Abstract – The rapid proliferation of blockchain-based decentralized applications has introduced critical security challenges ranging from vulnerable smart contracts to privacy leakage in on-chain transactions. Existing tools address these challenges in isolation, leaving practitioners to integrate disparate solutions. OmniShield is a unified, open-source blockchain security platform that consolidates AI-powered smart contract vulnerability scanning, zero-knowledge proof (ZKP) private transfers, and a private QBFT consensus network into a single cohesive system. The scanner combines static pattern analysis, symbolic execution, and a Gemini-LLM reasoning layer to detect reentrancy, integer overflow, access-control flaws, and twelve other vulnerability classes with severity ratings. Private transfers leverage Groth16 zk-SNARKs over Circom circuits so balances remain hidden on-chain while cryptographic validity is enforced. The underlying network runs on Hyperledger Besu with QBFT consensus, providing Byzantine-fault-toleran block production. Experimental results show the scanner correctly identifies known vulnerabilities in benchmark contracts, ZKP proof generation completes in under 15 seconds on consumer hardware, and end-to-end private transfers finalize within two consensus rounds. OmniShield demonstrates that enterprise-grade blockchain security can be packaged as an accessible, developer-friendly platform. Key Words: blockchain security, smart contract analysis, zero-knowledge proofs, zk-SNARKs, Hyperledger Besu, QBFT consensus, AI vulnerability scanner, reentrancy, Solidity.

The formal semantics of blockchain smart contracts are the foundation of formal verification. They can be used to establish formal models to verify the security of contracts and help developers understand the specific execution rules of contracts. However, the mathematical logic involved in such modeling poses a high barrier to entry and cannot be directly integrated with other program analysis methods. This article proposes a semantic graph generation approach, KSG, for blockchain smart contracts. First, the semantic rules of the contract language are formally defined, and a semantic interpreter and prover are constructed to automatically transform smart contract code into a scalable semantic graph. This graph incorporates semantic control flow information, semantic data flow information, execution rules, and verification constraints. Next, the generated semantic graph can be utilized for vulnerability detection and symbolic execution and supports iterative optimization based on the analysis results. Finally, the detailed process of semantic graph generation and analysis is demonstrated through the verification of the reentrancy contract and the honeypot contract.

With the help of pact technology, a program that has been developed, the smart contract can take place between two or more entities without any third-party actor. Although smart contracts provide transparency and efficiency, security flaws in smart contracts have resulted in costly attacks, including re-entrancy, integer overflows, and access control violations. Current tools for intelligent contract verification, such as Mythril, Oyente, and Securify, mainly apply symbolic execution, taint analysis, and pattern matching to identify vulnerabilities. However, these tools have many false positives, take a lot of time to execute, and don't scale efficiently with large numbers of contracts. In this context, the paper presents VeriChain. This formal verification framework combines Control Flow Graph (CFG) analysis, symbolic execution, and static analysis to improve vulnerability detection and tackle the challenges above. VeriChain systematically constructs the contract’s Control Flow Graph (CFG), explores CFG execution paths with symbolic execution, and employs a set of rules for performing rule-based static analysis that can uncover vulnerabilities. Using CFG-based dependency tracking, VeriChain achieves enhanced analysis of dependencies among functions and coverage of execution paths, thereby reducing the number of false positives while achieving accurate detection results. The experimental results show that VeriChain obtains 98.3% detection accuracy, higher than Mythril, Oyente, and Securify. Compared to existing tools, VeriChain has a much lower false-positive rate (1 false alarm) and a much faster execution time (Running in only 2.3 seconds). This framework gives a structured security assessment by categorizing the vulnerabilities according to severity and execution traces, ensuring that the smart contracts are accessed under heavy security verification pre-deployment. With its ability to accomplish highly accurate results efficiently whilst providing structured ways to report on security, VeriChain will be an influential component in delivering safe, innovative contract launches to decentralized applications for blockchain developers and security analysts.

