AdvSCanner: Generating Adversarial Smart Contracts to Exploit Reentrancy Vulnerabilities Using LLM and Static Analysis

Executing, verifying and enforcing credible transactions on permissionless blockchains is done using smart contracts. A key challenge with smart contracts is ensuring their correctness and security. To address this challenge, we present a fully automated technique, SolAnalyser, for vulnerability detection over Solidity smart contracts that uses both static and dynamic analysis. Analysis techniques in the literature rely on static analysis with a high rate of false positives or lack support for vulnerabilities like out of gas, unchecked send, timestamp dependency. Our tool, SolAnalyser, supports automated detection of 8 different vulnerability types that currently lack wide support in existing tools, and can easily be extended to support other types. We also implemented a fault seeding tool that injects different types of vulnerabilities in smart contracts. We use the mutated contracts for assessing the effectiveness of different analysis tools. Our experiment uses 1838 real contracts from which we generate 12866 mutated contracts by artificially seeding 8 different vulnerability types. We evaluate the effectiveness of our technique in revealing the seeded vulnerabilities and compare against five existing popular analysis tools - Oyente, Securify, Maian, SmartCheck and Mythril. This is the first large scale evaluation of existing tools that compares their effectiveness by running them on a common set of contracts. We find that our technique outperforms all five existing tools in supporting detection of all 8 vulnerability types and in achieving higher precision and recall rate. SolAnalyser was also faster in analysing the different vulnerabilities than any of the existing tools in our experiment.

Smart contracts are executable programs that enable the building of a\nprogrammable trust mechanism between multiple entities without the need of a\ntrusted third-party. Researchers have developed several security scanners in\nthe past couple of years. However, many of these analyzers either do not scale\nwell, or if they do, produce many false positives. This issue is exacerbated\nwhen bugs are triggered only after a series of interactions with the functions\nof the contract-under-test. A depth-n vulnerability, refers to a vulnerability\nthat requires invoking a specific sequence of n functions to trigger. Depth-n\nvulnerabilities are time-consuming to detect by existing automated analyzers,\nbecause of the combinatorial explosion of sequences of functions that could be\nexecuted on smart contracts.\n In this paper, we present a technique to analyze depth-n vulnerabilities in\nan efficient and scalable way by combining symbolic execution and data\ndependency analysis. A significant advantage of combining symbolic with static\nanalysis is that it scales much better than symbolic alone and does not have\nthe problem of false positive that static analysis tools typically have. We\nhave implemented our technique in a tool called MPro, a scalable and automated\nsmart contract analyzer based on the existing symbolic analysis tool\nMythril-Classic and the static analysis tool Slither. We analyzed 100 randomly\nchosen smart contracts on MPro and our evaluation shows that MPro is about\nn-times faster than Mythril-Classic for detecting depth-n vulnerabilities,\nwhile preserving all the detection capabilities of Mythril-Classic.\n

