Cited By
View all- Kiani RSheng V(2024)Ethereum Smart Contract Vulnerability Detection and Machine Learning-Driven Solutions: A Systematic Literature ReviewElectronics10.3390/electronics1312229513:12(2295)Online publication date: 12-Jun-2024
sGuard+: Machine Learning Guided Rule-Based Automated Vulnerability Repair on Smart Contracts
Article No.: 114, Pages 1 - 55
Abstract
Smart contracts are becoming appealing targets for hackers because of the vast amount of cryptocurrencies under their control. Asset loss due to the exploitation of smart contract codes has increased significantly in recent years. To guarantee that smart contracts are vulnerability-free, there are many works to detect the vulnerabilities of smart contracts, but only a few vulnerability repair works have been proposed. Repairing smart contract vulnerabilities at the source code level is attractive as it is transparent to users, whereas existing repair tools, such as SCRepair and sGuard, suffer from many limitations: (1) ignoring the code of vulnerability prevention; (2) possibly applying the repair to the wrong statements and changing the original business logic of smart contracts; and (3) showing poor performance in terms of time and gas overhead.
In this work, we propose machine learning guided rule-based automated vulnerability repair on smart contracts to improve the effectiveness and efficiency of sGuard. To address the limitations mentioned above, we design the features that characterize both the symptoms of vulnerabilities and the methods of vulnerability prevention to learn various vulnerability patterns and reduce false positives. Additionally, a fine-grained localization algorithm is designed by traversing the nodes of the abstract syntax tree, and we refine and extend the repair rules of sGuard to preserve the original business logic of smart contracts and support new vulnerability types. Our tool, named sGuard+, reduces time overhead based on machine learning models, and reduces gas overhead by fewer code changes and precise patching.
In our experiment, we collect a publicly available vulnerability dataset from CVE, SWC, and SmartBugs Curated as a ground truth for evaluations. Overall, sGuard+ repairs more vulnerabilities with less time and gas overhead than state-of-the-art tools. Furthermore, we reproduce about 9,000 historical transactions for regression testing. It is shown that sGuard+ has no impact on the original business logic of smart contracts.
References
[1]
2016. DAO at v1.0. Retrieved from https://github.com/blockchainsllc/DAO/tree/v1.0. Online; accessed 17 June 2016.
[2]
2017. The Parity Wallet Hack Explained. Retrieved from https://blog.openzeppelin.com/on-the-parity-wallet-multisig-hack-405a8c12e8f7/. Online; accessed 19 July 2017.
[3]
2022. CVE-2020-19765. Retrieved from https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-19765. Online; accessed 1 January 2022.
[4]
2022. The CVE Records Related to Smart Contracts Without Explict Keyworks. Retrieved fromhttps://github.com/ToolmanInside/CVEs. Online; accessed 1 January 2022.
[5]
2022. Etherscan. Retrieved from https://etherscan.io/. Online; accessed 25 April 2022.
[6]
2022. Solidity Documentation. Retrieved from https://docs.soliditylang.org/en/v0.4.26/. Online; accessed 25 April 2022.
[7]
2022. Solidity v0.8.0 Breaking Changes. Retrieved from https://docs.soliditylang.org/en/breaking/080-breaking-changes.html. Online; accessed 25 April 2022.
[8]
2023. The Correctness Evaluation Results of Elysium. Retrieved from https://github.com/gcf3711/truffle_example/tree/main/elysium. Online; accessed 10 Jun 2023.
[9]
Rachit Agarwal, Tanmay Thapliyal, and Sandeep K. Shukla. 2021. Vulnerability and transaction behavior based detection of malicious smart contracts. In International Conference on Cryptography and Security Systems.
[10]
Amir Ali, Zain Ul Abideen, and Kalim Ullah. 2021. SESCon: Secure ethereum smart contracts by vulnerable patterns’ detection. Secur. Commun. Networks 2021 (2021), 2897565:1–2897565:14. https://www.hindawi.com/journals/scn/2021/2897565/
[11]
Nami Ashizawa, Naoto Yanai, Jason Paul Cruz, and Shingo Okamura. 2021. Eth2Vec: Learning contract-wide code representations for vulnerability detection on ethereum smart contracts. Proceedings of the 3rd ACM International Symposium on Blockchain and Secure Critical Infrastructure 3, 4 (2021), 10010.
