Abstract
Smart contracts are slowly penetrating our society where they are leveraged to support critical business transactions of which financial stakes are high. Smart contract programming is, however, in its infancy, and many failures due to programming defects exploited by malicious attackers and have made the headlines. In recent years, there has been an increasing effort in the literature to identify such vulnerabilities early in smart contracts to reduce the threats to the security of the accounts. Automatically patching smart contracts, however, is a much less investigated research topic. Yet, it can provide tools to help developers in fixing known vulnerabilities more rapidly. In this paper, we propose to review smart contract vulnerabilities and specify templates that will serve to automate patch generation. We implement the TIPS pipeline with 12 fix templates and assess its effectiveness on established smart contract datasets such as SmartBugs and ContractDefects. In particular, we show that TIPS is competitive against the state-of-the-art automated repair approach (SCRepair) in the literature. Finally, we evaluate the impact of the code changes suggested by TIPS in terms of gas usage.
This is a preview of subscription content, log in via an institution to check access.
Similar content being viewed by others
Explore related subjects
Discover the latest articles, news and stories from top researchers in related subjects.Notes
A fallback function in Solidity is executed when the function identifier does not match any of the available functions in a smart contract or if there was no data supplied at all.
ConsenSys Diligence - https://consensys.net/diligence/.
References
Ashraf, I., Ma, X., Jiang, B., Chan, W.K.: GasFuzzer: fuzzing ethereum smart contract binaries to expose gas-oriented exception security vulnerabilities. IEEE Access 8, 99552–99564 (2020). https://doi.org/10.1109/ACCESS.2020.2995183
Brent, L., Grech, N., Lagouvardos, S., Scholz, B., Smaragdakis, Y.: Ethainter: a smart contract security analyzer for composite vulnerabilities. In: Proceedings of the 41st ACM SIGPLAN International Conference on Programming Language Design and Implementation, pp. 454–469. ACM (2020). https://doi.org/10.1145/3385412.3385990
Chen, J., Xia, X., Lo, D., Grundy, J., Luo, X., Chen, T.: Defining smart contract defects on ethereum. IEEE Trans. Softw. Eng. (2020)
del Castillo, M.: The DAO attacked: code issue leads to \$60 million ether theft (2016)
Durieux, T., Cornu, B., Seinturier, L., Monperrus, M.: Dynamic patch generation for null pointer exceptions using metaprogramming. In: Proceedings of the 24th International Conference on Software Analysis, Evolution and Reengineering, pp. 349–358 (2017)
Durieux, T., Ferreira, J.F., Abreu, R., Cruz, P.: Empirical review of automated analysis tools on 47,587 ethereum smart contracts. In: Proceedings of the ACM/IEEE 42nd International Conference on Software Engineering, pp. 530–541 (2020)
Ethereum smart contract security best practices. https://consensys.github.io/smart-contract-best-practices/ (Last Accessed: July 2021)
Ethereum. https://ethereum.org/ (Last Accessed: July 2021)
Feist, J., Grieco, G., Groce, A.: Slither: a static analysis framework for smart contracts. In: 2019 IEEE/ACM 2nd International Workshop on Emerging Trends in Software Engineering for Blockchain (WETSEB), pp. 8–15 (2019)
Gao, Z., Jiang, L., Xia, X., Lo, D., Grundy, J.C.: Checking smart contracts with structural code embedding. IEEE Trans. Softw. Eng. 1–1 (2020)
Gazzola, L., Micucci, D., Mariani, L.: Automatic software repair: a survey. IEEE Trans. Softw. Eng. 45(1), 34–67 (2017)
Ghanbari, A., Benton, S., Zhang, L.: Practical program repair via bytecode mutation. In: Proceedings of the 28th ACM SIGSOFT International Symposium on Software Testing and Analysis, pp. 19–30. ACM (2019). https://doi.org/10.1145/3293882.3330559
Goues, C.L., Pradel, M., Roychoudhury, A.: Automated program repair. Commun. ACM 62(12), 56–65 (2019)
Hartel, P.H., Schumi, R.: Mutation testing of smart contracts at scale. In: Proceedings of the 14th International Conference on Tests and Proofs. Lecture Notes in Computer Science, vol. 12165, pp. 23–42 (2020). https://doi.org/10.1007/978-3-030-50995-8_2
Huang, Y., Jiang, B., Chan, W.K.: EOSFuzze: fuzzing EOSIO smart contracts for vulnerability detection. CoRR (2020) arXiv:2007.14903
