SmartInv: Multimodal Learning for Smart Contract Invariant Inference

TL;DR

SmartInv is a multimodal learning framework that infers invariants in smart contracts to automatically detect vulnerabilities, outperforming existing tools in bug detection speed and accuracy, and uncovering critical zero-day bugs.

Contribution

It introduces a novel multimodal invariant inference approach using foundation models with a Tier of Thought prompting strategy for smart contracts.

Findings

Generates 3.5 times more bug-critical invariants

Detects 4 times more critical bugs

Uncovers 119 zero-day vulnerabilities, including five high-severity bugs

Abstract

Smart contracts are software programs that enable diverse business activities on the blockchain. Recent research has identified new classes of "machine un-auditable" bugs that arise from both transactional contexts and source code. Existing detection methods require human understanding of underlying transaction logic and manual reasoning across different sources of context (i.e. modalities), such as code, dynamic transaction executions, and natural language specifying the expected transaction behavior. To automate the detection of ``machine un-auditable'' bugs, we present SmartInv, an accurate and fast smart contract invariant inference framework. Our key insight is that the expected behavior of smart contracts, as specified by invariants, relies on understanding and reasoning across multimodal information, such as source code and natural language. We propose a new prompting strategy to foundation models, Tier of Thought (ToT), to reason across multiple modalities of smart contracts and ultimately to generate invariants. By checking the violation of these generated invariants, SmartInv can identify potential vulnerabilities. We evaluate SmartInv on real-world contracts and re-discover bugs that resulted in multi-million dollar losses over the past 2.5 years (from January 1, 2021 to May 31, 2023). Our extensive evaluation shows that SmartInv generates (3.5X) more bug-critical invariants and detects (4$\times$) more critical bugs compared to the state-of-the-art tools in significantly (150X) less time. \sys uncovers 119 zero-day vulnerabilities from the 89,621 real-world contracts. Among them, five are critical zero-day bugs confirmed by developers as ``high severity.''