MANDO-GURU: vulnerability detection for smart contract source code by heterogeneous graph embeddings

Author

Huu Hoang NGUYEN, Singapore Management UniversityFollow
Nhat Minh NGUYEN, Singapore Management UniversityFollow
Hong-Phuc DOAN
Zahrai AHMADI
Thanh Nam DOAN, Singapore Management UniversityFollow
Lingxiao JIANG, Singapore Management UniversityFollow

Publication Type

Conference Proceeding Article

Version

publishedVersion

Publication Date

11-2022

Abstract

Smart contracts are increasingly used with blockchain systems for high-value applications. It is highly desired to ensure the quality of smart contract source code before they are deployed. This paper proposes a new deep learning-based tool, MANDO-GURU, that aims to accurately detect vulnerabilities in smart contracts at both coarse-grained contract-level and fine-grained line-level. Using a combination of control-flow graphs and call graphs of Solidity code, we design new heterogeneous graph attention neural networks to encode more structural and potentially semantic relations among different types of nodes and edges of such graphs and use the encoded embeddings of the graphs and nodes to detect vulnerabilities. Our validation of real-world smart contract datasets shows that MANDO-GURU can significantly improve many other vulnerability detection techniques by up to 24% in terms of the F1-score at the contract level, depending on vulnerability types. It is the first learningbased tool for Ethereum smart contracts that identify vulnerabilities at the line level and significantly improves the traditional code analysis-based techniques by up to 63.4%. Our tool is publicly available at https://github.com/MANDO-Project/ge-sc-machine. A test version is currently deployed at http://mandoguru.com, and a demo video of our tool is available at http://mandoguru.com/demo-video.

Keywords

Heterogeneous graphs, Graph neural networks, Vulnerability detection, Smart contracts, Ethereum blockchain

Discipline

Software Engineering

Research Areas

Software and Cyber-Physical Systems

Publication

Proceedings of the 30th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering, Singapore, 2022 November 14-18

First Page

1736

Last Page

1740

ISBN

9781450394130

Identifier

10.1145/3540250.3558927

Publisher

Association for Computing Machinery

City or Country

New York

Citation

NGUYEN, Huu Hoang; NGUYEN, Nhat Minh; DOAN, Hong-Phuc; AHMADI, Zahrai; DOAN, Thanh Nam; and JIANG, Lingxiao. MANDO-GURU: vulnerability detection for smart contract source code by heterogeneous graph embeddings. (2022). Proceedings of the 30th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering, Singapore, 2022 November 14-18. 1736-1740.
Available at: https://ink.library.smu.edu.sg/sis_research/7644

Creative Commons License

This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivative Works 4.0 International License.

Additional URL

https://doi.org/10.1145/3540250.3558927