The rise of decentralized applications (dApps) has made smart contracts integral components of blockchain technology. As many smart contracts process financial transactions, their security is paramount. Moreover, the immutability of blockchains makes fixing vulnerabilities in smart contracts particularly challenging, because a fix requires deploying a new version of the contract at a different address, incurring substantial fees paid in Ether. This paper proposes Ethstractor, the first smart contract collection tool for gathering a dataset of versioned smart contracts. The collected dataset is then used to evaluate the reliability of code metrics as indicators of vulnerabilities in smart contracts. Our findings indicate that code metrics are ineffective in signalling the presence of vulnerabilities. Furthermore, we investigate whether vulnerabilities in newer versions of smart contracts are mitigated and find that the number of vulnerabilities remains consistent over time. Finally, we examine the removal of self-admitted technical debt in contracts and uncover that most of the introduced debt has never been subsequently removed.