Impact of Code Transformation on Detection of Smart Contract Vulnerabilities
Cuong Tran Manh, Hieu Dinh Vo

TL;DR
This paper introduces a semantic-preserving code transformation technique to generate diverse smart contract vulnerabilities, revealing limitations of current detection tools and significantly expanding vulnerability datasets.
Contribution
It proposes a novel method for augmenting smart contract datasets with transformed code that preserves semantics but introduces new vulnerabilities, enhancing detection evaluation.
Findings
Generated vulnerabilities often bypass existing tools
False negative rate increased up to 100%
Dataset size increased by at least 2.5 times
Abstract
While smart contracts are foundational elements of blockchain applications, their inherent susceptibility to security vulnerabilities poses a significant challenge. Existing training datasets employed for vulnerability detection tools may be limited, potentially compromising their efficacy. This paper presents a method for improving the quantity and quality of smart contract vulnerability datasets and evaluates current detection methods. The approach centers around semantic-preserving code transformation, a technique that modifies the source code structure without altering its semantic meaning. The transformed code snippets are inserted into all potential locations within benign smart contract code, creating new vulnerable contract versions. This method aims to generate a wider variety of vulnerable codes, including those that can bypass detection by current analysis tools. The paper…
Taxonomy
Topics: FinTech, Crowdfunding, Digital Finance · Blockchain Technology Applications and Security · Insurance and Financial Risk Management
