This information was gathered through reading the original paper and an interview with Aashish Kolluri, one of the lead researchers on the project along with Ivica Nikolic.

There are currently over 2 million contracts deployed and live on the Ethereum mainnet, but the question is: how many of these can be “hacked”? A research group from the National University of Singapore, University College London and Yale, under the guidance of Prateek Saxena, Aquinas Hobor and Ilya Sergey, set out to find smart contract vulnerabilities at scale.

The group developed a tool called MAIAN, which finds and validates a vulnerability in a smart contract in under 10 seconds per contract.

Before we dig into how this was accomplished, let’s establish the three types of vulnerabilities that the MAIAN tool was seeking.

Greedy — The contract can lock up Ether so that nobody, not even the owner, can withdraw it: it accepts funds but has no reachable path that ever sends them out.
Suicidal — Anyone, not just the owner, can make the contract execute the SUICIDE operation (the opcode has since been renamed SELFDESTRUCT), after which no further interaction with the contract is possible.
Prodigal — The contract gives away Ether to an arbitrary address. A contract that leaks Ether only to its owner does not count as prodigal.

To start the project, the team downloaded a total of 970,898 contracts (up to block 4,799,998). Only 1% of these contracts had their source code available (verified on Etherscan), so the tool must be able to run its analysis on bytecode alone. The team also bounded the analysis to sequences of up to three invocations, that is, at most three successive transactions sent to the contract; this is the search depth.

MAIAN leverages symbolic execution (here’s a great intro: YouTube): instead of running the contract on fixed test inputs, it treats the inputs as symbolic values and reasons about all of them at once, and because it works directly on EVM bytecode it does not need the contract’s source code.

MAIAN takes the contract bytecode and the analysis specs (starting block, invocation depth, etc.) and reports whether one of the three properties holds. If it finds a vulnerability, it outputs the concrete input parameters and the sequence of invocations that lead to it, in other words a candidate exploit.

Each candidate exploit is then replayed against a local (private) fork of the Ethereum blockchain to validate it and weed out false positives.
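To make the three vulnerability classes and the search-then-validate pipeline above concrete, here is an added example in Python (the language MAIAN itself is written in). It is my own illustration, not MAIAN’s code: MAIAN symbolically executes real EVM bytecode, whereas this example replaces symbolic execution with exhaustive enumeration over a small finite input domain (two callers, two transaction values, one recipient address) against toy contract models written as Python classes. The contract classes, the addresses 0xowner and 0xattacker and the pre-funded balance are all constructed for the example. It searches sequences of up to three invocations, returns the witness trace for prodigal and suicidal contracts, reports greedy as the absence of any outgoing transfer on any bounded path, and replays a witness on a fresh instance as a stand-in for the private-fork validation step.

```python
from itertools import product

OWNER, ATTACKER = "0xowner", "0xattacker"  # constructed addresses for this example
DEPTH = 3                                   # invocation bound, as in the paper

class Contract:
    """Toy contract model: balance, owner, killed flag and a log of outgoing transfers.
    Each instance starts pre-funded, standing in for Ether deposited by earlier users."""
    functions = ("deposit",)                # externally callable functions of the model

    def __init__(self, balance=10):
        self.balance = balance
        self.owner = OWNER
        self.killed = False
        self.sent = []                      # (recipient, amount) for every outgoing transfer

    def invoke(self, fn, caller, value, arg):
        # One transaction from `caller` carrying `value` wei; RuntimeError models a revert.
        if self.killed:
            raise RuntimeError("contract destroyed")
        self.balance += value
        getattr(self, fn)(caller, value, arg)

    def deposit(self, caller, value, arg):  # payable no-op: every model accepts Ether
        pass

    def _send(self, to, amount):            # callers only ever send up to self.balance
        self.balance -= amount
        self.sent.append((to, amount))

    def _selfdestruct(self, to):            # SELFDESTRUCT: flush the balance, disable the contract
        self._send(to, self.balance)
        self.killed = True

class Greedy(Contract):
    """Accepts Ether but has no function that ever sends any out."""

class Suicidal(Contract):
    functions = ("deposit", "kill")
    def kill(self, caller, value, arg):     # no owner check: anyone can destroy it
        self._selfdestruct(caller)

class Prodigal(Contract):
    functions = ("deposit", "withdraw_to")
    def withdraw_to(self, caller, value, arg):  # no owner check: anyone drains it anywhere
        self._send(arg, self.balance)

class Guarded(Contract):
    """Owner-only withdraw and kill: neither prodigal, suicidal nor greedy."""
    functions = ("deposit", "withdraw_to", "kill")
    def withdraw_to(self, caller, value, arg):
        if caller != self.owner:
            raise RuntimeError("not owner")
        self._send(arg, self.balance)
    def kill(self, caller, value, arg):
        if caller != self.owner:
            raise RuntimeError("not owner")
        self._selfdestruct(self.owner)

def explore(factory, callers, depth=DEPTH):
    """Enumerate every non-reverting sequence of 1..depth invocations over the finite
    domain callers x functions x value in {0,1} x recipient ATTACKER, yielding
    (trace, final state). This enumeration stands in for symbolic execution."""
    steps = [(fn, caller, value, ATTACKER)
             for caller in callers for fn in factory.functions for value in (0, 1)]
    for n in range(1, depth + 1):
        for trace in product(steps, repeat=n):
            contract = factory()
            try:
                for fn, caller, value, arg in trace:
                    contract.invoke(fn, caller, value, arg)
            except RuntimeError:
                continue                    # a reverted invocation is not a valid path
            yield list(trace), contract

def prodigal(trace, contract):              # arbitrary caller ends up with more Ether than it paid in
    received = sum(amount for to, amount in contract.sent if to == ATTACKER)
    return received > sum(value for _, _, value, _ in trace)

def suicidal(trace, contract):              # arbitrary caller has destroyed the contract
    return contract.killed

def find_witness(factory, prop):
    """First attacker-only invocation sequence satisfying prop, or None if there is none."""
    for trace, contract in explore(factory, [ATTACKER]):
        if prop(trace, contract):
            return trace
    return None

def is_greedy(factory):
    """Some path accepts Ether, yet no path within the bound (owner included) sends any out.
    As with the paper's greedy check, the verdict is only as good as the depth bound."""
    accepts = sends = False
    for trace, contract in explore(factory, [OWNER, ATTACKER]):
        accepts |= any(value > 0 for _, _, value, _ in trace)
        sends |= bool(contract.sent)
    return accepts and not sends

def validate(factory, trace, prop):
    """Replay a witness on a fresh instance and re-check it (the private-fork step)."""
    contract = factory()
    for fn, caller, value, arg in trace:
        contract.invoke(fn, caller, value, arg)
    return prop(trace, contract)

if __name__ == "__main__":
    for cls in (Greedy, Suicidal, Prodigal, Guarded):
        print(cls.__name__, find_witness(cls, prodigal), find_witness(cls, suicidal), is_greedy(cls))
```

Two details mirror the paper’s definitions. Prodigal and suicidal witnesses are searched with the attacker as the sender of every invocation, so Guarded is not flagged even though its owner can send the balance anywhere; greedy is a statement about all callers, including the owner, and can only be established up to the depth bound. Note also that Suicidal is reported as prodigal as well, because its unguarded kill hands the whole balance to whoever calls it.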

With the MAIAN tool, the team’s analysis of almost 1 million contracts yielded the following results:

Final results using depth of 3 invocations and at block 4,499,451.

That’s about it! An interesting thing to note is that the tool actually found the Parity wallet library bug (since the analysis was run against an older block, from before that contract was killed), along with several other notable ones.

I am planning on summarizing more research papers on blockchain tech. Please let me know if this interests you.

Check out the original paper for more details on the research.