Smart contracts (SCs) have become an essential component in the world of decentralized applications, automating transactions across blockchain networks without the need for intermediaries, and with this rise in adoption, the technology has also brought forth growing concern due to security vulnerabilities, which have led to serious financial damage, and the problem is far from being solved. Traditional auditing methods often struggle to capture the more intricate vulnerabilities hidden within smart contract logic, particularly owing to the irreversible nature of blockchain transactions. Given these challenges, researchers have been actively exploring more advanced detection techniques. Despite progress, many existing studies tend to focus narrowly on specific methods, whether static analysis, dynamic testing, or machine learning models, without offering a comprehensive comparison across all available approaches. This fragmented landscape leaves a noticeable gap for practitioners looking for a well-rounded understanding of smart contract security solutions. To address this, our study set out to systematically review the existing body of work, analysing 21 reviewed studies published between 2020 and 2024. The primary aim was to combine the diverse techniques that have been proposed for detecting vulnerabilities in smart contracts, ranging from static and dynamic analyses to more recent AI-driven models, graph-based techniques, and hybrid systems, critically evaluating their strengths, weaknesses, and practical effectiveness. The methodology followed a structured approach. We searched major research databases, IEEE Xplore, ACM Digital Library, SpringerLink, ScienceDirect, and Scopus—using carefully crafted search queries to ensure that we captured the most relevant and up-to-date papers. Our findings revealed that AI-based methods, especially those leveraging deep neural networks and graph neural networks, have achieved impressive detection accuracy in controlled environments. For example, models such as ContractWard and SCVDIE-ENSEMBLE reported Micro-F1 scores of 98.48% and 95.46%, respectively, but these models also have a trade-off—they demand high computational resources, which limits their real-world deployment in resource-constrained settings. On the other hand, lighter tools such as Slither and NeuCheck offer faster detection and lower resource usage but might fall short in regard to identifying more complex or new vulnerabilities. We also noticed a growing trend towards real-time monitoring tools, such as SODA and GPTScan, which aim to strike a balance by reducing false positives while providing proactive security measures. However, several challenges remain unresolved where many AI-driven models still rely heavily on labelled datasets, which may not generalize well to novel attack patterns. Scalability is another concern, especially for models that are computationally intensive.

Background: Millions of smart contracts have been deployed to Ethereum for providing various applications. Recent studies discovered many severe security and performance issues in smart contracts by applying static program analysis techniques to them. Given a smart contract, the majority of these analysis techniques need to first construct its control flow graph, which connects basic blocks through control flow transfers (CFTs), before conducting further analysis. Aims: The objective of this work is to understand the capabilities of static program analysis techniques to identify CFTs, and to investigate how static program analysis techniques can be improved if the CFTs are complemented. Method: We perform a comprehensive empirical study on six widely-used tools for smart contract analysis by using all deployed smart contracts to understand their capabilities to recognize CFTs. We capture all execution traces of all smart contracts to evaluate the number of CFTs covered by traces that are not found by those tools. We enhance a state-of-the-art tool, OYENTE for discovering vulnerabilities in smart contracts with the CFTs covered by traces to investigate how the tool is improved. Results: These studied tools fail to identify all CFTs due to several reasons, e.g., incomplete code patterns. Execution traces effectively complement these tool in recognizing CFTs. By including the CFTs covered by traces, the false negative rate of OYENTE can be reduced by up to 30%. Conclusions: Our study underlines the ineffectiveness of static analysis techniques due to the incapabilities of CFT identification.

Ethereum has emerged as the most popular smart contract platform, with hundreds of thousands of contracts stored on the blockchain and covering diverse application scenarios, such as auctions, trading platforms, or elections. Given the financial nature of smart contracts, security vulnerabilities may lead to catastrophic consequences and, even worse, can hardly be fixed as data stored on the blockchain, including the smart contract code itself, are immutable. An automated security analysis of these contracts is thus of utmost interest, but at the same time technically challenging. This is as e.g., Ethereum's transaction-oriented programming mechanisms feature a subtle semantics, and since the blockchain data at execution time, including the code of callers and callees, are not statically known. In this work, we present eThor, the first sound and automated static analyzer for EVM bytecode, which is based on an abstraction of the EVM bytecode semantics based on Horn clauses. In particular, our static analysis supports reachability properties, which we show to be sufficient for capturing interesting security properties for smart contracts (e.g., single-entrancy) as well as contract-specific functional properties. Our analysis is proven sound against a complete semantics of EVM bytecode, and a large-scale experimental evaluation on real-world contracts demonstrates that eThor is practical and outperforms the state-of-the-art static analyzers: specifically, eThor is the only one to provide soundness guarantees, terminates on 94% of a representative set of real-world contracts, and achieves an F-measure (which combines sensitivity and specificity) of 89%.

