LLM4Fuzz: Guided Fuzzing of Smart Contracts with Large Language Models
Chaofan Shou, Jing Liu, Doudou Lu, Koushik Sen
TL;DR
The LLM4Fuzz framework integrates large language models to guide fuzzing of smart contracts by generating metrics such as code complexity, vulnerability likelihood, invariant dependencies, and interesting input sequences. The system parses contracts into ASTs and CFGs, prompts LLMs to score code regions per function, and feeds these signals into a power-scheduling fuzzing engine to prioritize exploration. Across real-world DeFi contracts, LLM4Fuzz delivers higher coverage and faster vulnerability discovery, identifying five critical vulnerabilities totaling over $247k that were missed by prior tooling. The work demonstrates the practical viability of combining semantic reasoning from LLMs with fuzzing and suggests potential extensions to traditional software testing pipelines.
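To make the "LLM scores feed a power schedule" idea concrete, here is an added illustration that is not code from the LLM4Fuzz paper or its implementation. It assumes that the LLM has already produced a per-function complexity score and vulnerability-likelihood score in the range 0 to 1 (the function names and score values below are constructed), combines them into a fuzzing energy, and decays that energy for functions that keep getting fuzzed without yielding new coverage. The weighting constants, the decay rule, and the mock fuzzer are all assumptions made for the example, not the paper's formulas.

```python
import random
from dataclasses import dataclass


@dataclass
class FunctionScore:
    """LLM-derived signals for one contract function plus fuzzer feedback."""
    name: str
    complexity: float        # assumed LLM output, 0..1
    vuln_likelihood: float   # assumed LLM output, 0..1
    new_edges_found: int = 0 # coverage feedback reported by the fuzzer
    draws: int = 0           # how often the scheduler has selected it


def energy(score: FunctionScore, alpha: float = 1.0, beta: float = 2.0) -> float:
    """Power-schedule energy: LLM signals scaled by coverage feedback.

    alpha/beta are assumed weights; vulnerability likelihood is weighted
    higher than raw complexity because it is the signal the campaign cares
    about most. Functions that were drawn many times without new edges decay.
    """
    base = alpha * score.complexity + beta * score.vuln_likelihood
    if score.draws == 0:
        feedback = 1.0  # untouched function keeps its full LLM-derived energy
    else:
        feedback = (1 + score.new_edges_found) / (1 + score.draws)
    return max(base * feedback, 0.01)  # floor so no function is starved


class PowerScheduler:
    """Picks the next function to fuzz with probability proportional to energy."""

    def __init__(self, scores, seed: int = 0):
        self.scores = list(scores)
        self.rng = random.Random(seed)  # seeded so runs are reproducible

    def pick(self) -> FunctionScore:
        weights = [energy(s) for s in self.scores]
        chosen = self.rng.choices(self.scores, weights=weights, k=1)[0]
        chosen.draws += 1
        return chosen

    def report(self, fn: FunctionScore, new_edges: int) -> None:
        fn.new_edges_found += new_edges


def simulate_campaign(rounds: int = 300, seed: int = 0) -> dict:
    """Run a mock campaign and return how often each function was selected.

    The mock fuzzer (constructed for the example) finds one new edge on the
    first three draws of any function and nothing afterwards, so energy decays
    for every function but the LLM's prior still steers most of the budget.
    """
    scores = [
        FunctionScore("withdraw", complexity=0.9, vuln_likelihood=0.9),   # constructed
        FunctionScore("balanceOf", complexity=0.1, vuln_likelihood=0.1),  # constructed
        FunctionScore("setFee", complexity=0.4, vuln_likelihood=0.3),     # constructed
    ]
    scheduler = PowerScheduler(scores, seed=seed)
    for _ in range(rounds):
        fn = scheduler.pick()
        new_edges = 1 if fn.draws <= 3 else 0  # mock fuzzer feedback
        scheduler.report(fn, new_edges)
    return {s.name: s.draws for s in scores}


if __name__ == "__main__":
    print(simulate_campaign())
```

The decay term is what keeps the LLM from dominating the campaign: a function the model rated as risky still loses energy once the fuzzer stops finding new edges in it, so the schedule shifts budget toward regions that are still productive rather than trusting the prior indefinitely.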
Abstract
As blockchain platforms grow exponentially, millions of lines of smart contract code are being deployed to manage extensive digital assets. However, vulnerabilities in this mission-critical code have led to significant exploitations and asset losses. Thorough automated security analysis of smart contracts is thus imperative. This paper introduces LLM4Fuzz to optimize automated smart contract security analysis by leveraging large language models (LLMs) to intelligently guide and prioritize fuzzing campaigns. While traditional fuzzing suffers from low efficiency in exploring the vast state space, LLM4Fuzz employs LLMs to direct fuzzers towards high-value code regions and input sequences more likely to trigger vulnerabilities. Additionally, LLM4Fuzz can leverage LLMs to guide fuzzers based on user-defined invariants, reducing blind exploration overhead. Evaluations of LLM4Fuzz on real-world DeFi projects show substantial gains in efficiency, coverage, and vulnerability detection compared to baseline fuzzing. LLM4Fuzz also uncovered five critical vulnerabilities that can lead to a loss of more than $247k.
