TY - JOUR
T1 - Rethinking Online Smart Contract Diagnosis in Blockchains
T2 - A Diffusion Perspective
AU - Hu, Qinnan
AU - Wang, Yuntao
AU - Su, Zhou
AU - Luan, Tom H.
AU - Li, Ruidong
AU - Jiang, Zhenyu
N1 - Publisher Copyright: © 2025 IEEE.
PY - 2026
Y1 - 2026
N2 - Due to the immutable nature of smart contracts, online contract diagnosis is the only viable approach for revealing vulnerabilities in deployed contracts. Existing online approaches face significant challenges in terms of efficiency, adaptability, and reliance on vulnerability labels. This paper proposes ConWatcher+, a new adaptive and label-efficient online contract diagnosis framework from the diffusion perspective, which is capable of detecting yet unknown attacks under evolving tactics without reliance on vulnerability labels. ConWatcher+ simulates the Advanced Persistent Threat (APT) tactics commonly used in yet unknown attacks by continuously applying minor perturbations to legitimate interaction behaviors. It then reversely learns the denoising process, guided by potential logic vulnerabilities (i.e., functionality dependencies), to adaptively identify stealthy anomalies and detect yet unknown attacks without needing vulnerability labels. ConWatcher+ proceeds in five steps. First, real-time data extraction. We design a cost-effective contract runtime information collector, incorporating on-demand data retrieval and event-driven data update mechanisms to reduce communication overhead in online contract diagnosis. Second, interaction behavior modeling. Via bytecode-level, account-level, revenue-level, and side-channel-level behavior modeling, we propose a behavior-aware multivariate time series model to accurately represent long-term contract interactions with multi-faceted behaviors. Third, APT-like noise adding. We leverage the forward diffusion model to produce minor and stochastic APT-like noises with efficiency. Fourth, reverse denoising learning. To effectively guide reverse denoising using functionality dependencies, we devise an adaptive contract-level analysis engine equipped with heterogeneous control flow graph modeling and heterogeneous message passing mechanisms to extract function-level and bytecode-level functionality dependencies. Last, contract anomaly detection. We establish a label-efficient attack detector based on reconstruction error for contract anomaly detection. It combines complex dependency analysis and deterministic inference to ensure high-quality data reconstruction and low detection latency. Extensive empirical validations on a manually constructed dataset, covering both mainstream and novel vulnerabilities, demonstrate ConWatcher+’s effectiveness, adaptability, and label efficiency, with an average F1-score of 0.92 across all types of attacks without prior knowledge of corresponding vulnerabilities.
AB - Due to the immutable nature of smart contracts, online contract diagnosis is the only viable approach for revealing vulnerabilities in deployed contracts. Existing online approaches face significant challenges in terms of efficiency, adaptability, and reliance on vulnerability labels. This paper proposes ConWatcher+, a new adaptive and label-efficient online contract diagnosis framework from the diffusion perspective, which is capable of detecting yet unknown attacks under evolving tactics without reliance on vulnerability labels. ConWatcher+ simulates the Advanced Persistent Threat (APT) tactics commonly used in yet unknown attacks by continuously applying minor perturbations to legitimate interaction behaviors. It then reversely learns the denoising process, guided by potential logic vulnerabilities (i.e., functionality dependencies), to adaptively identify stealthy anomalies and detect yet unknown attacks without needing vulnerability labels. ConWatcher+ proceeds in five steps. First, real-time data extraction. We design a cost-effective contract runtime information collector, incorporating on-demand data retrieval and event-driven data update mechanisms to reduce communication overhead in online contract diagnosis. Second, interaction behavior modeling. Via bytecode-level, account-level, revenue-level, and side-channel-level behavior modeling, we propose a behavior-aware multivariate time series model to accurately represent long-term contract interactions with multi-faceted behaviors. Third, APT-like noise adding. We leverage the forward diffusion model to produce minor and stochastic APT-like noises with efficiency. Fourth, reverse denoising learning. To effectively guide reverse denoising using functionality dependencies, we devise an adaptive contract-level analysis engine equipped with heterogeneous control flow graph modeling and heterogeneous message passing mechanisms to extract function-level and bytecode-level functionality dependencies. Last, contract anomaly detection. We establish a label-efficient attack detector based on reconstruction error for contract anomaly detection. It combines complex dependency analysis and deterministic inference to ensure high-quality data reconstruction and low detection latency. Extensive empirical validations on a manually constructed dataset, covering both mainstream and novel vulnerabilities, demonstrate ConWatcher+’s effectiveness, adaptability, and label efficiency, with an average F1-score of 0.92 across all types of attacks without prior knowledge of corresponding vulnerabilities.
KW - Blockchain
KW - label-efficient detection
KW - online contract diagnosis
KW - smart contract
KW - stealthy contract anomalies
UR - https://www.scopus.com/pages/publications/105015517507
U2 - 10.1109/TON.2025.3597004
DO - 10.1109/TON.2025.3597004
M3 - Article
AN - SCOPUS:105015517507
SN - 2998-4157
VL - 34
SP - 230
EP - 245
JO - IEEE Transactions on Networking
JF - IEEE Transactions on Networking
ER -