Motivated by the immutable nature of Ethereum smart contracts and of their transactions, quite many approaches have been proposed to detect defects and security problems before smart contracts become persistent in the blockchain and they are granted control on substantial financial value. Because smart contracts source code might not be available, static analysis approaches mostly face the challenge of analysing compiled Ethereum bytecode, that is available directly from the official blockchain. However, due to the intrinsic complexity of Ethereum bytecode (especially in jump resolution), static analysis encounters significant obstacles that reduce the accuracy of exiting automated tools. This paper presents a novel static analysis algorithm based on the symbolic execution of the Ethereum operand stack that allows us to resolve jumps in Ethereum bytecode and to construct an accurate control-flow graph (CFG) of the compiled smart contracts. EtherSolve is a prototype implementation of our approach. Experimental results on a significant set of real world Ethereum smart contracts show that EtherSolve improves the accuracy of the execrated CFGs with respect to the state of the art available approaches. Many static analysis techniques are based on the CFG representation of the code and would therefore benefit from the accurate extraction of the CFG. For example, we implemented a simple extension of EtherSolve that allows to detect instances of the re-entrancy vulnerability.

This paper examines blockchain smart contract software assurance through the lens of static analysis. Smart contracts are immutable. Once they are deployed, it is impossible to patch or redevelop the smart contracts on active chains. This paper explores specific blockchain smart contract bugs to further understand categories of vulnerabilities for bug detection prior to smart contract deployment. Specifically, this work focuses on smart contract concerns in Solidity v0.6.2 which are unchecked by static analysis tools. Solidity, influenced by C++, Python and JavaScript, is designed to target the Ethereum Virtual Machine (EVM). Many, if not all, of the warnings we categorize are currently neither integrated into Solidity static analysis tools nor earlier versions of the Solidity compiler itself. Thus, the prospective bug detection lies entirely on smart contract developers and the Solidity compiler to determine if contracts potentially qualify for bugs, concerns, issues, and vulnerabilities. We aggregate and categorize these known concerns into categories and build a model for integrating the checking of these categories into a static analysis tool engine. The static analysis engine could be employed prior to deployment to improve smart contract software assurance. Finally, we connect our fault categories with other tools to show that our introduced categories are not yet considered during static analysis.KeywordsBlockchainSmart contractsSolidityEthereum Virtual Machine (EVM)Software AssuranceStatic analysis

With the blooming of blockchain-based smart contracts in decentralized applications, the security problem of smart contracts has become a critical issue, as vulnerable contracts have resulted in severe financial losses. Existing research works have explored vulnerability detection methods based on fuzzing, symbolic execution, formal verification, and static analysis. In this paper, we propose two static analysis approaches called ASGVulDetector and BASGVulDetector for detecting vulnerabilities in Ethereum smart contacts from source-code and bytecode perspectives, respectively. First, we design a novel intermediate representation called abstract semantic graph (ASG) to capture both syntactic and semantic features from the program. ASG is based on syntax information but enriched by code structures, such as control flow and data flow. Then, we apply two different training models, i.e., graph neural network (GNN) and graph matching network (GMN), to learn the embedding of ASG and measure the similarity of the contract pairs. In this way, vulnerable smart contracts can be identified by calculating the similarity to labeled ones. We conduct extensive experiments to evaluate the superiority of our approaches to state-of-the-art competitors. Specifically, ASGVulDetector improves the best of three source-code-only static analysis tools (i.e., SmartCheck, Slither, and DR-GCN) regarding the F1 score by 12.6% on average, while BASGVulDetector improves that of the three detection tools supporting bytecode (i.e., ContractFuzzer, Oyente, and Securify) regarding the F1 score by 25.6% on average. We also investigate the effectiveness and advantages of the GMN model for detecting vulnerabilities in smart contracts.

