IEEE SYSTEMS, MAN AND CYBERNETICS SOCIETY SECTION

Received 8 January 2024, accepted 30 January 2024, date of publication 8 February 2024, date of current version 16 February 2024.
Digital Object Identifier 10.1109/ACCESS.2024.3364351

An Integrated Smart Contract Vulnerability

Detection Tool Using Multi-Layer
Perceptron on Real-Time
Solidity Smart Contracts
LEE SONG HAW COLIN1 , (Member, IEEE), PURNIMA MURALI MOHAN 1 , (Member, IEEE),
JONATHAN PAN2 , (Member, IEEE), AND PETER LOH KOK KEONG 1 , (Senior Member, IEEE)
1 Infocomm Technology Cluster, Singapore Institute of Technology, Singapore 138683
2 Disruptive Technologies Office, Home Team Science and Technology Agency, Singapore 138507
Corresponding author: Purnima Murali Mohan ([email protected])
This work was supported by the Singapore Ministry of Education (MoE) Grant, Singapore Institute of Technology (SIT).

ABSTRACT Smart contract vulnerabilities have led to substantial disruptions, ranging from the DAO attack
to the recent Poolz Finance. While initially, the smart contract vulnerability definition lacked standardization,
even with the advancements in Solidity, the potential for deploying malicious contracts to exploit legitimate
ones persists. The Abstract syntax tree (AST), opcodes, and control flow graph (CFG) are the intermediate
representations for Solidity contracts. In this paper, we propose an integrated and efficient smart contract
vulnerability detection algorithm based on Multi-layer perceptron (MLP). We use feature vectors from the
Opcodes and CFG for the machine learning (ML) model training. The existing ML-based approaches for
analyzing the smart contract code are constrained by the vulnerability detection space, significantly varying
Solidity versions, and no unified approach to verify against the ground truth. The primary contributions
in this paper are 1) a standardized pre-processing method for smart contract training data, 2) introducing
bugs to create a balanced dataset of flawed files across Solidity versions using AST, and 3) standardizing
vulnerability identification using the Smart Contract Weakness Classification (SWC) registry. The ML
models employed for benchmarking the proposed MLP, and a multi-input model combining MLP and Long
short-term memory (LSTM) in our study are Random forest (RF), XGBoost (XGB), Support vector machine
(SVM). The performance evaluation on real-time smart contracts deployed on the Ethereum Blockchain
show an accuracy of up to 91% using MLP with the lowest average False Positive Rate (FPR) among all
tools and models, measuring at 0.0125.

INDEX TERMS Blockchain, ethereum, machine learning, multi-layer perceptron, real-time smart contracts,
solidity smart contracts, vulnerability analysis and detection, code analysis, software testing.

I. INTRODUCTION as Decentralised applications (Dapps) today. Dapps are

In 2022 the amount of funds controlled by smart contracts applications that have their logic written in smart contracts
was worth around USD 1750 million and it is set to reach and deployed to the blockchain. Dapps covers a wide range of
USD 9850 million by 2030 [1]. The gaining popularity of use cases from logistics to finance which enables day to day
smart contracts is due to its autonomy, trust, and secure and monitoring of usage. The transparency and traceability
environment and this has given birth to what we know characteristics of a blockchain attract not only private
companies but also keen government agencies. For example,
The associate editor coordinating the review of this manuscript and a permissioned or private blockchain can be used to manage
approving it for publication was Huiyan Zhang . the flow of currency [2]. Blockchain also finds application

2024 The Authors. This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 License.
VOLUME 12, 2024 For more information, see https://creativecommons.org/licenses/by-nc-nd/4.0/ 23549
 L. S. H. Colin et al.: Integrated Smart Contract Vulnerability Detection Tool Using MLP
in sharing data between heterogeneous devices using smart
contracts. A framework by [3] suggests using smart contracts
for recording data in the cloud, for data security, and
accountability of Internet of Things (IoT) devices. Another
use case for IoT smart contracts is unmanned aerial vehicles
(UAVs) [4] that transform a centralized trusted authority into
a secure decentralized network. However, these works use
smart contracts as authentication mechanisms for IoT and
assume the inherent security of smart contracts.
