DcRD：聚合图信息流的双通道重入漏洞检测

doi:10.3778/j.issn.1002-8331.2405-0424

摘要/Abstract

摘要： 随着区块链技术的成熟和智能合约的广泛应用，保证其安全性已经成为重要的研究方向。在合约部署前有效检测漏洞可以防止用户资产受损。目前，基于深度学习的研究取得了初步成功，但由于未能充分考虑代码的不同表示的信息对漏洞检测的贡献，其准确率仍然有提升空间。提出了一种聚合图信息流的双通道重入漏洞检测方法（dual-channel reentrancy vulnerability detection with aggregated graph information flow，DcRD）。其中上侧通道基于专家知识利用模式匹配获取模式特征。下侧通道针对合约代码的非欧图表示，使用关系图神经网络（relational graph neural network，R-GNN）加权聚合图中不同信息流，获取更先进的图特征。结合注意力机制对双通道特征赋权融合用于漏洞检测。同时关注了通道内和通道层的不同特征对检测结果的差异性影响，以提高检测准确率。通过与多个基线模型进行比较实验以及搭建多个DcRD的变体模型进行消融实验，证明了DcRD模型在多个检测指标上均优于基线模型，平均准确率达到了98.50%，平均精确率为99.09%，平均召回率为96.46%，平均F1分数为97.76%。

关键词: 重入漏洞检测, 关系图神经网络（R-GNN）, 图信息流, 双通道特征, 注意力机制

Abstract: With the maturation of blockchain technology and the widespread application of smart contracts, ensuring their security has become a crucial research direction. Effectively detecting vulnerabilities before contract deployment can prevent user asset loss. Currently, research based on deep learning has achieved preliminary success, but there is still room for improvement in accuracy due to insufficient consideration of the contribution of different information in code representations to vulnerability detection. A dual-feature reentrancy vulnerability detection with aggregated graph information flow (DcRD) is proposed, whose core idea is to pay different attention to different representation features of the contract to improve the detection accuracy. Among them, the upper side channel obtains pattern features based on expert knowledge using pattern matching. The lower channel uses relational graph neural network (R-GNN) to weight and aggregate different information flows in the graph for the non-Euclidean graph representation of the contract code to obtain more advanced graph features. The dual-channel features are empowered and fused through attention mechanism and then are fed into the model for vulnerability detection. Attention is paid to the differential impact of different features within the channel and at the channel layer on the detection results to improve the detection accuracy. Through comparison experiments with multiple baseline models and ablation experiments by building DcRD variant models, it is proved that the DcRD model outperforms the baseline model in all detection metrics. The average accuracy is 98.50%, the average precision is 99.09%, the average recall is 96.46%, and the average F1 score is 97.76%.

Key words: reentrancy vulnerability detection, relational graph neural network (R-GNN), graph information flow, dual-channel features, attention mechanism

苗春雨, 林浩, 王春东, 牛德合, 方顺尧. DcRD：聚合图信息流的双通道重入漏洞检测[J]. 计算机工程与应用, 2025, 61(16): 283-291.

MIAO Chunyu, LIN Hao, WANG Chundong, NIU Dehe, FANG Shunyao. Dual-Channel Reentrancy Vulnerability Detection with Aggregated Graph Information Flow[J]. Computer Engineering and Applications, 2025, 61(16): 283-291.

