Papers
Topics
Authors
Recent
Gemini 2.5 Flash
Gemini 2.5 Flash
102 tokens/sec
GPT-4o
59 tokens/sec
Gemini 2.5 Pro Pro
43 tokens/sec
o3 Pro
6 tokens/sec
GPT-4.1 Pro
50 tokens/sec
DeepSeek R1 via Azure Pro
28 tokens/sec
2000 character limit reached

Do you still need a manual smart contract audit? (2306.12338v2)

Published 21 Jun 2023 in cs.CR

Abstract: We investigate the feasibility of employing LLMs for conducting the security audit of smart contracts, a traditionally time-consuming and costly process. Our research focuses on the optimization of prompt engineering for enhanced security analysis, and we evaluate the performance and accuracy of LLMs using a benchmark dataset comprising 52 Decentralized Finance (DeFi) smart contracts that have previously been compromised. Our findings reveal that, when applied to vulnerable contracts, both GPT-4 and Claude models correctly identify the vulnerability type in 40% of the cases. However, these models also demonstrate a high false positive rate, necessitating continued involvement from manual auditors. The LLMs tested outperform a random model by 20% in terms of F1-score. To ensure the integrity of our study, we conduct mutation testing on five newly developed and ostensibly secure smart contracts, into which we manually insert two and 15 vulnerabilities each. This testing yielded a remarkable best-case 78.7% true positive rate for the GPT-4-32k model. We tested both, asking the models to perform a binary classification on whether a contract is vulnerable, and a non-binary prompt. We also examined the influence of model temperature variations and context length on the LLM's performance. Despite the potential for many further enhancements, this work lays the groundwork for a more efficient and economical approach to smart contract security audits.

