1. Introduction

Financial losses from exploited smart contract vulnerabilities such as reentrancy have run into hundreds of millions of dollars, and rule-based static analysers, while fast, frequently miss novel or obfuscated variants of known vulnerability patterns that a learned graph representation may generalise to better.

2. Methodology

Solidity contract bytecode was converted to a control-flow graph representation with nodes encoding opcode-level features, and a three-layer graph convolutional network was trained on 9,300 contracts labelled by expert auditors for the presence of reentrancy, integer overflow, unchecked external calls and timestamp dependence vulnerabilities, benchmarked against the Slither static analyser on an identical held-out test split.

3. Results

The GCN model achieved an F1-score of 0.91 for reentrancy detection and 0.87 averaged across all four vulnerability classes, exceeding Slither F1-scores of 0.79 and 0.74 respectively on the same test contracts, with the largest relative improvement observed for vulnerability patterns involving multi-function call chains that rule-based analysis under-detected.

4. Conclusion

Graph-based deep learning on contract control-flow representations detects a meaningfully broader range of vulnerability instances than rule-based static analysis alone, suggesting value as a complementary audit tool rather than a replacement. Future work will explore combining both approaches in an ensemble audit pipeline.

References

[1] Feist J. et al., Slither: A static analysis framework for smart contracts, WETSEB, 2019. [2] Kipf T. N. and Welling M., Semi-supervised classification with graph convolutional networks, ICLR, 2017.