-
Immutable in Principle, Upgradeable by Design: Exploratory Study of Smart Contract Upgradeability
Authors:
Ilham Qasse,
Mohammad Hamdaqa,
Björn Þór Jónsson
Abstract:
Smart contracts, known for their immutable nature to ensure trust via automated enforcement, have evolved to require upgradeability due to unforeseen vulnerabilities and the need for feature enhancements post-deployment. This contradiction between immutability and the need for modifications has led to the development of upgradeable smart contracts. These contracts are immutable in principle yet up…
▽ More
Smart contracts, known for their immutable nature to ensure trust via automated enforcement, have evolved to require upgradeability due to unforeseen vulnerabilities and the need for feature enhancements post-deployment. This contradiction between immutability and the need for modifications has led to the development of upgradeable smart contracts. These contracts are immutable in principle yet upgradable by design, allowing updates without altering the underlying data or state, thus preserving the contract's intent while allowing improvements. This study aims to understand the application and implications of upgradeable smart contracts on the Ethereum blockchain. By introducing a dataset that catalogs the versions and evolutionary trajectories of smart contracts, the research explores key dimensions: the prevalence and adoption patterns of upgrade mechanisms, the likelihood and occurrences of contract upgrades, the nature of modifications post-upgrade, and their impact on user engagement and contract activity. Through empirical analysis, this study identifies upgradeable contracts and examines their upgrade history to uncover trends, preferences, and challenges associated with modifications. The evidence from analyzing over 44 million contracts shows that only 3% have upgradeable characteristics, with only 0.34% undergoing upgrades. This finding underscores a cautious approach by developers towards modifications, possibly due to the complexity of upgrade processes or a preference for maintaining stability. Furthermore, the study shows that upgrades are mainly aimed at feature enhancement and vulnerability mitigation, particularly when the contracts' source codes are accessible. However, the relationship between upgrades and user activity is complex, suggesting that additional factors significantly affect the use of smart contracts beyond their evolution.
△ Less
Submitted 1 July, 2024;
originally announced July 2024.
-
A Context-Driven Approach for Co-Auditing Smart Contracts with The Support of GPT-4 code interpreter
Authors:
Mohamed Salah Bouafif,
Chen Zheng,
Ilham Ahmed Qasse,
Ed Zulkoski,
Mohammad Hamdaqa,
Foutse Khomh
Abstract:
The surge in the adoption of smart contracts necessitates rigorous auditing to ensure their security and reliability. Manual auditing, although comprehensive, is time-consuming and heavily reliant on the auditor's expertise. With the rise of Large Language Models (LLMs), there is growing interest in leveraging them to assist auditors in the auditing process (co-auditing). However, the effectivenes…
▽ More
The surge in the adoption of smart contracts necessitates rigorous auditing to ensure their security and reliability. Manual auditing, although comprehensive, is time-consuming and heavily reliant on the auditor's expertise. With the rise of Large Language Models (LLMs), there is growing interest in leveraging them to assist auditors in the auditing process (co-auditing). However, the effectiveness of LLMs in smart contract co-auditing is contingent upon the design of the input prompts, especially in terms of context description and code length. This paper introduces a novel context-driven prompting technique for smart contract co-auditing. Our approach employs three techniques for context sco** and augmentation, encompassing code sco** to chunk long code into self-contained code segments based on code inter-dependencies, assessment sco** to enhance context description based on the target assessment goal, thereby limiting the search space, and reporting sco** to force a specific format for the generated response. Through empirical evaluations on publicly available vulnerable contracts, our method demonstrated a detection rate of 96\% for vulnerable functions, outperforming the native prompting approach, which detected only 53\%. To assess the reliability of our prompting approach, manual analysis of the results was conducted by expert auditors from our partner, Quantstamp, a world-leading smart contract auditing company. The experts' analysis indicates that, in unlabeled datasets, our proposed approach enhances the proficiency of the GPT-4 code interpreter in detecting vulnerabilities.
△ Less
Submitted 26 June, 2024;
originally announced June 2024.
-
Smart Contract Upgradeability on the Ethereum Blockchain Platform: An Exploratory Study
Authors:
Ilham Qasse,
Mohammad Hamdaqa,
Björn Þór Jónsson
Abstract:
Context: Smart contracts are computerized self-executing contracts that contain clauses, which are enforced once certain conditions are met. Smart contracts are immutable by design and cannot be modified once deployed, which ensures trustlessness. Despite smart contracts' immutability benefits, upgrading contract code is still necessary for bug fixes and potential feature improvements. In the past…
▽ More
Context: Smart contracts are computerized self-executing contracts that contain clauses, which are enforced once certain conditions are met. Smart contracts are immutable by design and cannot be modified once deployed, which ensures trustlessness. Despite smart contracts' immutability benefits, upgrading contract code is still necessary for bug fixes and potential feature improvements. In the past few years, the smart contract community introduced several practices for upgrading smart contracts. Upgradeable contracts are smart contracts that exhibit these practices and are designed with upgradeability in mind. During the upgrade process, a new smart contract version is deployed with the desired modification, and subsequent user requests will be forwarded to the latest version (upgraded contract). Nevertheless, little is known about the characteristics of the upgrading practices, how developers apply them, and how upgrading impacts contract usage.
Objectives: This paper aims to characterize smart contract upgrading patterns and analyze their prevalence based on the deployed contracts that exhibit these patterns. Furthermore, we intend to investigate the reasons why developers upgrade contracts (e.g., introduce features, fix vulnerabilities) and how upgrades affect the adoption and life span of a contract in practice.
