Projects per year
Abstract
Access control (AC) vulnerabilities are among the most critical security threats to smart contracts. Despite extensive research, they remain widespread and damaging in the Ethereum ecosystem. To understand and advance the current state-of-the-art (SOTA) in AC vulnerability detection, we first curate a diverse dataset of 180 real-world AC vulnerabilities from CVE entries, DeFiHackLabs incidents, and Code4rena audit reports.Using this dataset, we conduct a systematic benchmark study along three dimensions. First, we develop a cause-based taxonomy and analyze the prevalence and evolution of AC vulnerabilities. Second, we evaluate six SOTA tools, including two from industry and four from academia, revealing low recall (3% to 8%) and significant blind spots. To understand these failures, we examine 1.2 million deployed contracts and uncover practical gaps in AC protection mechanisms overlooked by existing tools. Finally, we assess the potential of large language models (LLMs) for AC vulnerability detection and show that LLMs detect 53–75% of vulnerabilities, outperforming traditional tools but facing challenges such as hallucinations and scalability. Our findings highlight the need for hybrid approaches that combine static analysis with LLM-based semantic reasoning to address the complexity of modern AC vulnerabilities.
| Original language | English |
|---|---|
| Title of host publication | 2025 40th IEEE/ACM International Conference on Automated Software Engineering, ASE 2025: Proceedings |
| Publisher | IEEE |
| Pages | 1995-2007 |
| Number of pages | 13 |
| ISBN (Electronic) | 9798350357332 |
| DOIs | |
| Publication status | Published - Nov 2025 |
| Event | 2025 40th IEEE/ACM International Conference on Automated Software Engineering - Seoul, Korea, Republic of Duration: 16 Nov 2025 → 20 Nov 2025 |
Publication series
| Name | IEEE/ACM International Conference on Automated Software Engineering |
|---|---|
| Publisher | IEEE |
| ISSN (Print) | 1938-4300 |
| ISSN (Electronic) | 2643-1572 |
Conference
| Conference | 2025 40th IEEE/ACM International Conference on Automated Software Engineering |
|---|---|
| Abbreviated title | ASE 2025 |
| Country/Territory | Korea, Republic of |
| City | Seoul |
| Period | 16/11/25 → 20/11/25 |
Funding
This research is partially supported by a research fund provided by HSBC, HKUST TLIP Grant FF612, and Lingnan Grant SUG-002/2526. This research is also supported by the National Research Foundation, Singapore, and DSO National Laboratories under the AI Singapore Programme (AISG Award No: AISG4-GC-2023-008-1B); by the National Research Foundation Singapore and the Cyber Security Agency under the National Cybersecurity R&D Programme (NCRP25-P04-TAICeN); and by the Prime Minister’s Office, Singapore under the Campus for Research Excellence and Technological Enterprise (CREATE) Programme.
Keywords
- Smart Contracts
- Access Control
- Vulnerability Detection
- Large Language Models
Fingerprint
Dive into the research topics of 'Have We Solved Access Control Vulnerability Detection in Smart Contracts? A Benchmark Study'. Together they form a unique fingerprint.Projects
- 1 Active
-
Understanding and Testing the Security of Large Language Model Context Protocols (MCP)
WU, D. (PI)
1/09/25 → 31/08/27
Project: Grant Research