[12]
Nami Ashizawa, Naoto Yanai, Jason Paul Cruz, and Shingo Okamura. 2021. Eth2Vec: Learning contract-wide code representations for vulnerability detection on ethereum smart contracts. In BSCI’21: Proceedings of the 3rd ACM International Symposium on Blockchain and Secure Critical Infrastructure, Virtual Event, Hong Kong, June 7, 2021, Keke Gai and Kim-Kwang Raymond Choo (Eds.). ACM, 47–59. DOI:
[13]
Roberto Baldoni, Emilio Coppa, Daniele Cono D’Elia, Camil Demetrescu, and Irene Finocchi. 2018. A survey of symbolic execution techniques. ACM Comput. Surv. 51, 3 (2018), 50:1–50:39. DOI:
[14]
Thomas Ball. 1999. The concept of dynamic analysis. In Software Engineering - ESEC/FSE’99, 7th European Software Engineering Conference, Held Jointly with the 7th ACM SIGSOFT Symposium on the Foundations of Software Engineering, Toulouse, France, September 1999, Proceedings(Lecture Notes in Computer Science, Vol. 1687), Oscar Nierstrasz and Michel Lemoine (Eds.). Springer, 216–234. DOI:
[15]
James Bergstra and Yoshua Bengio. 2012. Random search for hyper-parameter optimization. J. Mach. Learn. Res. 13, 10 (2012), 281–305. DOI:
[16]
Gérard Biau and Erwan Scornet. 2016. A random forest guided tour. Test 25, 2 (2016), 197–227.
[17]
Priyanka Bose, Dipanjan Das, Yanju Chen, Yu Feng, Christopher Kruegel, and Giovanni Vigna. 2022. SAILFISH: Vetting Smart Contract State-Inconsistency Bugs in Seconds. In 43RD IEEE Symposium On Security and Privacy (SP’22) (IEEE Symposium on Security and Privacy), IEEE COMPUTER SOC, 10662 LOS VAQUEROS CIRCLE, PO BOX 3014, LOS ALAMITOS, CA 90720-1264 USA, 161–178. DOI:
[18]
Chainalysis. 2022. The Chainalysis 2022 Crypto Crime Report. Retrieved from https://go.chainalysis.com/2022-Crypto-Crime-Report.html. Online; accessed 9 Sep 2022.
[19]
S. Chakraborty, R. Krishna, Y. Ding, and B. Ray. 2022. Deep learning based vulnerability detection: Are We There Yet? IEEE Transactions on Software Engineering 48, 9 (September 2022), 3280–3296. DOI:
[20]
Huashan Chen, Marcus Pendleton, Laurent Njilla, and Shouhuai Xu. 2020. A survey on ethereum systems security: Vulnerabilities, attacks, and defenses. ACM Comput. Surv. 53, 3 (2020), 67:1–67:43. DOI:
[21]
Jiachi Chen, Xin Xia, David Lo, John Grundy, Xiapu Luo, and Ting Chen. 2022. DefectChecker: Automated smart contract defect detection by analyzing EVM bytecode. IEEE Trans. Software Eng. 48, 7 (2022), 2189–2207. DOI:
[22]
Jiachi Chen, Xin Xia, David Lo, and John C. Grundy. 2020. Why do smart contracts self-destruct? Investigating the selfdestruct function on ethereum. ACM Transactions on Software Engineering and Methodology (TOSEM) 31, 2 (2020), 1–37.
[23]
Jiachi Chen, Xin Xia, David Lo, John C. Grundy, Xiapu Luo, and Ting Chen. 2019. Defining smart contract defects on ethereum. IEEE Transactions on Software Engineering 48, 1 (2019), 327–345.
[24]
Tianqi Chen, Tong He, Michael Benesty, Vadim Khotilovich, Yuan Tang, Hyunsu Cho, Kailong Chen, Rory Mitchell, Ignacio Cano, Tianyi Zhou, et al. 2015. Xgboost: Extreme gradient boosting. R Package Version 0.4-2 1, 4 (2015), 1–4. https://scholar.google.com/scholar?hl=zh-CN&as_sdt=0%2C5&as_vis=1&q=Xgboost%3A+Extreme+gradient+boosting&btnG=
[25]
ConsenSys. 2019. Truffle Framework Documentation. Retrieved from https://trufflesuite.com/docs/truffle/. Online; accessed 29 January 2022.
[26]
ConsenSys. 2021. Mythril. Retrieved from https://github.com/ConsenSys/mythril-classic. Online; accessed 12 October 2021.
[27]
DHS and CISA. 2022. CVE Website. Retrieved from https://cve.mitre.org/. Online; accessed 1 January 2022.
[28]
Monika di Angelo and Gernot Salzer. 2019. A survey of tools for analyzing ethereum smart contracts. In 2019 IEEE International Conference on Decentralized Applications and Infrastructures (DAPPCON’19). 69–78. DOI:
[29]
Bruno Dia, Naghmeh Ramezani Ivaki, and Nuno Laranjeiro. 2021. An empirical evaluation of the effectiveness of smart contract verification tools. In 26th IEEE Pacific Rim International Symposium on Dependable Computing, PRDC 2021, Perth, Australia, December 1–4, 2021. IEEE, 17–26.
[30]
ConsenSys Diligence. 2022. Ethereum Smart Contract Security Best Practices. https://consensys.github.io/smart-contract-best-practices/. Online; accessed 25 April 2022.
[31]
Pedro Domingos. 2012. A few useful things to know about machine learning. Commun. ACM 55, 10 (2012), 78–87.
