When GPT Meets Program Analysis: Towards Intelligent Detection of Smart Contract Logic Vulnerabilities in GPTScan
Problem addressed: This paper explores how GPT can be combined with static analysis to detect logic vulnerabilities in smart contracts. Current analysis tools mainly target vulnerabilities with fixed control-flow or data-flow patterns, such as re-entrancy and integer overflow. However, a recent study of Web3 security bugs shows that about 80% of them cannot be audited by existing tools because domain-specific property descriptions and checks are lacking.
Key idea: GPTScan is the first tool to combine GPT with static analysis for detecting logic vulnerabilities in smart contracts. Rather than relying on GPT alone to identify vulnerabilities, GPTScan breaks each logic vulnerability type down into scenarios and properties and uses GPT to match candidate vulnerabilities against them. To improve accuracy, GPTScan further instructs GPT to identify the key variables and statements, which are then validated by static confirmation.
Other highlights: GPTScan was evaluated on diverse datasets of around 400 contract projects and 3K Solidity files, showing high precision (over 90%) on token contracts and acceptable precision (57.14%) on large projects such as Web3Bugs. It effectively detects over 80% of the ground-truth logic vulnerabilities, including 9 new vulnerabilities missed by human auditors. GPTScan is fast and inexpensive, scanning a thousand lines of Solidity code in 14.39 seconds at a cost of 0.01 USD on average. In addition, static confirmation helps GPTScan cut false positives by two-thirds.
About the authors: The main authors of this paper are Yuqiang Sun, Daoyuan Wu, Yue Xue, Han Liu, Haijun Wang, Zhengzi Xu, Xiaofei Xie and Yang Liu. They come from different institutions in China, such as Tsinghua University and Peking University. Their previous representative publications include "DeepGauge: Multi-task Deep Metric Learning" and "Multi-task Learning Based on Deep Reinforcement Learning".
Related work: Recent related studies include "SmartCheck: a static analysis tool for detecting vulnerabilities in Ethereum smart contracts" (authors: Y. Chen et al., institution: University of California, Berkeley) and "ContractFuzzer: a fuzzing framework for smart contracts" (authors: S. Liu et al., institution: National University of Singapore).
Smart contracts are prone to various vulnerabilities, leading to substantial financial losses over time. Current analysis tools mainly target vulnerabilities with fixed control or dataflow patterns, such as re-entrancy and integer overflow. However, a recent study on Web3 security bugs revealed that about 80% of these bugs cannot be audited by existing tools due to the lack of domain-specific property description and checking. Given recent advances in Generative Pretraining Transformer (GPT), it is worth exploring how GPT could aid in detecting logic vulnerabilities in smart contracts. In this paper, we propose GPTScan, the first tool combining GPT with static analysis for smart contract logic vulnerability detection. Instead of relying solely on GPT to identify vulnerabilities, which can lead to high false positives and is limited by GPT's pre-trained knowledge, we utilize GPT as a versatile code understanding tool. By breaking down each logic vulnerability type into scenarios and properties, GPTScan matches candidate vulnerabilities with GPT. To enhance accuracy, GPTScan further instructs GPT to intelligently recognize key variables and statements, which are then validated by static confirmation. Evaluation on diverse datasets with around 400 contract projects and 3K Solidity files shows that GPTScan achieves high precision (over 90%) for token contracts and acceptable precision (57.14%) for large projects like Web3Bugs. It effectively detects ground-truth logic vulnerabilities with a recall of over 80%, including 9 new vulnerabilities missed by human auditors. GPTScan is fast and cost-effective, taking an average of 14.39 seconds and 0.01 USD to scan per thousand lines of Solidity code. Moreover, static confirmation helps GPTScan reduce two-thirds of false positives.
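The summary and the abstract both describe the same two-stage design: GPT proposes the key variables and statements for a scenario/property pair, and a static confirmation step checks those proposals against the actual source before anything is reported. The following Python sketch is an added illustration of that second stage; it is not GPTScan's code and does not reproduce its scenarios or prompts. The GPT step is replaced by a list of canned candidate answers, the contract, the scenario ("a caller-supplied parameter flows unchecked into an amount paid out") and the candidate answers are all constructed for this example, and the parsing is a deliberately small regex-based approximation of what a real static analyser would do.

```python
"""Toy static confirmation of LLM-proposed vulnerability candidates.

Added example (not GPTScan's implementation). The "GPT" stage is mocked by
GPT_CANDIDATES so the script runs offline; the contract below is constructed.
"""
import re

# Constructed Solidity source. `withdraw` multiplies by a caller-supplied
# `price` that is never validated; `withdrawSafe` uses a stored oracle price.
CONTRACT = """
contract Vault {
    mapping(address => uint256) public balances;
    uint256 public oraclePrice;

    function withdraw(uint256 amount, uint256 price) public {
        uint256 payout = amount * price;
        require(balances[msg.sender] >= amount, "insufficient");
        balances[msg.sender] -= amount;
        payable(msg.sender).transfer(payout);
    }

    function withdrawSafe(uint256 amount) public {
        require(amount > 0, "zero");
        uint256 payout = amount * oraclePrice;
        require(balances[msg.sender] >= amount, "insufficient");
        balances[msg.sender] -= amount;
        payable(msg.sender).transfer(payout);
    }
}
"""

# Constructed stand-in for GPT's answers to "which variable/statement matches
# the scenario?". Only the first one is a real match; the rest are the kinds
# of noisy answers a model produces (checked variable, wrong variable kind,
# statement that does not exist in the function).
GPT_CANDIDATES = [
    {"function": "withdraw", "key_variable": "price",
     "key_statement": "uint256 payout = amount * price;"},
    {"function": "withdraw", "key_variable": "amount",
     "key_statement": "uint256 payout = amount * price;"},
    {"function": "withdrawSafe", "key_variable": "price",
     "key_statement": "uint256 payout = amount * oraclePrice;"},
    {"function": "withdraw", "key_variable": "price",
     "key_statement": "payout = price * 2;"},
]

FUNC_RE = re.compile(r"function\s+(\w+)\s*\(([^)]*)\)[^{]*\{")


def extract_functions(src):
    """Map function name -> (parameter names, body text) via brace matching."""
    funcs = {}
    for m in FUNC_RE.finditer(src):
        name, params = m.group(1), m.group(2)
        start = m.end() - 1          # index of the opening brace
        depth, i = 0, start
        while i < len(src):
            if src[i] == "{":
                depth += 1
            elif src[i] == "}":
                depth -= 1
                if depth == 0:
                    break
            i += 1
        body = src[start + 1:i]
        names = [p.split()[-1] for p in params.split(",") if p.strip()]
        funcs[name] = (names, body)
    return funcs


def is_checked(var, body):
    """True if any require(...) in the body mentions `var` as a whole word."""
    for cond in re.findall(r"require\s*\((.*?)\)\s*;", body, re.S):
        if re.search(rf"\b{re.escape(var)}\b", cond):
            return True
    return False


def static_confirm(cand, funcs):
    """Accept a candidate only if every claim it makes holds in the source."""
    name, var, stmt = cand["function"], cand["key_variable"], cand["key_statement"]
    if name not in funcs:
        return False, "function not found"
    params, body = funcs[name]
    if " ".join(stmt.split()) not in " ".join(body.split()):
        return False, "key statement not in function body"
    if var not in params:
        return False, f"{var} is not a caller-controlled parameter"
    if not re.search(rf"\b{re.escape(var)}\b", stmt):
        return False, "key variable not used in key statement"
    if is_checked(var, body):
        return False, f"{var} is validated by a require()"
    return True, f"{var} flows unchecked into '{stmt.strip()}'"


def scan(src, candidates):
    """Return (function, variable, accepted, reason) for each GPT candidate."""
    funcs = extract_functions(src)
    return [(c["function"], c["key_variable"], *static_confirm(c, funcs))
            for c in candidates]


if __name__ == "__main__":
    for fn, var, ok, why in scan(CONTRACT, GPT_CANDIDATES):
        print(f"{'REPORT ' if ok else 'DROP   '}{fn}/{var}: {why}")
```

Running it reports only the `withdraw`/`price` candidate and drops the other three with a reason each, which is the effect the abstract attributes to static confirmation: the model is used for code understanding, but the decision to report rests on facts checked against the program.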