MANDO: Graph Embedding for Vulnerability Detection

• MANDO is an advanced framework that fuses heterogeneous control-flow and call graphs to enable both contract-level and line-level vulnerability detection in Ethereum smart contracts.
• It introduces customized metapath extraction and employs a multi-metapath heterogeneous graph attention network to capture rich relational semantics from smart contract code.
• Experimental evaluations demonstrate that MANDO outperforms traditional static analysis methods, achieving improvements of 11.35% to 70.81% in F1-scores for vulnerability detection.

MANDO (Multi-level grAph embeddiNg for fine-grained Detection of smart cOntract vulnerabilities) is an advanced graph-based learning framework designed for the detection of vulnerabilities in Ethereum smart contracts. It introduces heterogeneous contract graph representations, customized metapath extraction, and a multi-metapath attention network, achieving both coarse-grained (contract-level) classification and fine-grained (line-level) localization of vulnerabilities. MANDO demonstrates significant improvements over prior homogeneous graph embedding and static analysis approaches in both accuracy and diagnostic resolution.

1. Heterogeneous Graph Construction

MANDO models smart contract code as fused heterogeneous graphs encompassing both control-flow and call relationships. The construction begins with two graphs:

• Heterogeneous Control-Flow Graph (HCFG): Nodes represent distinct code statement types such as ENTRY_POINT, EXPRESSION, IF, RETURN, NEW_VARIABLE, IF_LOOP, END_LOOP. Edges encode semantic relations: NEXT (sequential execution), TRUE/FALSE (branching), and loop constructs.
• Heterogeneous Call Graph (HCG): Nodes correspond to FUNCTION_NAME, FALLBACK_NODE, etc., while edges capture INTERNAL_CALL (intra-contract) and EXTERNAL_CALL (inter-contract) relations.

MANDO fuses these graphs such that each function node in the call graph anchors the entry point of its control-flow graph. Call edges connect different control-flow graphs, resulting in a unified heterogeneous graph that jointly expresses local (line-level) and global (contract-level) interactions.

2. Customized Metapath Extraction

To capture rich relational semantics, MANDO introduces the concept of customized metapaths. Formally, a metapath is a sequence:

$$A_1 \xrightarrow{R_1} A_2 \xrightarrow{R_2} \ldots \xrightarrow{R_l} A_{l+1}$$

where $A$ denotes node types and $R$ denotes edge types, defining a composite relation $R = R_1 \circ R_2 \circ \ldots \circ R_l$. Due to the high variability and cardinality of node and edge types in contract graphs, complete enumeration of long metapaths is infeasible. MANDO extracts length-2 metapaths, capturing pairwise node-type relations. For example, (ENTRY_POINT $\to$ IF $\to$ ENTRY_POINT) allows modeling loop or missing connections. This approach decomposes complex interactions into manageable local segments, retaining higher-order semantics without combinatorial explosion.

3. Multi-Metapath Heterogeneous Graph Attention Network

MANDO employs a custom attention network over the heterogeneous contract graph, operating as follows:

1. Topological Embedding: Initial node embeddings $e_i^{(\phi)}$ are generated using existing methods (node2vec, GCN, LINE, metapath2vec), respecting node type $\phi$.
2. Type-Specific Linear Transformation:

$e'_i^{(\phi)} = W_\phi \cdot e_i^{(\phi)}$

where $W_\phi$ is a learned matrix per node type.

1. Metapath-Based Attention: For each node pair $(i, j)$ connected via metapath $\Phi_t^{(\phi)}$, an attention score is computed:

$a_{ij}^{\left(\Phi_t^{(\phi)}\right)} = \operatorname{softmax}_j(\text{att}([e'_i^{(\phi)}, e'_j^{(\phi)}]; \Phi_t^{(\phi)}))$

with $\text{att}(\cdot)$ as a multi-layer perceptron over concatenated embeddings.

2. Metapath Embedding Aggregation:

$M_{i,t}^{(\phi)} = \sigma \left( \sum_{j \in \mathcal{N}^{(\Phi_t)}_i} a_{ij}^{(\Phi_t^{(\phi)})} \cdot e'_j^{(\phi)} \right)$

where $\sigma$ is an activation (e.g., ReLU).

3. Node Representation Aggregation:

$$M_{i}^{(\phi)} = \frac{1}{|\mathcal{N}^{(\phi)}|} \sum_t M_{i,t}^{(\phi)}$$

Multi-level embeddings are thus formed for each node by averaging over available metapath types; contract-level representations are obtained by combining all node embeddings.

4. Hierarchical Vulnerability Detection

MANDO’s vulnerability detection framework is comprised of two phases:

• Phase 1 – Coarse-Grained Detection: The global contract embedding is input to a multi-layer perceptron classifier (softmax output), yielding a binary label (vulnerable or clean) at the contract level.
• Phase 2 – Fine-Grained Detection: For flagged contracts, each node’s learned embedding is classified as either vulnerable or non-vulnerable, aligning detection granularity with single lines or statements in the code.

This dual-phase model enables not only the identification of affected contracts but also precise localization of faulty lines, enhancing diagnostic utility for developers.

5. Experimental Evaluation and Comparative Performance

MANDO was extensively evaluated using datasets of real Ethereum smart contracts, including SmartBugs Curated and SolidiFI-Benchmark. Results show:

• Contract-level detection: MANDO’s fused heterogeneous graph approach consistently outperforms baseline homogeneous graph embedders (node2vec, LINE, GCN, metapath2vec) in F1-score.
• Fine-grained detection: MANDO achieves line-level vulnerability localization, reporting improvements over traditional static analysis and neural methods between 11.35% and 70.81% F1-score. This demonstrates the utility of capturing heterogeneous relational semantics and customized metapath contexts.

The combination of advanced graph representations, lightweight metapath extraction, and multi-level attention yields representations that more accurately encode code semantics, directly correlating with improved predictive accuracy.

6. Technical Formulation

Relevant mathematical operations facilitating multi-level embedding learning are as follows:

• Type-Specific Transformation: $e'_i^{(\phi)} = W_\phi \cdot e_i^{(\phi)}$
• Attention Weight: $a_{ij}^{(\Phi_t^{(\phi)})} = \operatorname{softmax}_j(\text{att}([e'_i^{(\phi)}, e'_j^{(\phi)}]; \Phi_t^{(\phi)}))$
• Metapath Embedding: $M_{i,t}^{(\phi)} = \sigma \left( \sum_{j \in \mathcal{N}_i^{(\Phi_t)}} a_{ij}^{(\Phi_t^{(\phi)})} \cdot e'_j^{(\phi)} \right)$
• Aggregate Node Embedding: $$M_{i}^{(\phi)} = (1/|\mathcal{N}^{(\phi)}|) \sum_t M_{i,t}^{(\phi)}$$

7. Significance and Outlook

MANDO establishes a systematic methodology for learning heterogeneous graph structures in Ethereum smart contract codebases. Through dynamic metapath extraction and multi-level attention, MANDO is the first learning-based system demonstrated to deliver line-level vulnerability detection on large-scale code graphs. The architecture shows marked improvements over manual static analysis and prior homogeneous graph frameworks. This suggests potential extensibility to other programming languages and domains where fine-grained vulnerability localization is crucial, and highlights the importance of semantic relational learning in automated code security analysis.

A plausible implication is that similar graph-based architectures—leveraging metapath attention and multi-scale embeddings—may generalize to broader security-critical applications, including program verification and bug triaging in non-blockchain environments. Further research may focus on scaling metapath extraction to deeper contexts and optimizing attention mechanisms for variable graph topology sizes.