Smart Contract Vulnerability Detection Based on Symbolic Execution and Graph Neural Networks

Smart contracts are deployed and represented as bytecodes in blockchain networks, and these bytecodes are machine-readable codes. Only a small number of deployed smart contracts have their verified human-readable code publicly accessible to blockchain users. To improve the understandability of deployed smart contracts, we explored rule-based classification of smart contracts using iterative integration of fingerprints of relevant function interfaces and keywords. Our classification system included categories for standard contracts such as ERC20, ERC721, and ERC1155, and non-standard contracts like FinDApps, cross-chain, governance, and proxy. To do this, we first identified the core function fingerprints for all ERC token contracts. We then used an adapted header extractor tool to verify that these fingerprints occurred in all of the implemented functions within the bytecode. For the non-standard contracts, we took an iterative approach, identifying contract interfaces and relevant fingerprints for each specific category. To classify these contracts, we created a rule that required at least two occurrences of a relevant fingerprint keyword or interface. This rule was stricter for standard contracts: the 100% occurrence requirement ensures that we only identify compliant token contracts. For non-standard contracts, we required a minimum of two relevant fingerprint occurrences to prevent hash collisions and the unintentional use of keywords. After developing the classifier, we evaluated its performance on sample datasets. The classifier performed very well, achieving an F1 score of over 99% for standard contracts and a solid 93% for non-standard contracts. We also conducted a risk analysis to identify potential vulnerabilities that could reduce the classifier’s performance, including hash collisions, an incomplete rule set, manual verification bottlenecks, outdated data, and semantic misdirection or obfuscation of smart contract functions. To address these risks, we proposed several solutions: continuous monitoring, continuous data crawling, and extended rule refinement. The classifier’s modular design allows for these manual updates to be easily integrated. While semantic-based risks cannot be completely eliminated, symbolic execution can be used to verify the expected behavior of ERC token contract functions with a given set of inputs to identify malicious contracts. Lastly, we applied the classifier on contracts deployed Ethereum main network.

The rise of connected and automated vehicles has transformed in-vehicle infotainment (IVI) systems into critical gateways linking user interfaces, vehicular networks, and cloud-based fleet services. A concerning architectural reality is that hardcoded credentials like access point names (APNs) in IVI firmware create a cross-layer attack surface where local exposure can escalate into entire vehicle fleets being remotely compromised. To address this risk, we propose a cross-layer security framework that integrates firmware extraction, symbolic execution, and targeted fuzzing to reconstruct authentic IVI-to-backend interactions and uncover high-impact web vulnerabilities such as server-side request forgery (SSRF) and broken access control. Applied across seven diverse automotive systems, including major original equipment manufacturers (OEMs) (Mercedes-Benz, Tesla, SAIC, FAW-VW, Denza), Tier-1 supplier Bosch, and advanced driver assistance systems (ADAS) vendor Minieye, our approach exposes systemic anti-patterns and demonstrates a fully realized exploit that enables remote control of approximately six million Mercedes-Benz vehicles. All 23 discovered vulnerabilities, including seven CVEs, were patched within one month. In closed automotive ecosystems, we argue that the true measure of efficacy lies not in maximizing code coverage but in discovering actionable, fleet-wide attack paths, which is precisely what our approach delivers.

High-quality test cases are vital for ensuring software reliability and security. However, existing symbolic execution tools generally rely on single-path search strategies, have limited feature extraction capability, and exhibit unstable model predictions. These limitations make them prone to local optima in complex or cross-scenario tasks and hinder their ability to balance testing quality with execution efficiency. To address these challenges, this paper proposes a Deep Active Ensemble Learning Framework for symbolic execution path exploration. During training, the framework integrates active learning with ensemble learning to reduce annotation costs and improve model robustness, while constructing a heterogeneous model pool to leverage complementary model strengths. In the testing stage, a dynamic ensemble mechanism based on sample similarity adaptively selects the optimal predictive model to guide symbolic path exploration. In addition, a gated graph neural network is employed to extract structural and semantic features from the control flow graph, improving program behavior understanding. To balance efficiency and coverage, a dynamic sliding window mechanism based on branch density enables real-time window adjustment under path complexity awareness. Experimental results on multiple real-world benchmark programs show that the proposed framework detects up to 16 vulnerabilities and achieves a cumulative 27.5% increase in discovered execution paths in hybrid fuzzing. Furthermore, the dynamic sliding window mechanism raises the F1 score to 93%.

