Bridging the Gap: A Comparative Study of Academic and Developer Approaches to Smart Contract Vulnerabilities
- URL: http://arxiv.org/abs/2504.12443v1
- Date: Wed, 16 Apr 2025 19:20:00 GMT
- Title: Bridging the Gap: A Comparative Study of Academic and Developer Approaches to Smart Contract Vulnerabilities
- Authors: Francesco Salzano, Lodovica Marchesi, Cosmo Kevin Antenucci, Simone Scalabrino, Roberto Tonelli, Rocco Oliveto, Remo Pareschi,
- Abstract summary: We investigate the strategies adopted by Solidity developers to fix security vulnerabilities in smart contracts.<n>From non-aligned commits, we identified 27 novel fixing strategies not previously discussed in the literature.<n>These emerging patterns offer actionable solutions for securing smart contracts in underexplored areas.
- Score: 5.052062767357937
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: In this paper, we investigate the strategies adopted by Solidity developers to fix security vulnerabilities in smart contracts. Vulnerabilities are categorized using the DASP TOP 10 taxonomy, and fixing strategies are extracted from GitHub commits in open-source Solidity projects. Each commit was selected through a two-phase process: an initial filter using natural language processing techniques, followed by manual validation by the authors. We analyzed these commits to evaluate adherence to academic best practices. Our results show that developers often follow established guidelines for well-known vulnerability types such as Reentrancy and Arithmetic. However, in less-documented categories like Denial of Service, Bad Randomness, and Time Manipulation, adherence is significantly lower, suggesting gaps between academic literature and practical development. From non-aligned commits, we identified 27 novel fixing strategies not previously discussed in the literature. These emerging patterns offer actionable solutions for securing smart contracts in underexplored areas. To evaluate the quality of these new fixes, we conducted a questionnaire with academic and industry experts, who assessed each strategy based on Generalizability, Long-term Sustainability, and Effectiveness. Additionally, we performed a post-fix analysis by tracking subsequent commits to the fixed files, assessing the persistence and evolution of the fixes over time. Our findings offer an empirically grounded view of how vulnerabilities are addressed in practice, bridging theoretical knowledge and real-world solutions in the domain of smart contract security.
Related papers
- Thinking Longer, Not Larger: Enhancing Software Engineering Agents via Scaling Test-Time Compute [61.00662702026523]
We propose a unified Test-Time Compute scaling framework that leverages increased inference-time instead of larger models.<n>Our framework incorporates two complementary strategies: internal TTC and external TTC.<n>We demonstrate our textbf32B model achieves a 46% issue resolution rate, surpassing significantly larger models such as DeepSeek R1 671B and OpenAI o1.
arXiv Detail & Related papers (2025-03-31T07:31:32Z) - Vulnerability Detection in Ethereum Smart Contracts via Machine Learning: A Qualitative Analysis [0.0]
We analyze the state of the art in machine-learning vulnerability detection for smart contracts.
We discuss best practices to enhance the accuracy, scope, and efficiency of vulnerability detection in smart contracts.
arXiv Detail & Related papers (2024-07-26T10:09:44Z) - Contractual Reinforcement Learning: Pulling Arms with Invisible Hands [68.77645200579181]
We propose a theoretical framework for aligning economic interests of different stakeholders in the online learning problems through contract design.
For the planning problem, we design an efficient dynamic programming algorithm to determine the optimal contracts against the far-sighted agent.
For the learning problem, we introduce a generic design of no-regret learning algorithms to untangle the challenges from robust design of contracts to the balance of exploration and exploitation.
arXiv Detail & Related papers (2024-07-01T16:53:00Z) - Soley: Identification and Automated Detection of Logic Vulnerabilities in Ethereum Smart Contracts Using Large Language Models [1.081463830315253]
We empirically investigate logic vulnerabilities in real-world smart contracts extracted from code changes on GitHub.
We introduce Soley, an automated method for detecting logic vulnerabilities in smart contracts.
