Software built on poor structural patterns often shows higher exposure to security defects. When code differs from established best practices, verification and maintenance become increasingly difficult, thereby raising the risk of unintentional vulnerabilities. In the context of blockchain technology, where immutable smart contracts handle high-value transactions, the need for strict security assurance is important. This research analyzes the utility of software complexity metrics as diagnostic tools for identifying vulnerable Solidity smart contracts. We evaluate the hypothesis that complexity measures serve as vital, complementary signals for security assessment. Through an empirical examination of 21 distinct metrics, we analyzed their inter-dependencies, statistical association with vulnerabilities, and discriminative capabilities. Our findings indicate a significant degree of redundancy among certain metrics and a relatively low correlation between any single metric and the presence of vulnerabilities. However, the data demonstrates that these metrics possess strong power to distinguish between secure and vulnerable code when analyzed collectively. Notably, with only three exceptions, vulnerable contracts consistently exhibited higher mean complexity scores than their neutral counterparts. While our results show a statistical association, we emphasize that complexity is an indicator rather than a direct cause of vulnerability.

翻译：基于不良结构模式构建的软件通常表现出更高的安全缺陷暴露风险。当代码偏离既定最佳实践时，验证与维护会变得愈发困难，从而增加非故意漏洞产生的可能性。在区块链技术背景下，不可篡改的智能合约处理着高价值交易，因此对严格安全保障的需求至关重要。本研究分析了软件复杂度度量作为识别易受攻击的Solidity智能合约的诊断工具的效用。我们评估了以下假设：复杂度度量可作为安全评估中关键且互补的指标。通过对21种不同度量的实证检验，我们分析了它们之间的相互依赖性、与漏洞的统计关联性以及判别能力。研究结果表明，某些度量之间存在显著冗余，且任何单一度量与漏洞存在之间的相关性相对较低。然而，数据表明当这些度量被集体分析时，它们具备强大的能力来区分安全代码与易受攻击代码。值得注意的是，除三个特例外，易受攻击合约的复杂度平均得分始终高于中性对照合约。虽然我们的结果显示了统计关联性，但我们强调复杂度是漏洞的指示因子而非直接成因。