Abstract
Smart contracts are prone to various vulnerabilities, leading to substantial financial losses over time. Current analysis tools mainly target vulnerabilities with fixed control- or data-flow patterns, such as re-entrancy and integer overflow. However, a recent study on Web3 security bugs revealed that about 80% of these bugs cannot be audited by existing tools due to the lack of domain-specific property description and checking. Given recent advances in Large Language Models (LLMs), it is worth exploring how Generative Pre-training Transformer (GPT) could aid in detecting logic vulnerabilities. In this paper, we propose GPTScan, the first tool combining GPT with static analysis for smart contract logic vulnerability detection. Instead of relying solely on GPT to identify vulnerabilities, which can lead to high false positives and is limited by GPT's pre-trained knowledge, we utilize GPT as a versatile code understanding tool. By breaking down each logic vulnerability type into scenarios and properties, GPTScan matches candidate vulnerabilities with GPT. To enhance accuracy, GPTScan further instructs GPT to intelligently recognize key variables and statements, which are then validated by static confirmation. Evaluation on diverse datasets with around 400 contract projects and 3K Solidity files shows that GPTScan achieves high precision (over 90%) for token contracts and acceptable precision (57.14%) for large projects like Web3Bugs. It effectively detects ground-truth logic vulnerabilities with a recall of over 70%, including 9 new vulnerabilities missed by human auditors. GPTScan is fast and cost-effective, taking an average of 14.39 seconds and 0.01 USD to scan per thousand lines of Solidity code. Moreover, static confirmation helps GPTScan reduce two-thirds of false positives.
| Original language | English |
|---|---|
| Title of host publication | Proceedings of the IEEE/ACM 46th International Conference on Software Engineering |
| Publisher | Association for Computing Machinery, Inc |
| Pages | 2048-2060 |
| Number of pages | 13 |
| ISBN (Electronic) | 9798400702174 |
| DOIs | |
| Publication status | Published - 20 May 2024 |
| Externally published | Yes |
| Event | 46th ACM/IEEE International Conference on Software Engineering - Lisbon, Portugal Duration: 14 Apr 2024 → 20 Apr 2024 |
Conference
| Conference | 46th ACM/IEEE International Conference on Software Engineering |
|---|---|
| Abbreviated title | ICSE 2024 |
| Country/Territory | Portugal |
| City | Lisbon |
| Period | 14/04/24 → 20/04/24 |
Bibliographical note
Acknowledgements:We thank Dawei Zhou, Zhe Wang, Guorui Fan, Liwei Tan, Hao Zhang, and other colleagues at MetaTrust Labs for their help with GPTScan, as well as anonymous reviewers for their constructive feedback.
Publisher Copyright:
© 2024 ACM.
Funding
This research/project is supported by the National Research Foundation Singapore and DSO National Laboratories under the AI Singapore Programme (AISG Award No: AISG2-RP-2020- 019), the National Research Foundation, Singapore, and the Cyber Security Agency under its National Cybersecurity R&D Programme (NCRP25-P04-TAICeN). Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not reflect the views of National Research Foundation, Singapore and Cyber Security Agency of Singapore.
Fingerprint
Dive into the research topics of 'GPTScan: Detecting Logic Vulnerabilities in Smart Contracts by Combining GPT with Program Analysis'. Together they form a unique fingerprint.Cite this
- APA
- Author
- BIBTEX
- Harvard
- Standard
- RIS
- Vancouver