ICO Security. https://blog.positive.com (Last Accessed: July 2021)
Jiang, B., Liu, Y., Chan, W.K.: ContractFuzzer: fuzzing smart contracts for vulnerability detection. In: Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering, pp. 259–269. ACM (2018a). https://doi.org/10.1145/3238147.3238177
Jiang, J., Xiong, Y., Zhang, H., Gao, Q., Chen, X.: Shaping program repair space with existing patches and similar code. In: Proceedings of the 27th ACM SIGSOFT International Symposium on Software Testing and Analysis, pp. 298–309. ACM, (2018b)
Kim, D., Nam, J., Song, J., Kim, S.: Automatic patch generation learned from human-written patches. In: 2013 35th International Conference on Software Engineering (ICSE), pp. 802–811 (2013)
Koyuncu, A., Liu, K., Bissyandé, T.F., Kim, D., Monperrus, M., Klein, J., Le Traon, Y.: ifixr: bug report driven program repair. In: Proceedings of the 2019 27th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, pp. 314–325 (2019)
Koyuncu, A., Liu, K., Bissyandé, T.F., Kim, D., Monperrus, M., Klein, J., Le Traon, Y.: FixMiner: mining relevant fix patterns for automated program repair. Empir. Softw. Eng. 25(3), 1980–2024 (2020). https://doi.org/10.1007/s10664-019-09780-z
Le, X.B.D., Lo, D., Le Goues, C.: History driven program repair. In: 2016 IEEE 23rd International Conference on Software Analysis, Evolution, and Reengineering (SANER), vol. 1, pp. 213–224. IEEE (2016)
Li, Z., Wu, H., Xu, J., Wang, X., Zhang, L., Chen, Z.: Musc: a tool for mutation testing of ethereum smart contract. In: Proceedings of the 34th IEEE/ACM International Conference on Automated Software Engineering, pp. 1198–1201. IEEE (2019). https://doi.org/10.1109/ASE.2019.00136
Liu, X., Zhong, H.: Mining stackoverflow for program repair. In: Proceedings of the 25th International Conference on Software Analysis, Evolution and Reengineering, pp. 118–129 (2018)
Liu, C., Liu, H., Cao, Z., Chen, Z., Chen, B., Roscoe, B.: ReGuard: finding reentrancy bugs in smart contracts. In: Proceedings of the 40th International Conference on Software Engineering: Companion Proceeedings, pp. 65–68. ACM, (2018a). https://doi.org/10.1145/3183440.3183495
Liu, H., Liu, C., Zhao, W., Jiang, Y., Sun, J.: S-gram: towards semantic-aware security auditing for ethereum smart contracts. In: Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering, pp. 814–819. ACM (2018b). https://doi.org/10.1145/3238147.3240728
Liu, K., Koyuncu, A., Bissyandé, T.F., Kim, D., Klein, J., Le Traon, Y.: You cannot fix what you cannot find! an investigation of fault localization bias in benchmarking automated program repair systems. In: 2019 12th IEEE Conference on Software Testing, Validation and Verification (ICST), pp. 102–113 (2019a)
Liu, K., Koyuncu, A., Kim, D., Bissyandé, T.F.: Avatar: Fixing semantic bugs with fix patterns of static analysis violations. In: 2019 IEEE 26th International Conference on Software Analysis, Evolution and Reengineering (SANER), pp. 1–12 (2019b)
Liu, K., Koyuncu, A., Kim, D., Bissyandé, T.F.: TBar: revisiting template-based automated program repair. In: Proceedings of the 28th ACM SIGSOFT International Symposium on Software Testing and Analysis, pp. 31–42 (2019c). https://doi.org/10.1145/3293882.3330577
Liu, K., Wang, S., Koyuncu, A., Kim, K., Bissyandé, T.F., Kim, D., Wu, P., Klein, J., Mao, X., Traon, Y.L.: On the efficiency of test suite based program repair: a systematic assessment of 16 automated repair systems for java programs. In: Proceedings of the 42nd International Conference on Software Engineering, pp. 615–627. ACM (2020). https://doi.org/10.1145/3377811.3380338
Liu, K., Li, L., Koyuncu, A., Kim, D., Liu, Z., Klein, J., Bissyandé, T.F.: A critical review on the evaluation of automated program repair systems. J. Syst. Softw. 171, 110817 (2021). https://doi.org/10.1016/j.jss.2020.110817
Liu, K., Zhang, J., Li, L., Koyuncu, A., Kim, D., Ge, C., Liu, Z., Klein, J., Bissyandé, T.F.: Reliable fix patterns inferred from static checkers for automated program repair. ACM Trans. Softw. Eng. Methodol. (2022). https://doi.org/10.1145/3579637
Long, F., Amidon, P., Rinard, M.: Automatic inference of code transforms for patch generation. In: Proceedings of the 11th Joint Meeting on Foundations of Software Engineering, pp. 727–739 (2017)
Luu, L., Chu, D.-H., Olickel, H., Saxena, P., Hobor, A.: Making smart contracts smarter. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 254–269. ACM (2016)
