Smart contract vulnerabilities, particularly improper Access Control that allows unauthorized execution of restricted functions, have caused billions of dollars in losses. GitHub hosts numerous smart contract repositories containing source code, documentation, and configuration files; these serve as intermediate development artifacts that must be compiled and packaged before deployment. Third-party developers often reference, reuse, or fork code from these repositories during custom development. However, if the referenced code contains vulnerabilities, it can introduce significant security risks. Existing tools for detecting smart contract vulnerabilities are limited in their ability to handle complex repositories, as they typically require the target contract to be compilable to generate an abstract representation for further analysis. This paper presents TRACE, a tool designed to secure non-compilable smart contract repositories against access control vulnerabilities. TRACE employs LLMs to locate sensitive functions involving critical operations (e.g., transfer) within the contract and subsequently completes function snippets into a fully compilable contract. TRACE constructs a function call graph from the abstract syntax tree (AST) of the completed contract. It uses the control flow graph (CFG) of each function as node information. The nodes of the sensitive functions are then analyzed to detect Access Control vulnerabilities. Experimental results demonstrate that TRACE outperforms state-of-the-art tools on an open-sourced CVE dataset, detecting 14 out of 15 CVEs. In addition, it achieves 89.2% precision on 5,000 recent on-chain contracts, far exceeding the best existing tool at 76.9%. On 83 real-world repositories, TRACE achieves 87.0% precision, significantly surpassing DeepSeek-R1's 14.3%.
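As an added illustration of the pipeline the abstract describes (locate sensitive functions, build a call graph, check the sensitive nodes for access control), the following Python heuristic is not TRACE's code: it substitutes regex-based function extraction and keyword guard patterns for the paper's LLM and AST/CFG analysis, and runs on a constructed, deliberately non-compilable Solidity snippet. The function names, guard patterns and sample contract are assumptions made for the example.

```python
import re

# Constructed sample (not from the paper): unguarded `drain` and `refund` reach fund transfers.
SAMPLE = """
contract Vault {
    address owner;
    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    function withdraw(address to, uint256 amount) public onlyOwner { _pay(to, amount); }
    function refund(address to) public { _pay(to, 1 ether); }
    function _pay(address to, uint256 amount) internal { payable(to).transfer(amount); }
    function drain(address to) external { payable(to).transfer(address(this).balance); }
}
"""

# Heuristic stand-ins for the LLM-located sensitive operations and for access-control guards.
SENSITIVE_OPS = (".transfer(", ".send(", ".call{value", "selfdestruct(")
GUARDS = (re.compile(r"\bonly[A-Z]\w*"), re.compile(r"require\s*\(\s*msg\.sender\s*=="))
FUNC_HEAD = re.compile(r"\bfunction\s+(\w+)\s*\(([^)]*)\)([^{;]*)\{")

def parse_functions(src):
    """Return {name: (header, body)} by brace matching, so snippets need not compile."""
    funcs = {}
    for m in FUNC_HEAD.finditer(src):
        depth, i = 1, m.end()
        while depth and i < len(src):  # advance to the matching closing brace
            depth += {"{": 1, "}": -1}.get(src[i], 0)
            i += 1
        funcs[m.group(1)] = (m.group(3), src[m.end():i - 1])
    return funcs

def call_graph(funcs):
    """Edges caller -> callees, restricted to functions defined in this source."""
    return {n: {c for c in funcs if c != n and re.search(rf"\b{c}\s*\(", body)}
            for n, (_, body) in funcs.items()}

def find_exposed(src):
    """Sensitive function -> unguarded public/external entries reaching it via unguarded calls."""
    funcs = parse_functions(src)
    graph, exposed = call_graph(funcs), {}
    ungated = {n for n, (h, b) in funcs.items() if not any(g.search(h + b) for g in GUARDS)}
    for entry in (n for n in ungated if re.search(r"\b(public|external)\b", funcs[n][0])):
        seen, todo = set(), [entry]
        while todo:  # DFS that never steps into a guarded function
            n = todo.pop()
            if n in seen or n not in ungated:
                continue
            seen.add(n)
            todo.extend(graph[n])
            if any(op in funcs[n][1] for op in SENSITIVE_OPS):
                exposed.setdefault(n, []).append(entry)
    return {n: sorted(v) for n, v in exposed.items()}
```

An empty result means every transfer is behind a guard somewhere on its call chain; here `drain` is flagged directly and `_pay` is flagged only through `refund`, not through the gated `withdraw`.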