart contracts for vulnerability detection. In Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering, 259–269.
Khan, Z. A. and Namin, A. S. (2024). A survey of vulnerability detection techniques by smart contract tools. IEEE Access.
Kushwaha, S. S., Joshi, S., Singh, D., Kaur, M., and Lee, H.-N. (2022a). Ethereum smart contract analysis tools: A systematic review. IEEE Access, 10, 57037–57062.
Kushwaha, S. S., Joshi, S., Singh, D., Kaur, M., and Lee, H.-N. (2022b). Systematic review of security vulnerabilities in Ethereum blockchain smart contracts. IEEE Access, 10, 6605–6621.
Li, H., Dang, R., Yao, Y., and Wang, H. (2023). A review of approaches for detecting vulnerabilities in smart contracts within Web 3.0 applications. Blockchains, 1(1), 3–18.
Luu, L., Chu, D.-H., Olickel, H., Saxena, P., and Hobor, A. (2016). Making smart contracts smarter. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, 254–269.
Mendonça, R. D., Campos, J. N., Vieira, L. F. M., Vieira, M. A. M., Vieira, A. B., and Nacif, J. A. M. (2022). Tokens não fungíveis (NFTs): Conceitos, aplicações e desafios. In Minicursos do XL Simpósio Brasileiro de Redes de Computadores e Sistemas Distribuídos, 52–94, Porto Alegre, RS, Brasil. SBC.
Mense, A. and Flatscher, M. (2018). Security vulnerabilities in Ethereum smart contracts. In Proceedings of the 20th International Conference on Information Integration and Web-based Applications & Services, 375–380.
Nethermind (2025). Smart contract vulnerabilities and mitigation strategies.
OWASP (2025a). Open Web Application Security Project (OWASP).
OWASP (2025b). OWASP Smart Contract Top 10 Project.
Parizi, R. M., Dehghantanha, A., Choo, K.-K. R., and Singh, A. (2018). Empirical vulnerability analysis of automated smart contracts security testing on blockchains. arXiv preprint arXiv:1809.02702.
Praitheeshan, P., Pan, L., Yu, J., Liu, J., and Doss, R. (2019). Security analysis methods on Ethereum smart contract vulnerabilities: A survey. arXiv preprint arXiv:1908.08605.
Qian, P., Liu, Z., He, Q., Huang, B., Tian, D., and Wang, X. (2022). Smart contract vulnerability detection technique: A survey. arXiv preprint arXiv:2209.05872.
Rameder, H., Di Angelo, M., and Salzer, G. (2022). Review of automated vulnerability analysis of smart contracts on Ethereum. Frontiers in Blockchain, 5, 814977.
Ressi, D., Spano, A., Benetollo, L., Piazza, C., Bugliesi, M., and Rossi, S. (2024). Vulnerability detection in Ethereum smart contracts via machine learning: A qualitative analysis. arXiv preprint arXiv:2407.18639.
Sharma, N. and Sharma, S. (2022). A survey of Mythril, a smart contract security analysis tool for EVM bytecode. Indian Journal of Natural Sciences, 13(75), 39–41.
Torres, C. F., Iannillo, A. K., Gervais, A., and State, R. (2021). Confuzzius: A data dependency-aware hybrid fuzzer for smart contracts. In 2021 IEEE European Symposium on Security and Privacy (EuroS&P), 103–119.
Wohrer, M. and Zdun, U. (2018). Smart contracts: Security patterns in the Ethereum ecosystem and Solidity. In 2018 International Workshop on Blockchain Oriented Software Engineering (IWBOSE), 2–8. IEEE.
Wood, G. (2014). Ethereum: A secure decentralised generalised transaction ledger. Ethereum Project Yellow Paper, 151, 1–32.
Zhou, H., Milani Fard, A., and Makanju, A. (2022). The state of Ethereum smart contracts security: Vulnerabilities, countermeasures, and tool support. Journal of Cybersecurity and Privacy, 2(2), 358–378.
Publicado
19/05/2025
Como Citar
CAMPOS, Josué N. et al.
Análise das Ferramentas de Detecção de Vulnerabilidades para Contratos Inteligentes de Blockchains EVM. In: WORKSHOP EM BLOCKCHAIN: TEORIA, TECNOLOGIAS E APLICAÇÕES (WBLOCKCHAIN), 8. , 2025, Natal/RN.
Anais [...].
Porto Alegre: Sociedade Brasileira de Computação,
2025
.
p. 126-139.
DOI: https://doi.org/10.5753/wblockchain.2025.8897.