Diversity and inclusion (D&I) are highly valued for equitable results in education, healthcare, and workplace domains, as outlined in the United Nations Sustainable Development Goals (SDGs) worldwide. In spite of the increased awareness, many obstacles still stand in the way of authentic inclusion-the unconscious bias and embedded inequality, intersectional exclusion, the symbolic execution of practices without the structure, etc. This systematic review aims to analyze the published empirical studies over the last few years (2019-2025) on the challenges to D&I and assess the efficiency of different strategies used in the world in different contexts. Seven databases, such as PubMed, Scopus, and Web of Science, were screened, and 20 articles were carefully chosen to be peer reviewed. The research cuts across developed and developing countries and covers various sectors. There were four dominant themes, including structural/systemic barriers, cultural insensitivity, intersectional exclusion, and tokenism. Some of the defined interventions, such as inclusive hiring practices, equity-oriented training, and a local policy framework, have a promising nature, whereas the other ones are not context-relevant or focus on causal factors. The results indicate that more complex, context-varying solutions that take into consideration cultural and regional variation as well as variation across institutions, are necessary. The review also indicates areas where research is lacking in areas that are underrepresented, like Africa and the Middle East. To conclude, the discussion of the D&I challenges demands long-term interdisciplinary investigations, the involvement of stakeholders, and global policy engagement to ensure meaningful and lasting inclusion.

A vulnerability in smart contracts refers to weaknesses in the code that can be exploited by attackers, leading to security breaches and unintended behavior. With the growing use of smart contracts in decentralized blockchain systems, particularly in internet of things (IoT) environments, ensuring their security has become increasingly critical. Traditional vulnerability detection techniques, such as formal verification and symbolic execution, face significant limitations, including high rates of false positives and negatives, scalability issues, and difficulty in detecting complex vulnerabilities. To address these challenges, this paper proposes semantic contract flow analysis and deep learning ensemble (SCADE) for smart contract vulnerability detection. SCADE leverages semantic flow analysis combined with an ensemble of deep learning models, including convolutional neural networks (CNN), bidirectional sequence encoder (BSE), layered probabilistic neural network (LPNN), and adaptive context learning network (ACLN), to detect vulnerabilities effectively. The methodology breaks down the smart contract code into structured components through a contract structure mapper, followed by extracting semantic paths and converting them into sequential vector representations. These representations are then processed through a deep learning ensemble to identify potential vulnerabilities such as reentrancy, timestamp dependency, code injection, and hardcoded gas amounts.

Abstract Many important hyperliveness properties, such as refinement and generalized non-interference, fall into the class of $$\forall \exists$$ hyperproperties, and require, for each execution trace of a system, the existence of another execution trace relating to the first one in a certain way. The alternation of quantifiers in the specification renders these hyperproperties extremely difficult to verify, or even just to test. Indeed, contrary to trace properties, where it suffices to find a single counterexample trace, refuting a $$\forall \exists$$ hyperproperty requires not only to find a trace, but also a proof that no second trace exists that satisfies the specified relation with the first trace. As a consequence, automated testing of $$\forall \exists$$ hyperproperties falls out of the scope of existing automated testing tools. In this paper, we present a fully automated approach to detect violations of $$\forall \exists$$ hyperproperties in synchronous and asynchronous infinite-state systems. Our approach extends bug-finding techniques based on symbolic execution with support for trace quantification. We provide a prototype implementation of our approach, and demonstrate its effectiveness on a set of challenging examples.

Large Language Models (LLMs) have emerged as a promising alternative to traditional static program analysis methods, such as symbolic execution, offering the ability to reason over code directly without relying on theorem provers or SMT solvers. However, LLMs are also inherently approximate by nature, and therefore face significant challenges in relation to the accuracy and scale of analysis in real-world applications. Such issues often necessitate the use of larger LLMs with higher token limits, but this requires enterprise-grade hardware (GPUs) and thus limits accessibility for many users. In this paper, we propose LLM-based symbolic execution —a novel approach that enhances LLM inference via a path-based decomposition of the program analysis tasks into smaller (more tractable) subtasks. The core idea is to generalize path constraints using a generic code-based representation that the LLM can directly reason over, and without translation into another (less-expressive) formal language. We implement our approach in the form of AutoBug, an LLM-based symbolic execution engine that is lightweight and language-agnostic, making it a practical tool for analyzing code that is challenging for traditional approaches. We show that AutoBug can improve both the accuracy and scale of LLM-based program analysis, especially for smaller LLMs that can run on consumer-grade hardware.