Smart contracts have not been immune to hacks, since early
2016 when major hacks started to surface and gain media
attention. These hacks are not only harmful to the industry
but also cast a large shadow over the longevity of blockchain
applications. In 2022, approximately 1.9 billion USD have
been lost to various hacks by exploiting vulnerabilities in
smart contract logic and manipulation of human errors in
smart contracts [5]. To add on, specifically, Poolz Finance
suffered a major arithmetic overflow hack, where one of its
methods for pool creation contains a manual summing of
token count which resulted in losing USD 6, 650, 000 [6], [7].
There have been attempts to prevent such hacks by
creating contract standards and defining vulnerabilities.
OpenZeppelin [8], Consensys [9] and a trail of bits [10] are
some of the front runners on the quest to support developers
and overcome potential security vulnerabilities.
In terms of standardization, smart contract vulnerabilities
have been loosely defined since its emergence. There
have been different flavors namely — the Smart Contract
Weakness Classification (SWC) registry [11], DASP [12]
and Crytic’s static analyzer, i.e., the Slither’s detector
documentation [13]. These definitions cover most of the
notable vulnerabilities, however, there is an existing gap in
terms of compliance with any security standards and coverage
of the entire smart contract vulnerability space constrained
by the varying solidity versions and ever-emerging smart
contract logic bugs. These vulnerabilities, often resulting
from human errors and version changes, underscore the need
for more robust and reliable security measures in smart
contracts. While such vulnerabilities can be detected by
software verification and validation tools using static [13],
[14], dynamic [15], and formal verification [14], [16], each
method has its own limitations. In the work done by [17],
the authors have conducted an extensive test on software
verification and validation tools and concluded that there
is no single analysis tool that can detect all smart contract
vulnerabilities. Not only that new vulnerabilities cannot be
detected if it was not predefined within the tool, but also
existing vulnerability detection had significant false positive
rates. These findings therefore advocate the use of a Machine
Learning (ML) approach that can be dynamically trained
to newer smart contract bugs and solidity versions while
reducing the false positive rate.
For any ML model the key factors that decide its reliability
of that model are, (i) the origin of the dataset used for
training that model, (ii) the quality and correctness of the
23550
training dataset, (iii) scalability and run-time of the model,
and (iv) standardized verification and validation of the
model. Recent works that have claimed to have sourced
data from reliable sources [18], [19], [20], are still based
on the validation of software verification and validation
tools such as Mythril [14], Slither [13], and Oyente [16]
to determine the ground truth information about the smart
contracts used for training. Firstly, the main concern with
such reliance on third-party software verification tools for
the training dataset is that it is prone to inaccuracies that
are inherent to these software verification tools. Secondly,
to introduce vulnerabilities into the training dataset, a syn-
thetic data generation method using the Synthetic Minority
Oversampling Technique (SMOTE) is being used [19], [20].
However, synthetic data can never be a true representation
of a truly vulnerable dataset. Not only does it not keep
updated with the significantly varying Solidity versions,
but also leads to an imbalance in the training dataset
due to the way it is implemented. Thirdly, some existing
works simply skip the pre-processing steps (that ensures the
quality and correctness of the training dataset) [18] which
makes the solution practically not useful — especially when
the training data set that comes across different solidity
versions, contains commented codes with code-like syntax.
This becomes a prime concern since the solc compiler cannot
differentiate code-like commented syntax — which is crucial
for bug-insertion algorithm. Also, the existing bug-injection
tools [21] suffer from practical issues such as solidity
version, syntax based on solidity version, no exception,
and no control over bug injection logic (i.e., the existing
tools dump all bugs in a single smart contract). Motivated
by these practical concerns, our proposed solution injects
known vulnerability patterns into clean contracts by ensuring
a clear indication of a vulnerability bug type in each
contract while developing a standardized pre-processing
method to generate a balanced and good quality train-
ing dataset and validate against well-defined vulnerability
standards.
In this paper, we will be introducing an ML approach
that uses a runtime opcode extraction algorithm for feature
extraction and a trigram-based method for vectorization.
