LogicScan: An LLM-driven Framework for Detecting Business Logic Vulnerabilities in Smart Contracts
Jiaqi Gao, Zijian Zhang, Yuqiang Sun, Ye Liu, Chengwei Liu, Han Liu, Yi Li, Yang Liu
TL;DR
LogicScan tackles business logic vulnerabilities in smart contracts by mining consensus-based invariants from a large corpus of on-chain contracts and auditing targets using contrastive reasoning. The framework introduces a Business Specification Language to normalize invariants and two modules: Logic Miner for invariant extraction and Logic Checker for retrieval and contrastive auditing, with noise-aware aggregation to suppress LLM hallucinations. Evaluations on DeFiHacks, Web3Bugs, and Top-200 contracts show an F1 of 85.2% and low false-positive rates, outperforming state-of-the-art tools across several datasets and LLM backends. The results demonstrate a scalable, model-agnostic approach that improves real-world smart contract auditing by leveraging cross-protocol semantic invariants.
Abstract
Business logic vulnerabilities have become one of the most damaging yet least understood classes of smart contract vulnerabilities. Unlike traditional bugs such as reentrancy or arithmetic errors, these vulnerabilities arise from missing or incorrectly enforced business invariants and are tightly coupled with protocol semantics. Existing static analysis techniques struggle to capture such high-level logic, while recent large language model based approaches often suffer from unstable outputs and low accuracy due to hallucination and limited verification. In this paper, we propose LogicScan, an automated contrastive auditing framework for detecting business logic vulnerabilities in smart contracts. The key insight behind LogicScan is that mature, widely deployed on-chain protocols implicitly encode well-tested and consensus-driven business invariants. LogicScan systematically mines these invariants from large-scale on-chain contracts and reuses them as reference constraints to audit target contracts. To achieve this, LogicScan introduces a Business Specification Language (BSL) to normalize diverse implementation patterns into structured, verifiable logic representations. It further combines noise-aware logic aggregation with contrastive auditing to identify missing or weakly enforced invariants while mitigating LLM-induced false positives. We evaluate LogicScan on three real-world datasets, including DeFiHacks, Web3Bugs, and a set of top-200 audited contracts. The results show that LogicScan achieves an F1 score of 85.2%, significantly outperforming state-of-the-art tools while maintaining a low false-positive rate on production-grade contracts. Additional experiments demonstrate that LogicScan maintains consistent performance across different LLMs and is cost-effective, and that its false-positive suppression mechanisms substantially improve robustness.