参考文献

[1] 崔展齐, 杨慧文, 陈翔, 等. 智能合约安全漏洞检测研究进展[J]. 软件学报, 2024, 35(5): 2235-2267.
CUI Z Q, YANG H W, CHEN X, et al. Research progress of security vulnerability detection of smart contracts[J]. Journal of Software, 2024, 35(5): 2235-2267.
[2] 董伟良, 刘哲, 刘逵, 等. 智能合约漏洞检测技术综述[J]. 软件学报, 2024, 35(1): 38-62.
DONG W L, LIU Z, LIU K, et al. Survey on vulnerability detection technology of smart contracts[J]. Journal of Software, 2024, 35(1): 38-62.
[3] LUTZ O, CHEN H L, FEREIDOONI H, et al. ESCORT: Ethereum smart contracts vulnerability detection using deep neural network and transfer learning[J]. arXiv:2103.12607, 2021.
[4] QIAN P, LIU Z G, HE Q M, et al. Towards automated reentrancy detection for smart contracts based on sequential models[J]. IEEE Access, 2020, 8: 19685-19695.
[5] 吴雨芯, 蔡婷, 张大斌. 基于层级注意力机制与双向长短期记忆神经网络的智能合约自动分类模型[J]. 计算机应用, 2020, 40(4): 978-984.
WU Y X, CAI T, ZHANG D B. Automatic smart contract classification model based on hierarchical attention mechanism and bidirectional long short-term memory neural network[J]. Journal of Computer Applications, 2020, 40(4): 978-984.
[6] LUU L, CHU D H, OLICKEL H, et al. Making smart contracts smarter[C]//Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. New York: ACM, 2016: 254-269.
[7] KALRA S, GOEL S, DHAWAN M, et al. ZEUS: analyzing safety of smart contracts[C]//Proceedings of the 2018 Network and Distributed System Security Symposium, 2018.
[8] TSANKOV P, DAN A, DRACHSLER-COHEN D, et al. Securify: practical security analysis of smart contracts[C]//Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. New York: ACM, 2018: 67-82.
[9] NIKOLIC I, KOLLURI A, SERGEY I, et al. Finding the greedy, prodigal, and suicidal contracts at scale[C]//Proceedings of the 34th Annual Computer Security Applications Conference, 2018: 653-663.
[10] JIANG B, LIU Y, CHAN W K. ContractFuzzer: fuzzing smart contracts for vulnerability detection[C]//Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering. New York: ACM, 2018: 259-269.
[11] TORRES C F, IANNILLO A K, GERVAIS A, et al. ConFuzzius: a data dependency-aware hybrid fuzzer for smart contracts[C]//Proceedings of the 2021 IEEE European Symposium on Security and Privacy. Piscataway: IEEE, 2021: 103-119.
[12] BHARGAVAN K, DELIGNAT-LAVAUD A, FOURNET C, et al. Formal verification of smart contracts: short paper[C]//Proceedings of the 2016 ACM Workshop on Programming Languages and Analysis for Security. New York: ACM, 2016: 91-96.
[13] GRISHCHENKO I, MAFFEI M, SCHNEIDEWIND C. A semantic framework for the security analysis of Ethereum smart contracts[C]//Proceedings of the 7th International Conference on Principles of Security and Trust. Cham: Springer, 2018: 243-269.
[14] HIRAI Y. Defining the Ethereum virtual machine for interactive theorem provers[C]//Proceedings of the 2017 International Workshops on Financial Cryptography and Data Security. Cham: Springer, 2017: 520-535.
[15] TORRES C F, SCHüTTE J, STATE R. Osiris: hunting for integer bugs in Ethereum smart contracts[C]//Proceedings of the 34th Annual Computer Security Applications Conference. New York: ACM, 2018: 664-676.
[16] SUN X B, TU L Q, ZHANG J L, et al. ASSBert: active and semi-supervised bert for smart contract vulnerability detection[J]. Journal of Information Security and Applications, 2023, 73: 103423.
[17] JEON S, LEE G, KIM H, et al. SmartConDetect: highly accurate smart contract code vulnerability detection mechanism using BERT[C]//Proceedings of the 2021 KDD Workshop on Programming Language Processing, 2021.
[18] HAN D J, LI Q Y, ZHANG L, et al. A smart contract vulnerability detection model based on syntactic and semantic fusion learning[J]. Wireless Communications and Mobile Computing, 2023(1): 9212269.