Optimizing smart contract vulnerability detection via multi-modality code and entropy embedding

EOSIO smart contracts are programs that can be collectively executed by a network of mutually untrusted nodes. As EOSIO smart contracts manage valuable assets, they become high-value targets and are subjected to more and more attacks. Tools for protecting EOSIO smart contracts are imperative. This paper proposes EOSIOAnalyzer, an effective static secu-rity analysis framework for EOSIO smart contracts to counter the three most common attacks. The framework consists of three components, the control flow graph builder, the static analyzer and the vulnerability detector. This paper implements an approach to transforming low-level Wasm bytecode into a high-level intermediate representation (Register Transfer Language). Besides, this paper also implements vulnerability detection speci-fications for three popular EOSIO smart contracts vulnerabilities, including Fake EOS Transfer, Forged Transfer Notification and Block Information Dependency. As a proof of concept, this paper conducts experiments to evaluate the effectiveness and efficiency of the EOSIOAnalyzer. The experiment results show that the detection accuracy of the three vulnerabilities is 100 %, 98.8 % and 100%, respectively.

Static analysis is a critical methodology for ensuring the quality, security, and safety of embedded, cyber-physical, and electronic software systems, particularly as such systems become increasingly complex and tightly coupled with hardware and real-time constraints. Through a systematic study of the literature, this paper summarizes the State-of-the-Art in static program analysis. We develop a comprehensive taxonomy of fundamental techniques, including model checking, abstract interpretation, data-flow analysis, and symbolic execution, and examine their application in modern analysis tools used in electronic and safety-critical systems. The survey thoroughly reviews applications across key domains, including vulnerability detection, automotive and embedded software verification, smart contract auditing, and AI-enabled electronic systems. We also critically analyze persistent challenges, including tool integration, scalability limitations, and the trade-off between analysis precision and soundness. Finally, by discussing emerging trends and future research directions—such as machine-learning-enhanced analysis and hybrid static–dynamic techniques—this work provides a structured framework to guide future research and industrial practice in the development of reliable electronic systems.

The security of smart contracts has drawn attention in recent years due to their immutability and ability to hold assets. Existing machine learning and deep learning methods addressing vulnerabilities in smart contracts often partially combine pooled features from first the contract source code, second, the build based approach made of features extracted during source code compilation, and third, the bytecode approach relying on features obtained from the Ethereum virtual machine bytecode analysis. Together those three approaches form the full-stack, and they are usually being conducted under static analysis thanks to its speed of execution. However, to the best of our knowledge, no single work has yet simultaneously undertaken a full-stack intralayer and cross-layer features fusion for smart contracts vulnerability assessment under static analysis, without making use of expert-based patterns nor without manually fusing the various features extracted from shuffled partial combinations of layers in the full-stack. This paper introduces a full-stack hierarchical fusion of static features for smart contracts vulnerability detection. In our construction, we associate each layer of the full-stack to a modality and leverage automatic intramodality and crossmodality pooled features fusion from state-of-the-art artificial neural networks and deep neural networks. Additionally, our models are applied to the hierarchy of power set layers in the full-stack, without any expert-based rule. Furthermore, our work aims to assess the increase in vulnerability detection performance and provide guidance for future research on smart contracts vulnerability detection.

In the rapidly evolving landscape of decentralized systems, ensuring the integrity and trustworthiness of smart contracts is paramount for developers. This paper presents a comprehensive strategy for enhancing smart contract security by focusing on specific high-risk areas, including Integer Overflow, Dangerous Delegate Calls, Timestamp Dependency, Reentrancy Vulnerabilities, Race Conditions, and Sybil attacks. Despite the growing significance of smart contracts in blockchain ecosystems, a notable research gap exists in the development of specialized tools capable of providing real-time vulnerability detection and mitigation guidance. To bridge this gap, our research introduces the ‘GRIFFIN’ - Smart Contracts. Vulnerability Detector is a powerful tool that has been rigorously tested and validated. Our study has yielded significant results, demonstrating the efficacy of the GRIFFIN in proactively identifying and mitigating critical vulnerabilities within a diverse dataset of 12,000 real-world solidity smart contracts. The tool leverages state-of-the-art static analysis techniques and machine learning algorithms, achieving superior accuracy rates when compared to existing solutions. This heightened accuracy not only empowers developers but also boosts the overall robustness and dependability of smart contract ecosystems. The cornerstone of our research is the development and validation of a practical, user-centric solution. By providing actionable insights, code snippets, and real-time feedback to developers, GRIFFIN equips them with the knowledge and tools needed to address vulnerabilities swiftly and effectively. This innovative approach is not merely an academic endeavor but a significant stride towards cultivating resilient and dependable smart contract environments. It instills a culture of security-conscious development practices, ensuring that the smart contracts crucial to decentralized systems can operate with the highest level of trust and reliability. Index Terms— Smart Contracts; Integer overflow; Dangerous Delegate call; Timestamp Dependence; Reentrancy Attack; Race Condition; Sybil Attack; Static Analysis; Detection

