Demystifying the Composition and Code Reuse in Solidity Smart Contracts

"Smart contracts are a special form of program that use blockchain technology to automate, verify, and enforce agreements between parties. As the development of Solidity smart contracts has increased in popularity, the reliance on third-party packages increases to reduce development costs. However, the diverse and flexible approaches to introducing external subcontracts (i.e., contract-level code blocks) make it difficult to assure the security of downstream applications. Hence, it is crucial to properly manage external subcontracts in the development of smart contracts to ensure the security of Web3 applications. While previous studies have only focused on a single part of smart contracts such as subcontracts or functions during analysis, the common compositions of a smart contract and their characteristics still remain mysterious. To fill these gaps, we first decomposed smart contracts into various subcontracts and discussed the common approaches to introduce subcontracts and their origins in smart contract development. We then conducted code reuse analysis for various subcontracts separately to better understand the compositions of smart contracts. Through the study, we identified that over 80% of the subcontracts in smart contracts are from external sources while the largest identified external source is NPM, accounting for over 72% of the total external subcontracts. For self-developed subcontracts, around 50% of the subcontracts have less than 10% unique functions, suggesting that code reuse at the level of functions is also common. For external subcontracts, though around 35% of the subcontracts are interfaces to provide templates for standards or protocols, an inconsistency in the use of subcontract types is also identified. Lastly, we extracted and accessed 10 frequently reused development patterns."