[32]
Thomas Durieux, João F. Ferreira, Rui Abreu, and Pedro Cruz. 2020. Empirical review of automated analysis tools on 47, 587 Ethereum smart contracts. In ICSE’20: 42nd International Conference on Software Engineering, Seoul, South Korea, 27 June–19 July, 2020, Gregg Rothermel and Doo-Hwan Bae (Eds.). ACM, 530–541. DOI:
[33]
Mojtaba Eshghie, Cyrille Artho, and Dilian Gurov. 2021. Dynamic vulnerability detection on smart contracts using machine learning. In EASE’21, Association for Computing Machinery, Trondheim, Norway, 305–312. DOI:
[34]
Ethereum. 2022. Decentralized Applications. Retrieved from https://ethereum.org/en/dapps/. Online; accessed 9 Aug 2022.
[35]
Ethereum. 2022. History. Retrieved from https://ethereum.org/en/history/. Online; accessed 29 January 2022.
[36]
Ethereum. 2022. Yellow Paper. Retrieved from https://ethereum.github.io/yellowpaper/paper.pdf. Online; accessed 25 April 2022.
[37]
Etherscan. 2022. Verified Contracts. Retrieved from https://etherscan.io/chart/verified-contracts. Online; accessed 29 January 2022.
[38]
Josselin Feist, Gustavo Grieco, and Alex Groce. 2019. Slither: A static analysis framework for smart contracts. In Proceedings of the 2nd International Workshop on Emerging Trends in Software Engineering for Blockchain, WETSEB@ICSE 2019, Montreal, QC, Canada, May 27, 2019. IEEE / ACM, 8–15. DOI:
[39]
João F. Ferreira, Pedro Cruz, Thomas Durieux, and Rui Abreu. 2020. SmartBugs: A framework to analyze solidity smart contracts. In 35th IEEE/ACM International Conference on Automated Software Engineering, ASE 2020, Melbourne, Australia, September 21–25, 2020. IEEE, 1349–1352. DOI:
[40]
Ying Fu, Meng Ren, Fuchen Ma, Heyuan Shi, Xin Yang, Yu Jiang, Huizhong Li, and Xiang Shi. 2019. EVMFuzzer: Detect EVM vulnerabilities via fuzz testing. In Proceedings of the ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, ESEC/SIGSOFT FSE 2019, Tallinn, Estonia, August 26–30, 2019, Marlon Dumas, Dietmar Pfahl, Sven Apel, and Alessandra Russo (Eds.). ACM, 1110–1114. DOI:
[41]
Zhipeng Gao, Vinoj Jayasundara, Lingxiao Jiang, Xin Xia, David Lo, and John C. Grundy. 2019. SmartEmbed: A tool for clone and bug detection in smart contracts through structural code embedding. In 2019 IEEE International Conference on Software Maintenance and Evolution, ICSME 2019, Cleveland, OH, USA, September 29–October 4, 2019. IEEE, 394–397. DOI:
[42]
Luca Gazzola, Daniela Micucci, and Leonardo Mariani. 2019. Automatic software repair: A survey. IEEE Trans. Software Eng. 45, 1 (2019), 34–67. DOI:
[43]
GeeksforGeeks. 2022. What was the DAO Hack? Retrieved from https://www.geeksforgeeks.org/what-was-the-dao-hack/. Online; accessed 29 January 2022.
[44]
Seyed Mohammad Ghaffarian and Hamid Reza Shahriari. 2017. Software vulnerability analysis and discovery using machine-learning and data-mining techniques: A survey. ACM Comput. Surv. 50, 4 (2017), 56:1–56:36. DOI:
[45]
Asem Ghaleb and Karthik Pattabiraman. 2020. How effective are smart contract analysis tools? Evaluating smart contract static analysis tools using bug injection. In ISSTA’20: 29th ACM SIGSOFT International Symposium on Software Testing and Analysis, Virtual Event, USA, July 18–22, 2020, Sarfraz Khurshid and Corina S. Pasareanu (Eds.). ACM, 415–427. DOI:
[46]
Ajay K. Gogineni, Soumya Swayamjyoti, Devadatta Sahoo, Kisor Kumar Sahu, and Raj Kishore. 2020. Multi-class classification of vulnerabilities in smart contracts using AWD-LSTM, with pre-trained encoder inspired from natural language processing. IOP SciNotes 1, 3 (2020), 035002.
[47]
Google. 2022. Bigquery. Retrieved from https://console.cloud.google.com/bigquery?project=ethereal-shape-303507. Online; accessed 25 April 2022.
[48]
Claire Le Goues, Michael Dewey-Vogt, Stephanie Forrest, and Westley Weimer. 2012. A systematic study of automated program repair: Fixing 55 out of 105 bugs for $8 each. In 34th International Conference on Software Engineering, ICSE 2012, June 2–9, 2012, Zurich, Switzerland, Martin Glinz, Gail C. Murphy, and Mauro Pezzè (Eds.). IEEE Computer Society, 3–13. DOI:
[49]
H-X. 2022. Top 3 Smart Contract Audit Tools. Retrieved from https://www.h-x.technology/blog/top-3-smart-contract-audit-tools. Online; accessed 9 Aug 2022.