With the evolution of technology, blockchain a swiftly impending phenomenon i.e., "decentralized computing” is observed. The emergence of Smart Contracts (SC) has resulted in advancements in the application of blockchain technology. The Ethereum network’s computing capabilities and functionalities are founded on the basis of SC. A smart contract is a self-executing agreement between buyer and seller with the terms of the settlement between them, written directly as lines of code, existing across a distributed decentralized blockchain network. It is a decentralized software that runs on a blockchain autonomously, consistently, and publicly. Conversely, due to the complex semantics of fundamental domain-specific languages and their testability, constructing reliable and secure SC can be extremely difficult. SC might contain some vulnerabilities. Security vulnerabilities can originate from financial tribulations; there are a number of notorious events that specify blockchain SC could comprise numerous code-security vulnerabilities. Security and privacy of blockchain-based SC are very important, we must first identify their vulnerabilities before implementing them widely. Therefore, the purpose of this paper is to conduct a comprehensive experimental evaluation of two current security testing tools: Remix solidity static analysis plugin and Solium which are used for static analysis of SC. We have conducted an empirical analysis of SC for finding tangible and factual evidence, controlled by the scientific approach. The methodology’s first step is to gather all of the Ethereum SC and store them in a repository. The next step is to use the Remix solidity static analysis plugin and Solium to perform vulnerability assessments. The last step is to analyze the result of both tools and evaluate them on the basis of accuracy and effectiveness. The goal of this empirical analysis is to evaluate the two FOSS tools: Remix solidity static analysis plugin and Solium on the basis of accuracy and effectiveness. Some research questions were considered to reach the stated goal: What automated tools and frameworks are proposed in supporting the state-of-the-art empirical approach to SC vulnerability detection? How accurate are security analysis tools? And which tool has more accuracy rate? How effectively security analysis tools are detecting vulnerabilities in SC? And which is the most effective security analysis tool? We investigated the effectiveness and accuracy of security code analysis tools on Ethereum by testing them on a random sample of vulnerable contracts. The results indicate that the tools have significant discrepancies when it comes to certain security characteristics. In terms of effectiveness and accuracy, the Remix plugin outperformed and beat the other tool.

Ethereum smart contracts are a special type of computer programs. Once deployed on the blockchain, they cannot be modified. This presents a significant challenge to the security of smart contracts. Previous research has proposed static and dynamic detection tools to identify vulnerabilities in smart contracts. These tools check contract vulnerabilities based on predefined rules, and the accuracy of detection strongly depends on the design of the rules. However, the constant emergence of new vulnerability types and strategies for vulnerability protection leads to numerous false positives and false negatives by tools. To address this problem, we analyze the characteristics of vulnerabilities in smart contracts and the corresponding protection strategies. We convert the contracts' bytecode into an intermediate representation to extract semantic information of the contracts. Based on this semantic information, we establish a set of detection rules based on semantic facts and implement a vulnerability detection tool SafeCheck using static program analysis methods. The tool is used to detect six common types of vulnerabilities in smart contracts. We have extensively evaluated SafeCheck on real Ethereum smart contracts and compared it to other tools. The experimental results show that SafeCheck performs better in smart contract vulnerability detection compared to other typical tools, with a high F‐measure (up to 83.1%) for its entire dataset.