Automated Vulnerability Injection in Solidity Smart Contracts: A Mutation-Based Approach for Benchmark Development

• URL: http://arxiv.org/abs/2504.15948v1
• Date: Tue, 22 Apr 2025 14:46:18 GMT
• Title: Automated Vulnerability Injection in Solidity Smart Contracts: A Mutation-Based Approach for Benchmark Development
• Authors: Gerardo Iuliano, Luigi Allocca, Matteo Cicalese, Dario Di Nucci,
• Abstract summary: This work evaluates whether mutation seeding can effectively inject vulnerabilities into Solidity-based smart contracts.<n>We propose MuSe, a tool to generate vulnerable smart contracts by leveraging pattern-based mutation operators.<n>We analyzed these vulnerable smart contracts using Slither, a static analysis tool, to determine its capacity to identify them and assess their validity.
• Score: 2.0074256613821033
• License: http://creativecommons.org/licenses/by/4.0/
• Abstract: The security of smart contracts is critical in blockchain systems, where even minor vulnerabilities can lead to substantial financial losses. Researchers proposed several vulnerability detection tools evaluated using existing benchmarks. However, most benchmarks are outdated and focus on a narrow set of vulnerabilities. This work evaluates whether mutation seeding can effectively inject vulnerabilities into Solidity-based smart contracts and whether state-of-the-art static analysis tools can detect the injected flaws. We aim to automatically inject vulnerabilities into smart contracts to generate large and wide benchmarks. We propose MuSe, a tool to generate vulnerable smart contracts by leveraging pattern-based mutation operators to inject six vulnerability types into real-world smart contracts. We analyzed these vulnerable smart contracts using Slither, a static analysis tool, to determine its capacity to identify them and assess their validity. The results show that each vulnerability has a different injection rate. Not all smart contracts can exhibit some vulnerabilities because they lack the prerequisites for injection. Furthermore, static analysis tools fail to detect all vulnerabilities injected using pattern-based mutations, underscoring the need for enhancements in static analyzers and demonstrating that benchmarks generated by mutation seeding tools can improve the evaluation of detection tools.