[50]
Hui Han, Wenyuan Wang, and Binghuan Mao. 2005. Borderline-SMOTE: A new over-sampling method in imbalanced data sets learning. In Advances in Intelligent Computing, International Conference on Intelligent Computing, ICIC 2005, Hefei, China, August 23–26, 2005, Proceedings, Part I(Lecture Notes in Computer Science, Vol. 3644), De-Shuang Huang, Xiao-Ping (Steven) Zhang, and Guang-Bin Huang (Eds.). Springer, 878–887. DOI:
[51]
Bo Jiang, Ye Liu, and W. K. Chan. 2018. ContractFuzzer: Fuzzing smart contracts for vulnerability detection. In Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering, ASE 2018, Montpellier, France, September 3–7, 2018, Marianne Huchard, Christian Kästner, and Gordon Fraser (Eds.). ACM, 259–269. DOI:
[52]
Nan Jiang, Thibaud Lutellier, and Lin Tan. 2021. CURE: Code-aware neural machine translation for automatic program repair. In 2021 IEEE/ACM 43rd International Conference on Software Engineering (ICSE’21). 1161–1173. DOI:
[53]
Dongsun Kim, Jaechang Nam, Jaewoo Song, and Sunghun Kim. 2013. Automatic patch generation learned from human-written patches. In 2013 35th International Conference on Software Engineering (ICSE’13). 802–811. DOI:
[54]
Masanari Kondo, Gustavo Ansaldi Oliva, Zhen Ming Jack Jiang, Ahmed E. Hassan, and Osamu Mizuno. 2020. Code cloning in smart contracts: A case study on verified contracts from the Ethereum blockchain platform. Empirical Software Engineering 25, 6 (2020), 4617–4675.
[55]
Sifis Lagouvardos, Neville Grech, Ilias Tsatiris, and Yannis Smaragdakis. 2020. Precise static modeling of Ethereum “memory”. Proc. ACM Program. Lang. 4, OOPSLA (2020), 190:1–190:26. DOI:
[56]
George Lawton. 2022. Top 9 Blockchain Platforms to Consider in 2022. https://www.techtarget.com/searchcio/feature/Top-9-blockchain-platforms-to-consider. Online; accessed 9 Aug 2022.
[57]
Claire Le Goues, ThanhVu Nguyen, Stephanie Forrest, and Westley Weimer. 2012. GenProg: A generic method for automatic software repair. IEEE Transactions on Software Engineering 38, 1 (2012), 54–72. DOI:
[58]
Nicolas Lesimple and Martin Jaggi. 2020. Exploring Deep Learning Models for Vulnerabilities Detection in Smart Contracts. Ecole Polytechnique Federale de Lausanne, Lausanne, Switzerland.
[59]
Yi Li, Shaohua Wang, and Tien N. Nguyen. 2020. DLFix: Context-based code transformation learning for automated program repair. In ICSE’20: 42nd International Conference on Software Engineering, Seoul, South Korea, 27 June–19 July, 2020, Gregg Rothermel and Doo-Hwan Bae (Eds.). ACM, 602–614. DOI:
[60]
Jian-Wei Liao, Tsung-Ta Tsai, Chia-Kang He, and Chin-Wei Tien. 2019. SoliAudit: Smart contract vulnerability assessment based on machine learning and fuzz testing. 2019 Sixth International Conference on Internet of Things: Systems, Management and Security (IOTSMS) (2019), 458–465.
[61]
Zeqin Liao, Zibin Zheng, Xiao Cui Chen, and Yuhong Nan. 2022. SmartDagger: A bytecode-based static analysis approach for detecting cross-contract vulnerability. Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis (2022). Retrieved from https://api.semanticscholar.org/CorpusID:250562430
[62]
Chao Liu, Han Liu, Zhao Cao, Zhong Chen, Bangdao Chen, and Bill Roscoe. 2018. ReGuard: Finding reentrancy bugs in smart contracts. In Proceedings of the 40th International Conference on Software Engineering: Companion Proceeedings, ICSE 2018, Gothenburg, Sweden, May 27–June 03, 2018, Michel Chaudron, Ivica Crnkovic, Marsha Chechik, and Mark Harman (Eds.). ACM, 65–68. DOI:
[63]
Kui Liu, Anil Koyuncu, Dongsun Kim, and Tegawendé F. Bissyandé. 2019. TBar: Revisiting template-based automated program repair. In Proceedings of the 28th ACM SIGSOFT International Symposium on Software Testing and Analysis, ISSTA 2019, Beijing, China, July 15–19, 2019, Dongmei Zhang and Anders Møller (Eds.). ACM, 31–42. DOI:
[64]
Kui Liu, Shangwen Wang, Anil Koyuncu, Kisub Kim, Peng Wu, Jacques Klein, Xiaoguang Mao, Yves Le Traon, Tegawendé Bissyandé, and Dongsun Kim. 2020. On the efficiency of test suite based program repair: A systematic assessment of 16 automated repair systems for Java programs. DOI:
