Examining the Effectiveness of Transformer-Based Smart Contract Vulnerability Scan

TL;DR

This paper introduces VASCOT, a transformer-based tool for detecting vulnerabilities in Ethereum smart contracts, demonstrating its effectiveness through extensive dataset evaluation and comparison with existing models.

Contribution

The paper presents VASCOT, a novel transformer-based vulnerability scanner for smart contracts, with a new dataset and a comprehensive evaluation against LSTM models.

Findings

VASCOT outperforms LSTM models on the new dataset.

Transformer-based analysis improves vulnerability detection accuracy.

Insights into model strengths and limitations for smart contract security.

Abstract

Smart contract technology facilitates self-executing agreements on the blockchain, eliminating dependency on an external trusted authority. However, smart contracts may expose vulnerabilities that can lead to financial losses and disruptions in decentralized applications. In this work, we evaluate deep learning-based approaches for vulnerability scanning of Ethereum smart contracts. We propose VASCOT, a Vulnerability Analyzer for Smart COntracts using Transformers, which performs sequential analysis of Ethereum Virtual Machine (EVM) bytecode and incorporates a sliding window mechanism to overcome input length constraints. To assess VASCOT's detection efficacy, we construct a dataset of 16,469 verified Ethereum contracts deployed in 2022, and annotate it using trace analysis with concrete validation to mitigate false positives. VASCOT's performance is then compared against a state-of-the-art LSTM-based vulnerability detection model on both our dataset and an older public dataset. Our findings highlight the strengths and limitations of each model, providing insights into their detection capabilities and generalizability.