Key concepts
AuditGPT leverages large language models to automatically and comprehensively verify Ethereum Request for Comment (ERC) rules against smart contracts, effectively identifying ERC rule violations.
Summary
This paper presents AuditGPT, a tool that utilizes large language models (LLMs) to automatically audit smart contracts for compliance with Ethereum Request for Comment (ERC) standards.
The key insights from the study are:
- ERC rules primarily involve contract semantics, making it challenging to construct program analysis techniques for identifying violations across diverse contracts.
- Most ERC rules can be checked within a limited scope (e.g., a function, an event declaration site), and there is no need to analyze the entire contract for compliance with these rules.
- Violations of certain ERC rules present a clear attack path for potential financial loss, emphasizing the urgency of detecting and addressing these violations.
- How a rule should be implemented usually correlates with how the rule is specified in the ERC.
AuditGPT is designed around three principles: divide and conquer, guidance by the empirical study, and specialization. It first extracts the rules from each ERC standard and stores them in YAML format. In the working phase, AuditGPT analyzes each public function of a contract individually, applying specialized prompts to the LLM to check that function for rule violations.
Evaluation on a dataset of 200 contracts shows that AuditGPT identifies 279 ERC rule violations, including 4 with a high security impact, while reporting only 15 false positives. Compared with an auditing service provided by security experts and with an automated program-analysis tool, AuditGPT demonstrates superior effectiveness, accuracy, and cost-efficiency.
Stats
The contract in Figure 1 violates an ERC20 rule that mandates the function transferFrom() to verify whether the caller has the privilege to execute the transfer of the specified amount of tokens.
The contract in Figure 2 violates two ERC1155 rules: 1) it fails to check whether the caller is approved to manage the tokens being transferred, and 2) it does not verify whether the recipient is a contract and, if so, whether that contract is capable of handling ERC1155 tokens.
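The two violation patterns summarized above, as an added Solidity illustration that is not code from the AuditGPT paper or from the contracts in its figures: a minimal ERC20 transferFrom() without the allowance check beside a compliant version, and an ERC1155 safeTransferFrom() that performs both the operator-approval check and the recipient-contract acknowledgement check. Contract names, state layout and revert messages are assumptions chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration (assumed names and layout), not code from the paper.

interface IERC1155Receiver {
    function onERC1155Received(
        address operator, address from, uint256 id, uint256 value, bytes calldata data
    ) external returns (bytes4);
}

contract ERC20TransferFromExample {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    event Transfer(address indexed from, address indexed to, uint256 value);
    event Approval(address indexed owner, address indexed spender, uint256 value);

    function approve(address spender, uint256 value) external returns (bool) {
        allowance[msg.sender][spender] = value;
        emit Approval(msg.sender, spender, value);
        return true;
    }

    // VIOLATION (the pattern of Figure 1): the caller's allowance is never
    // consulted, so any account can move any other account's tokens.
    function transferFromUnchecked(address from, address to, uint256 value) external returns (bool) {
        balanceOf[from] -= value;   // reverts on underflow in 0.8.x, but that is not an authorization check
        balanceOf[to] += value;
        emit Transfer(from, to, value);
        return true;
    }

    // COMPLIANT: the caller must hold sufficient allowance, which is then consumed.
    function transferFrom(address from, address to, uint256 value) external returns (bool) {
        uint256 allowed = allowance[from][msg.sender];
        require(allowed >= value, "ERC20: insufficient allowance");
        allowance[from][msg.sender] = allowed - value;
        balanceOf[from] -= value;
        balanceOf[to] += value;
        emit Transfer(from, to, value);
        return true;
    }
}

contract ERC1155SafeTransferExample {
    mapping(uint256 => mapping(address => uint256)) public balanceOf;
    mapping(address => mapping(address => bool)) public isApprovedForAll;

    event TransferSingle(address indexed operator, address indexed from, address indexed to, uint256 id, uint256 value);
    event ApprovalForAll(address indexed account, address indexed operator, bool approved);

    function setApprovalForAll(address operator, bool approved) external {
        isApprovedForAll[msg.sender][operator] = approved;
        emit ApprovalForAll(msg.sender, operator, approved);
    }

    // COMPLIANT: both rules that the Figure 2 contract omits are enforced here.
    function safeTransferFrom(address from, address to, uint256 id, uint256 value, bytes calldata data) external {
        // Rule 1: the caller must be the token owner or an approved operator.
        require(from == msg.sender || isApprovedForAll[from][msg.sender], "ERC1155: caller is not owner nor approved");
        require(to != address(0), "ERC1155: transfer to the zero address");

        uint256 fromBalance = balanceOf[id][from];
        require(fromBalance >= value, "ERC1155: insufficient balance");
        balanceOf[id][from] = fromBalance - value;
        balanceOf[id][to] += value;
        emit TransferSingle(msg.sender, from, to, id, value);

        // Rule 2: if the recipient is a contract, it must acknowledge the transfer
        // by returning the onERC1155Received selector; otherwise the transfer reverts.
        if (to.code.length > 0) {
            try IERC1155Receiver(to).onERC1155Received(msg.sender, from, id, value, data) returns (bytes4 response) {
                require(response == IERC1155Receiver.onERC1155Received.selector, "ERC1155: receiver rejected tokens");
            } catch {
                revert("ERC1155: transfer to non-ERC1155Receiver implementer");
            }
        }
    }
}
```

Both checks are local to the transfer function, which matches the paper's observation that most ERC rules can be verified within a limited scope such as a single function: a reviewer (or a per-function prompt) only needs the body of transferFrom() or safeTransferFrom() to see whether the allowance lookup, the operator check and the receiver callback are present.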
Quotes
"Violating the ERC rules could cause serious security issues and financial loss, signifying the importance of verifying smart contracts follow ERCs."
"Today's practices of such verification are to either manually audit each single contract or use expert-developed, limited-scope program-analysis tools, both of which are far from being effective in identifying ERC rule violations."