Abstract
A smart contract is code deployed on a blockchain that executes automatically once an event triggers a clause of the contract. Because smart contracts handle business such as asset transfers, they are more vulnerable to attacks, so ensuring their security is crucial. Since a smart contract cannot be modified once deployed on the blockchain, developers must fix vulnerabilities before deployment. Compared with the many vulnerability detection tools for smart contracts, the number of automatic repair approaches is relatively limited, and the existing ones mainly rely on predefined repair patterns or heuristic search algorithms. In this article, we propose RLRep, a reinforcement learning-based approach that automatically provides repair recommendations to smart contract developers. It uses an agent to suggest repair actions for a vulnerable smart contract without any supervision, which addresses the lack of labeled data that machine learning-based repair methods face. We evaluate our approach on a dataset of 853 Solidity smart contracts with different kinds of vulnerabilities, split into training and test sets. The results show that our approach provides correct repair recommendations for 54.97% of the smart contracts.
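To make the repair-recommendation loop concrete, the following is an added example, not RLRep's code or the paper's dataset. It uses tabular Q-learning (an assumed stand-in for whatever agent RLRep actually trains) over three constructed Solidity-like snippets. The state is the vulnerability class reported by a toy rule-based checker (`detect`, a hypothetical simplification), the actions are three repair templates (reorder the external call after the state update, wrap `send` in `require`, insert an underflow guard), and the reward is simply whether the checker stops flagging the snippet. No labeled fix is ever shown to the agent; it learns which template removes which finding from the detector signal alone.

```python
import random
import re
from collections import defaultdict

# Constructed toy snippets, one per vulnerability class the toy checker knows.
# They are illustration inputs, not contracts from the RLRep dataset.
VULNERABLE_SNIPPETS = [
    # reentrancy: external call happens before the balance is zeroed
    "function withdraw() public {\n"
    "    uint amt = balances[msg.sender];\n"
    "    msg.sender.call{value: amt}(\"\");\n"
    "    balances[msg.sender] = 0;\n"
    "}",
    # unchecked low-level call: the boolean returned by send() is ignored
    "function pay(address payable to, uint amt) public {\n"
    "    to.send(amt);\n"
    "}",
    # unchecked arithmetic (pre-0.8 semantics): no bound check before subtraction
    "function burn(uint amt) public {\n"
    "    balances[msg.sender] -= amt;\n"
    "}",
]

CALL_RE = ".call{"
ZERO_WRITE_RE = re.compile(r"balances\[msg\.sender\]\s*=\s*0")


def detect(src: str) -> str:
    """Hypothetical rule-based checker: returns a vulnerability class or 'clean'."""
    lines = src.splitlines()
    call_idx = next((i for i, l in enumerate(lines) if CALL_RE in l), None)
    write_idx = next((i for i, l in enumerate(lines) if ZERO_WRITE_RE.search(l)), None)
    if call_idx is not None and write_idx is not None and call_idx < write_idx:
        return "reentrancy"
    if re.search(r"^\s*\w+\.send\(", src, re.M):
        return "unchecked-send"
    if "-=" in src and "require(" not in src:
        return "underflow"
    return "clean"


# Repair templates (the agent's action space). Each returns src unchanged
# when the template does not apply, so a wrong action is a visible no-op.
def reorder_call_after_effects(src: str) -> str:
    lines = src.splitlines()
    ci = next((i for i, l in enumerate(lines) if CALL_RE in l), None)
    wi = next((i for i, l in enumerate(lines) if ZERO_WRITE_RE.search(l)), None)
    if ci is None or wi is None or ci > wi:
        return src
    lines[ci], lines[wi] = lines[wi], lines[ci]  # checks-effects-interactions order
    return "\n".join(lines)


def require_send_result(src: str) -> str:
    return re.sub(r"^(\s*)(\w+\.send\([^;]*\));",
                  r'\1require(\2, "send failed");', src, flags=re.M)


def add_underflow_guard(src: str) -> str:
    m = re.search(r"^(\s*)(\S.*?)\s*-=\s*(\w+);", src, re.M)
    if not m:
        return src
    indent, lhs, rhs = m.groups()
    guard = f'{indent}require({lhs} >= {rhs}, "underflow");\n'
    return src[:m.start()] + guard + src[m.start():]


ACTIONS = {
    "reorder_call_after_effects": reorder_call_after_effects,
    "require_send_result": require_send_result,
    "add_underflow_guard": add_underflow_guard,
}


def train(episodes=300, alpha=0.5, gamma=0.9, epsilon=0.2, seed=0):
    """Unsupervised Q-learning: the only feedback is the checker's verdict."""
    rng = random.Random(seed)
    q = defaultdict(lambda: defaultdict(float))
    for _ in range(episodes):
        src = rng.choice(VULNERABLE_SNIPPETS)
        state = detect(src)
        for _step in range(3):  # small edit budget per episode
            if state == "clean":
                break
            if rng.random() < epsilon:
                action = rng.choice(list(ACTIONS))
            else:
                action = max(ACTIONS, key=lambda a: q[state][a])
            new_src = ACTIONS[action](src)
            new_state = detect(new_src)
            reward = 1.0 if new_state == "clean" else -1.0
            best_next = max(q[new_state].values(), default=0.0)
            q[state][action] += alpha * (reward + gamma * best_next - q[state][action])
            src, state = new_src, new_state
    return q


def recommend(q, src: str) -> str:
    """Greedy repair recommendation for one snippet from the learned Q-table."""
    return max(ACTIONS, key=lambda a: q[detect(src)][a])


def repair(q, src: str) -> str:
    return ACTIONS[recommend(q, src)](src)


if __name__ == "__main__":
    table = train()
    for snippet in VULNERABLE_SNIPPETS:
        print(detect(snippet), "->", recommend(table, snippet))
```

The reward here is a single binary detector signal; a real system would fold in further metrics (for example compile success or gas cost) and a far richer state than the checker's label, but the structure of the loop, state from analysis, action from a repair template, reward without labeled fixes, is what the abstract describes.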
Smart Contract Code Repair Recommendation based on Reinforcement Learning and Multi-metric Optimization