Table of Contents
Fetching ...

Towards Compositional Generalization in LLMs for Smart Contract Security: A Case Study on Reentrancy Vulnerabilities

Ying Zhou, Jiacheng Wei, Yu Qi, Faguo Wu, Xiao Zhang

TL;DR

The paper addresses the challenge of limited compositional generalization for LLMs in smart contract vulnerability detection and introduces a post-training algorithm based on atomic task decomposition into four factors (External call E, State update S, Dependency D, Ordering O) and a compositional fusion framework (ComFuse). It formulates end-to-end differentiable scoring via f(P) = log(sum_{i,j} exp(A_{ij}(P))) with A_{ij}(P) = phi_E(P)[i] phi_S(P)[j] phi_D(P)[i,j] tilde_phi_O(P)[i,j], where tilde_phi_O(P)[i,j] = 1 / (1 + exp(alpha * phi_O(P)[i,j])); gating weights omega_k(P) and fused representation h(P) enable a trainable yet interpretable integration of factor cues, guided by a Jacobian-alignment loss. The authors build three compiler-verified synthetic datasets (~2.5k samples per factor) plus 31 real contracts, using Slither to extract CFG/DFG information and fine-tune LoRA adapters; on reentrancy detection they reach up to 98.2% accuracy and 87.1% recall on real contracts, outperforming traditional static analyzers by about 20%. Overall, the work demonstrates that compositional fusion of atomic-task adapters can robustly generalize under limited data, offering a practical pathway to extend LLM-based reasoning to additional vulnerability types in smart contracts.

Abstract

Large language models (LLMs) demonstrate remarkable capabilities in natural language understanding and generation. Despite being trained on large-scale, high-quality data, LLMs still fail to outperform traditional static analysis tools in specialized domains like smart contract vulnerability detection. To address this issue, this paper proposes a post-training algorithm based on atomic task decomposition and fusion. This algorithm aims to achieve combinatorial generalization under limited data by decomposing complex reasoning tasks. Specifically, we decompose the reentrancy vulnerability detection task into four linearly independent atomic tasks: identifying external calls, identifying state updates, identifying data dependencies between external calls and state updates, and determining their data flow order. These tasks form the core components of our approach. By training on synthetic datasets, we generate three compiler-verified datasets. We then employ the Slither tool to extract structural information from the control flow graph and data flow graph, which is used to fine-tune the LLM's adapter. Experimental results demonstrate that low-rank normalization fusion with the LoRA adapter improves the LLM's reentrancy vulnerability detection accuracy to 98.2%, surpassing state-of-the-art methods. On 31 real-world contracts, the algorithm achieves a 20% higher recall than traditional analysis tools.

Towards Compositional Generalization in LLMs for Smart Contract Security: A Case Study on Reentrancy Vulnerabilities

TL;DR

The paper addresses the challenge of limited compositional generalization for LLMs in smart contract vulnerability detection and introduces a post-training algorithm based on atomic task decomposition into four factors (External call E, State update S, Dependency D, Ordering O) and a compositional fusion framework (ComFuse). It formulates end-to-end differentiable scoring via f(P) = log(sum_{i,j} exp(A_{ij}(P))) with A_{ij}(P) = phi_E(P)[i] phi_S(P)[j] phi_D(P)[i,j] tilde_phi_O(P)[i,j], where tilde_phi_O(P)[i,j] = 1 / (1 + exp(alpha * phi_O(P)[i,j])); gating weights omega_k(P) and fused representation h(P) enable a trainable yet interpretable integration of factor cues, guided by a Jacobian-alignment loss. The authors build three compiler-verified synthetic datasets (~2.5k samples per factor) plus 31 real contracts, using Slither to extract CFG/DFG information and fine-tune LoRA adapters; on reentrancy detection they reach up to 98.2% accuracy and 87.1% recall on real contracts, outperforming traditional static analyzers by about 20%. Overall, the work demonstrates that compositional fusion of atomic-task adapters can robustly generalize under limited data, offering a practical pathway to extend LLM-based reasoning to additional vulnerability types in smart contracts.

Abstract

Large language models (LLMs) demonstrate remarkable capabilities in natural language understanding and generation. Despite being trained on large-scale, high-quality data, LLMs still fail to outperform traditional static analysis tools in specialized domains like smart contract vulnerability detection. To address this issue, this paper proposes a post-training algorithm based on atomic task decomposition and fusion. This algorithm aims to achieve combinatorial generalization under limited data by decomposing complex reasoning tasks. Specifically, we decompose the reentrancy vulnerability detection task into four linearly independent atomic tasks: identifying external calls, identifying state updates, identifying data dependencies between external calls and state updates, and determining their data flow order. These tasks form the core components of our approach. By training on synthetic datasets, we generate three compiler-verified datasets. We then employ the Slither tool to extract structural information from the control flow graph and data flow graph, which is used to fine-tune the LLM's adapter. Experimental results demonstrate that low-rank normalization fusion with the LoRA adapter improves the LLM's reentrancy vulnerability detection accuracy to 98.2%, surpassing state-of-the-art methods. On 31 real-world contracts, the algorithm achieves a 20% higher recall than traditional analysis tools.
Paper Structure (22 sections, 5 theorems, 39 equations, 4 figures, 6 tables, 1 algorithm)

This paper contains 22 sections, 5 theorems, 39 equations, 4 figures, 6 tables, 1 algorithm.

Key Result

theorem 1

Under the modeling design of Eq. soft, the smoothness condition is guaranteed.

Figures (4)

  • Figure 1: Comparison of a typical reentrancy pattern (top) and our dataset-constructed example (bottom).
  • Figure 2: Overall framework of CompFuse.
  • Figure 3: Pipeline of External-Call Synthetic Data Construction. (1) Interfaces are collected from OpenZeppelin and annotated with categories and risks. (2) Statements are generated under validity constraints to ensure correctness, with diversity enhancing structural and parametric coverage. (3) Statements are generated by rule into minimal compilable contracts. (4) Slither performs compilation checks and extracts CFG. (5) Data are assembled as instruction–answer templates for training.
  • Figure 4: Full-Rankness Verification.

Theorems & Definitions (17)

  • Definition 2.1: External-call factor.
  • Definition 2.2: State-update factor.
  • Definition 2.3: Dependency factor.
  • Definition 2.4: Ordering factor.
  • Definition 3.1: Smoothness
  • Definition 3.2: Compositionality
  • Definition 3.3: Full-rankness
  • Definition 3.4: Consistency
  • theorem 1: Smoothness Satisfaction
  • theorem 2: Compositionality by Design
  • ...and 7 more