Abstract In this paper we study a family of non-classical Jacobi polynomials with varying parameters of the form $$\alpha _n=n+1/2$$ α n = n + 1 / 2 and $$\beta _n=-n-1/2$$ β n = - n - 1 / 2 . We obtain global asymptotics for these polynomials, and use this to establish results on the location of their zeros. The analysis is based on the Riemann Hilbert formulation of Jacobi polynomials derived from the non-hermitian orthogonality introduced by [Kuijlaars, A., Martinez-Finkelshtein, A., Orive, R.: Orthogonality of Jacobi polynomials with general parameters. Electron. Trans. Numer. Anal. 19 , 1–17 (2005)]. This family of polynomials arises in the symbolic evaluation of integrals in the work of [Boros, G., Moll, V.: A sequence of unimodal polynomials. J. Math. Anal. Appl. 237 , 272–287 (1999)], [Boros, G., Moll, V.: An integral hidden in Gradshteyn and Ryzhik. J. Comput. Appl. Math., Elsevier 106 (2), 361–368 (1999), and corresponds to a limiting case, which is not considered in the works of [Kuijlaars, A., Martínez-Finkelshtein, A.: Strong asymptotics for Jacobi polynomials with varying nonstandard parameters. J. d’Analyse Math. 54 , 195–234 (2004)], [Kuijlaars, A., Martinez-Finkelshtein, A., Orive, R.: Orthogonality of Jacobi polynomials with general parameters. Electron. Trans. Numer. Anal. 19 , 1–17 (2005)], [Martínez-Finkelshtein, A., Martínez-González, P., Orive, R.: Zeros of Jacobi Polynomials with Varying Non-classical Parameters. Special functions, pp. 98–113. World Scientific, Singapore (2000)], [Martínez-Finkelshtein, A., Orive, R.: Riemann-Hilbert analysis for Jacobi polynomials orthogonal on a single contour. J. Approx. Theory 134 (2), 137–170 (2005)]. A remarkable feature in the analysis is encountered when performing the local analysis of the RHP near the origin, where the local parametrix introduces a pole.

Control Flow Flattening (CFF) is one of the control flow obfuscation techniques. It flattens control flows to conceal the sequential flow of programs. Researchers have utilized both static and dynamic approaches to deobfuscate CFF. Static methods primarily rely on symbolic execution, which leverages pattern-based information from CFF to perform effective analysis. However, these patterns can vary depending on the obfuscation tools used, and the deobfuscation techniques may only work for certain obfuscation tools. Dynamic approaches, on the other hand, face limitations as they may not cover all possible execution paths. We propose a static deobfuscation technique that is independent of obfuscation patterns. Our technique adopts abstract interpretation, which is a theoretical static analysis framework covering all execution paths. We define k-switch context sensitivity for the deobfuscation of CFF, which enables path-sensitive analysis to accurately identify the order of each execution path in obfuscated programs. Our approach utilizes the k-switch context sensitive analysis result to divide an obfuscated program into small fragments of sequentially executable blocks and reassemble the blocks to reconstruct the program’s original control flows. We demonstrate that our technique effectively reduces control flow complexity while preserving the semantics of the obfuscated program. Furthermore, by utilizing a binary lifter, we show that our method is also applicable to obfuscated binary code.

Symbolic evaluation of transfer matrices for the XXX model

Software testing ensures quality and reliability of software necessitates effective testing; however, traditional manual testing methods can be time-consuming and inefficient. Automated test case generation (ATCG) has emerged as a promising solution, utilizing metaheuristic algorithms to enhance efficiency, minimize human effort, and improve fault detection. This paper presents an in-depth review of metaheuristic techniques employed in ATCG, including Genetic Algorithms (GA), Particle Swarm Optimization (PSO), Simulated Annealing, and other evolutionary and swarm-based methods. It also explores hybrid models that integrate multiple metaheuristic strategies or combine them with machine learning and symbolic execution to boost performance. The study addresses key challenges such as scalability, computational complexity, and constraint handling, while discussing optimization strategies to improve the effectiveness, diversity, and efficiency of generated test cases. Additionally, it examines hybrid approaches like the Hybrid Harmony Search and Particle Swarm Optimization (HSPSO) framework, analyzing their advantages, limitations, and potential enhancements. By outlining current trends, open research challenges, and future directions, this paper provides valuable insights for researchers and practitioners in automated software testing.

