
Contractual Security and Privacy Security of Smart Contract: A System Mapping Study


【Authors】 HU Tian-Yuan; LI Ze-Cheng; LI Bi-Xin; BAO Qi-Hao

【Corresponding author】 LI Bi-Xin

【Affiliations】 School of Computer Science and Engineering, Southeast University; Department of Computing, Hong Kong Polytechnic University

【Abstract】 As a distributed ledger technology for peer-to-peer networks, blockchain integrates cryptography, consensus mechanisms, smart contracts and other technologies to provide a new way of building trust. Smart contracts are open and transparent, updated in real time and executed accurately, and they give the blockchain a safer, more efficient and more credible way to implement functions such as information storage, transaction execution and asset management. However, smart contracts themselves still have security problems, which hinders the further adoption of blockchain technology. There has therefore been a good deal of research on smart contract security in recent years. To help those concerned understand and grasp the research ideas involved, this paper adopts the mapping study method: it collects the literature on smart contract security published since 2015 and, through literature screening, question setting, information extraction, result acquisition and analysis, summarizes the current status and future trends of smart contract security research as follows. (1) The security problems and challenges that smart contracts currently face lie mainly in two areas, contract security and privacy security (problems and challenges). Among the 45 papers surveyed, 29 address contract security and 16 address privacy security. (2) The main methods currently used to assure smart contract security include formal verification, fuzzing, zero-knowledge proofs and trusted execution environments (assurance methods). (3) Research on contract security currently concentrates on the implementation and testing stages, while little research addresses the design, deployment, and operation and maintenance stages; research on privacy security concentrates on protecting contract data privacy, while little addresses contract code privacy (coverage). (4) Research on smart contract security assurance is currently carried out mainly from the perspective of contract implementers and testers, with relatively little from the perspective of contract maintainers and contract users (research perspective). (5) Future research should advance on the security issues of every stage of the smart contract's full lifecycle; combining a priori and a posteriori methods, qualitative and quantitative methods, and static and dynamic methods is the general trend (development trends). In summary, this paper identifies the shortcomings of existing research through its investigation and suggests directions for further research.

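【Funding】 Supported by the National Key Research and Development Program of China (2019YFE0105500), the National Natural Science Foundation of China (61872078), and the Key Research and Development Program of Jiangsu Province (BE2021002-3)
  • 【Source】 Chinese Journal of Computers (计算机学报), 2021, Issue 12
  • 【Classification No.】 TP309
  • 【Times cited】 15
  • 【Downloads】 1776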