Smart Contract Analyzer to Debut at Ethereum Conference

Researchers will soon open source a tool designed to evaluate ethereum smart contract code.

Sep 7, 2016 at 3:05 p.m. UTC
Updated Sep 11, 2021 at 12:28 p.m. UTC

Researchers from National University of Singapore will soon release a tool that will help ethereum users determine whether the smart contracts they've coded are valid or not.

Developed in the wake of the massive hack of the first large-scale smart contract – The DAO – in June, the researchers described the tool as an attempt to curb future problems that could lead consumer funds to be lost. Called Oyente, the program has been reportedly used to successfully pinpoint bugs in thousands of smart contracts, including the one that led to the failure of The DAO.

National University of Singapore PhD student Loi Luu explained that the team first began its work by analyzing smart contracts for security bugs.

Luu told CoinDesk:

"After finding all these problems, we wanted to measure how many smart contracts have these problems."

Oyente, he said, represents a refinement and optimization of this process, one that analyzes security problems in which adversaries could manipulate smart contracts for gains.

Luu's team now plans to release the code for the smart contract analyzer before Devcon2, the ethereum development conference set to be held later this month in Shanghai.

The open-source analyzer is among the many new ideas to enhance smart contract security on the public ethereum blockchain, but innovation has also been forced to other blockchains.

For example, the failure of The DAO can be seen as encouraging a new emphasis on innovation at the smart contracting language level due to criticisms with Solidity, ethereum's specially designed smart contract programming language.

Automating bug detection

Before release, the team is working with ethereum developers and to clean up the Oyente code and write documentation for developers that will illustrate its benefits.

There are four key problems that the tool can detect, including the "reentrancy" bug, or the type of bug that led to The DAO collapse.

To analyze a smart contract, a user feeds it into the Oyente program, which will then notify them if it has vulnerabilities that malicious actors can potentially exploit.

Oyente aims to go through every possible path of the program to check for these bugs, Luu explained:

"If there are two possible execution paths, it will go through each of them and check whether the reentrancy bug happens in that path, and then flag whether the smart contract is vulnerable or not."

Specifically, Oyente looks at the smart contract "bytecode" or the code that's ultimately stored on the blockchain.

Before use, high-level ethereum programming languages like Solidity or Serpent are converted into bytecode so that the ethereum network can understand and execute them.

For more details on the project, read the full white paper.

Update: The headline has been updated to better reflect the performance of the Oyente tool.

Stethescope image via Shutterstock


The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups. As part of their compensation, certain CoinDesk employees, including editorial employees, may receive exposure to DCG equity in the form of stock appreciation rights, which vest over a multi-year period. CoinDesk journalists are not allowed to purchase stock outright in DCG.