We reference the SWC [11] registry for smart contract
vulnerability categorization as it has been one of the most
well-defined mappings while loosely coupled with the
Common Weakness Enumeration (CWE) [22]. To test the
efficacy of our solutions and perform benchmarking, we will
employ Mythril, Slither, and an integrated tool known as
MythSlith. We have developed MythSlith — which is a tool
that integrates Mythril and Slither to increase the coverage
of smart contract vulnerability detection space. These tools
will be used to compare against the ML model trained with
the bug-injected dataset. Our contributions in this paper are
summarized as follows:
• We developed a standardized pre-processing algorithm
for cleaning smart contract training data to address
VOLUME 12, 2024
L. S. H. Colin et al.: Integrated Smart Contract Vulnerability Detection Tool Using MLP
the limitation of the solc compiler not being able to
differentiate code from commented code-like syntax.
• We developed a practical bug injection algorithm to
create a balanced dataset across Solidity versions using
the Abstract syntax tree on verified smart contracts
that were cleaned using the proposed pre-processing
algorithm.
• We model an MLP framework and a multi-input
model based on MLP and LSTM for smart contract
vulnerability detection. The proposed framework scales
up the smart contract vulnerability space by utilizing
opcodes and Control Flow Graph (CFG) extracted
during model training. Before vectorization, a simpli-
fication method is applied to the opcodes to decrease
dimensionality (reduce the running time) and eliminate
contract-specific hexadecimal values.
• We thoroughly analyze the time complexity of the
proposed algorithms and the running time for bug
detection.
• For MLP framework performance benchmarking,
we integrate the well-known software verification tools,
Mythril and Slither, to develop an experimental tool
known as MythSlith which has an increased smart
contract vulnerability detection space than the individual
tools. The machine learning models show a superior
performance in vulnerability detection than existing
Software verification tools with the lowest false positive
rate of up to 0.0015.
• We verify the results against the standardized vul-
nerability identification — Smart Contract Weakness
Classification (SWC) registry as a common analysis
platform.
The rest of the paper is organized as follows: Section II
provides a background of smart contract intermediate
representation, smart contract vulnerabilities, and types of
software validation techniques used. Section III presents
a literature review of the recent works on smart contract
vulnerability detection space. In Section IV, we illustrate the
proposed methodology and framework for feature extraction
to model training algorithms. Section V reports the exper-
imental findings and inferences made on the efficiency of
the proposed methods. Section VI will discuss the findings,
some possible alternatives, and future development before we
conclude our work in Section VII.
II. BACKGROUND
In this section, we provide an overview of the vulnerabilities
and tools that will be used in the proposed algorithm for smart
contract vulnerability detection.
A. SMART CONTRACTS
Smart contracts are programs written to be executed on the
blockchain. Designed to be autonomous, self-sufficient and
expected to do their written or agreed-upon task in code
without interference. They are considered to be the key to a
VOLUME 12, 2024
FIGURE 1. Reentrancy snippet.
FIGURE 2. Arithmetic snippet.
decentralized system. However, being in the eye of the public
blockchain any vulnerabilities could lead to a huge amount
of financial loss.
Smart contracts can also be represented in different forms
with the help of the Solidity compiler. Some forms are
opcodes, abstract syntax tree (AST), and Control Flow Graph
(CFG).
Opcodes also known as operation code, are instructions
for the Ethereum virtual machine (EVM) to execute any
sequential and conditional actions. The complete list of
opcodes with descriptions can be found in Ethereum’s yellow
paper [23].
Abstract Syntax Tree is a hierarchical tree representation
of the synthetic structure of the source code. Each section
is represented as nodes, which construct the details of
the real syntax. Such representation is commonly used for
syntax checking, semantic analysis, code generation, and
code optimization.
Control Flow Graph is the representation of program
flow from the context of the stack. This is derived from the
opcodes, where a bunch of opcodes is broken down into basic
blocks by flow conditions such as JUMP, JUMPI, REVERT,
etc.
B. TYPES OF BUGS
Smart contract vulnerabilities are often caused by oversights
during the programming stage, these bugs may seem harmless
when written but can potentially cause huge financial
loss. The 7 vulnerabilities below are chosen as they are
commonly found in other studies and they have become
the foundation for vulnerabilities in both empirical and
ML-based approaches [19], [21], [24], [25]. The availability
of predefined bug snippets in [21] also helps cut down the
amount of development time.
