ContractTinker: LLM-Empowered Vulnerability Repair for Real-World Smart Contracts

arXiv - CS - Software Engineering Pub Date : 2024-09-15 DOI:arxiv-2409.09661

Che Wang, Jiashuo Zhang, Jianbo Gao, Libin Xia, Zhi Guan, Zhong Chen

{"title":"ContractTinker: LLM-Empowered Vulnerability Repair for Real-World Smart Contracts","authors":"Che Wang, Jiashuo Zhang, Jianbo Gao, Libin Xia, Zhi Guan, Zhong Chen","doi":"arxiv-2409.09661","DOIUrl":null,"url":null,"abstract":"Smart contracts are susceptible to being exploited by attackers, especially\nwhen facing real-world vulnerabilities. To mitigate this risk, developers often\nrely on third-party audit services to identify potential vulnerabilities before\nproject deployment. Nevertheless, repairing the identified vulnerabilities is\nstill complex and labor-intensive, particularly for developers lacking security\nexpertise. Moreover, existing pattern-based repair tools mostly fail to address\nreal-world vulnerabilities due to their lack of high-level semantic\nunderstanding. To fill this gap, we propose ContractTinker, a Large Language\nModels (LLMs)-empowered tool for real-world vulnerability repair. The key\ninsight is our adoption of the Chain-of-Thought approach to break down the\nentire generation task into sub-tasks. Additionally, to reduce hallucination,\nwe integrate program static analysis to guide the LLM. We evaluate\nContractTinker on 48 high-risk vulnerabilities. The experimental results show\nthat among the patches generated by ContractTinker, 23 (48%) are valid patches\nthat fix the vulnerabilities, while 10 (21%) require only minor modifications.\nA video of ContractTinker is available at https://youtu.be/HWFVi-YHcPE.","PeriodicalId":501278,"journal":{"name":"arXiv - CS - Software Engineering","volume":null,"pages":null},"PeriodicalIF":0.0000,"publicationDate":"2024-09-15","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"arXiv - CS - Software Engineering","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/arxiv-2409.09661","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 0

Abstract

Smart contracts are susceptible to being exploited by attackers, especially when facing real-world vulnerabilities. To mitigate this risk, developers often rely on third-party audit services to identify potential vulnerabilities before project deployment. Nevertheless, repairing the identified vulnerabilities is still complex and labor-intensive, particularly for developers lacking security expertise. Moreover, existing pattern-based repair tools mostly fail to address real-world vulnerabilities due to their lack of high-level semantic understanding. To fill this gap, we propose ContractTinker, a Large Language Models (LLMs)-empowered tool for real-world vulnerability repair. The key insight is our adoption of the Chain-of-Thought approach to break down the entire generation task into sub-tasks. Additionally, to reduce hallucination, we integrate program static analysis to guide the LLM. We evaluate ContractTinker on 48 high-risk vulnerabilities. The experimental results show that among the patches generated by ContractTinker, 23 (48%) are valid patches that fix the vulnerabilities, while 10 (21%) require only minor modifications. A video of ContractTinker is available at https://youtu.be/HWFVi-YHcPE.

查看原文本刊更多论文

ContractTinker：为真实世界智能合约提供 LLM 驱动的漏洞修复功能

智能合约很容易被攻击者利用，尤其是在面对真实世界的漏洞时。为了降低这种风险，开发人员通常依靠第三方审计服务在项目部署前找出潜在漏洞。然而，修复识别出的漏洞仍然复杂且耗费人力，对于缺乏安全专业知识的开发人员来说尤其如此。此外，现有的基于模式的修复工具由于缺乏对高层语义的理解，大多无法解决现实世界中的漏洞问题。为了填补这一空白，我们提出了 ContractTinker，这是一种大型语言模型（LLMs）驱动的真实世界漏洞修复工具。其关键之处在于我们采用了 "思维链"（Chain-of-Thought）方法，将整个生成任务分解为多个子任务。此外，为了减少幻觉，我们还集成了程序静态分析来指导 LLM。我们在 48 个高危漏洞上对 ContractTinker 进行了评估。实验结果表明，在 ContractTinker 生成的补丁中，有 23 个（48%）是修复漏洞的有效补丁，而 10 个（21%）只需稍作修改即可。ContractTinker 的视频可在 https://youtu.be/HWFVi-YHcPE 上观看。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

arXiv - CS - Software Engineering

自引率

0.00%

发文量