SVScanner: Detecting smart contract vulnerabilities via deep semantic extraction

Blockchain is a significant advancement in technology recently, transforming the traditional centralized system into a decentralized one. Smart contracts, as one of the best applications of blockchain, show great potential in various fields, such as finance, supply chain, and the Internet of Things (IoT). As the world's first blockchain platform to support turing complete smart contracts, Ethereum has become the most critical infrastructure for the digital world. However, with the vigorous development of smart contracts, malicious attacks against smart contracts have frequently occurred in recent years. The issue of smart contract security has attracted widespread attention due to the huge financial losses caused by smart contract vulnerabilities. Although researchers have made some progress in detecting smart contract vulnerabilities through symbolic execution and fuzzing-based methods, existing methods mainly rely on expert knowledge and hand-crafted features, leading to many detection errors. Even worse, existing methods take tens of seconds or even minutes to detect each smart contract on average, which is extremely time-consuming. In this work, we present SVScanner, the new method combining two features of heterogeneous patterns to detect smart contract vulnerabilities in the blockchain. Specifically, we first extract global semantic features from the sequence of contract code tokens. Then we further use the attention mechanism to capture deep structural semantics from the Abstract Syntax Tree (AST) of smart contracts. Finally, we combine these two features from different patterns and use a text convolutional neural network (TextCNN) to detect contract bugs. Experimental results show that SVScanner has the ability to detect vulnerabilities effectively in real-world smart contract datasets. SVScanner achieves a 7.33% improvement in accuracy compared with other traditional methods. Moreover, our method requires significantly less detection time.