Fuzzing is an effective technique to detect vulnerabilities in smart contracts. The challenge of smart contract fuzzing lies in the statefulness of contracts, which indicates that certain vulnerabilities can only be manifested in specific contract states. State-of-the-art fuzzers may generate and execute a plethora of meaningless or redundant transaction sequences during fuzzing, incurring a penalty in efficiency. To this end, we present DepFuzz, a hybrid fuzzer for efficient smart contract fuzzing, which introduces a symbolic execution module into the feedback-based fuzzer. Guided by the distance-based function dependencies between functions, DepFuzz can efficiently yield meaningful transaction sequences that contribute to vulnerability exposure or code coverage. The experiments on 286 benchmark smart contracts and 500 large real-world smart contracts corroborate that, compared to state-of-the-art approaches, DepFuzz achieves higher instruction coverage rate and uncovers many more vulnerabilities with less time.

Multiple successful compositional symbolic execution (CSE) tools and platforms exploit separation logic (SL) for compositional verification and/or incorrectness separation logic (ISL) for compositional bug-finding, including VeriFast, Viper, Gillian, CN, and Infer-Pulse. Previous work on the Gillian platform, the only CSE platform that is parametric on the memory model, meaning that it can be instantiated to different memory models, suggests that the ability to use custom memory models allows for more flexibility in supporting analysis of a wide range of programming languages, for implementing custom automation, and for improving performance. However, the literature lacks a satisfactory formal foundation for memory-model-parametric CSE platforms. In this paper, inspired by Gillian, we provide a new formal foundation for memory-model-parametric CSE platforms. Our foundation advances the state of the art in four ways. First, we mechanise our foundation (in the interactive theorem prover Rocq). Second, we validate our foundation by instantiating it to a broad range of memory models, including models for C and CHERI. Third, whereas previous memory-model-parametric work has only covered SL analyses, we cover both SL and ISL analyses. Fourth, our foundation is based on standard definitions of SL and ISL (including definitions of function specification validity, to ensure sound interoperation with other tools and platforms also based on standard definitions).

Malware analysis typically involves three steps:obfuscation, infection, and malicious action. Many antivirus methods fail because obfuscation hides control structures. This paper provides an overview of dynamic symbolic execution (DSE) applied to binary code, especially x86. DSE is considered the most powerful technique for deobfuscation and can automatically recover control structures such as control‑flow graphs. Several DSE tools target x86 (e.g., angr, Mayhem, S2E, KLEE‑MC, and BE‑PUM); we examine their design choices and trade‑offs. Finally, we evaluate the effectiveness of control‑flow graph similarity for tasks such as packer identification and original entry point (OEP) detection.

With the widespread application of digital technology and the dissemination of consumerist ideology, the consumption behavior. of Generation Z university students (born between 1995 and 2009) exhibits significant ritualistic characteristics. These are primarily manifested in three aspects: the prioritization of symbolic value, gamification experiences, and community-based interaction. Taking blind box consumption as a case study and drawing upon Baudrillard's theory of symbolic consumption, this paper provides a profound insight into the multifaceted impacts of ritualistic consumption on college student demographic: economic independence is undermined by excessive spending and debt cycles; individual subjectivity is dissolved by symbolic evaluation systems within “information cocoons ”; and values tend towards utilitarianism amid material worship and spiritual impoverishment. The article reveals the underlying causes from three perspectives: social-cultural permeation, algorithmic manipulation, and individual psychological compensation. Consequently, a three-pronged governance pathway is proposed: Society needs to curb the alienation of consumerism through policy regulation and cultural reconstruction; universities should reform. educational evaluation systems and strengthen consumer literacy education; and individuals must reshape rational consumption concepts through cognitive upgrading and relational reconstruction.

