MANDO-GURU: vulnerability detection for smart contract source code by heterogeneous graph embeddings

Publication: Contribution to book/report/anthology/conference proceedings › Conference paper › Research › Peer-reviewed

Authors

  • Hoang H. Nguyen
  • Nhat Minh Nguyen
  • Hong Phuc Doan
  • Zahra Ahmadi
  • Thanh Nam Doan
  • Lingxiao Jiang

Organisational units

External organisations

  • Singapore Management University
  • Hanoi University of Technology

Details

Original language: English
Title of host publication: ESEC/FSE 2022
Subtitle: Proceedings of the 30th ACM Joint Meeting European Software Engineering Conference and Symposium on the Foundations of Software Engineering
Editors: Abhik Roychoudhury, Cristian Cadar, Miryung Kim
Pages: 1736-1740
Number of pages: 5
ISBN (electronic): 9781450394130
Publication status: Published - 9 Nov 2022
Event: 30th ACM Joint Meeting European Software Engineering Conference and Symposium on the Foundations of Software Engineering, ESEC/FSE 2022 - Singapore, Singapore
Duration: 14 Nov 2022 - 18 Nov 2022

Abstract

Smart contracts are increasingly used with blockchain systems for high-value applications. It is highly desirable to ensure the quality of smart contract source code before the contracts are deployed. This paper proposes a new deep learning-based tool, MANDO-GURU, that aims to accurately detect vulnerabilities in smart contracts at both the coarse-grained contract level and the fine-grained line level. Using a combination of control-flow graphs and call graphs of Solidity code, we design new heterogeneous graph attention neural networks to encode more structural and potentially semantic relations among the different types of nodes and edges of such graphs, and we use the encoded embeddings of the graphs and nodes to detect vulnerabilities. Our validation on real-world smart contract datasets shows that MANDO-GURU can significantly improve on many other vulnerability detection techniques by up to 24% in terms of the F1-score at the contract level, depending on the vulnerability type. It is the first learning-based tool for Ethereum smart contracts that identifies vulnerabilities at the line level, and it significantly improves on traditional code analysis-based techniques by up to 63.4%. Our tool is publicly available at https://github.com/MANDO-Project/ge-sc-machine. A test version is currently deployed at http://mandoguru.com, and a demo video of our tool is available at http://mandoguru.com/demo-video.

ASJC Scopus subject areas

Cite

MANDO-GURU: vulnerability detection for smart contract source code by heterogeneous graph embeddings. / Nguyen, Hoang H.; Nguyen, Nhat Minh; Doan, Hong Phuc et al.
ESEC/FSE 2022 : Proceedings of the 30th ACM Joint Meeting European Software Engineering Conference and Symposium on the Foundations of Software Engineering. Eds. / Abhik Roychoudhury; Cristian Cadar; Miryung Kim. 2022. pp. 1736-1740.

Nguyen, HH, Nguyen, NM, Doan, HP, Ahmadi, Z, Doan, TN & Jiang, L 2022, MANDO-GURU: vulnerability detection for smart contract source code by heterogeneous graph embeddings. in A Roychoudhury, C Cadar & M Kim (Eds.), ESEC/FSE 2022 : Proceedings of the 30th ACM Joint Meeting European Software Engineering Conference and Symposium on the Foundations of Software Engineering. pp. 1736-1740, 30th ACM Joint Meeting European Software Engineering Conference and Symposium on the Foundations of Software Engineering, ESEC/FSE 2022, Singapore, Singapore, 14 Nov 2022. https://doi.org/10.1145/3540250.3558927
Nguyen, H. H., Nguyen, N. M., Doan, H. P., Ahmadi, Z., Doan, T. N., & Jiang, L. (2022). MANDO-GURU: vulnerability detection for smart contract source code by heterogeneous graph embeddings. In A. Roychoudhury, C. Cadar, & M. Kim (Eds.), ESEC/FSE 2022 : Proceedings of the 30th ACM Joint Meeting European Software Engineering Conference and Symposium on the Foundations of Software Engineering (pp. 1736-1740). https://doi.org/10.1145/3540250.3558927
Nguyen HH, Nguyen NM, Doan HP, Ahmadi Z, Doan TN, Jiang L. MANDO-GURU: vulnerability detection for smart contract source code by heterogeneous graph embeddings. In: Roychoudhury A, Cadar C, Kim M, eds., ESEC/FSE 2022 : Proceedings of the 30th ACM Joint Meeting European Software Engineering Conference and Symposium on the Foundations of Software Engineering. 2022. pp. 1736-1740. doi: 10.1145/3540250.3558927
Nguyen, Hoang H. ; Nguyen, Nhat Minh ; Doan, Hong Phuc et al. / MANDO-GURU : vulnerability detection for smart contract source code by heterogeneous graph embeddings. ESEC/FSE 2022 : Proceedings of the 30th ACM Joint Meeting European Software Engineering Conference and Symposium on the Foundations of Software Engineering. Eds. / Abhik Roychoudhury ; Cristian Cadar ; Miryung Kim. 2022. pp. 1736-1740
@inproceedings{26edb6efa34749f287f1139612c8e8c7,
title = "MANDO-GURU: vulnerability detection for smart contract source code by heterogeneous graph embeddings",
abstract = "Smart contracts are increasingly used with blockchain systems for high-value applications. It is highly desired to ensure the quality of smart contract source code before they are deployed. This paper proposes a new deep learning-based tool, MANDO-GURU, that aims to accurately detect vulnerabilities in smart contracts at both coarse-grained contract-level and fine-grained line-level. Using a combination of control-flow graphs and call graphs of Solidity code, we design new heterogeneous graph attention neural networks to encode more structural and potentially semantic relations among different types of nodes and edges of such graphs and use the encoded embeddings of the graphs and nodes to detect vulnerabilities. Our validation of real-world smart contract datasets shows that MANDO-GURU can significantly improve many other vulnerability detection techniques by up to 24% in terms of the F1-score at the contract level, depending on vulnerability types. It is the first learning-based tool for Ethereum smart contracts that identify vulnerabilities at the line level and significantly improves the traditional code analysis-based techniques by up to 63.4%. Our tool is publicly available at https://github.com/MANDO-Project/ge-sc-machine. A test version is currently deployed at http://mandoguru.com, and a demo video of our tool is available at http://mandoguru.com/demo-video.",
keywords = "Ethereum blockchain, graph neural networks, heterogeneous graphs, smart contracts, vulnerability detection",
author = "Nguyen, {Hoang H.} and Nguyen, {Nhat Minh} and Doan, {Hong Phuc} and Zahra Ahmadi and Doan, {Thanh Nam} and Lingxiao Jiang",
note = "Funding Information: Acknowledgments. This work was supported by the European Union{\textquoteright}s Horizon 2020 research and innovation program under grant agreement No. 833635 (project ROXANNE: Real-time network, text, and speaker analytics for combating organized crime, 2019-2022) and by the Singapore Ministry of Education (MOE) Academic Research Fund (AcRF) Tier 1 grant.; 30th ACM Joint Meeting European Software Engineering Conference and Symposium on the Foundations of Software Engineering, ESEC/FSE 2022 ; Conference date: 14-11-2022 Through 18-11-2022",
year = "2022",
month = nov,
day = "9",
doi = "10.1145/3540250.3558927",
language = "English",
pages = "1736--1740",
editor = "Abhik Roychoudhury and Cristian Cadar and Miryung Kim",
booktitle = "ESEC/FSE 2022",