[19] 林彦君, 张龑. 基于语义与结构特征融合的整数溢出漏洞检测[J]. 湖北大学学报 (自然科学版), 2024, 46(4): 531-539.
LIN Y J, ZHANG Y. Integer overflow vulnerability detection based on the fusion of semantics and structural features[J]. Journal of Hubei University (Natural Science), 2024, 46(4): 531-539.
[20] WU H J, ZHANG Z, WANG S W, et al. Peculiar: smart contract vulnerability detection based on crucial data flow graph and pre-training techniques[C]//Proceedings of the 2021 IEEE 32nd International Symposium on Software Reliability Engineering. Piscataway: IEEE, 2021: 378-389.
[21] GUO D Y, REN S, LU S, et al. GraphCodeBERT: pre-training code representations with data flow[J]. arXiv:2009.08366, 2020.
[22] CAI J, LI B, ZHANG J L, et al. Combine sliced joint graph with graph neural networks for smart contract vulnerability detection[J]. Journal of Systems and Software, 2023, 195: 111550.
[23] LIU Z G, QIAN P, WANG X, et al. Smart contract vulnerability detection: from pure neural network to interpretable graph feature and expert pattern fusion[J]. arXiv:2106.09282, 2021.
[24] LIU Z G, QIAN P, WANG X Y, et al. Combining graph neural networks with expert knowledge for smart contract vulnerability detection[J]. IEEE Transactions on Knowledge and Data Engineering, 2023, 35(2): 1296-1310.
[25] HAN K, XIAO A, WU E, et al. Transformer in transformer[C]//Advances in Neural Information Processing Systems 34, 2021: 15908-15919.
[26] RAVI V, ALAZAB M, SELVAGANAPATHY S, et al. A multi-view attention-based deep learning framework for malware detection in smart healthcare systems[J]. Computer Communications, 2022, 195: 73-81.
[27] DAO T V, SATO H, KUBO M. An attention mechanism for combination of CNN and VAE for image-based malware classification[J]. IEEE Access, 2022, 10: 85127-85136.
[28] LUO F, LUO R J, CHEN T, et al. SCVHunter: smart contract vulnerability detection based on heterogeneous graph attention network[C]//Proceedings of the IEEE/ACM 46th International Conference on Software Engineering. New York: ACM, 2024: 954.
[29] REN X J, WU Y T, LI J Q, et al. Smart contract vulnerability detection based on a semantic code structure and a self-designed neural network[J]. Computers and Electrical Engineering, 2023, 109: 108766.
[30] FERREIRA J F, CRUZ P, DURIEUX T, et al. SmartBugs: a framework to analyze solidity smart contracts[C]//Proceedings of the 35th IEEE/ACM International Conference on Automated Software Engineering. New York: ACM, 2020: 1349-1352.
[31] HU J L, CAO L J, LI T H, et al. GAT-LI: a graph attention network based learning and interpreting method for functional brain network classification[J]. BMC Bioinformatics, 2021, 22(1): 379.
[32] ABU E H S, KAPOOR A, PEROZZI B, et al. N-GCN: multi-scale graph convolution for semi-supervised node classification[C]//Proceedings of the 35th Conference on Uncertainty in Artificial Intelligence, 2019: 841-851.
[33] LI Z F, ZHAO Y, ZHANG Y, et al. Multi-relational graph attention networks for knowledge graph completion[J]. Knowledge-Based Systems, 2022, 251: 109262.
[34] GHAFFARIAN S M, SHAHRIARI H R. Neural software vulnerability analysis using rich intermediate graph representations of programs[J]. Information Sciences, 2021, 553: 189-207.
[35] CAI H Y, ZHENG V W, CHANG K C. A comprehensive survey of graph embedding: problems, techniques, and applications[J]. IEEE Transactions on Knowledge and Data Engineering, 2018, 30(9): 1616-1637.
[36] ZHUANG Y, LIU Z G, QIAN P, et al. Smart contract vulnerability detection using graph neural network[C]//Proceedings of the 29th International Joint Conference on Artificial Intelligence, 2020: 3283-3290.