Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Fixing Smart Contract Vulnerabilities: A Comparative Analysis of Literature and Developer's Practices

Francesco Salzano, Simone Scalabrino, Rocco Oliveto, Remo Pareschi

TL;DR

This work tackles the gap between literature-proposed vulnerability-fixing guidelines for Solidity smart contracts and real-world developer practices. It combines a literature-grounded catalog of fixes with an empirical pipeline that mines GitHub for vulnerability-fixing commits, then uses manual analysis to assess adherence to the DASP TOP 10 categories and uncover novel fixes. Preliminary results from a pilot indicate developers sometimes implement fixes not captured in existing guidelines, such as a bounded-denial-of-service repair, suggesting valuable new directions for automation and guideline refinement. The study aims to produce public datasets and insights to improve SC security practices and guide future auto-repair tools.

Abstract

Smart Contracts are programs running logic in the Blockchain network by executing operations through immutable transactions. The Blockchain network validates such transactions, storing them into sequential blocks of which integrity is ensured. Smart Contracts deal with value stakes, if a damaging transaction is validated, it may never be reverted, leading to unrecoverable losses. To prevent this, security aspects have been explored in several fields, with research providing catalogs of security defects, secure code recommendations, and possible solutions to fix vulnerabilities. In our study, we refer to vulnerability fixing in the ways found in the literature as guidelines. However, it is not clear to what extent developers adhere to these guidelines, nor whether there are other viable common solutions and what they are. The goal of our research is to fill knowledge gaps related to developers' observance of existing guidelines and to propose new and viable solutions to security vulnerabilities. To reach our goal, we will obtain from Solidity GitHub repositories the commits that fix vulnerabilities included in the DASP TOP 10 and we will conduct a manual analysis of fixing approaches employed by developers. Our analysis aims to determine the extent to which literature-based fixing strategies are followed. Additionally, we will identify and discuss emerging fixing techniques not currently documented in the literature. Through qualitative analysis, we will evaluate the suitability of these new fixing solutions and discriminate between valid approaches and potential mistakes.

Fixing Smart Contract Vulnerabilities: A Comparative Analysis of Literature and Developer's Practices

TL;DR

This work tackles the gap between literature-proposed vulnerability-fixing guidelines for Solidity smart contracts and real-world developer practices. It combines a literature-grounded catalog of fixes with an empirical pipeline that mines GitHub for vulnerability-fixing commits, then uses manual analysis to assess adherence to the DASP TOP 10 categories and uncover novel fixes. Preliminary results from a pilot indicate developers sometimes implement fixes not captured in existing guidelines, such as a bounded-denial-of-service repair, suggesting valuable new directions for automation and guideline refinement. The study aims to produce public datasets and insights to improve SC security practices and guide future auto-repair tools.

Abstract

Smart Contracts are programs running logic in the Blockchain network by executing operations through immutable transactions. The Blockchain network validates such transactions, storing them into sequential blocks of which integrity is ensured. Smart Contracts deal with value stakes, if a damaging transaction is validated, it may never be reverted, leading to unrecoverable losses. To prevent this, security aspects have been explored in several fields, with research providing catalogs of security defects, secure code recommendations, and possible solutions to fix vulnerabilities. In our study, we refer to vulnerability fixing in the ways found in the literature as guidelines. However, it is not clear to what extent developers adhere to these guidelines, nor whether there are other viable common solutions and what they are. The goal of our research is to fill knowledge gaps related to developers' observance of existing guidelines and to propose new and viable solutions to security vulnerabilities. To reach our goal, we will obtain from Solidity GitHub repositories the commits that fix vulnerabilities included in the DASP TOP 10 and we will conduct a manual analysis of fixing approaches employed by developers. Our analysis aims to determine the extent to which literature-based fixing strategies are followed. Additionally, we will identify and discuss emerging fixing techniques not currently documented in the literature. Through qualitative analysis, we will evaluate the suitability of these new fixing solutions and discriminate between valid approaches and potential mistakes.
Paper Structure (11 sections, 3 figures, 1 table)

This paper contains 11 sections, 3 figures, 1 table.

Table of Contents

  1. Introduction
  2. Background and Related Work
  3. Empirical Study Design
  4. Study Context
  5. Finding Candidate Repositories
  6. Mining Commits
  7. Filtering Commits
  8. Experimental Procedure
  9. Preliminary Results
  10. Limitations, Challenges and Mitigation
  11. Conclusion

Figures (3)

  • Figure 1: Overall workflow to answer RQ1
  • Figure 2: Overall workflow to answer RQ2
  • Figure 3: Denial of service patched by a commit.