No More Hidden Pitfalls? Exposing Smart Contract Bad Practices with LLM-Powered Hybrid Analysis

Xiaoqi Li, Zongwei Li, Wenkai Li, Yuqing Zhang, Xin Wang

TL;DR

This work addresses the prevalence of bad practices in smart contracts by introducing SCALM, an LLM-powered hybrid auditing framework that combines context-aware function-level slicing, vectorized pattern matching, and multi-layer reasoning (syntax, design patterns, architecture) with Retrieval-Augmented Generation. It builds an extensible knowledge base of bad-practice patterns and produces structured audit reports mapping findings to SWC IDs and remediation guidance. Through extensive experiments on multiple datasets and LLMs, SCALM demonstrates superior detection performance over traditional tools and other LLM-based methods, with ablations confirming the value of RAG and multi-layer reasoning. The approach offers a scalable, automated pathway for developers to identify and remediate both security-related and quality-related issues in smart contracts.

Abstract

As the Ethereum platform continues to mature and gain widespread usage, it is crucial to maintain high standards of smart contract writing practices. While bad practices in smart contracts may not directly lead to security issues, they elevate the risk of encountering problems. Therefore, to understand and avoid these bad practices, this paper introduces the first systematic study of bad practices in smart contracts, delving into over 47 specific issues. Specifically, we propose SCALM, an LLM-powered framework featuring two methodological innovations: (1) a hybrid architecture that combines context-aware function-level slicing with knowledge-enhanced semantic reasoning via extensible vectorized pattern matching; (2) a multi-layer reasoning verification system that connects low-level code patterns with high-level security principles through syntax, design-pattern, and architecture analysis. Our extensive experiments using multiple LLMs and datasets show that SCALM outperforms existing tools in detecting bad practices in smart contracts.

Paper Structure

This paper contains 20 sections, 6 equations, 5 figures, 6 tables, and 1 algorithm.

Figures (5)

  • Figure 1: Illustration of the RAG framework. The system processes user queries through an embedding model, retrieves relevant document chunks from a vector database, and combines the retrieved knowledge with the original query to generate contextually-enhanced responses via LLM.
  • Figure 2: SWC-112: Delegatecall to Untrusted Callee vulnerability example. The vulnerable Proxy contract allows arbitrary delegatecall execution, while Proxy_fixed implements access control and trusted callee validation to mitigate the security risk.
  • Figure 3: Overall Architecture of SCALM. The framework comprises context-aware function-level slicing, contract vectorization, RAG-based retrieval, multi-layered reasoning verification (syntax, design patterns, and architecture), and automated report generation with structured JSON output.
  • Figure 4: Function-Level Context Slicing and Vectorization Pipeline. Illustration of our workflow using the TestToken contract as an example. The process begins by extracting a target function (transfer) and analyzing its dependencies (e.g., its call to _logTransfer). A context-enriched slice is then assembled, incorporating the main function, its dependencies, and relevant contract-level definitions (state variables, events). Finally, this slice is vectorized and stored in a database with structured metadata for retrieval.
  • Figure 5: The prompt template used by roles. The system prompt defines a multi-layer reasoning framework with step-back prompting. Each layer (Syntax, Design Pattern, and Architecture) has specialized abstractions to guide LLM analysis from code-level vulnerabilities to system-level architectural risks, ensuring comprehensive security auditing.
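The slicing step that Figure 4 describes (take a target function, pull in the internal functions it calls, then attach only the state variables and events those functions touch, and store the result with metadata for retrieval) can be sketched in a few dozen lines. The block below is an added illustration written for this page; it is not SCALM's code, and the `TestToken` source, the regex-and-brace-matching parser, and the record layout are constructed assumptions. The embedding step that follows slicing in the paper is not reproduced here.

```python
"""Context-aware function-level slicing of a Solidity contract.

Added example following the Figure 4 pipeline; not SCALM's own
implementation. Parsing is a deliberately small heuristic (brace matching
plus regexes) that assumes no braces or the word "function" inside string
literals; a production slicer would work from a real Solidity AST.
"""
import re
from dataclasses import dataclass, asdict

# Constructed sample input. Names (TestToken, transfer, _logTransfer) follow
# Figure 4; the contract body itself is assumed for this example.
TEST_TOKEN_SRC = """\
pragma solidity ^0.8.0;

contract TestToken {
    string public name = "TestToken";
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;
    address public owner;

    event Transfer(address indexed from, address indexed to, uint256 value);
    event Minted(address indexed to, uint256 value);

    function transfer(address to, uint256 value) public returns (bool) {
        require(balanceOf[msg.sender] >= value, "insufficient");
        balanceOf[msg.sender] -= value;
        balanceOf[to] += value;
        _logTransfer(msg.sender, to, value);
        return true;
    }

    function mint(address to, uint256 value) public {
        require(msg.sender == owner, "not owner");
        totalSupply += value;
        balanceOf[to] += value;
        emit Minted(to, value);
    }

    function _logTransfer(address from, address to, uint256 value) internal {
        emit Transfer(from, to, value);
    }
}
"""

FUNC_HEADER = re.compile(r"\bfunction\s+(\w+)\s*\(")


@dataclass
class Slice:
    contract: str
    function: str
    dependencies: list      # internal callees, transitively
    state_variables: list   # only those the slice actually references
    events: list            # only those the slice actually emits
    text: str               # the context-enriched slice handed to the LLM


def extract_functions(src):
    """Map function name -> full source text, found by brace matching."""
    funcs = {}
    for m in FUNC_HEADER.finditer(src):
        i = src.index("{", m.end())
        depth = 0
        while i < len(src):
            depth += {"{": 1, "}": -1}.get(src[i], 0)
            if depth == 0:
                break
            i += 1
        funcs[m.group(1)] = src[m.start():i + 1]
    return funcs


def contract_level_declarations(src, funcs):
    """Return (state_vars, events) as (name, declaration-line) pairs."""
    body = src
    for text in funcs.values():           # drop function bodies first
        body = body.replace(text, "")
    state_vars, events = [], []
    for line in (ln.strip() for ln in body.splitlines()):
        if not line.endswith(";") or line.startswith(("pragma", "import", "using")):
            continue
        ev = re.match(r"event\s+(\w+)", line)
        if ev:
            events.append((ev.group(1), line))
            continue
        # variable name is the identifier right before ';' or a plain '='
        # (the negative lookahead keeps '=>' in mapping types from matching)
        nm = re.search(r"\b(\w+)\s*(?:=(?!>)[^;]*)?;", line)
        if nm:
            state_vars.append((nm.group(1), line))
    return state_vars, events


def slice_function(src, target):
    """Build the context-enriched slice for `target` (Figure 4 pipeline)."""
    funcs = extract_functions(src)
    if target not in funcs:
        raise KeyError(f"no function named {target}")
    order, queue = [target], [target]
    while queue:                          # transitive internal call closure
        for callee in re.findall(r"\b(\w+)\s*\(", funcs[queue.pop(0)]):
            if callee in funcs and callee not in order:
                order.append(callee)
                queue.append(callee)
    included = "\n".join(funcs[n] for n in order)
    state_vars, events = contract_level_declarations(src, funcs)
    used_vars = [(n, d) for n, d in state_vars if re.search(rf"\b{n}\b", included)]
    emitted = set(re.findall(r"\bemit\s+(\w+)", included))
    used_events = [(n, d) for n, d in events if n in emitted]
    contract = re.search(r"\bcontract\s+(\w+)", src).group(1)
    lines = [f"contract {contract} {{"]
    lines += [f"    {d}" for _, d in used_vars + used_events]
    lines += [""] + [f"    {funcs[n]}" for n in order] + ["}"]
    return Slice(contract, target, order[1:], [n for n, _ in used_vars],
                 [n for n, _ in used_events], "\n".join(lines))


def retrieval_record(s):
    """Structured metadata stored beside the vector (embedding step omitted)."""
    return {"id": f"{s.contract}.{s.function}", **asdict(s)}


if __name__ == "__main__":
    print(slice_function(TEST_TOKEN_SRC, "transfer").text)
```

Running it on `transfer` yields a slice containing `transfer`, `_logTransfer`, the `balanceOf` mapping and the `Transfer` event, while `mint`, `owner`, `totalSupply` and `Minted` are left out: that pruning is what keeps the LLM's context focused on the code paths that matter for the function under audit.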