Static analysis is a critical methodology for ensuring the quality, security, and safety of embedded, cyber-physical, and electronic software systems, particularly as such systems become increasingly complex and tightly coupled with hardware and real-time constraints. Through a systematic study of the literature, this paper summarizes the State-of-the-Art in static program analysis. We develop a comprehensive taxonomy of fundamental techniques, including model checking, abstract interpretation, data-flow analysis, and symbolic execution, and examine their application in modern analysis tools used in electronic and safety-critical systems. The survey thoroughly reviews applications across key domains, including vulnerability detection, automotive and embedded software verification, smart contract auditing, and AI-enabled electronic systems. We also critically analyze persistent challenges, including tool integration, scalability limitations, and the trade-off between analysis precision and soundness. Finally, by discussing emerging trends and future research directions—such as machine-learning-enhanced analysis and hybrid static–dynamic techniques—this work provides a structured framework to guide future research and industrial practice in the development of reliable electronic systems.

Smart contracts are self-executing programs deployed on blockchain platforms that facilitateautomated and decentralized transactions. However, once deployed, they become immutable, makingthem vulnerable to catastrophic exploits, such as reentrancy, access control misconfiguration, integeroverflow, and front-running. The need for proof and verification is urgent, as evidenced by other highprofile,capital-draining incidents, such as the DAO attack and Parity wallet vulnerabilities. Abstract:We present ContractFuzzer, a systematic fuzzer for detecting vulnerabilities in Ethereum smartcontracts. Existing tools are based on static analysis, symbolic execution, or heuristic detection, andthus typically impose high false positives, low completeness, and limited formal verification. In thispaper, we introduce SmartScan, a formal verification framework that systematically checks smartcontract security by integrating FSM modeling and CTL-based model checking in nuXmv. Ourmethodology performs automatic parsing of Solidity code, automated generation of FSM and BIPmodels, conversion to the SMV format, and verification of CTL security properties. It responds todetected violations with automated counterexample generation to assist in debugging and iterative reverification.For validation, SmartScan will be tested on 10 different types of Solidity contracts thataddress 14 critical vulnerabilities. Our experimental results show 95.4% detection accuracy, 3.2% falsepositive rate, and 2.8% false negative rate, with 100% verification coverage, and average verificationtime of 3–7 seconds for each property, outperforming state-of-the-art tools in both coverage andprecision. SmartScan: SmartScan has a wide-ranging practical utility in discovering and diagnosingvulnerabilities such as reentrancy and access control issues, which it has been applied in, such as in acase study of a DeFi Lending contract. SmartScan provides a scalable, precise, and developer-centricapproach to improve the confidence and reliability of blockchain applications by combining exhaustiveformal verification of smart contracts with automated counterexample generation.

Symbolic execution is a powerful technique that can accurately synthesize program inputs for program testing through constraint solving. Applying symbolic execution effectively means that we must solve two searching problems efficiently. One is to search through the many program paths and the other is, given a particular path condition, to search through the numerous variable assignments to identify one satisfying solution. With few exceptions, existing symbolic execution engines treat constraint solvers as black boxes. As a result, the two searches are completely separated, which results in much redundancy (i.e., the same variable assignments may be tried for solving many program paths). Existing attempts on addressing this issue include those approaches based on constrained Horn clauses (in which the whole program is encoded as one constraint) and one preliminary attempt on caching and reusing partial solving results from the constraint solver. In this work, we propose SEC , which systematically computes the reward of concretizing a program path (for symbolic execution) and a variable (for constraint solving) and uses the reward as guide for integrating the two searches. We implemented SEC based on KLEE and evaluated it on a diverse set of programs. The results show that SEC is effective, i.e., achieving 15% more code coverage than the state-of-the-art baseline symbolic execution engines. Furthermore, we show that SEC can be readily combined with a state-of-the-art concolic testing engine to improve its performance