[65]
Zhenguang Liu, Peng Qian, Xiang Wang, Lei Zhu, Qinming He, and Shouling Ji. 2021. Smart contract vulnerability detection: From pure neural network to interpretable graph feature and expert pattern fusion. In International Joint Conference on Artificial Intelligence. Retrieved from https://api.semanticscholar.org/CorpusID:235458204
[66]
Oliver Lutz, Huili Chen, Hossein Fereidooni, Christoph Sendner, Alexandra Dmitrienko, Ahmad-Reza Sadeghi, and Farinaz Koushanfar. 2021. ESCORT: Ethereum smart COntRacTs vulnerability detection using deep neural network and transfer learning. arXiv:2103.12607. Retrieved from https://arxiv.org/abs/2103.12607
[67]
Loi Luu, Duc-Hiep Chu, Hrishi Olickel, Prateek Saxena, and Aquinas Hobor. 2016. Making smart contracts smarter. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, Vienna, Austria, October 24–28, 2016, Edgar R. Weippl, Stefan Katzenbeisser, Christopher Kruegel, Andrew C. Myers, and Shai Halevi (Eds.). ACM, 254–269. DOI:
[68]
Na Meng, Stefan Nagy, Danfeng Daphne Yao, Wenjie Zhuang, and Gustavo A. Arango-Argoty. 2017. Secure coding practices in Java: challenges and vulnerabilities. 2018 IEEE/ACM 40th International Conference on Software Engineering (ICSE) (2017), 372–383. Retrieved from https://api.semanticscholar.org/CorpusID:3480894
[69]
Pouyan Momeni, Yu Wang, and Reza Samavi. 2019. Machine learning model for smart contracts security analysis. In 2019 17th International Conference on Privacy, Security and Trust (PST) (2019), 1–6.
[70]
Mark Mossberg, Felipe Manzano, Eric Hennenfent, Alex Groce, Gustavo Grieco, Josselin Feist, Trent Brunson, and Artem Dinaburg. 2019. Manticore: A user-friendly symbolic execution framework for binaries and smart contracts. In 34th IEEE/ACM International Conference on Automated Software Engineering, ASE 2019, San Diego, CA, USA, November 11–15, 2019. IEEE, 1186–1189. DOI:
[71]
Anthony J. Myles, Robert N. Feudale, Yang Liu, Nathaniel A Woody, and Steven D Brown. 2004. An introduction to decision tree modeling. Journal of Chemometrics: A Journal of the Chemometrics Society 18, 6 (2004), 275–285.
[72]
MythX. 2021. SWC Registry. Retrieved from https://swcregistry.io/. Online; accessed 12 October 2021.
[73]
NCC Group. 2019. Decentralized Application Security Project (or DASP) Top 10 of 2018. Retrieved from https://dasp.co/. Online; accessed 29 January 2019.
[74]
Hoang Duong Thien Nguyen, Dawei Qi, Abhik Roychoudhury, and Satish Chandra. 2013. SemFix: Program repair via semantic analysis. In 35th International Conference on Software Engineering, ICSE’13, San Francisco, CA, USA, May 18–26, 2013, David Notkin, Betty H. C. Cheng, and Klaus Pohl (Eds.). IEEE Computer Society, 772–781. DOI:
[75]
Tai D. Nguyen, Long H. Pham, and Jun Sun. 2021. SGUARD: Towards fixing vulnerable smart contracts automatically. In 42nd IEEE Symposium on Security and Privacy, SP 2021, San Francisco, CA, USA, 24–27 May 2021. IEEE, 1215–1229. DOI:
[76]
Tai D. Nguyen, Long H. Pham, Jun Sun, Yun Lin, and Quang Tran Minh. 2020. sFuzz: An efficient adaptive fuzzer for solidity smart contracts. In ICSE’20: 42nd International Conference on Software Engineering, Seoul, South Korea, 27 June–19 July, 2020, Gregg Rothermel and Doo-Hwan Bae (Eds.). ACM, 778–788. DOI:
[77]
NickLennonLiu. 2023. How to Produce the Graph Feature from Onehot Vectors? Retrieved from https://github.com/Messi-Q/AMEVulDetector/issues/4. Online; accessed 25 October 2023.
[78]
Openzeppelin. 2022. Access Control. Retrieved from https://docs.openzeppelin.com/contracts/4.x/access-control. Online; accessed 29 January 2022.
[79]
OpenZeppelin. 2022. A Library for Secure Smart Contract Development. Retrieved from https://github.com/OpenZeppelin/openzeppelin-contracts/. Online; accessed 25 April 2022.
[80]
Openzeppelin. 2022. SafeMath. Retrieved from https://github.com/binodnp/openzeppelin-solidity/blob/master/contracts/math/SafeMath.sol. Online; accessed 29 January 2022.
[81]
Openzeppelin. 2022. Security. Retrieved from https://docs.openzeppelin.com/contracts/4.x/api/security#ReentrancyGuard. Online; accessed 29 January 2022.
