No More Hidden Pitfalls? Exposing Smart Contract Bad Practices with LLM-Powered Hybrid Analysis
Xiaoqi Li, Zongwei Li, Wenkai Li, Yuqing Zhang, Xin Wang

TL;DR
This paper presents SCALM, a novel LLM-powered hybrid framework for systematically identifying bad practices in smart contracts, enhancing security and reliability in Ethereum applications.
Contribution
It introduces a hybrid analysis architecture combining semantic reasoning and pattern matching, along with a multi-layer verification system for detecting smart contract bad practices.
Findings
SCALM outperforms existing tools in detecting bad practices
The framework effectively links low-level code patterns with high-level security principles
Extensive experiments validate the effectiveness of SCALM across multiple datasets
Abstract
As the Ethereum platform continues to mature and gain widespread usage, it is crucial to maintain high standards of smart contract writing practices. While bad practices in smart contracts may not directly lead to security issues, they elevate the risk of encountering problems. Therefore, to understand and avoid these bad practices, this paper introduces the first systematic study of bad practices in smart contracts, delving into over 47 specific issues. Specifically, we propose SCALM, an LLM-powered framework featuring two methodological innovations: (1) A hybrid architecture that combines context-aware function-level slicing with knowledge-enhanced semantic reasoning via extensible vectorized pattern matching. (2) A multi-layer reasoning verification system connects low-level code patterns with high-level security principles through syntax, design patterns, and architecture analysis.…
Taxonomy
Topics: Blockchain Technology Applications and Security · Artificial Intelligence in Law · Business Law and Ethics
