Table of Contents
Fetching ...

HCC: A Language-Independent Hardening Contract Compiler for Smart Contracts

Jens-Rene Giesen, Sebastien Andreina, Michael Rodler, Ghassan O. Karame, Lucas Davi

TL;DR

HCC introduces a language‑independent hardening contract compiler that operates at the source level by constructing a code‑property graph (CPG) to model control‑ and data‑flow in smart contracts. The framework performs inter‑procedural and inter‑contract analysis, discovers vulnerability patterns, and automatically inserts targeted hardening patches before code generation, thereby preventing exploits while preserving functional behavior. Evaluated on 10k Solidity contracts and adapted to Hyperledger Fabric, HCC achieves high hardness against reentrancy and integer bugs with modest gas and runtime overhead, outperforming prior source‑level repair tools and maintaining compatibility with existing workflows. The work demonstrates practical, scalable security hardening across Ethereum and Fabric, with open‑source release and broad applicability through a generic CPG representation.

Abstract

Developing secure smart contracts remains a challenging task. Existing approaches are either impractical or leave the burden to developers for fixing bugs. In this paper, we propose the first practical smart contract compiler, called HCC, which automatically inserts security hardening checks at the source-code level based on a novel and language-independent code property graph (CPG) notation. The high expressiveness of our developed CPG allows us to mitigate all of the most common smart contract vulnerabilities, namely reentrancy, integer bugs, suicidal smart contracts, improper use of tx.origin, untrusted delegate-calls, and unchecked low-level call bugs. Our large-scale evaluation on 10k real-world contracts and several sets of vulnerable contracts from related work demonstrates that HCC is highly practical, outperforms state-of-the-art contract hardening techniques, and effectively prevents all verified attack transactions without hampering functional correctness.

HCC: A Language-Independent Hardening Contract Compiler for Smart Contracts

TL;DR

HCC introduces a language‑independent hardening contract compiler that operates at the source level by constructing a code‑property graph (CPG) to model control‑ and data‑flow in smart contracts. The framework performs inter‑procedural and inter‑contract analysis, discovers vulnerability patterns, and automatically inserts targeted hardening patches before code generation, thereby preventing exploits while preserving functional behavior. Evaluated on 10k Solidity contracts and adapted to Hyperledger Fabric, HCC achieves high hardness against reentrancy and integer bugs with modest gas and runtime overhead, outperforming prior source‑level repair tools and maintaining compatibility with existing workflows. The work demonstrates practical, scalable security hardening across Ethereum and Fabric, with open‑source release and broad applicability through a generic CPG representation.

Abstract

Developing secure smart contracts remains a challenging task. Existing approaches are either impractical or leave the burden to developers for fixing bugs. In this paper, we propose the first practical smart contract compiler, called HCC, which automatically inserts security hardening checks at the source-code level based on a novel and language-independent code property graph (CPG) notation. The high expressiveness of our developed CPG allows us to mitigate all of the most common smart contract vulnerabilities, namely reentrancy, integer bugs, suicidal smart contracts, improper use of tx.origin, untrusted delegate-calls, and unchecked low-level call bugs. Our large-scale evaluation on 10k real-world contracts and several sets of vulnerable contracts from related work demonstrates that HCC is highly practical, outperforms state-of-the-art contract hardening techniques, and effectively prevents all verified attack transactions without hampering functional correctness.
Paper Structure (39 sections, 11 equations, 10 figures, 5 tables)

This paper contains 39 sections, 11 equations, 10 figures, 5 tables.

Figures (10)

  • Figure 1: Architecture of hcc.
  • Figure 2: The CPG hcc constructs for the code from \ref{['lst:solexample']}.
  • Figure 3: Call Analysis during CPG enrichment for \ref{['lst:solexample']}.
  • Figure 4: Reentrancy Analysis and Hardening for \ref{['lst:solexample']}.
  • Figure 5: Cypher query for the call analysis described in \ref{['sec:solcpg']}.
  • ...and 5 more figures