Existing static analysis methods for detecting security vulnerabilities in Solidity smart contracts suffer from insufficient interpretability due to a lack of well-validated, semantically meaningful static features. Method: This work conducts the first systematic evaluation of 21 code complexity metrics—extracted via static analysis—for their discriminative power between vulnerable and benign contracts. We employ statistical hypothesis testing (e.g., Mann–Whitney U), correlation analysis, and empirical distribution comparison to assess metric redundancy and collective discriminative consistency. Contribution/Results: All 21 metrics exhibit statistically significant discrimination (p < 0.01). Notably, 18 metrics show higher median values in vulnerable contracts, confirming that elevated code complexity consistently correlates with increased security risk. The study establishes an empirically grounded, lightweight vulnerability early-warning framework and delivers a reusable, interpretable feature set grounded in software complexity theory—enabling transparent, efficient, and scalable smart contract security assessment.

Codes with specific characteristics are more exposed to security vulnerabilities. Studies have revealed that codes that do not adhere to best practices are more challenging to verify and maintain, increasing the likelihood of unnoticed or unintentionally introduced vulnerabilities. Given the crucial role of smart contracts in blockchain systems, ensuring their security and conducting thorough vulnerability analysis is critical. This study investigates the use of code complexity metrics as indicators of vulnerable code in Solidity smart contracts. We highlight the significance of complexity metrics as valuable complementary features for vulnerability assessment and provide insights into the individual power of each metric. By analyzing 21 complexity metrics, we explored their interrelation, association with vulnerability, discriminative power, and mean values in vulnerable versus neutral codes. The results revealed some high correlations and potential redundancies among certain metrics, but weak correlations between each independent metric and vulnerability. Nevertheless, we found that all metrics can effectively discriminate between vulnerable and neutral codes, and most complexity metrics, except for three, exhibited higher values in vulnerable codes.