Smart Contract Vulnerabilities: Vulnerable Does Not Imply Exploited
This work addresses the gap between vulnerability detection and actual exploitation in smart contracts, providing critical insights for blockchain security practitioners and researchers.
The paper investigates how many vulnerable smart contracts on Ethereum have actually been exploited, finding that only 1.98% of 23,327 vulnerable contracts were exploited, corresponding to at most 0.27% of the total funds at stake.
In recent years, we have seen a great deal of both academic and practical interest in the topic of vulnerabilities in smart contracts, particularly those developed for the Ethereum blockchain. While most of the work has focused on detecting *vulnerable* contracts, in this paper, we focus on finding how many of these vulnerable contracts have actually been *exploited*. We survey the 23,327 vulnerable contracts reported by six recent academic projects and find that, despite the amounts at stake, only 1.98% of them have been exploited since deployment. This corresponds to at most 8,487 ETH (~1.7 million USD), or only 0.27% of the 3 million ETH (600 million USD) at stake. We explain these results by demonstrating that the funds are very concentrated in a small number of contracts which are *not exploitable* in practice.