The increased adoption of smart contracts in many industries has made them an attractive target for cybercriminals, leading to millions of dollars in losses. Thus, deploying smart contracts with detected vulnerabilities (known to developers) are not acceptable, and fixing all the detected vulnerabilities is needed, which incurs high manual labor cost without effective tool support. To fill this need, in this paper, we propose ContractFix, a novel framework that automatically generates security patches for vulnerable smart contracts. ContractFix is a general framework that can incorporate different fix patterns for different types of vulnerabilities. Users can use it as a security fix-it tool that automatically applies patches and verifies the patched contracts before deploying the contracts. To address the unique challenges in fixing smart contract vulnerabilities, given an input smart contract, \tool conducts our proposed ensemble identification based on multiple static verification tools to identify vulnerabilities that are amenable for automatic fix. Then, ContractFix generates patches using template-based fix patterns and conducts program analysis (program dependency computation and pointer analysis) for smart contracts to accurately infer and populate the parameter values for the fix patterns. Finally, ContractFix performs static verification that guarantees the patched contract is free of vulnerabilities. Our evaluations on $144$ real vulnerable contracts demonstrate that \tool can successfully fix $94\%$ of the detected vulnerabilities ($565$ out of $601$) and preserve the expected behaviors of the smart contracts.

翻译：随着智能合约在各行业的广泛采用，其已成为网络犯罪分子的诱人目标，导致数百万美元的损失。因此，部署存在已知漏洞的智能合约是不可接受的，而修复所有已检测漏洞需要大量人工成本，且缺乏有效的工具支持。为满足这一需求，本文提出ContractFix——一种新型框架，可自动为易受攻击的智能合约生成安全补丁。ContractFix是一个通用框架，能够针对不同类型的漏洞整合不同的修复模式。用户可将其作为安全修复工具使用，在部署合约前自动应用补丁并验证修复后的合约。为应对智能合约漏洞修复的独特挑战，给定输入智能合约，该框架基于多重静态验证工具执行我们提出的集成识别方法，以识别适合自动修复的漏洞。随后，ContractFix利用基于模板的修复模式生成补丁，并对智能合约进行程序分析（程序依赖计算与指针分析），以准确推断并填充修复模式的参数值。最后，ContractFix执行静态验证，确保修复后的合约不存在漏洞。我们在144个真实漏洞合约上的评估表明，该框架成功修复了94%的已检测漏洞（601个中的565个），并保留了智能合约的预期行为。