Cross-chain bridges, the critical infrastructure of the multi-chain ecosystem, have become a primary target for attackers, resulting in over $2.8 billion in losses due to subtle implementation flaws. Existing defenses, such as bytecode-level static analysis, are ill-equipped to handle the semantic complexity of cross-chain interactions, while LLM-based approaches, which can understand source code, struggle with hallucinatory reasoning over complex, multi-contract dependencies. In this paper, we propose GoAT-X, a framework that shifts automated cross-chain smart contract codebases auditing from heuristic pattern matching toward systematic first-principles verification. GoAT-X structures the audit process as a Graph of Auditing Thoughts, explicitly mirroring how human experts decompose, reason about, and validate security logic. By anchoring LLM reasoning in statically extracted data flows and explicitly linking abstract security properties to concrete code implementations, the framework constrains semantic reasoning within well-defined structural and state boundaries. Within this constrained space, GoAT-X treats missing constraints and adversarial bypass paths in cross-chain logic as first-class vulnerability targets and dynamically explores reasoning paths to identify exploitable semantic gaps. We evaluate GoAT-X on a comprehensive benchmark covering all known cross-chain token transaction attacks. GoAT-X achieves 92% recall on fine-grained audit points and 95% coverage of vulnerable projects, while identifying 117 confirmed risks in the wild with low operational cost, establishing a new standard for scalable, logic-driven cross-chain security.

翻译：跨链桥作为多链生态系统的关键基础设施，因其微妙的实现缺陷已导致超过28亿美元的损失，成为攻击者的主要目标。现有防御手段诸如字节码级静态分析难以应对跨链交互的语义复杂性，而能理解源代码的大语言模型方法则在处理复杂的多合约依赖关系时易产生幻觉推理。本文提出GoAT-X框架，将自动化跨链智能合约代码审计从启发式模式匹配转向系统性的第一性原理验证。GoAT-X将审计过程构建为审计思维图谱，明确模拟人类专家分解、推理与验证安全逻辑的认知过程。通过将大语言模型推理锚定于静态提取的数据流，并将抽象安全属性显式关联具体代码实现，该框架将语义推理约束在清晰定义的结构与状态边界内。在此约束空间中，GoAT-X将跨链逻辑中的缺失约束与对抗性旁路路径作为一级漏洞目标，动态探索推理路径以识别可利用的语义间隙。我们在覆盖所有已知跨链代币交易攻击的综合性基准上评估GoAT-X，其在细粒度审计点上达到92%召回率，对脆弱项目实现95覆盖率%，同时以低运营成本识别出117个真实环境中的已确认风险，为可扩展的、逻辑驱动的跨链安全树立了新标准。