Computer Science, 2025, Vol. 52, Issue (12): 367-373. doi: 10.11896/jsjkx.241100076

• Information Security •

  • Corresponding author: ZHANG Yan (zhangyan@hubu.edu.cn)
  • About the author: (sjhhubu@126.com)

Smart Contract Bytecode Vulnerability Detection Method Based on Heterogeneous Graphs and Instruction Sequences

SONG Jianhua1,3,4, CAO Kai2, ZHANG Yan2,3

    1 School of Cyber Science and Technology, Hubei University, Wuhan 430062, China
    2 School of Computer Science and Information Engineering, Hubei University, Wuhan 430062, China
    3 Key Laboratory of Intelligent Sensing System and Security, Ministry of Education, Wuhan 430062, China
    4 Hubei Engineering Research Center of Cyber Security for Intelligent Connected Vehicles, Wuhan 430062, China
  • Received: 2024-11-13 Revised: 2025-02-22 Published: 2025-12-15 Online: 2025-12-09
  • About author: SONG Jianhua, born in 1973, Ph.D, professor, postgraduate supervisor, is a member of CCF (No. 27785M). Her main research interest is network and information security.
    ZHANG Yan, born in 1974, Ph.D, professor, postgraduate supervisor. His main research interest is code security.
  • Supported by:
    This work was supported by the National Natural Science Foundation of China (62377009), Major Project of Hubei Province (JD) (2023BAA018), Key Project of Hubei Provincial Key R&D Program (2021BAA184, 2021BAA188), Research Center for Performance Evaluation and Information Management of Key Research Bases for Humanities and Social Sciences in Hubei Provincial Colleges and Universities (2020JX01) and Major Science and Technology Special Project of Hubei Science and Technology Plan (2024BAA008).

Abstract: In recent years, the security issues of smart contracts have become increasingly prominent, and vulnerability detection has become a key challenge. In scenarios where source code is not publicly available, bytecode-based detection methods have attracted significant attention. However, existing deep learning methods typically rely solely on sequences or graph structures, which makes it difficult to fully capture vulnerability features. To address this, this paper proposes a smart contract bytecode vulnerability detection method based on heterogeneous graphs and instruction sequences, called RGCN-ResNet1D (Relational Graph Convolutional Network and ResNet-based 1D Convolutional Network). This method models bytecode as a heterogeneous graph and instruction sequence, using a Relational Graph Convolutional Network (RGCN) to extract structural features and a ResNet-based 1D Convolutional Network (ResNet1D) to extract sequential features, and then fuses the two types of features for vulnerability detection. A cross-entropy loss function is also designed, which dynamically adjusts the weight based on the number of misclassified samples, effectively alleviating the class imbalance problem in the training set. Experimental results show that RGCN-ResNet1D achieves F1 scores of 95.43%, 90.67%, and 92.31% for detecting integer overflow, timestamp dependency, and self-destruct vulnerabilities, respectively, significantly outperforming the comparison methods.

Key words: Smart contracts bytecode, Vulnerability detection, Heterogeneous graph, Bytecode instruction sequence, Deep learning

CLC Number: TP309