Examining the effectiveness of transformer-based smart contract vulnerability scan

IF 4.1 2区计算机科学 Q1 COMPUTER SCIENCE, SOFTWARE ENGINEERING

Journal of Systems and Software Pub Date : 2025-08-14 DOI:10.1016/j.jss.2025.112593

Emre Balci , Timucin Aydede , Gorkem Yilmaz , Ece Gelal Soyak

{"title":"Examining the effectiveness of transformer-based smart contract vulnerability scan","authors":"Emre Balci , Timucin Aydede , Gorkem Yilmaz , Ece Gelal Soyak","doi":"10.1016/j.jss.2025.112593","DOIUrl":null,"url":null,"abstract":"<div><div>Smart contracts can be used for various scenarios, from automating transactions in decentralized finance to managing supply chain logistics, or ensuring the integrity of digital assets. However, smart contracts may expose vulnerabilities that may be exploited, which can lead to financial losses and disruptions in decentralized applications. These vulnerabilities involve decision logic, branching, sequencing, and interaction with other Ethereum addresses, and therefore are challenging to detect. In this work, we study the effectiveness of smart contract vulnerability detection using deep learning. We propose VASCOT, a Vulnerability Analyzer for Smart COntracts using Transformers, which performs sequential analysis of Ethereum Virtual Machine (EVM) bytecode and incorporates a sliding window mechanism to overcome input length constraints. To assess VASCOT’s detection efficacy, we construct a dataset of 16,469 verified Ethereum contracts deployed in 2022, and annotate it using trace analysis with concrete validation to mitigate false positives. VASCOT’s performance is then compared against a state-of-the-art LSTM-based vulnerability detection model on both our dataset and an older public dataset. Our findings highlight the strengths and limitations of each model, providing insights into their detection capabilities and generalizability.</div></div>","PeriodicalId":51099,"journal":{"name":"Journal of Systems and Software","volume":"231 ","pages":"Article 112593"},"PeriodicalIF":4.1000,"publicationDate":"2025-08-14","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of Systems and Software","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0164121225002626","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, SOFTWARE ENGINEERING","Score":null,"Total":0}

引用次数: 0

Abstract

Smart contracts can be used for various scenarios, from automating transactions in decentralized finance to managing supply chain logistics, or ensuring the integrity of digital assets. However, smart contracts may expose vulnerabilities that may be exploited, which can lead to financial losses and disruptions in decentralized applications. These vulnerabilities involve decision logic, branching, sequencing, and interaction with other Ethereum addresses, and therefore are challenging to detect. In this work, we study the effectiveness of smart contract vulnerability detection using deep learning. We propose VASCOT, a Vulnerability Analyzer for Smart COntracts using Transformers, which performs sequential analysis of Ethereum Virtual Machine (EVM) bytecode and incorporates a sliding window mechanism to overcome input length constraints. To assess VASCOT’s detection efficacy, we construct a dataset of 16,469 verified Ethereum contracts deployed in 2022, and annotate it using trace analysis with concrete validation to mitigate false positives. VASCOT’s performance is then compared against a state-of-the-art LSTM-based vulnerability detection model on both our dataset and an older public dataset. Our findings highlight the strengths and limitations of each model, providing insights into their detection capabilities and generalizability.

查看原文本刊更多论文

检验基于变压器的智能合约漏洞扫描的有效性

智能合约可用于各种场景，从分散金融中的自动化交易到管理供应链物流，或确保数字资产的完整性。然而，智能合约可能暴露出可能被利用的漏洞，这可能导致分散应用程序的财务损失和中断。这些漏洞涉及决策逻辑、分支、排序以及与其他以太坊地址的交互，因此很难检测到。在这项工作中，我们研究了使用深度学习的智能合约漏洞检测的有效性。我们提出VASCOT，一个使用变压器的智能合约漏洞分析器，它对以太坊虚拟机（EVM）字节码进行顺序分析，并结合滑动窗口机制来克服输入长度限制。为了评估VASCOT的检测效率，我们构建了一个由2022年部署的16,469个经过验证的以太坊合约组成的数据集，并使用带有具体验证的跟踪分析对其进行注释，以减少误报。然后将VASCOT的性能与我们的数据集和较旧的公共数据集上最先进的基于lstm的漏洞检测模型进行比较。我们的研究结果突出了每个模型的优点和局限性，提供了对它们的检测能力和普遍性的见解。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Journal of Systems and Software 工程技术-计算机：理论方法

CiteScore

8.60

自引率

5.70%

发文量

193

审稿时长

16 weeks

期刊介绍： The Journal of Systems and Software publishes papers covering all aspects of software engineering and related hardware-software-systems issues. All articles should include a validation of the idea presented, e.g. through case studies, experiments, or systematic comparisons with other approaches already in practice. Topics of interest include, but are not limited to: •Methods and tools for, and empirical studies on, software requirements, design, architecture, verification and validation, maintenance and evolution •Agile, model-driven, service-oriented, open source and global software development •Approaches for mobile, multiprocessing, real-time, distributed, cloud-based, dependable and virtualized systems •Human factors and management concerns of software development •Data management and big data issues of software systems •Metrics and evaluation, data mining of software development resources •Business and economic aspects of software development processes The journal welcomes state-of-the-art surveys and reports of practical experience for all of these topics.