Full version of Securify, a state-of-the-art security scanner for Ethereum, available now

Petar Tsankov
Published in ChainSecurity
4 min read · Jul 2, 2018

Today we are happy to release a new automated security scanner for Ethereum smart contracts. The system is publicly available at https://securify.ch with the goal of raising the level of security in the Ethereum ecosystem. It marks the official release of Securify, the popular automated verifier for Ethereum smart contracts, used daily by security experts to audit smart contracts. It has so far scanned over 4,800 contracts and discovered over 59,000 security issues.

The research behind the scanner

The main technical challenge in building an effective security scanner for smart contracts is finding a way to explore all behaviors of the contract, the number of which can exceed the number of atoms in the universe. Recent research from the ICE center, ETH Zurich, addresses this challenge via a new abstraction tailored specifically to the domain of smart contracts, enabling us to scan all behaviors for vulnerabilities in a few minutes. ChainSecurity, a startup founded by researchers from the ICE center, has turned this new result into an easy-to-use security scanner. Full technical details behind the new research are available in this report.

How does it compare to existing solutions?

Unlike existing security checkers, which inspect only a subset of all behaviors and can therefore miss critical security vulnerabilities, Securify considers all behaviors. Indeed, a study on open-source Ethereum contracts reveals that existing solutions can miss up to two-thirds of vulnerabilities due to insufficient coverage (see experiments and data here). In addition, Securify offers the following advantages:

  • Guarantees: it is able to prove the safety of the contract for specific properties;
  • Scalability: it is scalable enough to handle any Ethereum project;
  • Coverage: it scans for 18 critical vulnerabilities, making it the most comprehensive security analyzer for Ethereum;
  • Improved usability: supports scanning of git repositories.

How to use it?

There are three ways: (i) paste the source code into the code editor, (ii) point to a git repository that stores all contracts (see Fig. 1), or (iii) upload a ZIP file with the contracts. The “SCAN NOW” button scans all contracts for security issues and shows a security report.

Fig. 1: To use the new Securify security scanner, users can paste a link to their git repository and the system will scan all smart contracts for security vulnerabilities
Fig. 2: Security report produced by Securify
Fig. 3: Vulnerable lines are highlighted to guide developers in fixing their smart contracts

When the smart contracts have been fully scanned, the system produces a comprehensive report that lists all identified security issues (see Fig. 2) and highlights the vulnerable statements in the code editor (see Fig. 3), guiding developers in fixing their contract. The security scanner also provides additional information about each vulnerability that can help developers fix the issues.

Impact

Securify aims to eliminate all generic security issues that appear in Ethereum smart contracts. The scanner has already discovered critical security issues in newly proposed token standards (such as a reentrancy issue in the ERC827 standard) and Solidity libraries (such as the Feeless library). Further, it successfully detects critical vulnerabilities that have resulted in more than $300M in losses over the past two years. Examples include the infamous DAO vulnerability and the two critical security issues discovered in the popular Parity wallet (read this article for more details).

Get in touch?

Interested in learning more about Securify or the research behind it? Contact us at contact@chainsecurity.com.

Release summary

  • Securify is available as a free service at https://securify.ch
  • Research available at: https://arxiv.org/pdf/1806.01143.pdf
  • The new scanner inspects all possible behaviors of the contract and often discovers up to 3x more security issues compared to existing security tools, which only check part of the contract. This offers stronger guarantees than existing widely-used solutions such as Oyente and Mythril.

About the ICE center at ETH Zurich

ICE is an interdisciplinary, cross-department R&D center at ETH Zurich, Switzerland. The mission of ICE is to conduct practical and impactful research in the areas of AI, blockchain, security, and networks. The ICE center has 10+ researchers (including 2 Professors, 2 Research Scientists, and 7+ PhD and master's students) working on the security and reliability of Ethereum. For more details visit http://ice.ethz.ch.

About ChainSecurity

ChainSecurity is an ICE startup founded by the creators of Securify. The ChainSecurity team keeps a strong focus on practical research in the area of blockchain security and is dedicated to maintaining the security scanner for Ethereum with the goal of improving security in the blockchain space.