Retrieval Augmented Generation Integrated Large Language Models in Smart Contract Vulnerability Detection

TL;DR

This paper presents a novel approach combining Retrieval-Augmented Generation with GPT-4 to detect vulnerabilities in smart contracts, achieving over 60% success in automated security auditing, thus enhancing accessibility and efficiency.

Contribution

It introduces an integrated RAG-LLM framework for smart contract vulnerability detection, demonstrating promising results and paving the way for more accessible security auditing tools.

Findings

62.7% success rate with vulnerability type guidance

60.71% success rate in blind vulnerability detection

Proof of concept for cost-effective smart contract auditing

Abstract

The rapid growth of Decentralized Finance (DeFi) has been accompanied by substantial financial losses due to smart contract vulnerabilities, underscoring the critical need for effective security auditing. With attacks becoming more frequent, the necessity and demand for auditing services has escalated. This especially creates a financial burden for independent developers and small businesses, who often have limited available funding for these services. Our study builds upon existing frameworks by integrating Retrieval-Augmented Generation (RAG) with large language models (LLMs), specifically employing GPT-4-1106 for its 128k token context window. We construct a vector store of 830 known vulnerable contracts, leveraging Pinecone for vector storage, OpenAI's text-embedding-ada-002 for embeddings, and LangChain to construct the RAG-LLM pipeline. Prompts were designed to provide a binary answer for vulnerability detection. We first test 52 smart contracts 40 times each against a provided vulnerability type, verifying the replicability and consistency of the RAG-LLM. Encouraging results were observed, with a 62.7% success rate in guided detection of vulnerabilities. Second, we challenge the model under a "blind" audit setup, without the vulnerability type provided in the prompt, wherein 219 contracts undergo 40 tests each. This setup evaluates the general vulnerability detection capabilities without hinted context assistance. Under these conditions, a 60.71% success rate was observed. While the results are promising, we still emphasize the need for human auditing at this time. We provide this study as a proof of concept for a cost-effective smart contract auditing process, moving towards democratic access to security.