skip to main content

A study of inline assembly in solidity smart contracts

Published:31 October 2022Publication History
Skip Abstract Section

Abstract

The Solidity programming language is the most widely used language for smart contract development. Improving smart contracts’ correctness, security, and performance has been the driving force for research in vulnerability detection, program analysis, and compiler techniques for Solidity. Similar to system-level languages such as C, Solidity enables the embedding of low-level code in programs, in the form of inline assembly code. Developers use inline assembly for low-level optimizations, extending the Solidity language through libraries, and using blockchain-specific opcodes only available through inline assembly. Nevertheless, inline assembly fragments are not well understood by an average developer and can introduce security threats as well as affect the optimizations that can be applied to programs by the compiler; it also significantly limits the effectiveness of source code static analyzers that operate on the Solidity level. A better understanding of how inline assembly is used in practice could in turn increase the performance, security, and support for inline assembly in Solidity. This paper presents a large-scale quantitative study of the use of inline assembly in 6.8M smart contracts deployed on the Ethereum blockchain. We find that 23% of the analyzed smart contracts contain inline assembly code, and that the use of inline assembly has become more widespread over time. We further performed a manual qualitative analysis for identifying usage patterns of inline assembly in Solidity smart contracts. Our findings are intended to help practitioners understand when they should use inline assembly and guide developers of Solidity tools in prioritizing which parts of inline assembly to implement first. Finally, the insights of this study could be used to enhance the Solidity language, improve the Solidity compiler, and to open up new research directions by driving future researchers to build appropriate methods and techniques for replacing inline assembly in Solidity programs when there is no real necessity to use it.