Method: We collect deployed smart contracts metadata and source codes to identify contracts that exhibit certain upgrade patterns (upgradeable contracts) based on a set of policies. Then we trace smart contract versions for each upgradable contract and identify the changes in contract versions using similarity and vulnerabilities detection tools. Finally, we plan to analyze the impact of upgrading on contract usage based on the number of transactions received and the lifetime of the contract version.
△ Less
Submitted 13 April, 2023;
originally announced April 2023.
-
AutoMESC: Automatic Framework for Mining and Classifying Ethereum Smart Contract Vulnerabilities and Their Fixes
Authors:
Majd Soud,
Ilham Qasse,
Grischa Liebel,
Mohammad Hamdaqa
Abstract:
Due to the risks associated with vulnerabilities in smart contracts, their security has gained significant attention in recent years. However, there is a lack of open datasets on smart contract vulnerabilities and their fixes that allows for data-driven research. Towards this end, we propose an automated method for mining and classifying Ethereum's smart contract vulnerabilities and their correspo…
▽ More
Due to the risks associated with vulnerabilities in smart contracts, their security has gained significant attention in recent years. However, there is a lack of open datasets on smart contract vulnerabilities and their fixes that allows for data-driven research. Towards this end, we propose an automated method for mining and classifying Ethereum's smart contract vulnerabilities and their corresponding fixes from GitHub and from the Common Vulnerabilities and Exposures (CVE) records in the National Vulnerability Database. We implemented the proposed method in a fully automated framework, which we call AutoMESC. AutoMESC uses seven of the most well-known smart contract security tools to classify and label the collected vulnerabilities based on vulnerability types. Furthermore, it collects metadata that can be used in data-intensive smart contract security research (e.g., vulnerability detection, vulnerability classification, severity prediction, and automated repair). We used AutoMESC to construct a sample dataset and made it publicly available. Currently, the dataset contains 6.7K smart contracts' vulnerability-fix pairs written in Solidity. We assess the quality of the constructed dataset in terms of accuracy, provenance, and relevance, and compare it with existing datasets. AutoMESC is designed to collect data continuously and keep the corresponding dataset up-to-date with newly discovered smart contract vulnerabilities and their fixes from GitHub and CVE records.
△ Less
Submitted 20 December, 2022;
originally announced December 2022.
-
Chat2Code: Towards conversational concrete syntax for model specification and code generation, the case of smart contracts
Authors:
Ilham Qasse,
Shailesh Mishra,
Mohammad Hamdaqa
Abstract:
The revolutionary potential of automatic code generation tools based on Model-Driven Engineering (MDE) frameworks has yet to be realized. Beyond their ability to help software professionals write more accurate, reusable code, they could make programming accessible for a whole new class of non-technical users. However, non-technical users have been slow to embrace these tools. This may be because t…
▽ More
The revolutionary potential of automatic code generation tools based on Model-Driven Engineering (MDE) frameworks has yet to be realized. Beyond their ability to help software professionals write more accurate, reusable code, they could make programming accessible for a whole new class of non-technical users. However, non-technical users have been slow to embrace these tools. This may be because their concrete syntax is often patterned after the operations of textual or graphical interfaces. The interfaces are common, but users would need more extensive, precise and detailed knowledge of them than they can be assumed to have, to use them as concrete syntax.
Conversational interfaces (chatbots) offer a much more accessible way for non-technical users to generate code. In this paper, we discuss the basic challenge of integrating conversational agents within Model-Driven Engineering (MDE) frameworks, then turn to look at a specific application: the auto-generation of smart contract code in multiple languages by non-technical users, based on conversational syntax. We demonstrate how this can be done, and evaluate our approach by conducting user experience survey to assess the usability and functionality of the chatbot framework.
△ Less
Submitted 21 December, 2021;
originally announced December 2021.
-
iContractBot: A Chatbot for Smart Contracts' Specification and Code Generation
Authors:
Ilham Qasse,
Shailesh Mishra,
Mohammad Hamdaqa
Abstract:
Recently, Blockchain technology adoption has expanded to many application areas due to the evolution of smart contracts. However, develo** smart contracts is non-trivial and challenging due to the lack of tools and expertise in this field. A promising solution to overcome this issue is to use Model-Driven Engineering (MDE), however, using models still involves a learning curve and might not be s…
▽ More
Recently, Blockchain technology adoption has expanded to many application areas due to the evolution of smart contracts. However, develo** smart contracts is non-trivial and challenging due to the lack of tools and expertise in this field. A promising solution to overcome this issue is to use Model-Driven Engineering (MDE), however, using models still involves a learning curve and might not be suitable for non-technical users. To tackle this challenge, chatbot or conversational interfaces can be used to assess the non-technical users to specify a smart contract in gradual and interactive manner.
In this paper, we propose iContractBot, a chatbot for modeling and develo** smart contracts. Moreover, we investigate how to integrate iContractBot with iContractML, a domain-specific modeling language for develo** smart contracts, and instantiate intention models from the chatbot. The iContractBot framework provides a domain-specific language (DSL) based on the user intention and performs model-to-text transformation to generate the smart contract code. A smart contract use case is presented to demonstrate how iContractBot can be utilized for creating models and generating the deployment artifacts for smart contracts based on a simple conversation.
△ Less
Submitted 16 March, 2021;
originally announced March 2021.