Reentrancy was first uncovered in 2016 when a large sum
of money was stolen in the DAO contract (Fig 1). This was
primarily caused by the action of sending cryptocurrency to
an external account and updating it only after it was sent.
23551
 L. S. H. Colin et al.: Integrated Smart Contract Vulnerability Detection Tool Using MLP
FIGURE 3. Unauthorized send snippet.
FIGURE 4. Tx origin snippet.
FIGURE 5. Timestamp dependency snippet.
FIGURE 6. Transaction order dependency.
This sequence of events might seem normal for traditional
software code, however, in the case of Solidity, a fallback
function of the external account can re-trigger the same
sending function again before an update can happen within
the original contract. This could result in an indirect recursive
function call.
Arithmetic vulnerabilities, more commonly known as
Overflow-Underflow (Fig 2). Overflow occurs when an
operation tries to add to a variable that is already at its
maximum possible value. Without any sort of guard, this
variable will overflow and back to 0 or the minimum possible
value. As opposed to Overflow, Underflow happens when
an operation tries to subtract a variable when it is at the
minimum possible value, resulting in the value jumping to
the maximum possible value. This vulnerability can lead to
severe security issues as hackers can use this behavior to alter
account balance or change ownership of contract.
Unauthorized send arises when there is no access control
for a function that requires an access check (Fig 3). Such
a function may contain withdrawal or reward disbursement
functionality.
Transaction origin also known as tx.origin, arises
from the misuse of the global variable ‘tx.origin’ of Solidity
(Fig 4). In all transactions there is an origin and a sender.
Origin is the address that started the chain of calls while
23552
FIGURE 7. Unhandled exceptions.
the sender is the address that initiated the current call.
Tx origin vulnerability occurs when a contract uses ‘tx.origin’
to authenticate a user rather than ‘msg.sender’, which refers
to the current immediate caller. This is particularly dangerous
when a tranferOwnership function uses ‘tx.origin’ for
authentication.
Timestamp dependency arises when a contract uses
block variables such as block hash, timestamp, number,
difficulty, gaslimit and coinbase to perform critical operations
(Fig 5). These operations are generation of random numbers
and time critical applications such as auction. This is in
particular dangerous because miners gets to choose the
block’s timestamp.
Transaction Order Dependency is a type of vulnerability
where the sequence of calling transactions can impact the
final outcome of the application (Fig 6). This arises when a
state is altered based on the order of incoming transactions,
which can lead to unintended exploitation.
Unhandled Exceptions occurs when checks on send,
transfer, or call are not done (Fig 7). This is important because
calls can fail and intended changes will be reverted. Some
of the reasons for failure can be, out-of-gas exceptions and
wrong arithmetic operations such as zero division errors.
III. LITERATURE REVIEW
In this section, we will discuss currently available software
verification and validation tools for smart contract detection,
as well as works that use a machine learning approach.
Our review will cover the data sampling techniques, fea-
ture extraction methods, and smart contract vulnerability
standards. An overview of the comparison can be found in
Table 1.
A. SOFTWARE VERIFICATION AND VALIDATION TOOLS
In recent years, a number of analysis tools have been
introduced and they can be categorized into 3 different types,
Static, Dynamic, and Formal verification. Static tools rely
on the static information of the code to derive a prediction
without executing the program [27]. Some of those features
extracted are the abstract-syntax tree (AST), compiled
bytecode, and opcodes. Dynamic tools analyze a running
program, one such example is the Fuzzer [28]. Formal
Verification tools rely on the mathematical definition and use
a solver such as Z3 to resolve the derived formula [29].
Among the software verification and validation tools
for smart contracts are Slither [13], Mythril [14], and
DefectChecker [30] for static verification; Manticore [15]
for dynamic analysis; and Oyente [16], Mythril, and
DefectChecker for formal verification. Although these tools
VOLUME 12, 2024
L. S. H. Colin et al.: Integrated Smart Contract Vulnerability Detection Tool Using MLP
TABLE 1. Comparison with existing works.
have been instrumental in numerous audits, they are con-
strained by the predefined patterns of each bug. Should new
bugs emerge, an expert update would be necessary.
