Identifying Smart Contract Security Issues in Code Snippets from Stack Overflow
ACM SIGSOFT Distinguished Paper Award
Smart contract developers frequently seek solutions to development challenges on Q&A platforms such as Stack Overflow (SO). Although community responses often provide viable solutions, the embedded code snippets can also contain hidden vulnerabilities. Integrating such code directly into smart contracts may make them susceptible to malicious attacks. We conducted an online survey and received 74 responses from smart contract developers. The results of this survey indicate that the majority (86.4%) of participants do not sufficiently consider security when reusing SO code snippets. Despite the existence of various tools designed to detect vulnerabilities in smart contracts, these tools are typically developed for analyzing fully completed smart contracts and are therefore ineffective for analyzing the typical, incomplete code snippets found on SO. We introduce SOChecker, the first tool designed to identify potential vulnerabilities in incomplete SO smart contract code snippets. SOChecker first leverages a fine-tuned Llama2 model for code completion, followed by the application of symbolic execution methods for vulnerability detection. Our experimental results, derived from a dataset comprising 897 code snippets collected from smart contract-related SO posts, demonstrate that SOChecker achieves an F1 score of 68.2%, greatly surpassing GPT-3.5 and GPT-4 (20.9% and 33.2% F1 scores, respectively). Our findings underscore the need to improve the security of code snippets from Q&A websites.
Fri 20 Sep (displayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna)

13:30 - 14:50 | Smart Contracts (Technical Papers) at EI 10 Fritz Paschke
Chair(s): Michael Pradel (University of Stuttgart)

13:30 (20m talk): Empirical Study of Move Smart Contract Security: Introducing MoveScan for Enhanced Analysis. Technical Papers. Shuwei Song (University of Electronic Science and Technology of China), Jiachi Chen (Sun Yat-sen University), Ting Chen (University of Electronic Science and Technology of China), Xiapu Luo (Hong Kong Polytechnic University), Teng Li (University of Electronic Science and Technology of China), Wenwu Yang (University of Electronic Science and Technology of China), Leqing Wang (University of Electronic Science and Technology of China), Weijie Zhang (Jiangsu University of Science and Technology), Feng Luo (Hong Kong Polytechnic University), Zheyuan He (University of Electronic Science and Technology of China), Yi Lu (BitsLab), Pan Li (MoveBit). DOI

13:50 (20m talk): FunRedisp: Reordering Function Dispatch in Smart Contract to Reduce Invocation Gas Fees. Technical Papers. Yunqi Liu (Nanjing University of Science and Technology), Wei Song (Nanjing University of Science and Technology). DOI

14:10 (20m talk): Identifying Smart Contract Security Issues in Code Snippets from Stack Overflow (ACM SIGSOFT Distinguished Paper Award). Technical Papers. Jiachi Chen (Sun Yat-sen University), Chong Chen (Sun Yat-sen University), Jiang Hu (Sun Yat-sen University), John Grundy (Monash University), Yanlin Wang (Sun Yat-sen University), Ting Chen (University of Electronic Science and Technology of China), Zibin Zheng (Sun Yat-sen University). DOI, Pre-print

14:30 (20m talk): Midas: Mining Profitable Exploits in On-Chain Smart Contracts via Feedback-Driven Fuzzing and Differential Analysis. Technical Papers. Mingxi Ye (Sun Yat-sen University), Xingwei Lin (Zhejiang University), Yuhong Nan (Sun Yat-sen University), Jiajing Wu (Sun Yat-sen University), Zibin Zheng (Sun Yat-sen University). DOI