}


TY - GEN

T1 - MANDO-GURU

T2 - 30th ACM Joint Meeting European Software Engineering Conference and Symposium on the Foundations of Software Engineering, ESEC/FSE 2022

AU - Nguyen, Hoang H.

AU - Nguyen, Nhat Minh

AU - Doan, Hong Phuc

AU - Ahmadi, Zahra

AU - Doan, Thanh Nam

AU - Jiang, Lingxiao

N1 - Funding Information: Acknowledgments. This work was supported by the European Union’s Horizon 2020 research and innovation program under grant agreement No. 833635 (project ROXANNE: Real-time network, text, and speaker analytics for combating organized crime, 2019-2022) and by the Singapore Ministry of Education (MOE) Academic Research Fund (AcRF) Tier 1 grant.

PY - 2022/11/9

Y1 - 2022/11/9

N2 - Smart contracts are increasingly used with blockchain systems for high-value applications. It is highly desired to ensure the quality of smart contract source code before they are deployed. This paper proposes a new deep learning-based tool, MANDO-GURU, that aims to accurately detect vulnerabilities in smart contracts at both coarse-grained contract-level and fine-grained line-level. Using a combination of control-flow graphs and call graphs of Solidity code, we design new heterogeneous graph attention neural networks to encode more structural and potentially semantic relations among different types of nodes and edges of such graphs and use the encoded embeddings of the graphs and nodes to detect vulnerabilities. Our validation of real-world smart contract datasets shows that MANDO-GURU can significantly improve many other vulnerability detection techniques by up to 24% in terms of the F1-score at the contract level, depending on vulnerability types. It is the first learning-based tool for Ethereum smart contracts that identify vulnerabilities at the line level and significantly improves the traditional code analysis-based techniques by up to 63.4%. Our tool is publicly available at https://github.com/MANDO-Project/ge-sc-machine. A test version is currently deployed at http://mandoguru.com, and a demo video of our tool is available at http://mandoguru.com/demo-video.

AB - Smart contracts are increasingly used with blockchain systems for high-value applications. It is highly desired to ensure the quality of smart contract source code before they are deployed. This paper proposes a new deep learning-based tool, MANDO-GURU, that aims to accurately detect vulnerabilities in smart contracts at both coarse-grained contract-level and fine-grained line-level. Using a combination of control-flow graphs and call graphs of Solidity code, we design new heterogeneous graph attention neural networks to encode more structural and potentially semantic relations among different types of nodes and edges of such graphs and use the encoded embeddings of the graphs and nodes to detect vulnerabilities. Our validation of real-world smart contract datasets shows that MANDO-GURU can significantly improve many other vulnerability detection techniques by up to 24% in terms of the F1-score at the contract level, depending on vulnerability types. It is the first learning-based tool for Ethereum smart contracts that identify vulnerabilities at the line level and significantly improves the traditional code analysis-based techniques by up to 63.4%. Our tool is publicly available at https://github.com/MANDO-Project/ge-sc-machine. A test version is currently deployed at http://mandoguru.com, and a demo video of our tool is available at http://mandoguru.com/demo-video.

KW - Ethereum blockchain

KW - graph neural networks

KW - heterogeneous graphs

KW - smart contracts

KW - vulnerability detection

UR - http://www.scopus.com/inward/record.url?scp=85143053694&partnerID=8YFLogxK

U2 - 10.1145/3540250.3558927

DO - 10.1145/3540250.3558927

M3 - Conference contribution

AN - SCOPUS:85143053694

SP - 1736

EP - 1740

BT - ESEC/FSE 2022

A2 - Roychoudhury, Abhik

A2 - Cadar, Cristian

A2 - Kim, Miryung

Y2 - 14 November 2022 through 18 November 2022

ER -