Citation: DeCusatis, C.; Gormanly, B.; Iacino, J.; Percelay, R.; Pingue, A.; Valdez, J. Cybersecurity Test Bed for Smart Contracts. Cryptography 2023, 7, 15. https://doi.org/10.3390/cryptography7010015

Academic Editor: Kentaroh Toyoda
Received: 14 February 2023; Revised: 2 March 2023; Accepted: 3 March 2023; Published: 10 March 2023

Copyright: © 2023 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

Article

Cybersecurity Test Bed for Smart Contracts

Casimer DeCusatis *, Brian Gormanly, John Iacino, Reed Percelay, Alex Pingue and Justin Valdez
School of Computer Science and Mathematics, Marist College, Poughkeepsie, NY 12601, USA
* Correspondence: casimer.decusatis@marist.edu; Tel.: +1-845-575-3883

Abstract: Blockchain, smart contracts, and related concepts have emerged in recent years as a promising technology for cryptocurrency, NFTs, and other areas. However, there are still many security issues that must be addressed as these technologies evolve. This paper reviews some of the leading social engineering attacks on smart contracts, as well as several vulnerabilities which result from insecure code development. A smart contract test bed is constructed using Solidity and a Metamask wallet to evaluate vulnerabilities such as insecure arithmetic, denial of service, and re-entrancy attacks. Cross-chain vulnerabilities and potential vulnerabilities resulting from layer 2 side-chain processing were also investigated. Mitigation best practices are proposed based on the experimental results.

Keywords: blockchain; smart contract; cybersecurity

1. Introduction

Blockchain provides an immutable database that operates as a distributed transaction ledger. It has been used for cryptocurrencies and so-called Web3 technologies [1,2].
Some blockchain frameworks, such as Ethereum and the Ethereum Virtual Machine, are also well suited for the development of smart contracts, which automate transactions in accordance with pre-defined specifications and use digital signatures to approve each step of the contract. Smart contracts have been proposed to supplement or replace existing contractual methods in a wide range of applications [2]. This includes trading of digital currencies and non-fungible tokens (NFTs), which have received a great deal of attention recently and in some cases may have significant issues [3]. While smart contracts can be quite complex, the following brief overview will contextualize this research.

Smart contracts are commonly coded in the language Solidity (other alternatives include Vyper, Rust, and JavaScript). Solidity is a statically typed, object-oriented language which sets itself apart through special state variables that allow for access control to be written into the program. This unique addition enhances the security potential of any contract, if used properly. Solidity uses a syntax similar to ECMAScript, which makes it easier for existing web developers to deploy smart contracts. ECMAScript is a JavaScript standard originally intended to ensure that web pages interoperate correctly when different browsers are used. It is commonly used for client-side scripting, and it is increasingly being used for writing server-side applications and services using runtime environments such as Node.js. ECMAScript has been formalized through the use of operational semantics, a category of formal programming language semantics in which certain desirable properties of a smart contract are verified by constructing proofs from logical statements about the contract's execution and procedures. This stands in contrast to denotational semantics, which attaches mathematical meaning to the terms of a smart contract to validate its desired properties.
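As an added illustration of the access-control point above (this is not code from the paper's test bed), the hypothetical contract below keeps an owner address and a paused flag as state variables and gates functions on them through modifiers; its withdraw function also orders the balance update before the external call, the pattern relevant to the re-entrancy vulnerabilities the paper evaluates.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical example (not from the paper): access control written into the
// contract through state variables, enforced by modifiers.
contract GuardedVault {
    address public owner;                  // state variable: administrator
    bool public paused;                    // state variable: emergency stop
    mapping(address => uint256) public balances;

    constructor() {
        owner = msg.sender;                // deployer becomes the owner
    }

    // Reusable guard over the owner state variable.
    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Reusable guard over the paused state variable.
    modifier whenNotPaused() {
        require(!paused, "paused");
        _;
    }

    // Only the owner may flip the emergency stop.
    function setPaused(bool p) external onlyOwner {
        paused = p;
    }

    function deposit() external payable whenNotPaused {
        balances[msg.sender] += msg.value;   // Solidity ^0.8 reverts on overflow
    }

    // Checks-effects-interactions: the balance is zeroed before Ether is sent,
    // so a re-entrant call from the recipient finds nothing left to withdraw.
    function withdraw() external whenNotPaused {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");
        balances[msg.sender] = 0;                          // effect first
        (bool ok, ) = msg.sender.call{value: amount}("");  // interaction last
        require(ok, "transfer failed");
    }
}
```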
Operational semantics can be used to validate a contract's security, safety, or correctness, for example. Solidity benefits from these techniques, which both make it accessible to web developers and provide the means to validate the security of the resulting contract. However, unlike ECMAScript, Solidity employs static variable typing and variadic return types. Solidity also differs from other Ethereum virtual machine supported languages in several