Statically Checking Missing Input Validations in Solidity Smart Contracts - A Case Study

Smart contracts, running on blockchains, enable transparent interactions without intermediaries. However, program-related bugs and flaws in translating business logic into code can introduce vulnerabilities, making them attractive targets for malicious users. For instance, using input from untrusted users in critical operations without proper validation may lead to exploitable functionalitics. We refer to this vulnerability as ' sing Input Validation (MIV). This paper focuses on the issues caused by MIV (aka MIV-related issues) in Solidity smart contracts executing on the Ethereum blockchain. In particular, we conduct a case study emphasizing how MIV-related issues can lead to unexpected behavior in smart contracts, rendering them vulnerable to malicious manipulation. We also implement an information flow analysis -based analyzer, MIV-Checker, to statically detect instances of MIV in Solidity smart contracts. We evaluated MIV-Checker against a state-of-the-art smart contract analysis tool, Securify, using 3399 distinct contracts collected from the Ethereum blockchain. Securify identified only three contracts, whereas MIV-Checker detected 86 contracts as potentially susceptible to MIV. Our manual assessment confirms that MIV-Checker outperforms Securify by detecting more true Ai cases and reducing execution time. This case study helps determine that many recently used contracts on Ethereum may still be potentially vulnerable to MIV. Additionally, we position user-provided input as a non-deterministic factor in Ethereum contract execution and discuss future research avenues for mitigating issues arising from such factors.