A Comprehensive Understanding on Smart Contract Automated Repair
In the beginning
While existing tools are able to identify vulnerabilities and highlight the affected code lines in smart contracts, they exhibit certain limitations in automatically providing patches. In this context, smart contract automated repair is emerged as a countermeasure. Unfortunately, due to the immutability of the underlying blockchain, the smart contract cannot be updated once deployed. Therefore, traditional program repair techniques cannot be applied to smart contracts. This makes it challenging to fix vulnerabilities in smart contracts. Recently, several efforts have been proposed to automatically patch vulnerabilities in smart contracts and DeFi protocols, leading to a new branch of smart contract security.
Smart Contract Automated Repair Tools
sGuard
Nguyen et al. (2021b)[1] propose an automatic fixing approach that can transform smart contracts to be free of 4 kinds of vulnerabilities. Given a smart contract, sGuard works in two phases: 1) collects a finite set of symbolic execution traces of the smart contract and then performs static analysis on the collected traces to identify potential vulnerabilities, and 2) applies specific fixing patterns for each type of bug at the source code level. Unfortunately, sGuard performs source code rewriting without further analysis of the interactions be- tween different functions and the global dependencies of memory variables. The lack of such analysis in smart contract patching typically results in the destruc- tion of the functionality of the original contract.
EVMPatch
Rodler et al. (2021)[2] present an automated repair framework, called EVMPatch, to patch faulty smart contracts. EVMPatch works in two main steps. In the first step, based on designed patch rules, EVMPatch uses a bytecode rewriting engine to fix a basic block that has a vulnerability and appends the fixed block to the end of the contract. In the second step, after fixing a contract, EVMPatch replays some of the historical transactions of the original contract on a local Ethereum client to verify that the fixed contract is correct by observing whether attack transactions are blocked and whether other transactions are normal. However, EVMPatch only works when the vulnera- bility is located within a single bytecode basic block, while having difficulties in handling vulnerabilities across separated basic blocks.
Aroc
Jin et al. (2021)[3] propose a smart contract repairer named Aroc that can automatically fix vulnerable on-chain contracts without updating the con- tract code. Aroc consists of three main components: 1) an information extrac- tion module, which captures the variable dependencies, path constraints, and contract metadata to synthesize patches given vulnerable contract source code and bug types; 2) a patch generation module, which produces patches according to the repair templates; 3) an enhanced EVM, which binds the generated patches to fix the vulnerable contract and block the malicious transactions. However, Aroc only works on its own enhanced EVM, and the binding features cannot yet be accepted by the official Ethereum.
SCRepair
Yu et al. (2020)[4] propose an automated smart contract repair tool SCRepair using a genetic programming search method. SCRepair performs parallel genetic repair by partitioning the large search space of candidate patches into smaller mutually exclusive search spaces that can be processed individually. Considering the gas consumption of patches, SCRepair integrates a gas-awareness technique that compares candidate patches in terms of gas cost, thus screening out the patches that are useful and lower gas cost. Notably, SCRepair suffers from the inherent problems: 1) the generated patches are incomplete, which can sometimes lead to ineffectiveness, 2) the selected patches may break the functionality of the original contract, and 3) it is unable to repair the off-chain contracts.
HCC
Giesen et al. (2022)[5] develop a smart contract compiler called HCC that can insert security hardening checks into the contract source code automatically. HCC designs a code property graph (CPG) to model the control and data flows of the contract and find potential bugs. HCC then mitigates the discovered bugs by inserting hardening patches. Hardening patches in HCC are expressed as graph patterns that are used as templates for CPG-level patches against bugs. However, HCC has difficulty repairing vulnerabilities in complex DeFi protocols because it is unable to recover complete CPGs from intertwined DeFi protocols.