The article addresses current issues of software protection against malicious code and the detection of its manifestations during development and operation. It notes that modern methods of software analysis, particularly static and dynamic analysis, have both advantages and significant limitations, including a high number of false positives, low efficiency against polymorphic threats, and high computational resource requirements. As an optimal solution, the use of hybrid analysis is proposed, which combines the strengths of different approaches to improve the accuracy of vulnerability detection and reduce the number of erroneous results. The work presents a mathematical model for vulnerability detection based on symbolic execution and combined code analysis, as well as developed algorithms for constructing a reduced program path graph, calculating distance metrics to potentially dangerous code sections, and implementing directed dynamic symbolic execution. The methodology of vulnerability warning classification involves dividing them into three categories: confirmed, unconfirmed, and requiring additional inspection. This approach significantly reduces the complexity of analysis, improves the reliability of results, and automates the process of detecting potentially dangerous code. Particular attention is given to the formalization of concepts related to constraints on program path execution, symbolic conditions, and safety predicates. The obtained results demonstrate the effectiveness of hybrid analysis when working with large-scale projects where both speed and accuracy in threat detection are critical. The capabilities of the modular architecture of the hybrid analysis tool are examined, ensuring flexibility in expanding functionality and integrating new methods. An analysis of key software vulnerability metrics is conducted, which can be used to assess software security. Directions for further research are proposed, particularly improving symbolic execution algorithms to account for indirect dependencies and anti-analysis mechanisms. The research findings can be applied in the development of new systems and the modernization of existing code analysis tools aimed at enhancing software security.

Fuzzing is a promising validation method to detect design flaws as well as security vulnerabilities in a wide variety of electronic systems. Traditional fuzzing methods can outperform validation using random test vectors but they can lead to a coverage plateau due to the increasing number of hard-to-activate areas in complex hardware designs. While property checking aids in the exploration of hard-to-active scenarios in recent fuzzing solutions, they face several practical limitations, including inefficient utilization of fuzzing efforts and state space explosion for complex scenarios. This article introduces a novel approach to hardware fuzzing that synergistically integrates coverage-guided fuzzing with selective symbolic execution. Specifically, when hardware fuzzing reaches a coverage plateau, our framework utilizes selective symbolic execution to explore hard-to-activate areas. Unlike property-checking based fuzzing that tries to generate an input sequence from the start state, selective symbolic execution utilizes the existing fuzzing trajectory to produce a minimal input sequence to efficiently explore hard-to-activate areas. Extensive evaluation using four RISC-V based designs demonstrates that our framework can significantly improve both branch and toggle coverage compared to state-of-the-art fuzzing techniques. Our theoretical analysis and empirical results prove that our framework will always reach a coverage goal faster than existing fuzzing methods.

WebAssembly (WASM) has emerged as a crucial technology in smart contract development for several blockchain platforms. Unfortunately, since their introduction, WASM smart contracts have been subject to several security incidents caused by contract vulnerabilities, resulting in substantial economic losses. However, existing tools for detecting WASM contract vulnerabilities have accuracy limitations, one of the main reasons being the coarse-grained emulation of the on-chain data APIs. In this paper, we introduce WACANA, an analyzer for WASM contracts that accurately detects vulnerabilities through fine-grained emulation of on-chain data APIs. WACANA precisely simulates both the structure of on-chain data tables and their corresponding API functions, and integrates concrete and symbolic execution within a coverage-guided loop to balance accuracy and efficiency. Evaluations on a vulnerability dataset of 2,012 contracts show WACANA outperforming state-of-the-art tools in accuracy. Further validation on 5,602 real-world contracts confirms WACANA’s practical effectiveness.

Abstract Automatic exploit generation (AEG) refers to the process of automatically finding the path in the program that can trigger vulnerabilities and generate exploits. Typically, the process of finding vulnerabilities requires fuzzing and symbolic execution techniques. The existing AEG usually sets the preset environment ideally, which does not enable all protection mechanisms. This environment is not universally applicable in actual attacks. In the newest version of GCC, the default compilation configuration has enabled all protection mechanisms. In response to this situation, we propose an exploit generation system Protection Bypass Automatic Exploit Generator (PBAEG) which automatically detects some types of stack overflow vulnerabilities and format string vulnerabilities. Then PBAEG combines the above two vulnerabilities to generate exploits. PBAEG uses symbolic execution and dynamic binary analysis to find the above two vulnerabilities, adopts different exploit generation strategies for different protection mechanisms, and defeats Non-Executable, Position-Independent Executable, Canary, and Address Space Layout Randomization (ASLR) protection mechanisms. At the same time, for some difficult-to-exploit situations, advanced stack overflow exploitation methods are applied to generate exploits. Finally, we also use docker to simulate the remote environment to test the ability of PBAEG to attack the remote environment. Experiments show that PBAEG can complete the vulnerability detection and exploitation generation of 124 binary files, 22 capture-the-flag binary files, and 10 public software, which takes a shorter time than the existing AEG and covers more types of vulnerabilities. PBAEG adopts more vulnerability exploitation techniques, can generate exploits in the form of files by using pwntools, and successfully verifies the exploitations generated in the remote simulation environment.

