Computer Science ›› 2026, Vol. 53 ›› Issue (7): 422-432.doi: 10.11896/jsjkx.250500008

• Information Security • Previous Articles     Next Articles

OptimalFix:Complete Framework for Efficient Detection and Patch of Vulnerabilities in SmartContracts Automatically

CHEN Shanshan, JING Ningkang   

  1. School of Computer Science,Nanjing University of Posts and Telecommunications,Nanjing 210003,China
  • Received:2025-05-06 Revised:2025-08-15 Online:2026-07-15 Published:2026-07-10
  • About author:CHEN Shanshan,born in 1980,Ph.D,associate professor.Her main research interests include large-scale distributed storage architecture and system performance optimization,blockchain technology.

Abstract: Ethereum smart contracts have attracted significant attention in recent years,but their security vulnerabilities could result in substantial financial losses,highlighting the importance of detecting and patching these vulnerabilities.However,recent research primarily focuses on vulnerability detection rather than notable repair tools,which could result in high costs for manual repair.To address this challenge,this paper introduces OptimalFix,a novel framework that integrates vulnerability detection and patch,automatically generating secure patches for unsafe smart contracts.OptimalFix converts smart contracts into an intermediate representation and employs static detection to quickly identify and locate vulnerabilities.Subsequently,it conducts static program analysis,such as false positive filtering and program dependency analysis.The framework then generates patches using a template-based approach and selects the optimal template based on the results of the earlier static analysis,including detection outcomes and program analysis.OptimalFix is evaluated on three datasets,successfully fixing 90.2% of the vulnerabilities,with an average cost of only 900 milliseconds and a 6.7% increase in gas consumption.

Key words: Smart contract, Vulnerability detection, Static program analysis, Patching

CLC Number: 

