CodeBC: A More Secure Large Language Model for Smart Contract Code Generation in Blockchain
Lingxiang Wang, Hainan Zhang, Qinnan Zhang, Ziwei Wang, Hongwei Zheng, Jin Dong, Zhiming Zheng
TL;DR
CodeBC tackles the risk of insecure smart-contract code generated by LLMs by introducing a three-stage fine-tuning pipeline: code infilling to adapt LMs to Solidity, vulnerability detection to inject security knowledge, and tags-guided instruction fine-tuning to steer generation toward secure code. The model, evaluated on a Solidity-focused Blockchain-HumanEval suite built from OpenZeppelin and Slither-based datasets, outperforms strong baselines in both code quality (BLEU/CodeBLEU) and security metrics (compilability and vulnerability rate), while reducing reliance on expensive pairwise vulnerability annotations. The results demonstrate a cost-efficient, transferable approach for secure blockchain code generation, with ablations showing additive gains from each stage and transferability analyses indicating competitive performance even in non-Solidity languages when using vulnerability tagging. Overall, CodeBC advances practical secure code generation for smart contracts and provides a dataset and methodology to accelerate future work in this high-stakes domain.
Abstract
Large language models (LLMs) excel at generating code from natural language instructions, yet they often lack an understanding of security vulnerabilities. This limitation makes it difficult for LLMs to avoid security risks in generated code, particularly in high-security programming tasks such as smart contract development for blockchain. Researchers have attempted to enhance the vulnerability awareness of these models by training them to differentiate between vulnerable and fixed code snippets. However, this approach relies heavily on manually labeled vulnerability data, which is only available for popular languages like Python and C++. For low-resource languages like Solidity, used in smart contracts, large-scale annotated datasets are scarce and difficult to obtain. To address this challenge, we introduce CodeBC, a code generation model specifically designed for generating secure smart contracts in blockchain. CodeBC employs a three-stage fine-tuning approach based on CodeLlama, distinguishing itself from previous methods by not relying on pairwise vulnerability location annotations. Instead, it leverages vulnerability and security tags to teach the model the differences between vulnerable and secure code. During the inference phase, the model leverages security tags to generate secure and robust code. Experimental results demonstrate that CodeBC outperforms baseline models in terms of BLEU, CodeBLEU, and compilation pass rates, while significantly reducing vulnerability rates. These findings validate the effectiveness and cost-efficiency of our three-stage fine-tuning strategy, making CodeBC a promising solution for generating secure smart contract code.
