A collection of smart contracts in source and binary format, labelled with their respective vulnerabilities.
Some of the contracts in this dataset have been derived from smartbugs, which is itself publicly available; those contracts therefore retain their original licences.
This benchmark repo is organized as follows:

Path | Description |
---|---|
invulnerable-bytecode | Contains a collection of popular compiled contracts without known vulnerabilities |
vulnerable-bytecode | Contains a collection of compiled contracts with labelled vulnerabilities |
vulnerable-source | Contains a collection of contract sources with labelled vulnerabilities |
labels.json | Machine-readable labels for all vulnerable contracts |
The files in the directories vulnerable-bytecode / vulnerable-source are named according to the DASP taxonomy. Each class of vulnerability may include:
- Brief description of the vulnerability
- Attack scenarios to exploit the vulnerability
- Methods of mitigation
- Examples of real world exploitation

Vulnerability | Description | Level |
---|---|---|
Reentrancy | Reentrant function calls cause a contract to behave in an unexpected way | Solidity |
Access Control | Failure to use function modifiers, or use of tx.origin for authorization | Solidity |
Arithmetic | Integer over/underflows | Solidity |
Unchecked Low Level Calls | call(), callcode(), delegatecall() or send() fails and the return value is not checked | Solidity |
Denial Of Service | The contract is overwhelmed with time-consuming computations | Solidity |
Bad Randomness | A malicious miner biases the outcome | Blockchain |
Front Running | Two dependent transactions that invoke the same contract are included in one block | Blockchain |
Time Manipulation | The timestamp of the block is manipulated by the miner | Blockchain |
Short Addresses | The EVM itself accepts incorrectly padded arguments | EVM |