B. MACHINE LEARNING BASED VULNERABILITY
DETECTION
As the name suggests, ML method is used to construct a
set of decisions from the features of the data to make a
logical conclusion of a trend or classification. Such a set
of decisions is known as a model and it can be done with
supervised or unsupervised learning. Supervised learning is
an algorithm that learns with labeled data while unsupervised
will suggest clusters of possible outcomes and then deriving
of the outcome will depend largely on the feature set.
1) DATA SAMPLING
As discussed in Section I, data integrity is an integral part
of ML model training but existing works from [18], [19],
and [20] did not have a cleaning or pre-processing step to
ensure contracts are clean. While [26] has done checks using
three software validation tools namely, Slither, Oyente, and
DefectChecker to ensure contracts are properly labelled and
also removed if any error were present in the tool’s output,
in addition, smart contracts without version numbers were
also removed. However, the labeling of data relies on software
validation tools, which face the same issue as previous works,
i.e., the training dataset is prone to inaccuracies inherent to
these tools.
Whereas in our approach, bug injection ensures identified
bugs to be injected. However, bug injection from Solidifi [21]
lacks post-injection error checking, leading to the creation
of an erroneous dataset. Moreover, the code from [21] did
not anticipate a situation where the bug count is less than the
available injection location. To accommodate such scenarios,
a recursive function was incorporated to check on the bug
count and the number of available locations. In addition,
we have also incorporated a validation and error-handling
mechanism into the proposed bug injection algorithm.
2) FEATURE EXTRACTION
Using opcodes for feature extraction is one of the more
popular methods as it is agnostic to the expert pattern and
presents a clear path to identify any malicious act. Abstract
Syntax Tree (AST) is also one of the common methods as
VOLUME 12, 2024
it contains useful semantic information. Reference [19] uses
a simplified opcode followed by Bigram for vectorization,
while [18] uses features from AST, [20] and [26] uses a
mixture of AST and simplified Opcode with Bigram.
While traditional models typically process data in a single
common format, this does not preclude the combination of
vectorized data from various features. Works of [20] and [26]
have both mixed their feature embeddings and can produce a
good amount of variance for classification. However, in our
proposed work aside from the classical models, we will
implement a multi-model approach that allows features of
different shapes to collaborate effectively.
C. VULNERABILITY STANDARDS
Vulnerability standards in the smart contract field are not
yet prevalent, resulting in a spew of different definitions
by different organizations [11], [12]. This is not healthy
for the industry and will hinder further development. It is
also clear from existing works [18], [19], [20], [26], that no
vulnerability standards were taken up. Consequently, in our
proposed work, we have selected the SWC Registry [11] as
the vulnerability standard to provide a clear definition.
In the proposed solution, opcodes will be used alongside
CFG features. Trigram is used instead as it captures more
context than Bigram or unigram. Rather than using AST, CFG
is chosen because it contains flow information which AST
does not. Simplification of opcodes is done but different from
previous works, rather than replacing the entire set of PUSH,
DUP, and SWAP opcodes with a constant, we will leave the
first five numbers untouched, allowing more variance to be
captured. In addition, we have also removed all hexadecimal
values to prevent any contract-specific values which could be
learned by the models.
This review has highlighted the need for expert knowledge
to define new bugs for current software verification and
validation tools, significant variations in data sampling and
feature extraction methods, and the absence of vulnerability
standards. While each work does give clear definitions of
their selected vulnerabilities, there is no compliance. Data
sampling from [26] have implemented a robust method using
validation tools for labeling, others have not, raising concerns
about data integrity. Opcode is a popular representation for
feature extraction and mixing of features is a popular method
as seen in works of [20] and [26] but a multi-model approach
23553
 L. S. H. Colin et al.: Integrated Smart Contract Vulnerability Detection Tool Using MLP
FIGURE 8. Pre-processing Flow Diagram for the ML model training.
has yet to be attempted. The disarray in vulnerability
standards indicates the need for a single, universally adopted
standard to streamline the development process. The insights
gained from this review provide a good foundation for
developing a robust and reliable smart contract vulnerability
detection method.