Elysium
Ferreira Torres et al. (2022)[6] propose Elysium, a scalable tool to- wards automated repair for smart contracts at the bytecode level. The overall workflow of this tool is illustrated in Fig. 1, which consists of four phases: 1) bug location, which is responsible for detecting and localizing bugs in the byte- code; 2) context inference, which extracts the control flow graph of the bytecode and infers the context information of the CFG; 3) patch generation, which pro- duces patches by inserting previously inferred context information into given patch templates; 4) bytecode rewriting, which injects the generated patches into the CFG and transforms it back into bytecode.
SmartShield
Zhang et al. (2020)[7] develop a bytecode rectification system SMARTSHIELD to automatically fix three types of bugs in smart contracts. The overall workflow of SMARTSHIELD consists of three steps: 1) extracting the abstract syntax tree (AST) and the unfixed bytecode of a smart contract to capture its bytecode-level semantic information; 2) generating the patches to repair the insecure control flows and data operations based on the semantic information; 3) outputting the patched bytecode and a bug repair report.
DeFinery
Tolmach et al. (2022)[8] design an approach that enables property- based automated repair of DeFi protocols while providing formal correctness guarantees. DeFinery is the first attempt to repair functional specification violations in DeFi smart contracts. DeFinery consists of two main modules: 1) a semantic analysis part, which symbolically executes a smart contract with respect to a property and a sequence of functions that lead to its violation; 2) a patch generation part, which provides a patched version of a smart contract that satisfies the property. Notably, the patch generation module of DeFinery is built on SCRepair. DeFinery extends a set of statements that are defined in SCRepair, combines the semantic analysis module to perform the patch, and adds heuristics to select changes that are likely to repair the problem.
Discussion
(1) Current automated smart contract repair techniques only address limited types of vulnerabilities and are difficult to deal with complex smart contracts, such as DeFi protocols.
(2) There is still a lack of effective verifiers to prove the correctness of patches and validate whether the intended functionality of the patched contract is equivalent to the original contract.
References
[1] Nguyen, T. D., Pham, L. H., & Sun, J. (2021, May). SGUARD: towards fixing vulnerable smart contracts automatically. In 2021 IEEE Symposium on Security and Privacy (SP) (pp. 1215–1229). IEEE.
[2] Rodler, M., Li, W., Karame, G. O., & Davi, L. (2021). {EVMPatch}: Timely and automated patching of ethereum smart contracts. In 30th USENIX Security Symposium (USENIX Security 21) (pp. 1289–1306).
[3] Jin, H., Wang, Z., Wen, M., Dai, W., Zhu, Y., & Zou, D. (2021). Aroc: An automatic repair framework for on-chain smart contracts. IEEE Transactions on Software Engineering, 48(11), 4611–4629.
[4] Yu, X. L., Al-Bataineh, O., Lo, D., & Roychoudhury, A. (2020). Smart contract repair. ACM Transactions on Software Engineering and Methodology (TOSEM), 29(4), 1–32.
[5] Giesen, J. R., Andreina, S., Rodler, M., Karame, G. O., & Davi, L. (2022). Practical mitigation of smart contract bugs. arXiv preprint arXiv:2203.00364.
[6] Ferreira Torres, C., Jonker, H., & State, R. (2022, October). Elysium: Context-aware bytecode-level patching to automatically heal vulnerable smart contracts. In Proceedings of the 25th International Symposium on Research in Attacks, Intrusions and Defenses (pp. 115–128).
[7] Zhang, Y., Ma, S., Li, J., Li, K., Nepal, S., & Gu, D. (2020, February). Smartshield: Automatic smart contract protection made easy. In 2020 IEEE 27th International Conference on Software Analysis, Evolution and Reengineering (SANER) (pp. 23–34). IEEE.
[8] Tolmach, P., Li, Y., & Lin, S. W. (2022, October). Property-Based Automated Repair of DeFi Protocols. In Proceedings of the 37th IEEE/ACM International Conference on Automated Software Engineering (pp. 1–5).
