Smart Contract Vulnerabilities in Ethereum: A Systematic Literature Review and Analytical Synthesis
摘要
The immutable and asset-bearing nature of blockchain smart contracts has made them attractive targets for exploitation, resulting in cumulative financial losses amounting to billions of dollars. While early vulnerabilities primarily arose from syntactic coding errors, the current threat landscape is increasingly dominated by complex economic and semantic flaws in interconnected DeFi systems. This study conducts a Systematic Literature Review (SLR) synthesizing evidence from 112 primary studies and incident reports (2015–2025) to examine the evolution of Ethereum smart contract vulnerabilities. Beyond traditional descriptive taxonomies, we introduce a novel Vulnerability-Attack-Defense (VAD) analytical framework that dissects each threat by integrating its root cause, exploitation mechanism, and technical countermeasures. Our analysis highlights a significant paradigm shift: attacks from 2021 to 2025 predominantly exploit access control and business logic flaws, which contributed to approximately 60% of total financial losses ($1.44 billion of $2.36 billion) across 767 on-chain security incidents in 2024 (CertiK, 2025), as illustrated by cases such as the Euler Finance exploit (~$197 M) and the 2025 Bybit breach (~$1.4B). We propose a refined, analytically cohesive seven-category taxonomy of vulnerabilities. Additionally, we provide a qualitative synthesis of detection approaches, surveying reported performance metrics from the literature across static analysis, dynamic analysis, machine learning, graph‑based techniques, formal verification, and emerging LLM‑assisted auditing methods. This synthesis characterizes their efficacy, coverage, and trade-offs against the evolving threat landscape. This review provides researchers and practitioners with an evidence-based foundation for securing next-generation smart contracts, emphasizing that robust security requires prioritizing sound economic design and operational controls in addition to code correctness.