{"title":"ContractTinker: LLM-Empowered Vulnerability Repair for Real-World Smart Contracts","authors":"Che Wang, Jiashuo Zhang, Jianbo Gao, Libin Xia, Zhi Guan, Zhong Chen","doi":"arxiv-2409.09661","DOIUrl":null,"url":null,"abstract":"Smart contracts are susceptible to being exploited by attackers, especially\nwhen facing real-world vulnerabilities. To mitigate this risk, developers often\nrely on third-party audit services to identify potential vulnerabilities before\nproject deployment. Nevertheless, repairing the identified vulnerabilities is\nstill complex and labor-intensive, particularly for developers lacking security\nexpertise. Moreover, existing pattern-based repair tools mostly fail to address\nreal-world vulnerabilities due to their lack of high-level semantic\nunderstanding. To fill this gap, we propose ContractTinker, a Large Language\nModels (LLMs)-empowered tool for real-world vulnerability repair. The key\ninsight is our adoption of the Chain-of-Thought approach to break down the\nentire generation task into sub-tasks. Additionally, to reduce hallucination,\nwe integrate program static analysis to guide the LLM. We evaluate\nContractTinker on 48 high-risk vulnerabilities. The experimental results show\nthat among the patches generated by ContractTinker, 23 (48%) are valid patches\nthat fix the vulnerabilities, while 10 (21%) require only minor modifications.\nA video of ContractTinker is available at https://youtu.be/HWFVi-YHcPE.","PeriodicalId":501278,"journal":{"name":"arXiv - CS - Software Engineering","volume":null,"pages":null},"PeriodicalIF":0.0000,"publicationDate":"2024-09-15","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"arXiv - CS - Software Engineering","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/arxiv-2409.09661","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 0
Abstract
Smart contracts are susceptible to being exploited by attackers, especially
when facing real-world vulnerabilities. To mitigate this risk, developers often
rely on third-party audit services to identify potential vulnerabilities before
project deployment. Nevertheless, repairing the identified vulnerabilities is
still complex and labor-intensive, particularly for developers lacking security
expertise. Moreover, existing pattern-based repair tools mostly fail to address
real-world vulnerabilities due to their lack of high-level semantic
understanding. To fill this gap, we propose ContractTinker, a Large Language
Models (LLMs)-empowered tool for real-world vulnerability repair. The key
insight is our adoption of the Chain-of-Thought approach to break down the
entire generation task into sub-tasks. Additionally, to reduce hallucination,
we integrate program static analysis to guide the LLM. We evaluate
ContractTinker on 48 high-risk vulnerabilities. The experimental results show
that among the patches generated by ContractTinker, 23 (48%) are valid patches
that fix the vulnerabilities, while 10 (21%) require only minor modifications.
A video of ContractTinker is available at https://youtu.be/HWFVi-YHcPE.
京公网安备 11010802042870号
京ICP备2023020795号-1
分享
求助内容:
应助结果提醒方式:
扫码关注我们
