LogicScan: An LLM-driven Framework for Detecting Business Logic Vulnerabilities in Smart Contracts

TL;DR

LogicScan is an automated framework that leverages large language models and on-chain protocol invariants to effectively detect business logic vulnerabilities in smart contracts, outperforming existing static analysis tools.

Contribution

It introduces a novel invariant mining and contrastive auditing approach using a Business Specification Language to improve detection accuracy of logic vulnerabilities.

Findings

Achieves an F1 score of 85.2% on real-world datasets.

Outperforms state-of-the-art tools in detecting logic vulnerabilities.

Maintains low false-positive rates and consistent performance across LLMs.

Abstract

Business logic vulnerabilities have become one of the most damaging yet least understood classes of smart contract vulnerabilities. Unlike traditional bugs such as reentrancy or arithmetic errors, these vulnerabilities arise from missing or incorrectly enforced business invariants and are tightly coupled with protocol semantics. Existing static analysis techniques struggle to capture such high-level logic, while recent large language model based approaches often suffer from unstable outputs and low accuracy due to hallucination and limited verification. In this paper, we propose LogicScan, an automated contrastive auditing framework for detecting business logic vulnerabilities in smart contracts. The key insight behind LogicScan is that mature, widely deployed on-chain protocols implicitly encode well-tested and consensus-driven business invariants. LogicScan systematically mines these invariants from large-scale on-chain contracts and reuses them as reference constraints to audit target contracts. To achieve this, LogicScan introduces a Business Specification Language (BSL) to normalize diverse implementation patterns into structured, verifiable logic representations. It further combines noise-aware logic aggregation with contrastive auditing to identify missing or weakly enforced invariants while mitigating LLM-induced false positives. We evaluate LogicScan on three real-world datasets, including DeFiHacks, Web3Bugs, and a set of top-200 audited contracts. The results show that LogicScan achieves an F1 score of 85.2%, significantly outperforming state-of-the-art tools while maintaining a low false-positive rate on production-grade contracts. Additional experiments demonstrate that LogicScan maintains consistent performance across different LLMs and is cost-effective, and that its false-positive suppression mechanisms substantially improve robustness.