Computer Science ›› 2026, Vol. 53 ›› Issue (2): 423-430. doi: 10.11896/jsjkx.241200144

• Information Security •

Heterogeneous Graph Attention Network-based Approach for Smart Contract Vulnerability Detection

LI Chengyu1, HUANG Ke2, ZHANG Ruiheng3, CHEN Wei4

  1 Shenzhen Institute for Advanced Study, UESTC, University of Electronic Science and Technology of China, Shenzhen, Guangdong 518110, China
  2 School of Computer Science & Engineering, University of Electronic Science and Technology of China, Chengdu 611731, China
  3 Nanjing Institute of Information Technology, Nanjing 210036, China
  4 School of Information and Software Engineering, University of Electronic Science and Technology of China, Chengdu 610031, China
  • Received: 2024-12-18 Revised: 2025-03-16 Online: 2026-02-10
  • Corresponding author: CHEN Wei (chenwei@uestc.edu.cn)
  • Author e-mail: 202222280626@std.uestc.edu.cn
  • About author: LI Chengyu, born in 1999, postgraduate. His main research interest is blockchain security.
    CHEN Wei, born in 1978, Ph.D, associate professor. His main research interests include network security and blockchain security.
  • Supported by:
    National Natural Science Foundation of China (U2336204) and Science Foundation of Sichuan (2023YFG0112, 2024YFHZ0015).

Abstract: Security vulnerabilities in smart contracts on blockchain platforms such as Ethereum have long been a focus of industry attention. Analyzing bytecode to detect smart contract vulnerabilities is one of the current mainstream approaches. However, traditional methods, such as symbolic execution, rely on predefined vulnerability knowledge to build detection rules, which leads to low efficiency and poor precision. Deep learning-based methods, on the other hand, lack a deep understanding of bytecode program semantics and struggle to filter the noise generated during compilation while still capturing complete control flow and data flow information. To address these problems, this paper proposes a method that constructs critical semantic graphs to detect smart contract vulnerabilities. First, a set of specific denoising preprocessing rules is defined to denoise the contract data while preserving the key semantic information related to vulnerabilities. Next, a heterogeneous graph representation method is introduced to capture rich program semantics. Finally, a vulnerability detection model based on the Heterogeneous Graph Attention Network (HAN) is designed. Experimental results demonstrate that the proposed method outperforms existing approaches for smart contract vulnerability detection. For denial of service, integer overflow, timestamp dependency, and unchecked function return value vulnerabilities, the F1 scores of the proposed method are improved by 17.75, 5.94, 28.94, and 27.85 percentage points, respectively.

Key words: Smart contract, Smart contract security, Graph neural network, Smart contract bytecode

CLC Number: TP311