GPTScan

Unleash the Power of GPT for Precise Smart Contract Vulnerability Detection

GPTScan is a groundbreaking solution that combines the power of GPT (Generative Pre-trained Transformer) with static analysis to detect logic vulnerabilities in smart contracts. Unlike traditional approaches that rely solely on GPT for vulnerability identification, GPTScan uses GPT as a versatile code understanding tool. It breaks each logic vulnerability type down into scenarios and properties, then uses GPT to match candidate vulnerabilities against them. To ensure precision, GPTScan gives GPT explicit instructions for recognizing key variables and statements, which are then validated through static confirmation.

In an extensive evaluation on diverse datasets comprising approximately 400 contract projects and 3,000 Solidity files, GPTScan has demonstrated remarkable performance. It achieves a high precision of over 90% for token contracts and an acceptable precision of 57.14% for larger projects such as Web3Bugs. With an impressive recall of over 80%, GPTScan effectively detects ground-truth logic vulnerabilities, and it also found 9 new vulnerabilities that went unnoticed by human auditors.

Apart from its accuracy, GPTScan is fast and cost-effective, requiring an average of only 14.39 seconds and 0.01 USD per thousand lines of Solidity code scanned. The integration of static confirmation reduces false positives by two-thirds, enhancing the overall efficiency of vulnerability detection.
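The static-confirmation idea described above can be sketched as follows. This is an added illustration, not GPTScan's own code: it accepts a model-reported candidate only if the named variables exist in the function and the named statements occur in the claimed order. The Solidity sample, the claim format, and the function names are assumptions, and the text-level matching stands in for real static analysis.

```python
import re

# Constructed Solidity sample (not from GPTScan's datasets): the transfer
# happens before the balance check, the kind of ordering flaw a model may flag.
SAMPLE_FUNCTION = """
function withdraw(uint256 amount) external {
    uint256 shares = balanceOf[msg.sender];
    token.transfer(msg.sender, amount);
    require(shares >= amount, "insufficient");
    balanceOf[msg.sender] = shares - amount;
}
"""
# Constructed model answers in a hypothetical claim format.
TRANSFER = "token.transfer(msg.sender, amount)"
CHECK = "require(shares >= amount"
CLAIMS = {
    "real": {"variables": ["shares", "amount"], "first": TRANSFER, "then": CHECK},
    "hallucinated": {"variables": ["userBalance"], "first": TRANSFER, "then": CHECK},
    "wrong_order": {"variables": ["shares"], "first": CHECK, "then": TRANSFER},
}

def _norm(text):
    return re.sub(r"\s+", "", text)

def statement_index(source, stmt):
    """Position of the first ';'-terminated statement containing stmt, else -1."""
    target = _norm(stmt).rstrip(";")
    for i, chunk in enumerate(source.split(";")):
        if target and target in _norm(chunk):
            return i
    return -1

def confirm(source, claim):
    """Keep a model-reported candidate only if the source itself supports it."""
    known = set(re.findall(r"[A-Za-z_]\w*", source))
    missing = [v for v in claim["variables"] if v not in known]
    if missing:
        return False, "unknown variables: " + ", ".join(missing)
    a = statement_index(source, claim["first"])
    b = statement_index(source, claim["then"])
    if a < 0 or b < 0:
        return False, "statement not found in function"
    if a >= b:
        return False, "claimed order does not hold"
    return True, "confirmed"

if __name__ == "__main__":
    print({name: confirm(SAMPLE_FUNCTION, c) for name, c in CLAIMS.items()})
```

Only the first claim survives; the other two are rejected without another model call, which is how a confirmation step of this kind removes false positives.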

GPTScan marks a significant advancement in smart contract security, providing developers and auditors with a comprehensive and reliable tool for identifying logic vulnerabilities. With its unique combination of GPT and static analysis, GPTScan sets a new standard in the field of smart contract security assessment.

Detailed paper about GPTScan: https://arxiv.org/abs/2308.03314
