By Allium Research

Blockchain [41] is a decentralized digital ledger that records transactions transparently. It enables verifiable interactions between smart contracts through transactions. Smart contracts [7] are programs encoding self-executing agreements with the terms directly written into code. Ethereum [4] is the most popular smart contract platform. It has been designed with the vision that smart contracts interact with each other as part of ever more complex and composable agreements [49].

Understanding how smart contracts depend on each other is crucial yet understudied. In traditional software ecosystems, tools like package managers, software bill of materials, and automated dependency bots are used to track and manage dependencies. However, these methods do not apply to smart contracts. The smart contract ecosystem lacks standardized dependency declarations. Contract dependencies are oftenopaque, as they are typically hardcoded or dynamically resolved at runtime through deployed addresses. This possesses several security risks. In this paper, we aim to study the width and depth of smart contract dependencies and the corresponding risks.