NumScout: Unveiling Numerical Defects in Smart Contracts Using LLM-Pruning Symbolic Execution

IF 6.5 1区计算机科学 Q1 COMPUTER SCIENCE, SOFTWARE ENGINEERING

IEEE Transactions on Software Engineering Pub Date : 2025-03-28 DOI:10.1109/TSE.2025.3555622

Jiachi Chen;Zhenzhe Shao;Shuo Yang;Yiming Shen;Yanlin Wang;Ting Chen;Zhenyu Shan;Zibin Zheng

{"title":"NumScout: Unveiling Numerical Defects in Smart Contracts Using LLM-Pruning Symbolic Execution","authors":"Jiachi Chen;Zhenzhe Shao;Shuo Yang;Yiming Shen;Yanlin Wang;Ting Chen;Zhenyu Shan;Zibin Zheng","doi":"10.1109/TSE.2025.3555622","DOIUrl":null,"url":null,"abstract":"In recent years, the Ethereum platform has witnessed a proliferation of smart contracts, accompanied by exponential growth in total value locked (TVL). High-TVL smart contracts often require complex numerical computations, particularly in mathematical financial models used by many decentralized applications (DApps). Improper calculations can introduce numerical defects, posing potential security risks. Existing research primarily focuses on traditional numerical defects like integer overflow, and there is currently a lack of systematic research and effective detection methods targeting new types of numerical defects. In this paper, we identify five new types of numerical defects through the analysis of 1,199 audit reports by utilizing the open card method. Each defect is defined and illustrated with a code example to highlight its features and potential consequences. We also propose NumScout, a symbolic execution-based tool designed to detect these five defects. Specifically, the tool combines information from source code and bytecode, analyzing key operations such as comparisons and transfers, to effectively locate defects and report them based on predefined detection patterns. Furthermore, NumScout uses a large language model (LLM) to prune functions which are unrelated to numerical operations. This step allows symbolic execution to quickly enter the target function and improve runtime speed by 28.4%. We run NumScout on 6,617 real-world contracts and evaluated its performance based on manually labeled results. We find that 1,774 contracts contained at least one of the five defects, and the tool achieved an overall precision of 89.7%.","PeriodicalId":13324,"journal":{"name":"IEEE Transactions on Software Engineering","volume":"51 5","pages":"1538-1553"},"PeriodicalIF":6.5000,"publicationDate":"2025-03-28","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"IEEE Transactions on Software Engineering","FirstCategoryId":"94","ListUrlMain":"https://ieeexplore.ieee.org/document/10944552/","RegionNum":1,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, SOFTWARE ENGINEERING","Score":null,"Total":0}

引用次数: 0

Abstract

In recent years, the Ethereum platform has witnessed a proliferation of smart contracts, accompanied by exponential growth in total value locked (TVL). High-TVL smart contracts often require complex numerical computations, particularly in mathematical financial models used by many decentralized applications (DApps). Improper calculations can introduce numerical defects, posing potential security risks. Existing research primarily focuses on traditional numerical defects like integer overflow, and there is currently a lack of systematic research and effective detection methods targeting new types of numerical defects. In this paper, we identify five new types of numerical defects through the analysis of 1,199 audit reports by utilizing the open card method. Each defect is defined and illustrated with a code example to highlight its features and potential consequences. We also propose NumScout, a symbolic execution-based tool designed to detect these five defects. Specifically, the tool combines information from source code and bytecode, analyzing key operations such as comparisons and transfers, to effectively locate defects and report them based on predefined detection patterns. Furthermore, NumScout uses a large language model (LLM) to prune functions which are unrelated to numerical operations. This step allows symbolic execution to quickly enter the target function and improve runtime speed by 28.4%. We run NumScout on 6,617 real-world contracts and evaluated its performance based on manually labeled results. We find that 1,774 contracts contained at least one of the five defects, and the tool achieved an overall precision of 89.7%.

查看原文本刊更多论文

NumScout：使用llm -剪枝符号执行揭示智能合约中的数字缺陷

近年来，以太坊平台见证了智能合约的激增，伴随着总价值锁定（TVL）的指数级增长。高tvl智能合约通常需要复杂的数值计算，特别是在许多分散应用程序（DApps）使用的数学金融模型中。不正确的计算会导致数值上的缺陷，带来潜在的安全风险。现有的研究主要集中在整数溢出等传统数值缺陷上，目前缺乏针对新型数值缺陷的系统研究和有效检测方法。本文利用开卡法对1199份审计报告进行分析，确定了五种新的数字缺陷类型。每个缺陷都被定义并用一个代码示例来说明，以突出其特征和潜在的后果。我们还提出了NumScout，这是一个基于符号执行的工具，旨在检测这五个缺陷。具体地说，该工具结合了来自源代码和字节码的信息，分析了关键操作，例如比较和传输，以有效地定位缺陷并根据预定义的检测模式报告它们。此外，NumScout使用大型语言模型（LLM）来修剪与数值运算无关的函数。此步骤允许符号执行快速进入目标函数，并将运行速度提高28.4%。我们在6,617个真实世界的合约上运行NumScout，并根据手动标记的结果评估其性能。我们发现1774个合同至少包含五个缺陷中的一个，并且该工具达到了89.7%的总体精度。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

IEEE Transactions on Software Engineering 工程技术-工程：电子与电气

CiteScore

9.70

自引率

10.80%

发文量

724

审稿时长

6 months

期刊介绍： IEEE Transactions on Software Engineering seeks contributions comprising well-defined theoretical results and empirical studies with potential impacts on software construction, analysis, or management. The scope of this Transactions extends from fundamental mechanisms to the development of principles and their application in specific environments. Specific topic areas include: a) Development and maintenance methods and models: Techniques and principles for specifying, designing, and implementing software systems, encompassing notations and process models. b) Assessment methods: Software tests, validation, reliability models, test and diagnosis procedures, software redundancy, design for error control, and measurements and evaluation of process and product aspects. c) Software project management: Productivity factors, cost models, schedule and organizational issues, and standards. d) Tools and environments: Specific tools, integrated tool environments, associated architectures, databases, and parallel and distributed processing issues. e) System issues: Hardware-software trade-offs. f) State-of-the-art surveys: Syntheses and comprehensive reviews of the historical development within specific areas of interest.