PDF HTML Abstract
Ai Sparkles Streamline Icon: https://streamlinehq.com Summarize Bookmark Chat Bubble Oval Streamline Icon: https://streamlinehq.com Chat (Pro)
Definition Search Book Streamline Icon: https://streamlinehq.com
References (52)
  1. A survey of attacks on ethereum smart contracts. In International conference on principles of security and trust, pages 164–186. Springer, 2017.
  2. A survey of attacks on ethereum smart contracts (sok). In Matteo Maffei and Mark Ryan, editors, Principles of Security and Trust, pages 164–186, Berlin, Heidelberg, 2017. Springer Berlin Heidelberg.
  3. Consensus in the age of blockchains. arXiv preprint arXiv:1711.03936, 2017.
  4. Sok: Consensus in the age of blockchains. In Proceedings of the 1st ACM Conference on Advances in Financial Technologies, pages 183–198, 2019.
  5. Sok: Research perspectives and challenges for bitcoin and cryptocurrencies. In Security and Privacy (SP), 2015 IEEE Symposium on, pages 104–121. IEEE, 2015.
  6. Ethainter: A smart contract security analyzer for composite vulnerabilities. In Proceedings of the 41st ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI 2020, page 454–469, New York, NY, USA, 2020. Association for Computing Machinery. doi:10.1145/3385412.3385990.
  7. Vandal: A scalable security analysis framework for smart contracts, 2018. URL: https://arxiv.org/abs/1809.03981, doi:10.48550/ARXIV.1809.03981.
  8. Language models are few-shot learners. Advances in neural information processing systems, 33:1877–1901, 2020.
  9. A survey on ethereum systems security: Vulnerabilities, attacks, and defenses. ACM Comput. Surv., 53(3), jun 2020. doi:10.1145/3391195.
  10. Soda: A generic online detection framework for smart contracts. In NDSS, 2020.
  11. What developers want and need from program analysis: An empirical study. ASE ’16, page 332–343, New York, NY, USA, 2016. Association for Computing Machinery. doi:10.1145/2970276.2970347.
  12. ConsenSys. Consensys/mythril: Security analysis tool for evm bytecode. supports smart contracts built for ethereum, hedera, quorum, vechain, roostock, tron and other evm-compatible blockchains. URL: https://github.com/ConsenSys/mythril.
  13. Flash boys 2.0: Frontrunning in decentralized exchanges, miner extractable value, and consensus instability. In 2020 IEEE Symposium on Security and Privacy (SP). IEEE, 2020.
  14. Step by step towards creating a safe smart contract: Lessons and insights from a cryptocurrency lab. volume 9604, pages 79–94, 02 2016. doi:10.1007/978-3-662-53357-4_6.
  15. Slither: a static analysis framework for smart contracts. In 2019 IEEE/ACM 2nd International Workshop on Emerging Trends in Software Engineering for Blockchain (WETSEB), pages 8–15. IEEE, 2019.
  16. ETHBMC: A bounded model checker for smart contracts. In 29th USENIX Security Symposium (USENIX Security 20), pages 2757–2774. USENIX Association, August 2020. URL: https://www.usenix.org/conference/usenixsecurity20/presentation/frank.
  17. Blockchain large language models. arXiv preprint arXiv:2304.12749, 2023.
  18. Echidna: Effective, usable, and fast fuzzing for smart contracts. URL: https://agroce.github.io/issta20.pdf.
  19. Online detection of effectively callback free objects with applications to smart contracts. Proceedings of the ACM on Programming Languages, 2(POPL):1–28, 2017.
  20. Halborn. Explained: The level finance hack may 2023, 2023. URL: https://www.halborn.com/blog/post/explained-the-level-finance-hack-may-2023.
  21. A comprehensive survey on smart contract construction and execution: Paradigms, tools, and systems, Feb 2021.
  22. Contractfuzzer: Fuzzing smart contracts for vulnerability detection. In Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering, page 259–269, New York, NY, USA, 2018. Association for Computing Machinery. URL: https://doi.org/10.1145/3238147.3238177.
  23. Why don’t software developers use static analysis tools to find bugs? In Proceedings of the 2013 International Conference on Software Engineering, ICSE ’13, page 672–681. IEEE Press, 2013.
  24. Zeus: Analyzing safety of smart contracts. In NDSS, 2018.
  25. Ethereum smart contract analysis tools: A systematic review. IEEE Access, 10:57037–57062, 2022. doi:10.1109/ACCESS.2022.3169902.
  26. Making smart contracts smarter. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, CCS ’16, page 254–269, New York, NY, USA, 2016. Association for Computing Machinery. doi:10.1145/2976749.2978309.
  27. Manticore: A user-friendly symbolic execution framework for binaries and smart contracts. In 2019 34th IEEE/ACM International Conference on Automated Software Engineering (ASE), pages 1186–1189, 2019. doi:10.1109/ASE.2019.00133.
  28. Satoshi Nakamoto. Bitcoin: A peer-to-peer electronic cash system. 2008.
  29. Smart contract vulnerabilities: Vulnerable does not imply exploited. In 30th {normal-{\{{USENIX}normal-}\}} Security Symposium ({normal-{\{{USENIX}normal-}\}} Security 21), 2021.
  30. Verx: Safety verification of smart contracts. In 2020 IEEE Symposium on Security and Privacy (SP), pages 1661–1677, 2020. doi:10.1109/SP40000.2020.00024.
  31. The blockchain imitation game. In USENIX Security Symposium, 2023.
  32. Towards automated security analysis of smart contracts based on execution property graph. arXiv preprint arXiv:2305.14046, 2023.
  33. Cefi vs. defi–comparing centralized to decentralized finance. arXiv preprint arXiv:2106.08157, 2021.
  34. An empirical study of defi liquidations: Incentives, risks, and instabilities. In Proceedings of the 21st ACM Internet Measurement Conference, page 336–350. ACM, 2021.
  35. Quantifying blockchain extractable value: How dark is the forest? In 2022 IEEE Symposium on Security and Privacy (SP), pages 198–214. IEEE, 2022.
  36. Attacking the defi ecosystem with flash loans for fun and profit. In International Conference on Financial Cryptography and Data Security, pages 3–32. Springer, 2021.
  37. Language models are unsupervised multitask learners. OpenAI blog, 1(8):9, 2019.
  38. Sereum: Protecting existing smart contracts against re-entrancy attacks. In NDSS, 2019.
  39. Fahad Saleh. Blockchain without waste: Proof-of-stake. The Review of financial studies, 34(3):1156–1190, 2021.
  40. Why can’t johnny fix vulnerabilities: A usability evaluation of static analysis tools for security. In Sixteenth Symposium on Usable Privacy and Security (SOUPS 2020), pages 221–238. USENIX Association, August 2020. URL: https://www.usenix.org/conference/soups2020/presentation/smith.
  41. Verismart: A highly precise safety verifier for ethereum smart contracts, 2019. arXiv:1908.11227.
  42. Securify: Practical security analysis of smart contracts. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, CCS ’18, page 67–82, New York, NY, USA, 2018. Association for Computing Machinery. doi:10.1145/3243734.3243780.
  43. Chain of thought prompting elicits reasoning in large language models. CoRR, abs/2201.11903, 2022. URL: https://arxiv.org/abs/2201.11903, arXiv:2201.11903.
  44. Quantifying developers’ adoption of security tools. In Proceedings of the 2015 10th Joint Meeting on Foundations of Software Engineering, ESEC/FSE 2015, page 260–271, New York, NY, USA, 2015. Association for Computing Machinery. doi:10.1145/2786805.2786816.
  45. Do you need a blockchain? In 2018 Crypto Valley Conference on Blockchain Technology (CVCBT), pages 45–54. IEEE, 2018.
  46. Harvey: A greybox fuzzer for smart contracts. In Proceedings of the 28th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, ESEC/FSE 2020, page 1398–1409, New York, NY, USA, 2020. Association for Computing Machinery. doi:10.1145/3368089.3417064.
  47. Zellic. Safemoon exploit explained, 2023. URL: https://www.zellic.io/blog/safemoon-exploit-explained.
  48. {{\{{TXSPECTOR}}\}}: Uncovering attacks in ethereum from transactions. In 29th {normal-{\{{USENIX}normal-}\}} Security Symposium ({normal-{\{{USENIX}normal-}\}} Security 20), pages 2775–2792, 2020.
  49. On the just-in-time discovery of profit-generating transactions in defi protocols. arXiv preprint arXiv:2103.02228, 2021.
  50. High-frequency trading on decentralized on-chain exchanges. In 2021 IEEE Symposium on Security and Privacy (SP), pages 428–445. IEEE, 2021.
  51. Sok: Decentralized finance (defi) attacks. IEEE Symposium on Security and Privacy, 2023.
  52. An ever-evolving game: Evaluation of real-world attacks and defenses in ethereum ecosystem. In 29th {normal-{\{{USENIX}normal-}\}} Security Symposium ({normal-{\{{USENIX}normal-}\}} Security 20), pages 2793–2810, 2020.
User Edit Pencil Streamline Icon: https://streamlinehq.com
Authors (6)
  1. Isaac David (5 papers)
  2. Liyi Zhou (20 papers)
  3. Kaihua Qin (22 papers)
  4. Dawn Song (229 papers)
  5. Lorenzo Cavallaro (32 papers)
  6. Arthur Gervais (32 papers)
Citations (39)
View on Semantic Scholar
Youtube Logo Streamline Icon: https://streamlinehq.com

YouTube