SmartInv: Multimodal Learning for Smart Contract Invariant Inference
- URL: http://arxiv.org/abs/2411.09217v1
- Date: Thu, 14 Nov 2024 06:28:57 GMT
- Title: SmartInv: Multimodal Learning for Smart Contract Invariant Inference
- Authors: Sally Junsong Wang, Kexin Pei, Junfeng Yang,
- Abstract summary: We present SmartInv, an accurate and fast smart contract invariant inference framework.
Our key insight is that the expected behavior of smart contracts relies on understanding and reasoning across multimodal information.
We evaluate SmartInv on real-world contracts and re-discover bugs that resulted in multi-million dollar losses.
- Score: 10.468390413756863
- License:
- Abstract: Smart contracts are software programs that enable diverse business activities on the blockchain. Recent research has identified new classes of "machine un-auditable" bugs that arise from both transactional contexts and source code. Existing detection methods require human understanding of underlying transaction logic and manual reasoning across different sources of context (i.e. modalities), such as code, dynamic transaction executions, and natural language specifying the expected transaction behavior. To automate the detection of ``machine un-auditable'' bugs, we present SmartInv, an accurate and fast smart contract invariant inference framework. Our key insight is that the expected behavior of smart contracts, as specified by invariants, relies on understanding and reasoning across multimodal information, such as source code and natural language. We propose a new prompting strategy to foundation models, Tier of Thought (ToT), to reason across multiple modalities of smart contracts and ultimately to generate invariants. By checking the violation of these generated invariants, SmartInv can identify potential vulnerabilities. We evaluate SmartInv on real-world contracts and re-discover bugs that resulted in multi-million dollar losses over the past 2.5 years (from January 1, 2021 to May 31, 2023). Our extensive evaluation shows that SmartInv generates (3.5X) more bug-critical invariants and detects (4$\times$) more critical bugs compared to the state-of-the-art tools in significantly (150X) less time. \sys uncovers 119 zero-day vulnerabilities from the 89,621 real-world contracts. Among them, five are critical zero-day bugs confirmed by developers as ``high severity.''
Related papers
- Automated Invariant Generation for Solidity Smart Contracts [2.4181711081104282]
We propose a novel invariant generation framework, INVCON+, for Solidity smart contracts.
INVCON+ extends the existing invariant detector, InvCon, to automatically produce verified contract invariants.
We evaluate INVCON+ on 361 ERC20 and 10 ERC721 real-world contracts, as well as common ERC20 vulnerability benchmarks.
arXiv Detail & Related papers (2024-01-01T03:37:30Z) - Vulnerability Scanners for Ethereum Smart Contracts: A Large-Scale Study [44.25093111430751]
In 2023 alone, such vulnerabilities led to substantial financial losses exceeding a billion of US dollars.
Various tools have been developed to detect and mitigate vulnerabilities in smart contracts.
This study investigates the gap between the effectiveness of existing security scanners and the vulnerabilities that still persist in practice.
arXiv Detail & Related papers (2023-12-27T11:26:26Z) - MuFuzz: Sequence-Aware Mutation and Seed Mask Guidance for Blockchain Smart Contract Fuzzing [19.606053533275958]
We develop a sequence-aware mutation and seed mask guidance strategy for smart contract fuzzing.
We implement our designs into a new smart contract fuzzer named MuFuzz, and extensively evaluate it on three benchmarks.
Overall, MuFuzz achieves higher branch coverage than state-of-the-art fuzzers (up to 25%) and detects 30% more bugs than existing bug detectors.
arXiv Detail & Related papers (2023-12-07T18:32:19Z) - Formally Verifying a Real World Smart Contract [52.30656867727018]
We search for a tool capable of formally verifying a real-world smart contract written in a recent version of Solidity.
In this article, we present our search for a tool capable of formally verifying a real-world smart contract written in a recent version of Solidity.
arXiv Detail & Related papers (2023-07-05T14:30:21Z) - SmartBugs 2.0: An Execution Framework for Weakness Detection in Ethereum
Smart Contracts [0.757843972001219]
Smart contracts are blockchain programs that often handle valuable assets.
To support developers in identifying and eliminating vulnerabilities, methods and tools for the automated analysis have been proposed.
We present SmartBugs 2.0, a modular execution framework for smart contract analysis.
arXiv Detail & Related papers (2023-06-08T09:22:25Z) - Generation Probabilities Are Not Enough: Uncertainty Highlighting in AI Code Completions [54.55334589363247]
We study whether conveying information about uncertainty enables programmers to more quickly and accurately produce code.
We find that highlighting tokens with the highest predicted likelihood of being edited leads to faster task completion and more targeted edits.
arXiv Detail & Related papers (2023-02-14T18:43:34Z) - Deep Smart Contract Intent Detection [5.642524477190184]
textscSmartIntentNN is a deep learning model designed to automatically detect development intent in smart contracts.
We trained and evaluated textscSmartIntentNN on a dataset comprising over 40,000 real-world smart contracts.
arXiv Detail & Related papers (2022-11-19T15:40:26Z) - Using Developer Discussions to Guide Fixing Bugs in Software [51.00904399653609]
We propose using bug report discussions, which are available before the task is performed and are also naturally occurring, avoiding the need for additional information from developers.
We demonstrate that various forms of natural language context derived from such discussions can aid bug-fixing, even leading to improved performance over using commit messages corresponding to the oracle bug-fixing commits.
arXiv Detail & Related papers (2022-11-11T16:37:33Z) - An Empirical Study on Real Bug Fixes from Solidity Smart Contract
Projects [37.39791127265096]
We conduct an empirical study on historical bug fixes from 46 real-world Solidity smart contract projects.
We distill four findings during the process to explore these four questions.
We provide actionable implications to improve the current approaches to fixing bugs in Solidity smart contracts.
arXiv Detail & Related papers (2022-10-21T14:26:53Z) - Smart Contract Vulnerability Detection: From Pure Neural Network to
Interpretable Graph Feature and Expert Pattern Fusion [48.744359070088166]
Conventional smart contract vulnerability detection methods heavily rely on fixed expert rules.
Recent deep learning approaches alleviate this issue but fail to encode useful expert knowledge.
We develop automatic tools to extract expert patterns from the source code.
We then cast the code into a semantic graph to extract deep graph features.
arXiv Detail & Related papers (2021-06-17T07:12:13Z) - ESCORT: Ethereum Smart COntRacTs Vulnerability Detection using Deep
Neural Network and Transfer Learning [80.85273827468063]
Existing machine learning-based vulnerability detection methods are limited and only inspect whether the smart contract is vulnerable.
We propose ESCORT, the first Deep Neural Network (DNN)-based vulnerability detection framework for smart contracts.
We show that ESCORT achieves an average F1-score of 95% on six vulnerability types and the detection time is 0.02 seconds per contract.
arXiv Detail & Related papers (2021-03-23T15:04:44Z)
This list is automatically generated from the titles and abstracts of the papers in this site.
This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.