English

Attack-Centric by Design: A Program-Structure Taxonomy of Smart Contract Vulnerabilities

Cryptography and Security 2025-11-13 v1 Distributed, Parallel, and Cluster Computing

Abstract

Smart contracts concentrate high value assets and complex logic in small, immutable programs, where even minor bugs can cause major losses. Existing taxonomies and tools remain fragmented, organized around symptoms such as reentrancy rather than structural causes. This paper introduces an attack-centric, program-structure taxonomy that unifies Solidity vulnerabilities into eight root-cause families covering control flow, external calls, state integrity, arithmetic safety, environmental dependencies, access control, input validation, and cross-domain protocol assumptions. Each family is illustrated through concise Solidity examples, exploit mechanics, and mitigations, and linked to the detection signals observable by static, dynamic, and learning-based tools. We further cross-map legacy datasets (SmartBugs, SolidiFI) to this taxonomy to reveal label drift and coverage gaps. The taxonomy provides a consistent vocabulary and practical checklist that enable more interpretable detection, reproducible audits, and structured security education for both researchers and practitioners.

Keywords

Cite

@article{arxiv.2511.09051,
  title  = {Attack-Centric by Design: A Program-Structure Taxonomy of Smart Contract Vulnerabilities},
  author = {Parsa Hedayatnia and Tina Tavakkoli and Hadi Amini and Mohammad Allahbakhsh and Haleh Amintoosi},
  journal= {arXiv preprint arXiv:2511.09051},
  year   = {2025}
}

Comments

42 pages, 1 figure, 8 root-cause families

R2 v1 2026-07-01T07:33:30.228Z