Symbolic value-flow static analysis: deep, precise, complete modeling of Ethereum smart contracts

We present a static analysis approach that combines concrete values and symbolic expressions. This value-flow (“symvalic”) models program behavior with high precision, e.g., full path sensitivity. To achieve deep modeling of semantics, the relies on symbiotic relationship between traditional fixpoint computation solver: solver does not merely receive complex “path condition” to solve, but is instead invoked repeatedly (often tens or hundreds thousands times), in close cooperation flow analysis. The result symvalic architecture much more complete than execution, precise conventional analysis, domain-agnostic: no special-purpose definition anti-patterns necessary order compute violations safety conditions precision. apply domain Ethereum smart contracts. represents fundamental challenge for approaches: despite numerous publications, research work has been effective at uncovering vulnerabilities real-world value. In systematic comparison past tools, we find significantly increased completeness (shown as 83-96% statement coverage true error reports) combined higher measured by rate positive reports. terms impact, since beginning 2021, resulted discovery disclosure several critical vulnerabilities, over funds many millions dollars. Six separate bug bounties totaling $350K have awarded these disclosures.