  • TP309
[1]SANTOS F,KOSTAKIS V.The DAO:a million dollar lesson in blockchain governance[EB/OL].http://technologygovernance.eu/eng/defended_theses/francisco_santos/.
[2]TIKHOMIROV S,VOSKRESENSKAYA E,IVANITSKIY I,et al.Smartcheck:Static analysis of ethereum smart contracts[C]//Proceedings of the 1st International Workshop on Emerging Trends in Software Engineering for Blockchain.2018:9-16.
[3]CHEN Q S,HE X Y,XU W J,et al.Reentrancy Vulnerability Detection Based on Pre-training Technology and Expert Know-ledge[J].Computer Science,2022,49(11A):713-720.
[4]KALRA S,GOEL S,DHAWAN M,et al.Zeus:analyzing safety of smart contracts[C]//Ndss.2018:1-12.
[5]FEIST J,GRIECO G,GROCE A.Slither:a static analysisframework for smart contracts[C]//2019 IEEE/ACM 2nd International Workshop on Emerging Trends in Software Engineering for Blockchain(WETSEB).IEEE,2019:8-15.
[6]CHEN Y,DAI H,YU X,et al.Improving Ponzi scheme contract detection using multi-channel TextCNN and transformer[J].Sensors,2021,21(19):6417.
[7]ASSIRI F Y,BIEMAN J M.The impact of search algorithms in automated program repair[J].Procedia Computer Science,2015,62:65-72.
[8]YUSTE J,DUARTE A,PARDO E G.An efficient heuristic algorithm for software module clustering optimization[J].Journal of Systems and Software,2022,190:111349.
[9]NGUYEN T D,PHAM L H,SUN J.SGUARD:towards fixing vulnerable smart contracts automatically[C]//2021 IEEE Symposium on Security and Privacy(SP).IEEE,2021:1215-1229.
[10]RODLER M,LI W,KARAME G O,et al.{EVMPatch}:Timely and automated patching of ethereum smart contracts[C]//30th Usenix Security Symposium(USENIX Security 21).2021:1289-1306.
[11]CHEN Q,ZHOU T,LIU K,et al.Tips:towards automatingpatch suggestion for vulnerable smart contracts[J].Automated Software Engineering,2023,30(2):31.
[12]DURIEUX T,FERREIRA J F,ABREU R,et al.Empirical review of automated analysis tools on 47,587 ethereum smart contracts[C]//Proceedings of the ACM/IEEE 42nd International Conference on Software Engineering.2020:530-541.
[13]ZHANG P C,XIAO F,LUO X P.A framework and dataset for bugs in ethereum smart contracts[C]//2020 IEEE International Conference on Software Maintenance and Evolution(ICSME).IEEE,2020:139-150.
[14]GHALEB A,PATTABIRAMAN K.How effective are smartcontract analysis tools? evaluating smart contract static analysis tools using bug injection[C]//Proceedings of the 29th ACM SIGSOFT International Symposium on Software Testing and Analysis.2020:415-427.
[15]LUU L,CHU D H,OLICKEL H,et al.Making smart contracts smarter[C]//Proceedings of the 2016 ACM SIGSAC Confe-rence on Computer and Communications Security(CCS).2016:254-269.
[16]AMRI S A L,ANIELLO L,SASSONE V.A review of upgradeable smart contract patterns based on openzeppelin technique[J].The Journal of The British Blockchain Association,2023,6(1):1-8.
[17]MENSE A,FLATSCHER M.Security vulnerabilities in ethe-reum smart contracts[C]//Proceedings of the 20th International Conference on Information Integration and Web-based Applications & Services.2018:375-380.
[18]LIU K,LI L,KOYUNCU A,et al.A critical review on the eva-luation of automated program repair systems[J].Journal of Systems and Software,2021,171:110817.
[19]WOOD G.Ethereum:A secure decentralised generalised transaction ledger[J].Ethereum project yellow paper,2014,151:1-32.
[20]LIU K,XU T T.Survey on automated vulnerability repair[J].Journal of Software,2023:35(1):136-158.
[21]LIU K,LI L,KOYUNCU A,et al.A critical review on the eva-luation of automated program repair systems[J].Journal of Systems and Software,2021,171:110817.
[22]LIU K,KOYUNCU A,KIM D,et al.TBar:Revisiting template-based automated program repair[C]//Proceedings of the 28th ACM SIGSOFT International Symposium on Software Testing and Analysis.2019:31-42.
[23]LU N,WANG B,ZHANG Y,et al.NeuCheck:A more practical Ethereum smart contract security analysis tool[J].Software:Practice and Experience,2021,51(10):2065-2084.
[24]ZHAN P,XIAO F,LUO X.A framework and dataset for bugs in ethereum smart contracts[C]//2020 IEEE International Conference on Software Maintenance and Evolution(ICSME).IEEE,2020:139-150.
