When smart contracts on blockchain systems are upgraded, the continuity of upgrades and subsequent maintenance must be considered. In practice, upgrade operations often introduce new vulnerabilities. Existing static analysis tools usually scan only a single version and therefore cannot capture the correlation between code changes and newly introduced risks. To address this, we propose an Upgradeable Smart Contract Security Analyzer, USCSA, which uses Abstract Syntax Tree (AST) difference analysis to assess the risks associated with the upgrade process and uses large language models (LLMs) for assisted reasoning to achieve high-confidence vulnerability attribution. We collected and analyzed 3,546 cases of vulnerabilities in upgradeable contracts, covering common vulnerability categories such as reentrancy, access control flaws, and integer overflow. On this dataset, USCSA achieves a precision of 92.26%, a recall of 89.67%, and an F1-score of 90.95% in detecting upgrade-induced vulnerabilities. USCSA therefore offers a clear advantage for improving the security and integrity of upgradeable smart contracts and provides a novel and efficient approach to security auditing of blockchain applications.
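To make the AST-difference idea concrete, the following is an added example, not USCSA's code and not from the paper: it compares two versions of a contract and reports risk that exists only because of the change, covering three of the categories the abstract names. The AST here is a hand-written, simplified stand-in for the shape of solc's JSON AST (declaration order, visibility, modifiers, an ordered statement list), and the `Vault` v1/v2 contracts are constructed for illustration.

```python
"""Added example (not USCSA): version-to-version AST diff of an upgradeable
contract. The AST schema below is a constructed simplification that mirrors a
subset of solc's compact JSON AST fields; the sample contracts are invented."""

from dataclasses import dataclass


# --- Simplified AST (constructed; mirrors a subset of solc's AST fields) ---

@dataclass
class Var:
    name: str
    type: str

@dataclass
class Func:
    name: str
    visibility: str      # "external" | "public" | "internal" | "private"
    modifiers: tuple     # e.g. ("onlyOwner",)
    body: tuple          # ordered (kind, target) statements; kind is
                         # "assign" (state write) or "call" (external call)

@dataclass
class Contract:
    name: str
    state_vars: tuple    # declaration order == storage slot order
    functions: tuple


# --- Diff analysis: each check only fires on what the upgrade changed ---

def diff_storage_layout(old, new):
    """Flag a new layout that is not a pure append of the old one.
    Behind a delegatecall proxy the new logic reads the proxy's existing
    storage, so reordering/removing/retyping an existing variable makes the
    new code read old slots as the wrong variable (storage collision)."""
    findings = []
    for i, ov in enumerate(old.state_vars):
        if i >= len(new.state_vars):
            findings.append(f"storage: slot {i} ({ov.name}) removed")
            continue
        nv = new.state_vars[i]
        if (nv.name, nv.type) != (ov.name, ov.type):
            findings.append(f"storage: slot {i} changed {ov.name}:{ov.type} "
                            f"-> {nv.name}:{nv.type}")
    return findings


def diff_access_control(old, new):
    """Flag externally reachable functions that lost a modifier in the upgrade."""
    old_funcs = {f.name: f for f in old.functions}
    findings = []
    for nf in new.functions:
        of = old_funcs.get(nf.name)
        if of is None or nf.visibility not in ("external", "public"):
            continue
        dropped = set(of.modifiers) - set(nf.modifiers)
        if dropped:
            findings.append(f"access: {nf.name} dropped modifier(s) {sorted(dropped)}")
    return findings


def _call_before_write(func):
    """True if an external call precedes a state write in the body
    (checks-effects-interactions violated): the classic reentrancy shape."""
    seen_call = False
    for kind, _ in func.body:
        if kind == "call":
            seen_call = True
        elif kind == "assign" and seen_call:
            return True
    return False


def diff_reentrancy(old, new):
    """Flag functions where the upgrade newly introduces call-before-write."""
    old_funcs = {f.name: f for f in old.functions}
    findings = []
    for nf in new.functions:
        of = old_funcs.get(nf.name)
        was_safe = of is None or not _call_before_write(of)
        if was_safe and _call_before_write(nf):
            findings.append(f"reentrancy: {nf.name} now makes an external call "
                            f"before updating state")
    return findings


def analyze_upgrade(old, new):
    """Run all version-to-version checks; returns a list of finding strings."""
    return (diff_storage_layout(old, new) + diff_access_control(old, new)
            + diff_reentrancy(old, new))


# --- Constructed sample: Vault v1 -> v2 ---

VAULT_V1 = Contract("Vault",
    state_vars=(Var("owner", "address"), Var("balances", "mapping(address=>uint256)")),
    functions=(
        Func("withdraw", "external", (), (("assign", "balances"), ("call", "msg.sender"))),
        Func("setOwner", "external", ("onlyOwner",), (("assign", "owner"),)),
    ))

VAULT_V2 = Contract("Vault",
    # 'paused' inserted before 'balances' shifts the mapping's slot
    state_vars=(Var("owner", "address"), Var("paused", "bool"),
                Var("balances", "mapping(address=>uint256)")),
    functions=(
        # refactor moved the transfer ahead of the balance update
        Func("withdraw", "external", (), (("call", "msg.sender"), ("assign", "balances"))),
        # the onlyOwner modifier was lost in the rewrite
        Func("setOwner", "external", (), (("assign", "owner"),)),
    ))

if __name__ == "__main__":
    for finding in analyze_upgrade(VAULT_V1, VAULT_V2):
        print(finding)
```

Each check is keyed on the pair (old, new) rather than on the new version alone, which is the point the abstract makes about single-version scanners: `withdraw` in v2 would be flagged by any reentrancy detector, but the storage-slot shift and the dropped `onlyOwner` are invisible unless the previous version is in hand.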