Clear Sky Science
DIVE: A Multi-Label Smart Contract Vulnerability Dataset

Why safer digital deals matter
Every day, billions of dollars move through "smart contracts"—pieces of code that automatically run deals on blockchains like Ethereum. When these digital agreements contain hidden mistakes, the consequences can be severe: frozen funds, stolen assets, and loss of trust in new financial systems. This article introduces DIVE, a large, carefully built dataset that helps researchers find and understand weaknesses in smart contracts more reliably, so that the digital agreements underpinning cryptocurrencies and decentralized apps can become safer for everyone.

How digital contracts live and change
Smart contracts pass through several stages in their lifetime. They start as readable source code written by developers, then are compiled into machine-friendly instructions and sent in a deployment transaction to the blockchain. Once accepted, a contract gets a permanent address and its code becomes unchangeable, but its internal state can still evolve as people interact with it. Throughout this journey, different kinds of data appear—source code, bytecode, settings, and transaction records—which all hold clues about possible flaws. DIVE is built around this lifecycle view, collecting features from both before deployment (code and configuration) and after deployment (on-chain behavior) to give a fuller picture of each contract.

Why older datasets fell short
Earlier collections of smart contracts helped kick-start machine learning approaches to spotting vulnerabilities, but they came with serious limitations. Many included only small numbers of contracts, focused on a narrow time window or specific compiler versions, or captured just one kind of data, like source code or bytecode, but not both. Some treated vulnerabilities as if only one type could appear per contract, even though real contracts frequently contain several problems at once. Labels were not always consistent, because different studies used different naming schemes and relied on one or two tools without a common standard. All of this made it hard to compare results across papers or to build detectors that generalize well beyond a single study.

What the DIVE dataset contains
DIVE assembles 22,330 real Ethereum contracts, deployed between 2016 and 2024 and spanning the major versions of the Solidity programming language. Each contract is described through hundreds of features. Before deployment, DIVE records items such as compiler version, optimization settings, use of external libraries, the structure of the public interface (its functions and events), measurements of code complexity, and patterns in the low-level instructions used to create the contract. After deployment, it adds information from the launch transaction—gas usage, value sent, timing and position within the block—as well as instruction patterns from the contract’s runtime code. This dual view lets researchers study how coding choices and on-chain behavior both relate to security.

How vulnerabilities are identified
To decide which contracts are vulnerable, DIVE does not rely on a single tool or a simple majority vote. Instead, it runs six different analysis tools, each with its own strengths, and funnels their findings through a standardized framework. Tool outputs are mapped to eight well-known categories from the DASP Top 10 list: reentrancy flaws, broken access control, arithmetic mistakes, denial-of-service risks, bad randomness, front running, time manipulation, and unchecked low-level calls. A "power-based" voting scheme then decides, category by category, how much to trust each tool. On top of that, a second validation step checks whether the flagged issue is actually supported by the contract’s code, for example by confirming that a supposed arithmetic bug is not already protected by modern compiler checks or safety libraries. This extra scrutiny removes many false alarms, especially for denial-of-service and time-related warnings.
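
The two-stage labelling described above can be sketched as follows. This is an added example, not code from the DIVE authors: the three tool names, the weights, the strict-majority-of-weight rule and the regex checks are all assumptions made for illustration, and the inputs are constructed.

```python
import re

# Hypothetical per-category trust weights for three placeholder tools
# (assumed values; DIVE uses six tools and its own weighting).
WEIGHTS = {
    "reentrancy":        {"tool_a": 5, "tool_b": 3, "tool_c": 1},
    "arithmetic":        {"tool_a": 2, "tool_b": 4, "tool_c": 4},
    "time_manipulation": {"tool_a": 1, "tool_b": 1, "tool_c": 4},
}

def weighted_vote(findings):
    """findings maps tool -> set of reported categories. A category is kept
    when the reporting tools hold a strict majority of its total weight."""
    labels = set()
    for category, weights in WEIGHTS.items():
        support = sum(w for tool, w in weights.items()
                      if category in findings.get(tool, set()))
        if 2 * support > sum(weights.values()):
            labels.add(category)
    return labels

def arithmetic_is_guarded(compiler_version, source):
    """Heuristic second-stage check: Solidity >= 0.8 reverts on overflow
    unless the code opts out with an unchecked block; older code is treated
    as guarded only if it attaches SafeMath to a type."""
    match = re.search(r"(\d+)\.(\d+)", compiler_version)
    if match is None:
        return False  # unknown compiler: keep the finding
    if (int(match.group(1)), int(match.group(2))) >= (0, 8):
        return re.search(r"\bunchecked\s*\{", source) is None
    return re.search(r"\busing\s+SafeMath\s+for\b", source) is not None

def validate(labels, compiler_version, source):
    """Drop an arithmetic label that the code evidence does not support."""
    if "arithmetic" in labels and arithmetic_is_guarded(compiler_version, source):
        return labels - {"arithmetic"}
    return set(labels)

# Constructed sample input: raw tool findings and source for one contract.
FINDINGS = {
    "tool_a": {"reentrancy", "arithmetic", "time_manipulation"},
    "tool_b": {"arithmetic", "time_manipulation"},
    "tool_c": set(),
}
SOURCE_08 = "contract C { uint n; function inc() public { n += 1; } }"
SOURCE_08_UNCHECKED = "contract C { uint n; function inc() public { unchecked { n += 1; } } }"

if __name__ == "__main__":
    voted = weighted_vote(FINDINGS)
    print(sorted(voted))
    print(sorted(validate(voted, "v0.8.19", SOURCE_08)))
    print(sorted(validate(voted, "v0.8.19", SOURCE_08_UNCHECKED)))
```

With these weights, reentrancy is kept on one trusted tool's report, while time manipulation is rejected even though two of three tools report it, which is where a weighted vote departs from a simple majority.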

How this resource can be used
Because DIVE is multi-label, a single contract can be tagged with several vulnerability types, reflecting how real-world bugs cluster and interact. The dataset supports a wide range of studies: binary and multi-class classification, multi-label and multi-task learning, transfer learning across compiler versions or years, and experiments that compare the value of pre-deployment versus post-deployment information. It also documents how often different vulnerabilities appear together, revealing that some, like reentrancy and access control issues, tend to co-occur, while others are rarer and more isolated. These patterns encourage more advanced learning methods that model relationships between bug types, rather than treating each in isolation.

What this means for everyday users
For most people, smart contracts are invisible infrastructure behind trading apps, games, lending platforms, and other blockchain services. The DIVE dataset does not fix vulnerabilities directly, but it provides the detailed, well-labeled data needed to train and fairly test stronger detection tools. Those tools, in turn, can help developers catch problems earlier and help auditors prioritize their reviews. As the framework is open and can be rerun on new contracts over time, DIVE offers a living foundation for improving the safety of digital agreements—reducing the risk that everyday users will be harmed by hidden errors in the code they rely on.

Citation: Alsunaidi, S.J., Aljamaan, H. & Hammoudeh, M. DIVE: A Multi-Label Smart Contract Vulnerability Dataset. Sci Data 13, 664 (2026). https://doi.org/10.1038/s41597-026-07025-5
Keywords: smart contract security, Ethereum, blockchain vulnerabilities, machine learning dataset, DASP Top 10