Abstract
Smart contract is a new paradigm for the decentralized software system, which plays an important and key role in Blockchain-based application. The vulnerabilities in smart contracts are unacceptable, and some of which have caused significant economic losses. The machine learning, especially deep learning, is a very promising and potential approach to vulnerability detecting for smart contracts. At present, deep learning-based vulnerability detection methods have low accuracy, time-consuming, and too small application range. For dealing with these, we propose a novel deep learning-based vulnerability detection framework for smart contracts at opcode level, named as DL4SC. It orthogonally combines the Transformer encoder and CNN (convolutional neural networks) to detect vulnerabilities of smart contracts for the first time, and firstly exploit SSA (sparrow search algorithm) to automatically search model hyperparameters for vulnerability detection. We implement the framework DL4SC on deep learning platform Pytorch with Python, and compare it with existing works on the three public datasets and one dataset we collect. The experiment results show that DL4SC can accurately detect vulnerabilities of smart contracts, and performs better than state-of-the-art works for detecting vulnerabilities in smart contracts. The accuracy and F1-score of DL4SC are 95.29% and 95.68%, respectively.
This is a preview of subscription content, log in via an institution to check access.
Similar content being viewed by others
References
Bhargavan, K. et al.: Formal verification of smart contracts: Short paper. In: Proceedings of the 2016 ACM Workshop on Programming Languages and Analysis for Security, pp. 91–96 (2016)
Brent, L. et al.: Vandal: A scalable security analysis framework for smart contracts. arXiv preprint arXiv:1809.03981, (2018)
Cai, J., Li, B., Zhang, J., Sun, X., Chen, B.: Combine sliced joint graph with graph neural networks for smart contract vulnerability detection. J. Syst. Softw. 195, 111550 (2023)
Dannen, C.: Introducing Ethereum and Solidity, vol. 1. Springer, Berlin (2017)
Fan, S., Fu, S., Xu, H., Cheng, X.: Al-SPSD: anti-leakage smart Ponzi schemes detection in blockchain. Inf. Process. Manage. 58(4), 102587 (2021)
Feist, J., Grieco, G., Groce, A.: Slither: a static analysis framework for smart contracts. In: 2019 IEEE/ACM 2nd International Workshop on Emerging Trends in Software Engineering for Blockchain (WETSEB), IEEE, pp. 8–15 (2019)
Feldman, Y. M., Sagiv, M., Shoham, S. Wilcox, J. R.: Learning the boundary of inductive invariants. In: Proceedings of the ACM on Programming Languages, vol. 5, no. POPL, pp. 1–30, (2021)
Feng, Y., Torlak, E., Bodík, R.: Summary-based symbolic evaluation for smart contracts. In: Proceedings of the 35th IEEE/ACM International Conference on Automated Software Engineering, pp. 1141–1152 (2020)
Fey, G.: Assessing system vulnerability using formal verification techniques. In: International Doctoral Workshop on Mathematical and Engineering Methods in Computer Science (pp. 47–56) (Springer: 2011)
Fu, Y. : Evmfuzzer: detect evm vulnerabilities via fuzz testing. In: Proceedings of the 2019 27th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, pp. 1110–1114 (2019)
Gao, G., Xu, Z., Li, J., Yang, J., Zeng, T., Qi, G.-J.: Ctcnet: a cnn-transformer cooperation network for face image super-resolution. IEEE Trans. Image Process. 32, 1978–1991 (2023)
Gayvoronskaya, T., Meinel, C.: Blockchain: Hype or Innovation. Springer Nature, Berlin (2020)
Ghaleb, A., Rubin, J., Pattabiraman, K.: eTainter: detecting gas-related vulnerabilities in smart contracts. In: Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis, pp. 728–739 (2022)
Grech, N., Kong, M., Jurisevic, A., Brent, L., Scholz, B., Smaragdakis, Y.: Madmax: Surviving out-of-gas conditions in ethereum smart contracts. In: Proceedings of the ACM on Programming Languages, vol. 2, no. OOPSLA, pp. 1–27, (2018)
Grieco, G., Song, W., Cygan, A., Feist, J., Groce, A.: Echidna: effective, usable, and fast fuzzing for smart contracts. In: Proceedings of the 29th ACM SIGSOFT International Symposium on Software Testing and Analysis, pp. 557–560 (2020)
Gupta, R., Patel, M.M., Shukla, A., Tanwar, S.: Deep learning-based malicious smart contract detection scheme for internet of things environment. Comput. Electr. Eng. 97, 107583 (2022)
He, D., Deng, Z., Zhang, Y., Chan, S., Cheng, Y., Guizani, N.: Smart contract vulnerability analysis and security audit. IEEE Netw. 34(5), 276–282 (2020)