Directed Grey-Box Fuzzing (DGF) can improve bug exposure efficiency by stressing bug-prone areas. Recent studies have modeled DGF as the problem of finding and optimizing paths to reach target sites. However, they still face the “ multi-path ” challenge. When a target site is reachable by multiple paths, it is crucial to comprehensively evaluate and effectively select these paths, as this affects the fuzzer’s choice between reaching target sites via optimal paths and enhancing path diversity toward targets to expose hidden bugs in non-optimal paths. In this article, we propose MultiGo, a directed hybrid fuzzer designed for multi-path optimization. First, we propose a new fitness metric called path difficulty to comprehensively evaluate the promising paths. This metric uses the Poisson distribution to estimate the probability of exploring basic blocks along execution paths based on statistical block frequency, distinguishing between optimal and challenging paths. With path difficulty as a key factor, a customized Contextual Multi-Armed Bandit (CMAB) model is employed to efficiently optimize path scheduling by comprehensively considering the impact of testing conditions on path scheduling. We introduce the concept of the fuzzing context to represent and evaluate testing conditions, which encompass factors such as path characteristics (e.g., path difficulty), the testing agent (e.g., fuzzing or symbolic execution), and the testing goal (e.g., path exploitation or exploration). Then, the CMAB model predicts the expected rewards for scheduling paths under different testing agents and goals, thereby optimizing path scheduling. By leveraging the CMAB model, MultiGo enhances DGF’s capability to explore easier paths and symbolic execution’s capacity to handle more complex ones, enabling efficient target reaching through optimal paths while ensuring sufficient coverage of non-optimal paths. MultiGo is evaluated on 136 target sites of 41 real-world programs from 3 benchmarks. The experimental results show that MultiGo outperforms the state-of-the-art directed fuzzers (AFLGo, SelectFuzz, Beacon, WindRanger, and DAFL) and hybrid fuzzers (SymCC and SymGo) in reaching target sites and exposing known vulnerabilities. Moreover, MultiGo also discovered 14 undisclosed vulnerabilities.

The growing deployment of the Internet of Things (IoT), especially in critical infrastructure, has increased the need for identity systems that are scalable and robust against attacks. However, existing centralized systems have fundamental weaknesses, especially where adversaries use artificial intelligence (AI)-based techniques, such as generative spoofing, model poisoning, and deepfakes to create fake identities. In this paper, we present a novel blockchain-based IoT security system that combines decentralized identity verification, zero-knowledge proofs, Byzantine-resistant federated learning, and formal verification of smart contracts. The proposed architecture eliminates single points of trust, allows device registration while preserving privacy, and provides defense against AI-driven attacks through formally modeled state transitions. Experimental results show that this method shows significant improvements over previous frameworks, including a 48% reduction in false acceptance rate during GAN-based spoofing and speedup the ZKP verification. This work provides a blockchain-enabled identity management system for IoT to encounter AI-based threats and maintain a balance between performance and security with the help of adversarial simulation, symbolic execution, and threshold cryptography.

Universal hash functions are a widely-used, fundamental building block in constructing more complex cryptographic schemes. This makes achieving high efficiency, both at the design and implementation level, an utmost priority. Using simple polynomial hash functions over prime fields is a popular choice; Poly1305 is a particular instance of such an approach that is standardized and widely deployed. However, even for simple polynomial hash functions, there are significant challenges in designing fast implementations. Firstly, there is a large set of choices for algorithmic parameters such as finite field and limb sizes. Secondly, the complexity and diversity of modern vector instruction set architectures (ISAs) makes performance evaluation, and subsequent parameter selection difficult. In this paper we present SPHGen, a program generator for simple polynomial hash functions. SPHGen takes as input the field parameters and outputs highly optimized code for a given vector ISA. The generated code is automatically verified by means of symbolic execution, ensuring functional correctness. Accompanying SPHGen is an accurate model that predicts the runtime of each generated program. Using SPHGen, one can readily identify the Pareto front of Pareto-optimal hash function parameters w.r.t. the security-performance trade-offs, and, when using the model, even without running any code. SPHGen and the model can be retargeted to different vector ISAs and languages; we consider AVX2, AVX512, AVX512_IFMA, and Jasmin as examples. We generate Jasmin code to ensure memory safety and constant-time execution. We report benchmarks showing that SPHGen offers significant performance improvements over the best previous non-vectorized code. In addition, for large messages, our automatically generated code offers speedups of up to 37% compared to the highly-optimized implementation of Poly1305 in OpenSSL, which is hand-coded in assembly.

