Fixing Smart Contract Vulnerabilities: A Comparative Analysis of Literature and Developer's Practices
Francesco Salzano, Simone Scalabrino, Rocco Oliveto, Remo Pareschi

TL;DR
This paper investigates how developers fix smart contract vulnerabilities in practice, comparing their approaches to existing guidelines and identifying new solutions through analysis of GitHub commits.
Contribution
It provides an empirical study on developer adherence to security guidelines and introduces new fixing techniques not yet documented in literature.
Findings
Developers often deviate from established security guidelines.
New fixing approaches are emerging outside of current literature.
Qualitative analysis assesses the validity of these new solutions.
Abstract
Smart Contracts are programs that run logic on the Blockchain network by executing operations through immutable transactions. The Blockchain network validates such transactions, storing them in sequential blocks whose integrity is ensured. Smart Contracts deal with value at stake: if a damaging transaction is validated, it may never be reverted, leading to unrecoverable losses. To prevent this, security aspects have been explored in several fields, with research providing catalogs of security defects, secure code recommendations, and possible solutions to fix vulnerabilities. In our study, we refer to the ways of fixing vulnerabilities found in the literature as guidelines. However, it is not clear to what extent developers adhere to these guidelines, nor whether there are other viable common solutions and what they are. The goal of our research is to fill knowledge gaps related to…
Taxonomy
Topics: Insurance and Financial Risk Management
