Smart contracts are prone to various vulnerabilities, leading to substantial financial losses over time. Current analysis tools mainly target vulnerabilities with fixed control or data-flow patterns, such as re-entrancy and integer overflow. However, a recent study on Web3 security bugs revealed that about 80% of these bugs cannot be audited by existing tools due to the lack of domain-specific property description and checking. Given recent advances in Large Language Models (LLMs), it is worth exploring how Generative Pre-training Transformer (GPT) could aid in detecting logicc vulnerabilities. In this paper, we propose GPTScan, the first tool combining GPT with static analysis for smart contract logic vulnerability detection. Instead of relying solely on GPT to identify vulnerabilities, which can lead to high false positives and is limited by GPT's pre-trained knowledge, we utilize GPT as a versatile code understanding tool. By breaking down each logic vulnerability type into scenarios and properties, GPTScan matches candidate vulnerabilities with GPT. To enhance accuracy, GPTScan further instructs GPT to intelligently recognize key variables and statements, which are then validated by static confirmation. Evaluation on diverse datasets with around 400 contract projects and 3K Solidity files shows that GPTScan achieves high precision (over 90%) for token contracts and acceptable precision (57.14%) for large projects like Web3Bugs. It effectively detects ground-truth logic vulnerabilities with a recall of over 70%, including 9 new vulnerabilities missed by human auditors. GPTScan is fast and cost-effective, taking an average of 14.39 seconds and 0.01 USD to scan per thousand lines of Solidity code. Moreover, static confirmation helps GPTScan reduce two-thirds of false positives.

翻译：智能合约易受多种漏洞影响，长期以来已导致巨额财务损失。当前分析工具主要针对具有固定控制或数据流模式的漏洞（如重入攻击、整数溢出）进行检测。然而，近期对Web3安全漏洞的研究表明，约80%的漏洞因缺乏领域特定的属性描述与检查机制而无法被现有工具审计。鉴于大语言模型的近期进展，探索生成式预训练Transformer如何辅助逻辑漏洞检测具有重要价值。本文提出GPTScan，这是首个结合GPT与静态分析的智能合约逻辑漏洞检测工具。不同于完全依赖GPT识别漏洞（该方法会产生高误报率且受限于GPT预训练知识），我们利用GPT作为通用代码理解工具。通过将每种逻辑漏洞类型分解为场景与属性，GPTScan使GPT能够匹配候选漏洞。为提升准确性，GPTScan进一步指导GPT智能识别关键变量与语句，并通过静态确认进行验证。在包含约400个合约项目与3000个Solidity文件的多样化数据集上的评估表明，GPTScan在代币合约上实现了超过90%的高精度，在Web3Bugs等大型项目中达到57.14%的可接受精度。该工具能有效检测真实逻辑漏洞（召回率超过70%），包括9个人类审计员遗漏的新漏洞。GPTScan具有快速与低成本特性，扫描每千行Solidity代码平均耗时14.39秒、成本0.01美元。此外，静态确认使GPTScan将误报率降低三分之二。