Multi-Agent Collaborative Fuzzing with Continuous Reflection for Smart Contracts Vulnerability Detection

TL;DR

SmartFuzz tackles the challenge of discovering complex, stateful vulnerabilities in smart contracts by moving beyond code-coverage driven fuzzing. It introduces a Continuous Reflection Process ($CRP$) that allows an LLM-driven, multi-agent team to iteratively refine complete transaction sequences using real-time environment feedback, and a Reactive Collaborative Chain ($RCC$) that organizes sub-tasks and dependency-aware refinements. The system leverages a specialized multi-agent team and a collaboration policy ($\pi^{cr}$) to generate and adjust vulnerable sequences, with vulnerability detection driven by eight test oracles and runtime signals from the EVM. Experimental results on real contracts and DApps show SmartFuzz detects up to 74.7% more true vulnerabilities within 30 minutes and reduces false negatives by up to 80% compared to baselines, demonstrating practical impact for security auditing and deployment readiness. The work provides a scalable, feedback-driven framework for vulnerability-focused fuzzing in stateful blockchain contracts with explicit handling of cross-contract interactions.

Abstract

Fuzzing is a widely used technique for detecting vulnerabilities in smart contracts, which generates transaction sequences to explore the execution paths of smart contracts. However, existing fuzzers are falling short in detecting sophisticated vulnerabilities that require specific attack transaction sequences with proper inputs to trigger, as they (i) prioritize code coverage over vulnerability discovery, wasting considerable effort on non-vulnerable code regions, and (ii) lack semantic understanding of stateful contracts, generating numerous invalid transaction sequences that cannot pass runtime execution. In this paper, we propose SmartFuzz, a novel collaborative reflective fuzzer for smart contract vulnerability detection. It employs large language model-driven agents as the fuzzing engine and continuously improves itself by learning and reflecting through interactions with the environment. Specifically, we first propose a new Continuous Reflection Process (CRP) for fuzzing smart contracts, which reforms the transaction sequence generation as a self-evolving process through continuous reflection on feedback from the runtime environment. Then, we present the Reactive Collaborative Chain (RCC) to orchestrate the fuzzing process into multiple sub-tasks based on the dependencies of transaction sequences. Furthermore, we design a multi-agent collaborative team, where each expert agent is guided by the RCC to jointly generate and refine transaction sequences from both global and local perspectives. We conduct extensive experiments to evaluate SmartFuzz's performance on real-world contracts and DApp projects. The results demonstrate that SmartFuzz outperforms existing state-of-the-art tools: (i) it detects 5.8\%-74.7\% more vulnerabilities within 30 minutes, and (ii) it reduces false negatives by up to 80\%.

Figures (6)

• Figure 1: An Overview of SmartFuzz, which generates vulnerable (attack) transaction sequences that trigger the vulnerabilities. It continuously reflects and revises the generated sequences with external feedback during fuzzing process.
• Figure 2: A Crowdsale contract (simplified version) containing vulnerability that allows attacker to steal funds.
• Figure 3: An workflow of SmartFuzz. It decomposes smart contract fuzzing into four phases, each further divided into specific subtasks via a collaborative chain. The designed multi-agent team operates under a collaborative reflective policy (instantiated by CRP) to generate transaction sequences that trigger underlying vulnerabilities.
• Figure 4: True vulnerabilities being found versus time (second) by different tools in D1.
• Figure 5: Ablation results on the importance of the continuous reflection process. To remove this process, we set the $max\_reflection\_round$ to 0. For the rest of the reflection rounds, we set the $max\_reflection\_round$ to 10.