LLM-BSCVM: An LLM-Based Blockchain Smart Contract Vulnerability Management Framework
Yanli Jin, Chunpei Li, Peng Fan, Peng Liu, Xianxian Li, Chen Liu, Wangjie Qiu
TL;DR
The paper introduces LLM-BSCVM, an end-to-end framework for smart contract vulnerability management built on a Decompose-Retrieve-Generate paradigm and multi-agent collaboration. It enables vulnerability detection, root-cause analysis, repair suggestion, risk assessment, patch verification, and audit reporting by leveraging retrieval-augmented generation with dual knowledge bases. Empirical results show detection accuracy and F1 scores above 91% with a reduced false positive rate (5.1%), alongside ablations confirming the value of static analysis and RAG. The work advances Web 3.0 security governance by delivering an automated, explainable vulnerability management pipeline and provides open-source tooling for future research and practice.
Abstract
Smart contracts are a key component of the Web 3.0 ecosystem, widely applied in blockchain services and decentralized applications. However, the automated execution feature of smart contracts makes them vulnerable to potential attacks due to inherent flaws, which can lead to severe security risks and financial losses, even threatening the integrity of the entire decentralized finance system. Currently, research on smart contract vulnerabilities has evolved from traditional program analysis methods to deep learning techniques, with the gradual introduction of Large Language Models. However, existing studies mainly focus on vulnerability detection, lacking systematic cause analysis and Vulnerability Repair. To address this gap, we propose LLM-BSCVM, a Large Language Model-based smart contract vulnerability management framework, designed to provide end-to-end vulnerability detection, analysis, repair, and evaluation capabilities for Web 3.0 ecosystem. LLM-BSCVM combines retrieval-augmented generation technology and multi-agent collaboration, introducing a three-stage method of Decompose-Retrieve-Generate. This approach enables smart contract vulnerability management through the collaborative efforts of six intelligent agents, specifically: vulnerability detection, cause analysis, repair suggestion generation, risk assessment, vulnerability repair, and patch evaluation. Experimental results demonstrate that LLM-BSCVM achieves a vulnerability detection accuracy and F1 score exceeding 91\% on benchmark datasets, comparable to the performance of state-of-the-art (SOTA) methods, while reducing the false positive rate from 7.2\% in SOTA methods to 5.1\%, thus enhancing the reliability of vulnerability management. Furthermore, LLM-BSCVM supports continuous security monitoring and governance of smart contracts through a knowledge base hot-swapping dynamic update mechanism.