He, J., Balunović, M., Ambroladze, N., Tsankov, P., Vechev, M.: Learning to fuzz from symbolic execution with application to smart contracts. In: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, pp. 531–548 (2019)
He, D., Wu, R., Li, X., Chan, S., Guizani, M.: Detection of vulnerabilities of blockchain smart contracts, IEEE Internet Things J., (2023)
Hessenauer, S.: Batch Overflow bug on Ethereum ERC20 token contracts and SafeMath. https://blog.matryx.ai/batch-overflow-bug-on-ethereum-erc20-token-contracts-and-safemath-f9ebcc137434 (2018)
Howell, J.: Top 10 DeFi Hacks You Should Know. https://101blockchains.com/top-defi-hacks/ (2022)
Hu, T., et al.: Transaction-based classification and detection approach for Ethereum smart contract. Inf. Process. Manage 58(2), 102462 (2021)
Hu, T., Li, B., Pan, Z., Qian, C.: Detect defects of solidity smart contract based on the knowledge graph. IEEE Trans. Reliabil. (2023)
Huang, T.H.-D.: Hunting the ethereum smart contract: Color-inspired inspection of potential attacks. arXiv preprint arXiv:1807.01868, (2018)
Huang, J., et al.: Hunting vulnerable smart contracts via graph embedding based bytecode matching. IEEE Trans. Inf. Forensics Secur. 16, 2144–2156 (2021)
Huang, J., Zhou, K., Xiong, A., Li, D.: Smart contract vulnerability detection model based on multi-task learning. Sensors 22(5), 1829 (2022)
Ji, S., Wu, J., Qiu, J., Dong, J.: Effuzz: efficient fuzzing by directed search for smart contracts. Inf. Softw. Technol. 159, 107213 (2023)
Jiang, B., Liu, Y., Chan, W.K.: Contractfuzzer: Fuzzing smart contracts for vulnerability detection. In: Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering, pp. 259–269 (2018)
Jie, W., et al.: A novel extended multimodal AI framework towards vulnerability detection in smart contracts. Inf. Sci. 636, 118907 (2023)
Jin, H., Wang, Z., Wen, M., Dai, W., Zhu, Y., Zou, D.: Aroc: an automatic repair framework for on-chain smart contracts. IEEE Trans. Softw. Eng. 48(11), 4611–4629 (2021)
Kalra, S., Goel, S., Dhawan, M., Sharma, S.: Zeus: analyzing safety of smart contracts. In: Ndss, pp. 1–12 (2018)
Li, J., Zhao, B., Zhang, C.: Fuzzing: a survey. Cybersecurity 1(1), 1–13 (2018)
Li, B., Pan, Z., Hu, T.: Redefender: detecting reentrancy vulnerabilities in smart contracts automatically. IEEE Trans. Reliab. 71(2), 984–999 (2022)
Li, J. et al.: Multi-label text classification via hierarchical Transformer-CNN. In: 2022 14th International Conference on Machine Learning and Computing (ICMLC), pp. 120–125 (2022)
Liao, J.-W., Tsai, T.-T., He, C.-K., Tien, C.-W.: Soliaudit: Smart contract vulnerability assessment based on machine learning and fuzz testing. In: 2019 Sixth International Conference on Internet of Things: Systems, Management and Security (IOTSMS), IEEE, pp. 458–465 (2019)
Lin, G., Wen, S., Han, Q.-L., Zhang, J., Xiang, Y.: Software vulnerability detection using deep neural networks: a survey. Proc. IEEE 108(10), 1825–1848 (2020)
Liu, C., Liu, H., Cao, Z., Chen, Z., Chen, B., Roscoe, B.: Reguard: finding reentrancy bugs in smart contracts. In: Proceedings of the 40th International Conference on Software Engineering: Companion Proceeedings, pp. 65–68 (2018)
Liu, Z., Qian, P., Wang, X., Zhuang, Y., Qiu, L., Wang, X.: Combining graph neural networks with expert knowledge for smart contract vulnerability detection, IEEE Trans. Knowled. Data Eng, (2021a)
Liu, Z., Qian, P., Wang, X., Zhu, L., He, Q., Ji, S.: Smart contract vulnerability detection: from pure neural network to interpretable graph feature and expert pattern fusion. arXiv preprint arXiv:2106.09282, (2021b)
Luu, L., Chu, D.-H., Olickel, H., Saxena, P., Hobor, A.: Making smart contracts smarter. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 254–269 (2016)
Ma, F., et al.: Pluto: exposing vulnerabilities in inter-contract scenarios. IEEE Trans. Softw. Eng. 48(11), 4380–4396 (2021)
Ma, J., Hao, Z., Sun, W.: Enhancing sparrow search algorithm via multi-strategies for continuous optimization problems. Inf. Process. Manage. 59(2), 102854 (2022)
Mehar, M.I., et al.: Understanding a revolutionary and flawed grand experiment in blockchain: the DAO attack. J. Cases Inform. Technol. 21(1), 19–32 (2019)
Mossberg, M. et al.: Manticore: A user-friendly symbolic execution framework for binaries and smart contracts. In: 2019 34th IEEE/ACM International Conference on Automated Software Engineering (ASE), IEEE, pp. 1186–1189 (2019)
Mueller, B.: Smashing ethereum smart contracts for fun and real profit. HITB SECCONF Amsterdam 9, 54 (2018)
“Mythril.” 2017. [Online]. Available: https://github.com/ConsenSys/mythril.