We examine mitigation strategies employed by smart contract developers to address these vulnerabilities in real-world scenarios.
arXiv Detail & Related papers (2024-06-24T00:15:18Z) - Multi-Agent Imitation Learning: Value is Easy, Regret is Hard [52.31989962031179]
We study a multi-agent imitation learning (MAIL) problem where we take the perspective of a learner attempting to coordinate a group of agents.
Most prior work in MAIL essentially reduces the problem to matching the behavior of the expert within the support of the demonstrations.
While doing so is sufficient to drive the value gap between the learner and the expert to zero under the assumption that agents are non-strategic, it does not guarantee to deviations by strategic agents.
arXiv Detail & Related papers (2024-06-06T16:18:20Z) - Vulnerabilities of smart contracts and mitigation schemes: A Comprehensive Survey [0.6554326244334866]
This paper presents a literature review combined with an experimental report that aims to assist developers in developing secure smarts.
It provides a list of frequent vulnerabilities and corresponding mitigation solutions.
It evaluates the community most widely used tools by executing and testing them on sample smart contracts.
arXiv Detail & Related papers (2024-03-28T19:36:53Z) - Fixing Smart Contract Vulnerabilities: A Comparative Analysis of
Literature and Developer's Practices [6.09162202256218]
We refer to vulnerability fixing in the ways found in the literature as guidelines.
It is not clear to what extent developers adhere to these guidelines, nor whether there are other viable common solutions and what they are.
The goal of our research is to fill knowledge gaps related to developers' observance of existing guidelines and to propose new and viable solutions to security vulnerabilities.
arXiv Detail & Related papers (2024-03-12T09:55:54Z) - Robust Representation Learning for Unreliable Partial Label Learning [86.909511808373]
Partial Label Learning (PLL) is a type of weakly supervised learning where each training instance is assigned a set of candidate labels, but only one label is the ground-truth.
This is known as Unreliable Partial Label Learning (UPLL) that introduces an additional complexity due to the inherent unreliability and ambiguity of partial labels.
We propose the Unreliability-Robust Representation Learning framework (URRL) that leverages unreliability-robust contrastive learning to help the model fortify against unreliable partial labels effectively.
arXiv Detail & Related papers (2023-08-31T13:37:28Z) - Pre-deployment Analysis of Smart Contracts -- A Survey [0.27195102129095]
We present a systematic review of the literature on smart contract vulnerabilities and methods.
Specifically, we enumerate and classify smart contract vulnerabilities and methods by the properties they address.
Several patterns about the strengths of different methods emerge through this classification process.
arXiv Detail & Related papers (2023-01-15T12:36:56Z) - Semantic-Preserving Adversarial Code Comprehension [75.76118224437974]
We propose Semantic-Preserving Adversarial Code Embeddings (SPACE) to find the worst-case semantic-preserving attacks.
Experiments and analysis demonstrate that SPACE can stay robust against state-of-the-art attacks while boosting the performance of PrLMs for code.
arXiv Detail & Related papers (2022-09-12T10:32:51Z) - ESCORT: Ethereum Smart COntRacTs Vulnerability Detection using Deep
Neural Network and Transfer Learning [80.85273827468063]
Existing machine learning-based vulnerability detection methods are limited and only inspect whether the smart contract is vulnerable.
We propose ESCORT, the first Deep Neural Network (DNN)-based vulnerability detection framework for smart contracts.
We show that ESCORT achieves an average F1-score of 95% on six vulnerability types and the detection time is 0.02 seconds per contract.
arXiv Detail & Related papers (2021-03-23T15:04:44Z) - Leveraging Expert Consistency to Improve Algorithmic Decision Support [62.61153549123407]
We explore the use of historical expert decisions as a rich source of information that can be combined with observed outcomes to narrow the construct gap.
We propose an influence function-based methodology to estimate expert consistency indirectly when each case in the data is assessed by a single expert.
Our empirical evaluation, using simulations in a clinical setting and real-world data from the child welfare domain, indicates that the proposed approach successfully narrows the construct gap.
arXiv Detail & Related papers (2021-01-24T05:40:29Z)
This list is automatically generated from the titles and abstracts of the papers in this site.
This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.