
Graduate student: 李尚韋 (Shang-Wei Li)
Thesis title: 智慧合約安全檢測工具之評比框架 (A Comparative Framework for Smart Contract Security Inspection Tools)
Advisors: 吳宗成 (Tzong-Chen Wu), 查士朝 (Shi-Cho Cha)
Oral examination committee: 吳宗成 (Tzong-Chen Wu), 查士朝 (Shi-Cho Cha), 羅乃維 (Nai-Wei Lo)
Degree: Master
Department: College of Management - Department of Information Management
Year of publication: 2019
Graduation academic year: 107
Language: Chinese
Pages: 61
Keywords (Chinese): 區塊鏈, 智慧合約, 漏洞評鑑系統, 層級分析法 (Blockchain, Smart Contract, Vulnerability Scoring System, Analytic Hierarchy Process)
Keywords (English): Blockchain, Smart Contract, Common Vulnerability Scoring System, Analytic Hierarchy Process
Usage statistics: Views: 208, Downloads: 0
Smart contracts are one of the defining features of blockchain technology: a contract deployed to a blockchain executes automatically. However, once a deployed smart contract is attacked through a security vulnerability, the blockchain keeps executing it, and it is very difficult to withdraw the contract from the chain. Inspecting a smart contract's code before it is deployed to the blockchain is therefore all the more important. Many organizations and researchers have proposed smart contract inspection tools, so a benchmark is needed to evaluate how effective these tools are. This thesis proposes a comparative framework for smart contract inspection tools. The framework derives risk metrics for smart contract vulnerabilities from the Common Vulnerability Scoring System (CVSS). In addition, this study applies the Analytic Hierarchy Process (AHP), inviting domain experts to rate the weights so that the severity of each vulnerability metric is decided by expert experience, and then computes the risk value of each smart contract vulnerability from the metrics and their weights. The study further collects several smart contract samples of different categories and runs each sample through the smart contract inspection tools, so that the tools' results can be compared by whether they detect the smart contract vulnerabilities.


Smart contracts have been one of the major features of blockchain technologies. Once people deploy their smart contracts on a blockchain, the blockchain enforces the faithful execution of those contracts. However, even when the smart contracts are vulnerable and under attack, the blockchain still faithfully executes the attacks on them. Moreover, it is very hard to withdraw a vulnerable smart contract from a blockchain once it is deployed. Therefore, finding vulnerabilities in smart contracts before they are deployed has recently been brought into the spotlight. Several organizations and researchers have proposed smart contract inspection tools, so people need benchmarks to evaluate the effectiveness of these tools. In light of this, this thesis proposes a comparative framework for smart contract security inspection tools. The framework defines metrics to evaluate the risk of smart contract vulnerabilities based on the Common Vulnerability Scoring System (CVSS). In addition, this thesis uses the Analytic Hierarchy Process (AHP) to determine the weights of the metrics from the opinions of experts. Consequently, the risk value of a smart contract vulnerability can be calculated from the metrics and their weights. This thesis further collects several smart contracts in different categories and feeds the contracts to the inspection tools, so that the tools can be compared by whether they identify the risky vulnerabilities.

Abstract (Chinese) (p. I)
Abstract (p. II)
Table of Contents (p. III)
List of Figures (p. V)
List of Tables (p. VII)
Chapter 1 Introduction (p. 1)
1.1 Research Background and Motivation (p. 1)
1.2 Research Objectives and Contributions (p. 2)
1.3 Problem Scenario (p. 3)
1.4 Thesis Structure (p. 4)
1.5 Research Framework (p. 4)
Chapter 2 Literature Review (p. 6)
2.1 Smart Contracts (p. 6)
2.2 Common Vulnerability Scoring System (CVSS) (p. 7)
2.3 Analytic Hierarchy Process (AHP) (p. 7)
2.4 Common Smart Contract Vulnerabilities (p. 11)
2.4.1 Reentrancy (p. 11)
2.4.2 Arithmetic Issues (p. 13)
2.4.3 Denial of Service (p. 15)
2.4.4 Predictable Randomness (p. 16)
2.4.5 Time Manipulation (p. 17)
2.4.6 Access Control (p. 18)
2.5 Overview of Smart Contract Inspection Tools (p. 20)
Chapter 3 Risk-Based Comparative Framework (p. 24)
3.1 Smart Contract Vulnerability Benchmark (p. 24)
3.2 AHP Questionnaire and Implementation (p. 30)
3.3 Evaluation of Common Smart Contract Vulnerabilities (p. 42)
3.4 Empirical Test of Smart Contract Inspection Platforms (p. 49)
Chapter 4 Conclusion and Future Work (p. 50)
References (p. 51)


Full text available from 2024/08/27 (campus network)
Full text not authorized for public release (off-campus network)
Full text not authorized for public release (National Central Library: Taiwan Thesis and Dissertation System)