[25]FANG P,GAO P,PENG Y,et al.Contractfix:A framework for automatically fixing vulnerabilities in smart contracts[J].arXiv:2307.08912,2023.
[26]CLARK J,DEROSE S.XML path language(XPath)[EB/OL].(1999-11-16).https://www.renderx.com/~renderx/portal/Tests/xmlspec/xpath.pdf
[27]PARR T.The definitive ANTLR 4 reference[M].PRAGMATIC BOOKSHELF,2013.
[28]LIU K,KOYUNCU A,KIM D,et al.TBar:Revisiting template-based automated program repair[C]//Proceedings of the 28th ACM SIGSOFT International Symposium on Software Testing and Analysis.2019:31-42.
[29]DIMITRIJEVIC' N,ZDRAVKOVIC'N.A review on security vulnerabilities of smart contracts written in solidity[EB/OL].https://www.eventiotic.com/eventiotic/files/Papers/URL/6d46e328-e12b-44e7-9005-839f3b5cf7cd.pdf.
[30]CHEN H,LUO X,SHI L,et al.Security challenges and defense approaches for blockchain-based services from a full-stack architecture perspective[J].Blockchain:Research and Applications,2023,4(3):100135.
[31]CHEN T,LI X,LUO X,et al.Under-optimized smart contracts devour your money[C]//2017 IEEE 24th International Conference on Software Analysis,Evolution and Reengineering(SANER).IEEE,2017:442-446.
[32]NAVAS E.Remix theory:The aesthetics of sampling[M].Birkhäuser,2014.
[1] ZHANG Yuanyuan, LIU Tieming, LIU Guoan, GE Xueshuai. Symbolic Execution-based Automated Verification Method for Binary Vulnerabilities [J]. Computer Science, 2026, 53(6A): 250600035-7.
[2] SONG Jianhua, HE Jiawei, ZHANG Yan. Dual-channel Source Code Vulnerability Detection Model Based on Contrastive Learning [J]. Computer Science, 2026, 53(3): 424-432.
[3] LI Chengyu, HUANG Ke, ZHANG Ruiheng , CHEN Wei. Heterogeneous Graph Attention Network-based Approach for Smart Contract Vulnerability
Detection
[J]. Computer Science, 2026, 53(2): 423-430.
[4] ZHOU Tao, DU Yongping, XIE Runfeng, HAN Honggui. Vulnerability Detection Method Based on Deep Fusion of Multi-dimensional Features from Heterogeneous Contract Graphs [J]. Computer Science, 2025, 52(9): 368-375.
[5] BAO Shenghong, YAO Youjian, LI Xiaoya, CHEN Wen. Integrated PU Learning Method PUEVD and Its Application in Software Source CodeVulnerability Detection [J]. Computer Science, 2025, 52(6A): 241100144-9.
[6] ZHANG Xuming, SHI Yaqing, HUANG Song, WANG Xingya, HU Jinchang, LU Jiangtao. Survey of Open-source Software Component Vulnerability Detection and Automatic RepairTechnology [J]. Computer Science, 2025, 52(6): 1-20.
[7] JIAO Jian, CHEN Ruixiang, HE Qiang, QU Kaiyang, ZHANG Ziyi. Study on Smart Contract Vulnerability Repair Based on T5 Model [J]. Computer Science, 2025, 52(4): 362-368.
[8] SONG Jianhua, CAO Kai, ZHANG Yan. Smart Contract Bytecode Vulnerability Detection Method Based on Heterogeneous Graphs and Instruction Sequences [J]. Computer Science, 2025, 52(12): 367-373.
[9] HAN Luchao, ZHANG Wei. Survey on Fuzz Testing Techniques for Network Protocols [J]. Computer Science, 2025, 52(11A): 241100173-9.
[10] YANG Ke, GUO Qinglei, SHEN Yiming, BAI Neng, SONG Wenting, WANG Weiyu. Privacy-preserving Cross-certificate System Authentication and Access Control Model for Material Supply Chain [J]. Computer Science, 2025, 52(11A): 250100131-10.
[11] REN Jiadong, LI Shangyang, REN Rong, ZHANG Bing, WANG Qian. Web Access Control Vulnerability Detection Approach Based on Site Maps [J]. Computer Science, 2024, 51(9): 416-424.
[12] SUN Li. Application,Challenge and New Strategy of Block Chain Technology in Metaverse [J]. Computer Science, 2024, 51(7): 373-379.
[13] TIAN Hongliang, XIAN Mingjie, GE Ping. Fine Grained Security Access Control Mechanism Based on Blockchain [J]. Computer Science, 2024, 51(6A): 230400080-7.
[14] XU Yiran, ZHOU Yu. Prompt Learning Based Parameter-efficient Code Generation [J]. Computer Science, 2024, 51(6): 61-67.
[15] LIU Wei, LIU Yuzhao, TANG Congke, WANG Yuanyuan, SHE Wei, TIAN Zhao. Study on Blockchain Based Federated Distillation Data Sharing Model [J]. Computer Science, 2024, 51(3): 39-47.
Viewed
Full text


Abstract

Cited

  Shared   
  Discussed   
No Suggested Reading articles found!