Notable Works in Auditing and Security

CTA: SCRF is building a list of key readings in each category area to orient researchers to notable works and previous research. Please comment in this thread with links to seminal research that would form part of an introductory graduate seminar in this category. Please include a 1) a brief summary of what the link is and 2) the rationale for including this particular piece in the SCRF Notable Works reading list. As with every post in SCRF, a discussion is highly encouraged. Please review one another’s suggestions and include your own. Syllabi and curated lists from other sources are also welcome.

  • The Security Reference Architecture for Blockchains: Towards a Standardized Model for Studying Vulnerabilities, Threats, and Defenses. By Ivan Homoliak; Sarad Venugopalan; Daniël Reijsbergen; Qingze Hum; Richard Schumi; Pawel Szalachowski

    • This paper proposes a 4-layer security reference architecture for blockchains and identifies known threats, countermeasures, and dependencies at each layer
    • This paper is relevant because it is one of the first contributing towards the standardization of security threat analysis in the blockchain space
  • A Survey on Ethereum Systems Security: Vulnerabilities, Attacks, and Defenses. By Huashan Chen, Marcus Pendleton, Laurent Njilla, Shouhuai Xu

    • This paper provides a holistic survey of Ethereum security, stratifying vulnerabilities, attacks, and defenses
    • This paper is relevant because it is one of the first to investigate the security issues across different layers of the Ethereum architecture
  • A Survey on the Security of Blockchain Systems. By Xiaoqi Li, Peng Jiang, Ting Chen, Xiapu Luo, Qiaoyan Wen

    • This paper performs a high-level review of blockchain security as a whole.
    • This paper is relevant because it covers attacks in a wide time range (2009 to 2017)
  • 246 Findings From our Smart Contract Audits: An Executive Summary

  • Ethereum Smart Contract Security Best Practices

  • List of Ethereum Smart Contracts Post-Mortems


I’m might be missing some context here. Can you please help me understand what this discussion should be about?

1 Like

this is not a “discussion” post. this is a post to accumulate research in the area for people to contribute to.

1 Like

This article is in Communications of the ACM. It’s discusses issues surrounding responsible vulnerability disclosure and best practices in cryptocurrencies


Thanks @socrates1024 We will take a look and will consider its inclusion. In the meantime, feel free to provide a summary of the paper so others can better familiarize themselves with the work and discuss it further.


I came across with this paper which I think is worth reading:
TEETHER: Gnawing at Ethereum to Automatically Exploit Smart Contracts


@tina1998612 That is awesome, thanks for pointing out this paper. Out of curiosity, do you know how much does the authors’ tool differ from other tools that do symbolic execution (e.g., mythril), and what is its false-positive rate?


I think this might be useful to some researchers as well. It’s slightly out of date but already is one of the most comprehensive lists I’ve seen. Contributions are welcomed though :)

The Blockchain Security Database is an open-source database created by ConsenSys Diligence to act as a repository of security information organized by projects. The database contains a catalog of blockchain projects with details pertaining to their security including audits, bounties, and security contacts.