References

  1. Amogh Akshintala, Bhushan Jain, Chia-Che Tsai, Michael Ferdman, and Donald E. Porter. 2019. X86-64 Instruction Usage among C/C++ Applications. In Proceedings of the 12th ACM International Conference on Systems and Storage (SYSTOR ’19). Association for Computing Machinery, New York, NY, USA. 68–79. isbn:9781450367493 https://doi.org/10.1145/3319647.3325833 Google ScholarGoogle ScholarDigital LibraryDigital Library
  2. Massimo Bartoletti and Livio Pompianu. 2017. An empirical analysis of smart contracts: platforms, applications, and design patterns. In International conference on financial cryptography and data security. 494–509. https://doi.org/10.1007/978-3-319-70278-0_31 Google ScholarGoogle ScholarCross RefCross Ref
  3. Lexi Brent, Neville Grech, Sifis Lagouvardos, Bernhard Scholz, and Yannis Smaragdakis. 2020. Ethainter: A smart contract security analyzer for composite vulnerabilities. In Proceedings of the 41st ACM SIGPLAN Conference on Programming Language Design and Implementation. 454–469. https://doi.org/10.1145/3385412.3385990 Google ScholarGoogle ScholarDigital LibraryDigital Library
  4. Lexi Brent, Anton Jurisevic, Michael Kong, Eric Liu, François Gauthier, Vincent Gramoli, Ralph Holz, and Bernhard Scholz. 2018. Vandal: A Scalable Security Analysis Framework for Smart Contracts. ArXiv, abs/1809.03981 (2018). Google ScholarGoogle Scholar
  5. Stefanos Chaliasos, Arthur Gervais, and Benjamin Livshits. 2022. Artifact: A Study of Inline Assembly in Solidity Smart Contracts. https://doi.org/10.5281/zenodo.7071281 Google ScholarGoogle ScholarDigital LibraryDigital Library
  6. Stefanos Chaliasos, Thodoris Sotiropoulos, Georgios-Petros Drosos, Charalambos Mitropoulos, Dimitris Mitropoulos, and Diomidis Spinellis. 2021. Well-Typed Programs Can Go Wrong: A Study of Typing-Related Bugs in JVM Compilers. Proc. ACM Program. Lang., 5, OOPSLA (2021), Article 123, oct, 30 pages. https://doi.org/10.1145/3485500 Google ScholarGoogle ScholarDigital LibraryDigital Library
  7. Shyam R Chidamber and Chris F Kemerer. 1994. A metrics suite for object oriented design. IEEE Transactions on software engineering, 20, 6 (1994), 476–493. Google ScholarGoogle ScholarDigital LibraryDigital Library
  8. Nassim Corteggiani, Giovanni Camurati, and Aurélien Francillon. 2018. Inception: System-Wide Security Testing of Real-World Embedded Systems Software. In Proceedings of the 27th USENIX Conference on Security Symposium (SEC’18). USENIX Association, USA. 309–326. isbn:9781931971461 Google ScholarGoogle Scholar
  9. Thomas Durieux, João F Ferreira, Rui Abreu, and Pedro Cruz. 2020. Empirical review of automated analysis tools on 47,587 ethereum smart contracts. In Proceedings of the ACM/IEEE 42nd International conference on software engineering. 530–541. https://doi.org/10.1145/3377811.3380364 Google ScholarGoogle ScholarDigital LibraryDigital Library
  10. Josselin Feist, Gustavo Grieco, and Alex Groce. 2019. Slither: a static analysis framework for smart contracts. In 2019 IEEE/ACM 2nd International Workshop on Emerging Trends in Software Engineering for Blockchain (WETSEB). 8–15. https://doi.org/10.1109/WETSEB.2019.00008 Google ScholarGoogle ScholarDigital LibraryDigital Library
  11. Robert Feldt and Ana Magazinius. 2010. Validity threats in empirical software engineering research-an initial survey.. In Seke. 374–379. Google ScholarGoogle Scholar
  12. Aviral Goel, Pierre Donat-Bouillud, Filip Křikava, Christoph M. Kirsch, and Jan Vitek. 2021. What We Eval in the Shadows: A Large-Scale Study of Eval in R Programs. Proc. ACM Program. Lang., 5, OOPSLA (2021), Article 125, oct, 23 pages. https://doi.org/10.1145/3485502 Google ScholarGoogle ScholarDigital LibraryDigital Library
  13. Neville Grech, Michael Kong, Anton Jurisevic, Lexi Brent, Bernhard Scholz, and Yannis Smaragdakis. 2018. Madmax: Surviving out-of-gas conditions in ethereum smart contracts. Proceedings of the ACM on Programming Languages, 2, OOPSLA (2018), 1–27. https://doi.org/10.1145/3276486 Google ScholarGoogle ScholarDigital LibraryDigital Library
  14. Péter Hegedűs. 2019. Towards analyzing the complexity landscape of solidity based ethereum smart contracts. Technologies, 7, 1 (2019), 6. Google ScholarGoogle ScholarCross RefCross Ref
  15. Simon Holm Jensen, Peter A. Jonsson, and Anders Møller. 2012. Remedying the Eval That Men Do. In Proceedings of the 2012 International Symposium on Software Testing and Analysis (ISSTA 2012). Association for Computing Machinery, New York, NY, USA. 34–44. isbn:9781450314541 https://doi.org/10.1145/2338965.2336758 Google ScholarGoogle ScholarDigital LibraryDigital Library
  16. Stephen Kell, Dominic P. Mulligan, and Peter Sewell. 2016. The Missing Link: Explaining ELF Static Linking, Semantically. In Proceedings of the 2016 ACM SIGPLAN International Conference on Object-Oriented Programming, Systems, Languages, and Applications (OOPSLA 2016). Association for Computing Machinery, New York, NY, USA. 607–623. isbn:9781450344449 https://doi.org/10.1145/2983990.2983996 Google ScholarGoogle ScholarDigital LibraryDigital Library
  17. Benjamin Mariano, Yanju Chen, Yu Feng, Shuvendu K Lahiri, and Isil Dillig. 2020. Demystifying loops in smart contracts. In 2020 35th IEEE/ACM International Conference on Automated Software Engineering (ASE). 262–274. https://doi.org/10.1145/3324884.3416626 Google ScholarGoogle ScholarDigital LibraryDigital Library
  18. Fadi Meawad, Gregor Richards, Floréal Morandat, and Jan Vitek. 2012. Eval Begone! Semi-Automated Removal of Eval from Javascript Programs. In Proceedings of the ACM International Conference on Object Oriented Programming Systems Languages and Applications (OOPSLA ’12). Association for Computing Machinery, New York, NY, USA. 607–620. isbn:9781450315616 https://doi.org/10.1145/2384616.2384660 Google ScholarGoogle ScholarDigital LibraryDigital Library