[82]
PeckShield. 2022. Uniswap/Lendf.Me Hacks: Root Cause and Loss Analysis. Retrieved from https://peckshield.medium.com/uniswap-lendf-me-hacks-root-cause-and-loss-analysis-50f3263dcc09. Online; accessed 9 Sep 2022.
[83]
Anton Permenev, Dimitar K. Dimitrov, Petar Tsankov, Dana Drachsler-Cohen, and Martin T. Vechev. 2020. VerX: Safety verification of smart contracts. In 2020 IEEE Symposium on Security and Privacy, SP 2020, San Francisco, CA, USA, May 18–21, 2020. IEEE, 1661–1677. DOI:
[84]
Andrea Pinna, Simona Ibba, Gavina Baralla, Roberto Tonelli, and Michele Marchesi. 2019. A massive analysis of ethereum smart contracts empirical study and code metrics. IEEE Access 7 (2019), 78194–78213. https://webofscience.clarivate.cn/wos/alldb/full-record/WOS:000473774600001
[85]
Kamil Polak. 2022. Hack Solidity: Reentrancy Attack. Retrieved from https://hackernoon.com/hack-solidity-reentrancy-attack. Online; accessed 9 Sep 2022.
[86]
Yuhua Qi, Xiaoguang Mao, Yan Lei, Ziying Dai, and Chengsong Wang. 2014. The strength of random search on automated program repair. In 36th International Conference on Software Engineering, ICSE’14, Hyderabad, India - May 31 - June 07, 2014, Pankaj Jalote, Lionel C. Briand, and André van der Hoek (Eds.). ACM, 254–265. DOI:
[87]
Yuhua Qi, Xiaoguang Mao, Yan Lei, Ziying Dai, and Chengsong Wang. 2014. The strength of random search on automated program repair. In 36th International Conference on Software Engineering, ICSE’14, Hyderabad, India - May 31 - June 07, 2014, Pankaj Jalote, Lionel C. Briand, and André van der Hoek (Eds.). ACM, 254–265. DOI:
[88]
J. Ross Quinlan et al. 1996. Bagging, boosting, and C4. 5. In Aaai/Iaai, vol. 1. 725–730.
[89]
Meng Ren, Zijing Yin, Fuchen Ma, Zhenyang Xu, Yu Jiang, Chengnian Sun, Huizhong Li, and Yan Cai. 2021. Empirical evaluation of smart contract testing: What is the best choice?. In ISSTA’21: 30th ACM SIGSOFT International Symposium on Software Testing and Analysis, Virtual Event, Denmark, July 11–17, 2021, Cristian Cadar and Xiangyu Zhang (Eds.). ACM, 566–579. DOI:
[90]
Michael Rodler, Wenting Li, Ghassan O. Karame, and Lucas Davi. 2021. EVMPatch: Timely and automated patching of ethereum smart contracts. In 30th USENIX Security Symposium, USENIX Security 2021, August 11–13, 2021, Michael Bailey and Rachel Greenstadt (Eds.). USENIX Association, 1289–1306. Retrieved from https://www.usenix.org/conference/usenixsecurity21/presentation/rodler
[91]
Stelios Sidiroglou-Douskos, Eric Lahtinen, Fan Long, and Martin C. Rinard. 2015. Automatic error elimination by horizontal code transfer across multiple applications. In Proceedings of the 36th ACM SIGPLAN Conference on Programming Language Design and Implementation, Portland, OR, USA, June 15–17, 2015, David Grove and Stephen M. Blackburn (Eds.). ACM, 43–54. DOI:
[92]
Slither. 2022. Control Flow Node. Retrieved from https://github.com/crytic/slither/blob/master/slither/core/cfg/node.py. Online; accessed 29 January 2022.
[93]
SmartBugs. 2021. Dataset. Retrieved from https://github.com/smartbugs/smartbugs/tree/master/dataset. Online; accessed 12 October 2021.
[94]
Sunbeom So, Myungho Lee, Jisu Park, Heejo Lee, and Hakjoo Oh. 2020. VERISMART: A highly precise safety verifier for ethereum smart contracts. In 2020 IEEE Symposium on Security and Privacy, SP 2020, San Francisco, CA, USA, May 18–21, 2020. IEEE, 1678–1694. DOI:
[95]
Solidity Documentation. 2022. Security Considerations. Retrieved from https://docs.soliditylang.org/en/v0.4.26/security-considerations.html#use-the-checks-effects-interactionspattern. Online; accessed 29 January 2022.
[96]
Yuhang Sun and Lize Gu. 2021. Attention-based machine learning model for smart contract vulnerability detection. Journal of Physics: Conference Series 1820, 1 (2021), 012004.
[97]
Onur Sürücü, Uygar Yeprem, Connor Wilkinson, Waleed Hilal, Stephen Andrew Gadsden, John Yawney, Naseem Alsadi, and Alessandro Giuliano. 2022. A survey on ethereum smart contract vulnerability detection using machine learning. In Defense + Commercial Sensing.