How do we find new memory safety bugs effectively when navigating a symbolic execution tree that suffers from the well-known path explosion challenge? Existing solutions either adopt path search heuristics to maximize coverage rate or chopped symbolic execution to skip uninteresting code (i.e., manually labeled as vulnerability-unrelated) during path exploration. However, most existing search heuristics are not vulnerability-oriented, and manual labeling of irrelevant code-to-be-skipped relies heavily on prior expert knowledge, making it hard to detect vulnerabilities effectively in practice. This paper proposes Vital , a new vulnerability-oriented path exploration for symbolic execution with two innovations. First, a new indicator (i.e., type-unsafe pointers) is suggested to approximate vulnerable paths. A pointer that is type-unsafe cannot be statically proven to be safely dereferenced without memory corruption. Our key hypothesis is that a path with more type-unsafe pointers is more likely to be vulnerable. Second, a new type-unsafe pointer-guided Monte Carlo Tree Search algorithm is implemented to guide the path exploration towards the areas that contain more unsafe pointers, aiming to increase the likelihood of detecting vulnerabilities. We built Vital on top of KLEE and compared it with existing path searching strategies and chopped symbolic execution. In the former, the results demonstrate that Vital could cover up to 90.03% more unsafe pointers and detect up to 57.14% more unique memory errors. In the latter, the results show that Vital could achieve a speedup of up to 30x execution time and a reduction of up to 20x memory consumption to detect known vulnerabilities without prior expert knowledge automatically. In practice, Vital also detected one previously unknown vulnerability (a new CVE ID is assigned), which has been fixed by developers.

The path explosion problem poses a significant barrier in the domain of software testing, making it nearly impossible to exhaustively explore all execution paths in large or complex software. Despite the extensive use of symbolic execution in the literature, the issue of path explosion remains largely unresolved. To address this limitation, we propose SymPcNSGA-Testing (Symbolic execution, Path Clustering, and Non-dominated Sorting Genetic Algorithm-II Testing), a hybrid methodology combining symbolic execution, path clustering, and multi-objective optimization using NSGA-II (Non-dominated Sorting Genetic Algorithm-II). Our approach aims to select a reduced yet representative set of execution paths that ensures maximum branch coverage while minimizing redundancy. SymPcNSGA-Testing operates in three stages: 1) symbolic execution with KLEE to explore the path space, 2) clustering of paths using the Ktest-cluster algorithm to group similar execution behaviors, and 3) multi-objective path optimization using NSGA-II, which selects representative paths that balance high branch coverage and minimal path set size. We evaluated our methodology on ten open-source programs from the Coreutils 9.5 package and compared it against several KLEE exploration strategies (DFS, BFS, NURS, Merging, and Covering-New). The results demonstrate that SymPcNSGA-Testing outperforms some of KLEE’s strategies by achieving high branch coverage while effectively mitigating the path explosion problem. This study highlights the benefits of combining symbolic analysis and evolutionary multi-objective optimization to enhance test efficiency in complex software systems.