Nakamoto, S.: “Bitcoin: A peer-to-peer electronic cash system,” Decentralized Business Review, p. 21260, (2008)
Nikolić, I., Kolluri, A., Sergey, I., Saxena, P., Hobor, A.: Finding the greedy, prodigal, and suicidal contracts at scale. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 653–663 (2018)
Palladino, S.: The parity wallet hack explained, OpenZeppelin blog, https://blog.openzeppelin.com/on-the-parity-wallet-multisig-hack-405a8c12e8f7, 2017.
Perez, D., Livshits, B.: Smart contract vulnerabilities: vulnerable does not imply exploited. In: USENIX Security Symposium, pp. 1325–1341 (2021)
Qian, S., Ning, H., He, Y., Chen, M.: Multi-label vulnerability detection of smart contracts based on Bi-LSTM and attention mechanism. Electronics 11(19), 3260 (2022)
Rodler, M., Li, W., Karame, G.O., Davi, L.: Sereum: Protecting existing smart contracts against re-entrancy attacks. arXiv preprint arXiv:1812.05934, (2018)
Sendner, C. et al.: Smarter contracts: detecting vulnerabilities in smart contracts with deep transfer learning, (2023).
Shi, L., Du, J., Cheng, G., Liu, X., Xiong, Z., Luo, J.: Cross-media search method based on complementary attention and generative adversarial network for social networks. Int. J. Intell. Syst. 37(8), 4393–4416 (2022)
Sun, X., Tu, L., Zhang, J., Cai, J., Li, B., Wang, Y.: ASSBert: active and semi-supervised bert for smart contract vulnerability detection. J. Inform. Secur. Appl. 73, 103423 (2023)
Sun, Y., Gu, L.: Attention-based machine learning model for smart contract vulnerability detection. In: Journal of Physics: Conference Series, IOP Publishing, p. 012004 (2021)
Szabo, N.: Smart contracts: building blocks for digital markets. EXTROPY: J. Transhumanist Thought (16) 18(2), 28 (1996)
Thomas, J.B., Chaudhari, S.G., Shihabudheen, K.V., Verma, N.K.: CNN-based transformer model for fault detection in power system networks. IEEE Trans. Instrum. Meas. 72, 1–10 (2023)
Tikhomirov, S., Voskresenskaya, E., Ivanitskiy, I., Takhaviev, R., Marchenko, E., Alexandrov, Y.: Smartcheck: Static analysis of ethereum smart contracts. In: Proceedings of the 1st International Workshop on Emerging Trends in Software Engineering for Blockchain, pp. 9–16 (2018)
Torres, C.F., Schütte, J., State, R.: Osiris: Hunting for integer bugs in ethereum smart contracts. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 664–676 (2018)
Tsankov, P., Dan, A., Drachsler-Cohen, D., Gervais, A., Buenzli, F., Vechev, M.: Securify: Practical security analysis of smart contracts. In: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pp. 67–82 (2018)
Vaswani, A. et al.: Attention is all you need, Adv. Neural Inform. Process. Syst., vol. 30, (2017)
Vivar, A.L., Orozco, A.L.S., Villalba, L.J.G.: A security framework for ethereum smart contracts. Comput. Commun. 172, 119–129 (2021)
Wang, X., He, J., Xie, Z., Zhao, G., Cheung, S.-C.: ContractGuard: defend ethereum smart contracts with embedded intrusion detection. IEEE Trans. Serv. Comput. 13(2), 314–328 (2019)
Wang, W., Song, J., Xu, G., Li, Y., Wang, H., Su, C.: Contractward: automated vulnerability detection models for ethereum smart contracts. IEEE Trans. Netw. Sci. Eng. 8(2), 1133–1144 (2020)
Wang, L., Cheng, H., Zheng, Z., Yang, A., Zhu, X.: Ponzi scheme detection via oversampling-based Long Short-Term Memory for smart contracts. Knowl.-Based Syst. 228, 107312 (2021)
Wood, G.: Ethereum: a secure decentralised generalised transaction ledger. Ethereum Project Yellow Paper 151(2014), 1–32 (2014)
Wu, H., Dong, H., He, Y., Duan, Q.: Smart contract vulnerability detection based on hybrid attention mechanism model. Appl. Sci. 13(2), 770 (2023)
Xing, C., Chen, Z., Chen, L., Guo, X., Zheng, Z., Li, J.: A new scheme of vulnerability analysis in smart contract with machine learning. Wireless Networks, pp. 1–10, (2020)
