{"title":"ContractTinker:为真实世界智能合约提供 LLM 驱动的漏洞修复功能","authors":"Che Wang, Jiashuo Zhang, Jianbo Gao, Libin Xia, Zhi Guan, Zhong Chen","doi":"arxiv-2409.09661","DOIUrl":null,"url":null,"abstract":"Smart contracts are susceptible to being exploited by attackers, especially\nwhen facing real-world vulnerabilities. To mitigate this risk, developers often\nrely on third-party audit services to identify potential vulnerabilities before\nproject deployment. Nevertheless, repairing the identified vulnerabilities is\nstill complex and labor-intensive, particularly for developers lacking security\nexpertise. Moreover, existing pattern-based repair tools mostly fail to address\nreal-world vulnerabilities due to their lack of high-level semantic\nunderstanding. To fill this gap, we propose ContractTinker, a Large Language\nModels (LLMs)-empowered tool for real-world vulnerability repair. The key\ninsight is our adoption of the Chain-of-Thought approach to break down the\nentire generation task into sub-tasks. Additionally, to reduce hallucination,\nwe integrate program static analysis to guide the LLM. We evaluate\nContractTinker on 48 high-risk vulnerabilities. The experimental results show\nthat among the patches generated by ContractTinker, 23 (48%) are valid patches\nthat fix the vulnerabilities, while 10 (21%) require only minor modifications.\nA video of ContractTinker is available at https://youtu.be/HWFVi-YHcPE.","PeriodicalId":501278,"journal":{"name":"arXiv - CS - Software Engineering","volume":null,"pages":null},"PeriodicalIF":0.0000,"publicationDate":"2024-09-15","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"ContractTinker: LLM-Empowered Vulnerability Repair for Real-World Smart Contracts\",\"authors\":\"Che Wang, Jiashuo Zhang, Jianbo Gao, Libin Xia, Zhi Guan, Zhong Chen\",\"doi\":\"arxiv-2409.09661\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Smart contracts are susceptible to being exploited by attackers, especially\\nwhen facing real-world vulnerabilities. To mitigate this risk, developers often\\nrely on third-party audit services to identify potential vulnerabilities before\\nproject deployment. Nevertheless, repairing the identified vulnerabilities is\\nstill complex and labor-intensive, particularly for developers lacking security\\nexpertise. Moreover, existing pattern-based repair tools mostly fail to address\\nreal-world vulnerabilities due to their lack of high-level semantic\\nunderstanding. To fill this gap, we propose ContractTinker, a Large Language\\nModels (LLMs)-empowered tool for real-world vulnerability repair. The key\\ninsight is our adoption of the Chain-of-Thought approach to break down the\\nentire generation task into sub-tasks. Additionally, to reduce hallucination,\\nwe integrate program static analysis to guide the LLM. We evaluate\\nContractTinker on 48 high-risk vulnerabilities. The experimental results show\\nthat among the patches generated by ContractTinker, 23 (48%) are valid patches\\nthat fix the vulnerabilities, while 10 (21%) require only minor modifications.\\nA video of ContractTinker is available at https://youtu.be/HWFVi-YHcPE.\",\"PeriodicalId\":501278,\"journal\":{\"name\":\"arXiv - CS - Software Engineering\",\"volume\":null,\"pages\":null},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2024-09-15\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"arXiv - CS - Software Engineering\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/arxiv-2409.09661\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"arXiv - CS - Software Engineering","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/arxiv-2409.09661","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
ContractTinker: LLM-Empowered Vulnerability Repair for Real-World Smart Contracts
Smart contracts are susceptible to being exploited by attackers, especially
when facing real-world vulnerabilities. To mitigate this risk, developers often
rely on third-party audit services to identify potential vulnerabilities before
project deployment. Nevertheless, repairing the identified vulnerabilities is
still complex and labor-intensive, particularly for developers lacking security
expertise. Moreover, existing pattern-based repair tools mostly fail to address
real-world vulnerabilities due to their lack of high-level semantic
understanding. To fill this gap, we propose ContractTinker, a Large Language
Models (LLMs)-empowered tool for real-world vulnerability repair. The key
insight is our adoption of the Chain-of-Thought approach to break down the
entire generation task into sub-tasks. Additionally, to reduce hallucination,
we integrate program static analysis to guide the LLM. We evaluate
ContractTinker on 48 high-risk vulnerabilities. The experimental results show
that among the patches generated by ContractTinker, 23 (48%) are valid patches
that fix the vulnerabilities, while 10 (21%) require only minor modifications.
A video of ContractTinker is available at https://youtu.be/HWFVi-YHcPE.
求助内容:
应助结果提醒方式:
京公网安备 11010802042870号