Related papers

• EthCluster: An Unsupervised Static Analysis Method for Ethereum Smart Contract [1.1923665587866032]
  We train a model using unsupervised learning to identify vulnerabilities in the Solidity source code of smart contracts.<n>To address the challenges associated with real-world smart contracts, our training data is derived from actual vulnerability samples.
  arXiv  Detail & Related papers  (2025-04-14T08:36:21Z)
• Are You Getting What You Pay For? Auditing Model Substitution in LLM APIs [60.881609323604685]
  Large Language Models (LLMs) accessed via black-box APIs introduce a trust challenge. Users pay for services based on advertised model capabilities. providers may covertly substitute the specified model with a cheaper, lower-quality alternative to reduce operational costs. This lack of transparency undermines fairness, erodes trust, and complicates reliable benchmarking.
  arXiv  Detail & Related papers  (2025-04-07T03:57:41Z)
• Impact of Code Transformation on Detection of Smart Contract Vulnerabilities [0.0]
  This paper presents a method for improving the quantity and quality of smart contract vulnerability datasets. The approach centers around semantic-preserving code transformation, a technique that modifies the source code structure without altering its semantic meaning. The improved results show that many newly created vulnerabilities can bypass tools and the false reporting rate goes up to 100%.
  arXiv  Detail & Related papers  (2024-10-29T03:08:25Z)
• The Impact of SBOM Generators on Vulnerability Assessment in Python: A Comparison and a Novel Approach [56.4040698609393]
  Software Bill of Materials (SBOM) has been promoted as a tool to increase transparency and verifiability in software composition. Current SBOM generation tools often suffer from inaccuracies in identifying components and dependencies. We propose PIP-sbom, a novel pip-inspired solution that addresses their shortcomings.
  arXiv  Detail & Related papers  (2024-09-10T10:12:37Z)
• Vulnerability Detection in Ethereum Smart Contracts via Machine Learning: A Qualitative Analysis [0.0]
  We analyze the state of the art in machine-learning vulnerability detection for smart contracts. We discuss best practices to enhance the accuracy, scope, and efficiency of vulnerability detection in smart contracts.
  arXiv  Detail & Related papers  (2024-07-26T10:09:44Z)
• Static Application Security Testing (SAST) Tools for Smart Contracts: How Far Are We? [14.974832502863526]
  In recent years, the importance of smart contract security has been heightened by the increasing number of attacks against them. To address this issue, a multitude of static application security testing (SAST) tools have been proposed for detecting vulnerabilities in smart contracts. In this paper, we propose an up-to-date and fine-grained taxonomy that includes 45 unique vulnerability types for smart contracts.
  arXiv  Detail & Related papers  (2024-04-28T13:40:18Z)
• Vulnerability Scanners for Ethereum Smart Contracts: A Large-Scale Study [44.25093111430751]
  In 2023 alone, such vulnerabilities led to substantial financial losses exceeding a billion of US dollars. Various tools have been developed to detect and mitigate vulnerabilities in smart contracts. This study investigates the gap between the effectiveness of existing security scanners and the vulnerabilities that still persist in practice.
  arXiv  Detail & Related papers  (2023-12-27T11:26:26Z)
• ASSERT: Automated Safety Scenario Red Teaming for Evaluating the Robustness of Large Language Models [65.79770974145983]
  ASSERT, Automated Safety Scenario Red Teaming, consists of three methods -- semantically aligned augmentation, target bootstrapping, and adversarial knowledge injection. We partition our prompts into four safety domains for a fine-grained analysis of how the domain affects model performance. We find statistically significant performance differences of up to 11% in absolute classification accuracy among semantically related scenarios and error rates of up to 19% absolute error in zero-shot adversarial settings.
  arXiv  Detail & Related papers  (2023-10-14T17:10:28Z)
• CONTRACTFIX: A Framework for Automatically Fixing Vulnerabilities in Smart Contracts [12.68736241704817]
  ContractFix is a framework that automatically generates security patches for vulnerable smart contracts. Users can use it as a security fix-it tool that automatically applies patches and verifies the patched contracts.
  arXiv  Detail & Related papers  (2023-07-18T01:14:31Z)
• Enhancing Smart Contract Security Analysis with Execution Property Graphs [48.31617821205042]
  We introduce Clue, a dynamic analysis framework specifically designed for a runtime virtual machine.<n>Clue captures critical information during contract executions, employing a novel graph-based representation, the Execution Property Graph.<n> evaluation results reveal Clue's superior performance with high true positive rates and low false positive rates, outperforming state-of-the-art tools.
  arXiv  Detail & Related papers  (2023-05-23T13:16:42Z)
• Exploring Robustness of Unsupervised Domain Adaptation in Semantic Segmentation [74.05906222376608]
  We propose adversarial self-supervision UDA (or ASSUDA) that maximizes the agreement between clean images and their adversarial examples by a contrastive loss in the output space. This paper is rooted in two observations: (i) the robustness of UDA methods in semantic segmentation remains unexplored, which pose a security concern in this field; and (ii) although commonly used self-supervision (e.g., rotation and jigsaw) benefits image tasks such as classification and recognition, they fail to provide the critical supervision signals that could learn discriminative representation for segmentation tasks.
  arXiv  Detail & Related papers  (2021-05-23T01:50:44Z)
• ESCORT: Ethereum Smart COntRacTs Vulnerability Detection using Deep Neural Network and Transfer Learning [80.85273827468063]
  Existing machine learning-based vulnerability detection methods are limited and only inspect whether the smart contract is vulnerable. We propose ESCORT, the first Deep Neural Network (DNN)-based vulnerability detection framework for smart contracts. We show that ESCORT achieves an average F1-score of 95% on six vulnerability types and the detection time is 0.02 seconds per contract.
  arXiv  Detail & Related papers  (2021-03-23T15:04:44Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.