The robustness and reliability of blockchain applications, critically depend on thorough testing. This study introduces AGTS, an automated framework for generating smart contract test suites on Hyperledger Fabric, significantly reducing manual effort while improving test coverage and security. The framework integrates static and dynamic analysis, leveraging symbolic execution and fuzz testing to detect vulnerabilities. The project is implemented in C#, and uses three test cases: CoCoME, LibraryMS and LoanPS, with their requirements as input, and generates their closely related test cases. We generated 34 test cases for CoCoME, 32 for LibraryMS, and 28 for LoanPS. Combining the test cases, their executable scripts were generated. Finally, we tested all the targeted smart contracts rigorously against the predefined criteria. The generated scripts undergo the quality assurance using ShellCheck, deploying on the continuous integration system, that further enhances the reliability and maintainability of these tests. AGTS automates the entire process of test script creation and verification, drastically reducing the manual effort involved in preparing test cases. It facilitates rapid and thorough testing cycles by generating dedicated scripts that execute specific test scenarios on smart contracts, verifying their behavior and performance. By automating the tedious and error-prone task of writing test cases, AGTS accelerates the development process and fortifies the security framework of blockchain applications. Comprehensive evaluation of AGTS across diverse real world smart contracts demonstrated the effectiveness in defect detection, significantly outperforming existing methods. The contribution of AGTS extends beyond providing a practical testing tool, by offering developers a robust framework for ensuring the reliability and security of their smart contracts. AGTS not only expedites test preparation but also ensures comprehensive test coverage, thus improving the overall quality of blockchain applications.

Timed Büchi automata provide a very expressive formalism for expressing requirements of real-time systems. Online monitoring and active testing of embedded real-time systems can then be achieved by symbolic execution of such automata on the trace observed from the system. However, this direct construction is only faithful if the observation of the trace is immediate in the sense that the monitor (or test harness, respectively) can assign exact timestamps to the actions it observes. This is rarely true in practice due to the substantial and fluctuating parametric delays introduced by the circuitry connecting the observed system to its monitoring or testing device. We present purely zone-based online monitoring and testing algorithms, which handle such parametric delays exactly without recurrence to costly verification procedures for parametric timed automata. We have implemented our algorithms on top of the real-time model checking tool Uppaal , and report on encouraging initial results.

Analysis of binary executables implementing mathematical equations can benefit from the reverse engineering of semantic information about the implementation. Traditional algorithmic reverse engineering tools either do not recover semantic information or rely on dynamic analysis and symbolic execution with high reverse engineering time. Algorithmic tools also require significant re-engineering effort to target new platforms and languages. Recently, neural methods for decompilation have been developed to recover human-like source code, but they do not extract semantic information explicitly. We develop REMEND, a neural decompilation framework to reverse engineer math equations from binaries to explicitly recover program semantics like data flow and order of operations. REMEND combines a transformer encoder-decoder model for neural decompilation with algorithmic processing for enhanced symbolic reasoning necessary for math equations. REMEND is the first work to demonstrate that transformers for neural decompilation go beyond source code and reason about program semantics in the form of math equations. We train on a synthetically generated dataset containing multiple implementations and compilations of math equations to produce a robust neural decompilation model and demonstrate retargettability. REMEND obtains an accuracy of 89.8% to 92.4% across three Instruction Set Architectures (ISAs), three optimization levels, and two programming languages with a single trained model, extending the capability of state-of-the-art neural decompilers. We achieve high accuracy with a small model of upto 12 million parameters and an average execution time of 0.132 seconds per function. On a real-world dataset collected from open-source programs, REMEND generalizes better than state-of-the-art neural decompilers despite being trained with synthetic data, achieving 8% higher accuracy. The synthetic and real-world datasets are provided at https://hf.co/udiboy1209/REMEND .

Path-guided conformance test case generation for models with data and time using symbolic execution techniques