Monperrus, M.: Automatic software repair: a bibliography. ACM Comput. Surv. 51(1), 17–11724 (2018)
Mueller, B.: Smashing ethereum smart contracts for fun and real profit. In: 9th Annual HITB Security Conference (HITBSecConf), p. 54 (2018)
Nguyen, T.D., Pham, L.H., Sun, J., Lin, Y., Minh, Q.T.: sFuzz: an efficient adaptive fuzzer for solidity smart contracts. CoRR (2020). arXiv:2004.08563
Nguyen, T.D., Pham, L.H., Sun, J.: sGUARD: towards fixing vulnerable smart contracts automatically (2021). arXiv preprint arXiv:2101.01917
Nikolić, I., Kolluri, A., Sergey, I., Saxena, P., Hobor, A.: Finding the greedy, prodigal, and suicidal contracts at scale. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 653–663 (2018)
(Not So) Smart Contracts. https://github.com/crytic/not-so-smart-contracts (Last Accessed: July 2021)
O’Leary, R.-R.: Parity team publishes postmortem on $160 million ether freeze (2017)
Remix. https://remix.ethereum.org/ (Last Accessed: July 2021)
Rolim, R., Soares, G., Gheyi, R., D’Antoni, L.: Learning quick fixes from code repositories (2018). arXiv preprint arXiv:1803.03806
Saha, R.K., Lyu, Y., Yoshida, H., Prasad, M.R.: ELIXIR: effective object-oriented program repair. In: Proceedings of the 32nd IEEE/ACM International Conference on Automated Software Engineering, pp. 648–659 (2017)
Saha, S., Saha, R.K., Prasad, M.R.: Harnessing evolution for multi-hunk program repair. In: Proceedings of the 41st International Conference on Software Engineering, pp. 13–24. IEEE (2019). https://doi.org/10.1109/ICSE.2019.00020
Solidity. https://github.com/ethereum/solidity (Last Accessed: July 2021)
SWC-registry. https://smartcontractsecurity.github.io/SWC-registry (Last Accessed: July 2021)
This is the very first iteration of the Decentralized Application Security Project (or DASP) Top 10 of 2018. https://dasp.co/ (Last Accessed: July 2021)
Tikhomirov, S., Voskresenskaya, E., Ivanitskiy, I., Takhaviev, R., Marchenko, E., Alexandrov, Y.: Smartcheck: static analysis of ethereum smart contracts. In: Proceedings of the 1st International Workshop on Emerging Trends in Software Engineering for Blockchain, pp. 9–16 (2018)
Torres, C.F., Schütte, J., State, R.: Osiris: Hunting for integer bugs in ethereum smart contracts. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 664–676. ACM (2018). https://doi.org/10.1145/3274694.3274737
Wan, Z., Xia, X., Lo, D., Chen, J., Luo, X., Yang, X.: Smart contract security: a practitioners’ perspective (2021). arXiv preprint arXiv:2102.10963
Wen, M., Chen, J., Wu, R., Hao, D., Cheung, S.-C.: Context-aware patch generation for better automated program repair. In: Proceedings of the 40th IEEE/ACM International Conference on Software Engineering, pp. 1–11 (2018)
Wüstholz, V., Christakis, M.: Harvey: a greybox fuzzer for smart contracts. CoRR (2019). arXiv:1905.06944
Xiong, Y., Wang, J., Yan, R., Zhang, J., Han, S., Huang, G., Zhang, L.: Precise condition synthesis for program repair. In: Proceedings of the 39th IEEE/ACM International Conference on Software Engineering, pp. 416–426. IEEE (2017). https://doi.org/10.1109/ICSE.2017.45
Yu, X.L., Al-Bataineh, O., Lo, D., Roychoudhury, A.: Smart contract repair. ACM Trans. Softw. Eng. Methodol. 29(4), 1–32 (2020)
Yuan, Y., Banzhaf, W.: ARJA: automated repair of java programs via multi-objective genetic programming. IEEE Trans. Softw. Eng. (2018). https://doi.org/10.1109/TSE.2018.2874648
Zhang, Q., Wang, Y., Li, J., Ma, S.: EthPloit: from fuzzing to efficient exploit generation against smart contracts. In: Proceedings of the 27th IEEE International Conference on Software Analysis, Evolution and Reengineering, pp. 116–126 (2020a). https://doi.org/10.1109/SANER48275.2020.9054822
Zhang, P., Yu, J., Ji, S.: ADF-GA: data flow criterion based test case generation for ethereum smart contracts. CoRR abs/2003.00257 (2020b). arXiv:2003.00257
Author information
Authors and Affiliations
Corresponding author
Additional information
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.
About this article
Cite this article
Chen, Q., Zhou, T., Liu, K. et al. Tips: towards automating patch suggestion for vulnerable smart contracts. Autom Softw Eng 30, 31 (2023). https://doi.org/10.1007/s10515-023-00392-y
Received:
Accepted:
Published:
DOI: https://doi.org/10.1007/s10515-023-00392-y