[98]
Nick Szabo. 1997. Formalizing and securing relationships on public networks. First Monday 2, 9 (1997). https://webofscience.clarivate.cn/wos/alldb/full-record/INSPEC:5726368
[99]
Wesley Joon-Wie Tann, Xing Jie Han, Sourav Sengupta, and Y. Ong. 2018. Towards safer smart contracts: A sequence learning approach to detecting vulnerabilities. arXiv:1811.06632. Retrieved from https://arxiv.org/abs/1811.06632
[100]
Sergei Tikhomirov, Ekaterina Voskresenskaya, Ivan Ivanitskiy, Ramil Takhaviev, Evgeny Marchenko, and Yaroslav Alexandrov. 2018. SmartCheck: Static analysis of ethereum smart contracts. In 1st IEEE/ACM International Workshop on Emerging Trends in Software Engineering for Blockchain, WETSEB@ICSE 2018, Gothenburg, Sweden, May 27–June 3, 2018, Roberto Tonelli, Giuseppe Destefanis, Steve Counsell, and Michele Marchesi (Eds.). ACM, 9–16. DOI:
[101]
Christof Ferreira Torres, Hugo Jonker, and Radu State. 2022. Elysium: Context-aware bytecode-level patching to automatically heal vulnerable smart contracts. In RAID’22, Association for Computing Machinery, Limassol, Cyprus, 115–128. DOI:
[102]
Petar Tsankov, Andrei Marian Dan, Dana Drachsler-Cohen, Arthur Gervais, Florian Bünzli, and Martin T. Vechev. 2018. Securify: Practical security analysis of smart contracts. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, CCS 2018, Toronto, ON, Canada, October 15–19, 2018, David Lie, Mohammad Mannan, Michael Backes, and XiaoFeng Wang (Eds.). ACM, 67–82. DOI:
[103]
Alexey Tsymbal. 2004. The problem of concept drift: definitions and related work. Computer Science Department, Trinity College Dublin 106, 2 (2004), 58.
[104]
Gerhard Wagner. 2021. Authorization through tx.origin Vulnerability. Retrieved from https://swcregistry.io/docs/SWC-115. Online; accessed 12 October 2021.
[105]
Gerhard Wagner. 2021. EIP-1470. Retrieved from https://eips.ethereum.org/EIPS/eip-1470. Online; accessed 12 October 2021.
[106]
Wei Wang, Jingjing Song, Guangquan Xu, Yidong Li, Hao Wang, and Chunhua Su. 2020. ContractWard: Automated vulnerability detection models for ethereum smart contracts. IEEE Transactions on Network Science and Engineering 8, 2 (2020), 1133–1144.
[107]
Wei Wang, Jingjing Song, Guangquan Xu, Yidong Li, Hao Wang, and Chunhua Su. 2021. ContractWard: Automated vulnerability detection models for ethereum smart contracts. IEEE Trans. Netw. Sci. Eng. 8, 2 (2021), 1133–1144. DOI:
[108]
Geoffrey I. Webb, Roy Hyde, Hong Cao, Hai-Long Nguyen, and François Petitjean. 2015. Characterizing concept drift. Data Mining and Knowledge Discovery 30, 4 (2015), 964–994.
[109]
Westley Weimer, ThanhVu Nguyen, Claire Le Goues, and Stephanie Forrest. 2009. Automatically finding patches using genetic programming. In 31st International Conference on Software Engineering, ICSE 2009, May 16–24, 2009, Vancouver, Canada, Proceedings. IEEE, 364–374. DOI:
[110]
Cipai Xing, Zhuo Chen, Lexin Chen, Xiaojie Guo, Zibin Zheng, and Jin Li. 2020. A new scheme of vulnerability analysis in smart contract with machine learning. Wireless Networks (2020), 1–10. https://webofscience.clarivate.cn/wos/alldb/full-record/WOS:000546538400002
[111]
Yingjie Xu, Gengran Hu, Lin You, and Chengtang Cao. 2021. A novel machine learning-based analysis model for smart contract vulnerability. Secur. Commun. Networks 2021 (2021), 5798033:1–5798033:12. https://www.hindawi.com/journals/scn/2021/5798033/
[112]
Jifeng Xuan, Matias Martinez, Favio Demarco, Maxime Clement, Sebastian R. Lamelas Marcote, Thomas Durieux, Daniel Le Berre, and Martin Monperrus. 2017. Nopol: Automatic repair of conditional statement bugs in Java programs. IEEE Trans. Software Eng. 43, 1 (2017), 34–55. DOI:
[113]
Yinxing Xue, Mingliang Ma, Yun Lin, Yulei Sui, Jiaming Ye, and Tianyong Peng. 2020. Cross-contract static analysis for detecting practical reentrancy vulnerabilities in smart contracts. In 35th IEEE/ACM International Conference on Automated Software Engineering, ASE 2020, Melbourne, Australia, September 21–25, 2020. IEEE, 1029–1040. DOI:
[114]
Yinxing Xue, Jiaming Ye, Wei Zhang, Jun Sun, Lei Ma, Haijun Wang, and Jianjun Zhao. 2022. xFuzz: Machine learning guided cross-contract fuzzing. IEEE Transactions on Dependable and Secure Computing (2022), 1–14. https://ieeexplore.ieee.org/document/9795233?denied=
[115]