Xu, Y., Hu, G., You, L., Cao, C.: A novel machine learning-based analysis model for smart contract vulnerability. Secur. Commun. Netw. 2021, 1–12 (2021)
Xue, Y., Ma, M., Lin, Y., Sui, Y., Ye, J., Peng, T.: Cross-contract static analysis for detecting practical reentrancy vulnerabilities in smart contracts. In: Proceedings of the 35th IEEE/ACM International Conference on Automated Software Engineering, pp. 1029–1040 (2020)a
Xue, J., Shen, B.: A novel swarm intelligence optimization approach: sparrow search algorithm. Syst. Sci. Control Eng. 8(1), 22–34 (2020). https://doi.org/10.1080/21642583.2019.1708830
Ye, J., Ma, M., Lin, Y., Ma, L., Xue, Y., Zhao, J.: Vulpedia: detecting vulnerable ethereum smart contracts via abstracted vulnerability signatures. J. Syst. Softw. 192, 111410 (2022)
Yu, X.L., Al-Bataineh, O., Lo, D., Roychoudhury, A.: Smart contract repair. ACM Trans. Softw. Eng. Methodol. 29(4), 1–32 (2020)
Yuan, F., Zhang, Z., Fang, Z.: An effective CNN and Transformer complementary network for medical image segmentation. Pattern Recogn. 136, 109228 (2023)
Zelinka, I., et al.: Impact of chaotic dynamics on the performance of metaheuristic optimization algorithms: an experimental analysis. Inf. Sci. 587, 692–719 (2022)
Zhang, L., et al.: SPCBIG-EC: a robust serial hybrid model for smart contract vulnerability detection. Sensors 22(12), 4621 (2022a)
Zhang, L., Wang, J., Wang, W., Jin, Z., Su, Y., Chen, H.: Smart contract vulnerability detection combined with multi-objective detection. Comput. Netw. 217, 109289 (2022b)
Zheng, P., Zheng, Z., Luo, X.: Park: accelerating smart contract vulnerability detection via parallel-fork symbolic execution. In: Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis, pp. 740–751 (2022)
Zhou, Q., Zheng, K., Zhang, K., Hou, L., Wang, X.: Vulnerability analysis of smart contract for blockchain-based IoT applications: a machine learning approach. IEEE Internet Things J. 9(24), 24695–24707 (2022a)
Zhou, Y., Shen, J., Zhang, X., Yang, W., Han, T., Chen, T.: Automatic source code summarization with graph attention networks. J. Syst. Softw. 188, 111257 (2022b)
Zhuang, Y., Liu, Z., Qian, P., Liu, Q., Wang, X., He, Q.: Smart contract vulnerability detection using graph neural network. In: IJCAI, pp. 3283–3290 (2020)
Zou, W., et al.: Smart contract development: challenges and opportunities. IEEE Trans. Softw. Eng. 47(10), 2084–2106 (2019)
Acknowledgements
The work was supported by Singapore-UK Cyber Security of EPSRC under Grant Nos. EP/N020170/1. We would like to extend our deepest respects to Professor Edmund M. Clarke at Carnegie Mellon University, USA, who received ACM Turing Award for his pioneering work of model checking and passed away on December 22, 2020. He inspired us a lot through his books and papers, especially the direct discussion about machine learning for system vulnerability detection. We also thank the editors and referees for their efforts in reviewing this work.
Author information
Authors and Affiliations
Contributions
YL: Conceptualization, Methodology, Supervision, Writing. CW: Conceptualization, Methodology, Software, Validation, Writing. YM: Methodology, Supervision, Reviewing, Editing.
Corresponding author
Ethics declarations
Conflict of interest
The authors declare no conflicts of interest in this work.
Additional information
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.
About this article
Cite this article
Liu, Y., Wang, C. & Ma, Y. DL4SC: a novel deep learning-based vulnerability detection framework for smart contracts. Autom Softw Eng 31, 24 (2024). https://doi.org/10.1007/s10515-024-00418-z
Received:
Accepted:
Published:
DOI: https://doi.org/10.1007/s10515-024-00418-z