The rapid evolution of large language models has revolutionized automated code generation. Even so, there are many ways to handle these types of issues individually; some methods try to improve generation quality by doing large-scale sampling, while other methods emphasize correctness by doing post-hoc testing, and yet other methods work to improve the efficiency of models by compressing them, but do not integrate these solutions into a complete system.We present CurricuForge, a comprehensive framework that synergistically combines curriculum reinforcement learning, test-driven development, symbolic execution, and multi-agent collaboration to achieve state-of-the-art performance in code generation tasks. Our approach introduces a novel architecture that progressively trains a distilled language model through carefully designed curriculum stages, where each stage incorporates increasingly complex programming constructs validated through symbolic execution and test-driven generation. The framework employs role-based collaborative agents that specialize in different aspects of code generation, from API schema interpretation to kernel-level optimization through fusion techniques. We further enhance the system with a Toolformer-inspired mechanism that enables dynamic tool invocation during code generation, allowing the model to leverage external resources and verification tools seamlessly. Extensive experiments across multiple benchmarks demonstrate that CurricuForge achieves significant improvements over baseline methods, with a 47.3% increase in functional correctness on HumanEval, 52.8% improvement on MBPP, and 41.2% enhancement on the CodeContests dataset. Our symbolic verification component reduces runtime errors by 68.4% while the curriculum learning strategy accelerates convergence by 3.2x compared to standard training approaches. The distilled model maintains 94.7% of the performance of its teacher model while reducing inference latency by 5.8x and model size by 7.2x, making it practical for deployment in resource-constrained environments. Through comprehensive ablation studies, we demonstrate that each component contributes significantly to the overall performance, with the curriculum learning and multi-agent collaboration showing particularly strong synergistic effects. Our work establishes a new paradigm for code generation systems that combines theoretical rigor with practical efficiency, paving the way for more reliable and scalable automated programming assistants.

Incremental symbolic execution aims to address the scalability challenges of traditional symbolic execution by concentrating on behavioural differences between program versions introduced during program evolution. Despite progress in the field, existing techniques often struggle to explore these behaviors both efficiently and accurately. In this paper, we introduce <monospace xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">FENSE</monospace>, a novel approach for incremental symbolic execution that improves efficiency by identifying and eliminating redundant paths. <monospace xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">FENSE</monospace> achieves this by summarizing previously explored paths and monitoring variables that may induce divergent incremental behaviors at each branching point. This summarization process enables <monospace xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">FENSE</monospace> to detect whether a newly explored path subsumes distinct incremental behaviors compared to prior explorations. By effectively pruning redundant paths that exhibit identical incremental behaviors as those previously explored, <monospace xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">FENSE</monospace> achieves a potentially exponential reduction in the number of explored paths. We implemented a prototype of <monospace xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">FENSE</monospace> and evaluated it on a diverse set of real-world applications. Experimental results demonstrate that <monospace xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">FENSE</monospace> outperforms state-of-the-art techniques by significantly reducing both path exploration and execution time. When applied to real-world commits from the GNU Coreutils project, <monospace xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">FENSE</monospace> achieved an average of 76% reduction in explored paths and a 139× speedup over <monospace xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">KLEE</monospace>.

ProxyLens: Symbolic Execution and Taint-Based Analysis of Proxy Contract Vulnerabilities on Ethereum

Since the advent of smart contracts, security vulnerabilities have remained a persistent challenge, compromsing both the reliability of contract execution and the overall stability of the virtual currency market. Consequently, the academic community has devoted increasing attention to these security risks. However, conventional approaches to vulnerability detection frequently exhibit limited accuracy. To address this limitation, the present study introduces a novel vulnerability detection framework called GNNSE that integrates symbolic execution with graph neural networks (GNNs). The proposed method first constructs semantic graphs to comprehensively capture the control flow and data flow dependencies within smart contracts. These graphs are subsequently processed using GNNs to efficiently identify contracts with a high likelihood of vulnerabilities. For these high-risk contracts, symbolic execution is employed to perform fine-grained, path-level analysis, thereby improving overall detection precision. Experimental results on a dataset comprising 10,079 contracts demonstrate that the proposed method achieves detection precisions of 93.58% for reentrancy vulnerabilities and 92.73% for timestamp-dependent vulnerabilities.

Mathematical Equations are manually input in computer systems which is relatively slow compared to manually writing the equations or writing software. With this project, we would like to create a user-friendly website that would allow the user to take an image of a mathematical equation, recognize the mathematical equation and provide the user with its solution. Our goal is to create a very user-friendly way of experimenting mathematical equations and remove the frustration of having to learn mathematical tools in order to experiment with mathematical equations. Because mathematics is such a broad subject, the digitization and evaluation of all mathematical symbols could prove to be very complicated. For this reason, only some of the mathematical symbols are considered for this project: digits (0-9), operators (+, -, * ,÷) and characters(y).