BugSweeper: Function-Level Detection of Smart Contract Vulnerabilities Using Graph Neural Networks

TL;DR

BugSweeper is an end-to-end deep learning framework that uses graph neural networks to detect smart contract vulnerabilities directly from source code, eliminating the need for manual rule-based preprocessing.

Contribution

It introduces a novel graph representation called FLAG and a two-stage GNN approach for accurate, automated vulnerability detection in Solidity smart contracts.

Findings

Outperforms all state-of-the-art detection methods on real-world contracts

Eliminates reliance on handcrafted rules, enhancing scalability and robustness

Provides a fully automated, scalable solution for smart contract security

Abstract

The rapid growth of Ethereum has made it more important to quickly and accurately detect smart contract vulnerabilities. While machine-learning-based methods have shown some promise, many still rely on rule-based preprocessing designed by domain experts. Rule-based preprocessing methods often discard crucial context from the source code, potentially causing certain vulnerabilities to be overlooked and limiting adaptability to newly emerging threats. We introduce BugSweeper, an end-to-end deep learning framework that detects vulnerabilities directly from the source code without manual engineering. BugSweeper represents each Solidity function as a Function-Level Abstract Syntax Graph (FLAG), a novel graph that combines its Abstract Syntax Tree (AST) with enriched control-flow and data-flow semantics. Then, our two-stage Graph Neural Network (GNN) analyzes these graphs. The first-stage GNN filters noise from the syntax graphs, while the second-stage GNN conducts high-level reasoning to detect diverse vulnerabilities. Extensive experiments on real-world contracts show that BugSweeper significantly outperforms all state-of-the-art detection methods. By removing the need for handcrafted rules, our approach offers a robust, automated, and scalable solution for securing smart contracts without any dependence on security experts.