  19. Satoshi Nakamoto. 2008. Bitcoin: A peer-to-peer electronic cash system. https://bitcoin.org/bitcoin.pdf Google ScholarGoogle Scholar
  20. Terence J. Parr and Russell W. Quong. 1995. ANTLR: A predicated-LL (k) parser generator. Software: Practice and Experience, 25, 7 (1995), 789–810. Google ScholarGoogle ScholarDigital LibraryDigital Library
  21. Andrea Pinna, Simona Ibba, Gavina Baralla, Roberto Tonelli, and Michele Marchesi. 2019. A massive analysis of ethereum smart contracts empirical study and code metrics. IEEE Access, 7 (2019), 78194–78213. https://doi.org/10.1109/ACCESS.2019.2921936 Google ScholarGoogle ScholarCross RefCross Ref
  22. Frédéric Recoules, Sébastien Bardin, Richard Bonichon, Matthieu Lemerre, Laurent Mounier, and Marie-Laure Potet. 2021. Interface Compliance of Inline Assembly: Automatically Check, Patch and Refine. IEEE Press, 1236–1247. isbn:9781450390859 https://doi.org/10.1109/ICSE43902.2021.00113 Google ScholarGoogle ScholarDigital LibraryDigital Library
  23. Frédéric Recoules, Sébastien Bardin, Richard Bonichon, Laurent Mounier, and Marie-Laure Potet. 2019. Get Rid of Inline Assembly through Verification-Oriented Lifting. In Proceedings of the 34th IEEE/ACM International Conference on Automated Software Engineering (ASE ’19). IEEE Press, 577–589. isbn:9781728125084 https://doi.org/10.1109/ASE.2019.00060 Google ScholarGoogle ScholarDigital LibraryDigital Library
  24. Gregor Richards, Christian Hammer, Brian Burg, and Jan Vitek. 2011. The Eval That Men Do: A Large-Scale Study of the Use of Eval in Javascript Applications. In Proceedings of the 25th European Conference on Object-Oriented Programming (ECOOP’11). Springer-Verlag, Berlin, Heidelberg. 52–78. isbn:9783642226540 https://doi.org/10.5555/2032497.2032503 Google ScholarGoogle ScholarDigital LibraryDigital Library
  25. Gregor Richards, Sylvain Lebresne, Brian Burg, and Jan Vitek. 2010. An Analysis of the Dynamic Behavior of JavaScript Programs. In Proceedings of the 31st ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI ’10). Association for Computing Machinery, New York, NY, USA. 1–12. isbn:9781450300193 https://doi.org/10.1145/1806596.1806598 Google ScholarGoogle ScholarDigital LibraryDigital Library
  26. Manuel Rigger, Stefan Marr, Bram Adams, and Hanspeter Mössenböck. 2019. Understanding GCC Builtins to Develop Better Tools. In Proceedings of the 2019 27th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC/FSE 2019). Association for Computing Machinery, New York, NY, USA. 74–85. isbn:9781450355728 https://doi.org/10.1145/3338906.3338907 Google ScholarGoogle ScholarDigital LibraryDigital Library
  27. Manuel Rigger, Stefan Marr, Stephen Kell, David Leopoldseder, and Hanspeter Mössenböck. 2018. An Analysis of X86-64 Inline Assembly in C Programs. In Proceedings of the 14th ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments (VEE ’18). Association for Computing Machinery, New York, NY, USA. 84–99. isbn:9781450355797 https://doi.org/10.1145/3186411.3186418 Google ScholarGoogle ScholarDigital LibraryDigital Library
  28. Solidity. 2022. Solidity Inline Assembly Documentation. https://docs.soliditylang.org/en/latest/assembly.html Google ScholarGoogle Scholar
  29. Nick Szabo. 1997. Formalizing and securing relationships on public networks. First monday. Google ScholarGoogle Scholar
  30. Sergei Tikhomirov, Ekaterina Voskresenskaya, Ivan Ivanitskiy, Ramil Takhaviev, Evgeny Marchenko, and Yaroslav Alexandrov. 2018. Smartcheck: Static analysis of ethereum smart contracts. In Proceedings of the 1st International Workshop on Emerging Trends in Software Engineering for Blockchain. 9–16. https://doi.org/10.1145/3194113.3194115 Google ScholarGoogle ScholarDigital LibraryDigital Library
  31. Roberto Tonelli, Giuseppe Destefanis, Michele Marchesi, and Marco Ortu. 2018. Smart contracts software metrics: a first study. arXiv preprint arXiv:1802.01517, https://doi.org/10.13140/RG.2.2.25506.12483 Google ScholarGoogle ScholarCross RefCross Ref
  32. Petar Tsankov, Andrei Dan, Dana Drachsler-Cohen, Arthur Gervais, Florian Buenzli, and Martin Vechev. 2018. Securify: Practical security analysis of smart contracts. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. 67–82. https://doi.org/10.1145/3243734.3243780 Google ScholarGoogle ScholarDigital LibraryDigital Library
  33. Gavin Wood. 2022. Ethereum: A secure decentralised generalised transaction ledger. Google ScholarGoogle Scholar
  34. Weiqin Zou, David Lo, Pavneet Singh Kochhar, Xuan-Bach Dinh Le, Xin Xia, Yang Feng, Zhenyu Chen, and Baowen Xu. 2019. Smart contract development: Challenges and opportunities. IEEE Transactions on Software Engineering, 47, 10 (2019), 2084–2106. https://doi.org/10.1109/TSE.2019.2942301 Google ScholarGoogle ScholarCross RefCross Ref

Index Terms

  1. A study of inline assembly in solidity smart contracts

        Recommendations

        Comments

        Login options

        Check if you have access through your login credentials or your institution to get full access on this article.

        Sign in

        Full Access

        • Article Metrics

          • Downloads (Last 12 months)403
          • Downloads (Last 6 weeks)51

          Other Metrics

        PDF Format

        View or Download as a PDF file.

        PDF

        eReader

        View online with eReader.

        eReader
        About Cookies On This Site

        We use cookies to ensure that we give you the best experience on our website.

        Learn more

        Got it!