Xiao Liang Yu, Omar I. Al-Bataineh, David Lo, and Abhik Roychoudhury. 2020. Smart contract repair. ACM Trans. Softw. Eng. Methodol. 29, 4 (2020), 27:1–27:32. DOI:
[116]
Meng Zhang, Pengcheng Zhang, Xiapu Luo, and Feng Xiao. 2020. Source code obfuscation for smart contracts. In 2020 27th Asia-Pacific Software Engineering Conference (APSEC’20). 513–514. DOI:
[117]
Yuyao Zhang, Siqi Ma, Juanru Li, Kailai Li, Surya Nepal, and Dawu Gu. 2020. SMARTSHIELD: Automatic smart contract protection made easy. In 27th IEEE International Conference on Software Analysis, Evolution and Reengineering, SANER 2020, London, ON, Canada, February 18–21, 2020, Kostas Kontogiannis, Foutse Khomh, Alexander Chatzigeorgiou, Marios-Eleftherios Fokaefs, and Minghui Zhou (Eds.). IEEE, 23–34. DOI:
[118]
Yanjie Zhao, Li Li, Haoyu Wang, Haipeng Cai, Tegawendé F. Bissyandé, Jacques Klein, and John C. Grundy. 2021. On the impact of sample duplication in machine-learning-based Android malware detection. ACM Trans. Softw. Eng. Methodol. 30, 3 (2021), 40:1–40:38. DOI:
[119]
Zibin Zheng, Neng Zhang, Jianzhong Su, Zhijie Zhong, Mingxi Ye, and Jiachi Chen. 2023. Turn the rudder: A beacon of reentrancy detection for smart contracts on ethereum. In Proceedings of the 45th International Conference on Software Engineering (ICSE’23), IEEE Press, Melbourne, Victoria, Australia, 295–306. DOI:
[120]
Xiaogang Zhu, Sheng Wen, Seyit Camtepe, and Yang Xiang. 2022. Fuzzing: A survey for roadmap. ACM Comput. Surv. 54, 11s (2022), 1–36. DOI:Just Accepted.
[121]
Yuan Zhuang, Zhenguang Liu, Peng Qian, Qi Liu, Xiang Wang, and Qinming He. 2020. Smart contract vulnerability detection using graph neural network. In International Joint Conference on Artificial Intelligence.
Index Terms
- sGuard+: Machine Learning Guided Rule-Based Automated Vulnerability Repair on Smart Contracts
Recommendations
Smart Contract Code Repair Recommendation based on Reinforcement Learning and Multi-metric Optimization
A smart contract is a kind of code deployed on the blockchain that executes automatically once an event triggers a clause in the contract. Since smart contracts involve businesses such as asset transfer, they are more vulnerable to attacks, so it is ...
ContractFuzzer: fuzzing smart contracts for vulnerability detection
ASE '18: Proceedings of the 33rd ACM/IEEE International Conference on Automated Software EngineeringDecentralized cryptocurrencies feature the use of blockchain to transfer values among peers on networks without central agency. Smart contracts are programs running on top of the blockchain consensus protocol to enable people make agreements while ...
EOSFuzzer: Fuzzing EOSIO Smart Contracts for Vulnerability Detection
Internetware '20: Proceedings of the 12th Asia-Pacific Symposium on InternetwareEOSIO is one typical public blockchain platform. It is scalable in terms of transaction speeds and has a growing ecosystem supporting smart contracts and decentralized applications. However, the vulnerabilities within the EOSIO smart contracts have led ...
Comments
Information & Contributors
Information
Published In
June 2024
952 pages
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
Published: 04 June 2024
Online AM: 08 February 2024
Accepted: 09 January 2024
Revised: 15 November 2023
Received: 24 November 2022
Published in TOSEM Volume 33, Issue 5
Check for updates
Author Tags
Qualifiers
- Research-article
Funding Sources
- Anhui Provincial Department of Science and Technology
- National Natural Science Foundation of China
- Basic Research Program of Jiangsu Province
- CAS Pioneer Hundred Talents Program of China
- Ministry of Education, Singapore under its Academic Research Fund Tier 3
Contributors
Other Metrics
Bibliometrics & Citations
Bibliometrics
Article Metrics
- View Citations1Total Citations
- 645Total Downloads
- Downloads (Last 12 months)645
- Downloads (Last 6 weeks)67
Reflects downloads up to 11 Aug 2024
Other Metrics
Citations
Cited By
View all- Kiani RSheng V(2024)Ethereum Smart Contract Vulnerability Detection and Machine Learning-Driven Solutions: A Systematic Literature ReviewElectronics10.3390/electronics1312229513:12(2295)Online publication date: 12-Jun-2024
View Options
Get Access
Login options
Check if you have access through your login credentials or your institution to get full access on this article.
Sign in