Smart contracts are vulnerable to control-flow attacks—including delegatecall confusion, reentrancy, and improper error handling—compromising cross-contract interaction security. Existing pattern- and heuristic-based detection techniques suffer from high false-positive and false-negative rates. This paper introduces SCIF, the first programming language to principledy extend Secure Information Flow (SIF) to the control-flow level, enabling joint end-to-end information-flow security and strong control-flow integrity guarantees. We design a type system and static analysis framework for Secure Information Flow enforcement and implement an SCIF-to-Solidity compiler that ensures safe interoperability with arbitrary non-SCIF contracts. Evaluation on high-complexity applications and large-scale vulnerable contract repositories demonstrates zero false positives and negligible runtime overhead, establishing SCIF as a practical, sound foundation for secure smart contract development.

Smart contracts are frequently vulnerable to control-flow attacks based on confused deputies, reentrancy, and incorrect error handling. These attacks exploit the complexity of interactions among multiple possibly unknown contracts. Existing best practices to prevent vulnerabilities rely on code patterns and heuristics that produce both false positives and false negatives. Even with extensive audits and heuristic tools, new vulnerabilities continue to arise, routinely costing tens of millions of dollars. We introduce SCIF, a language for secure smart contracts, that addresses these classes of control-flow attacks. By extending secure information flow mechanisms in a principled way, SCIF enforces both classic end-to-end information flow security and new security restrictions on control flow, even when SCIF contracts interact with malicious non-SCIF code. SCIF is implemented as a compiler to Solidity. We show how SCIF can secure contracts with minimal overhead through case studies of applications with intricate security reasoning and a large corpus of insecure code.