The research gap is summarized in Table 1 highlighting the
novelty of the paper. In this paper, we perform standardized
pre-processing steps, by introducing both erroneous solidity
version exclusion and code-like comments removal which
could generate an incorrect AST. For data source labeling
we use bug injection in our work as it provides a reliable
ground truth. This was not done in the referenced existing
works in Table 1. While the work in [21] uses bug injection,
it does not validate the bug injection nor include any
pre-processing steps. The most recent work that performs
pre-processing by removing code-like comments is found
in [26]. However, it does not verify incorrect solidity versions
(during pre-processing) while relying on third-party tools
(such as Mythril, Slither, Oyente, DefectChecker, etc.) to
label their datasets.
IV. METHODOLOGY
The approach to this research will be detailed in this section
in the following sequence: IV-A Preparation of dataset,
IV-B Feature extraction, IV-D Machine Learning Models for
Classification, IV-E Multi-Model Approach, IV-F Design of
MythSlith, IV-G Challenges. A flow diagram of the end-to-
end pre-processing steps that lead to the ML model training
is illustrated in Figure 8.
A. PREPARE DATASET FOR ML TRAINING
1) DATASET
For any ML model to be efficient and usable, generating
an error-free and practical dataset is important to achieve
good accuracy and false positive rate. As a first step,
the clean dataset was initially sourced from the smart
contract sanctuary [31] — an open-sourced repository and
we validated the ground truth by compiling each Solidity file
using the Solidity compiler (solc) to ensure no errors were
present before any bug injection was performed. The version
of the compiler used for each file is determined with a JSON
file provided by [31], which consists of the specific version
used when the smart contract was actually deployed to the
mainnet.
The second step is to use the validated clean dataset
and inject with bugs defined by Solidifi [21] — which is
23554
TABLE 2. Variables used in the bug injection framework.
an automated bug injection tool that checks for potential
locations using AST tree to inject a set of predefined bugs.
However, Solidifi cannot be directly used to inject bugs since
it suffers drawbacks such as there is (i) no solidity version
check, (ii) no syntax check, (ii) no exception for bugs, and
more importantly, (iv) it injects all the predefined bugs to a
single solidity smart contract which is not a practical scenario
to train the ML model. We hence propose two pre-processing
algorithms and a bug injection algorithm below to mitigate
the drawbacks of Solidifi.
2) BUG INJECTION
The goal of employing the bug injection technique is to
imitate the introduction of bugs by developers [21] in
the smart contract logic. The number of bug snippets is
determined by a predefined bug density. The bug density is
defined as the number of vulnerable lines of code per clean
smart contract. Refer to Table 2 for the variables used in the
Bug injection algorithm. For example, for every 100 line of
code, when we insert 1 line of bug, then the bug density for
that smart contract will be 1%. By setting the bug density,
we are able to have an even spread of bugs within the entire
dataset used for training the ML model. To be uniform across
the smart contract vulnerability space, we represent each bug
snippet as a function.
The process of injecting bugs has the following steps:
Step1: Pre-process the source file using Algorithm (1)
Step2: Obtain source attribute information by generating
the abstract syntax tree (AST)
VOLUME 12, 2024
L. S. H. Colin et al.: Integrated Smart Contract Vulnerability Detection Tool Using MLP

Algorithm 1 Pre-Processing Procedure Algorithm 2 Filtering Function Definition From AST

1: procedure PreProcess(file_path, output_directory) 1: procedure F(AST)
2: lines ← ReadLines(file_path) 2: Initialize LfDef ← ∅
3: new_lines ← [] 3: for n ∈ N do
4: inside_comment_block ← False 4: t ← τ (n)
5: is_tgt_with_start_end_block ← False 5: if t = ‘‘FunctionDefinition" then
6: is_inside_unique_comment_block ← False 6: LfDef ← LfDef ∪ {n}
7: for line ∈ lines do 7: end if
8: if "/*/" in line then 8: end for
9: Toggle is_inside_unique_comment_block 9: return LfDef
10: Continue 10: end procedure
11: end if
12: if is_inside_unique_comment_block then
13: Continue from the list of smart contract bugs to insert the
14: end if bug to the identified random location using the
15: if "/*" and "*/" in line and "/*/" not in line then Algorithm 3
16: Remove inline comment in line
17: end if a: PRE-PROCESSING SOLIDITY FILES
18: if "/*" in line and "//***" not in line then Cleaning Solidity files is a crucial pre-processing step, as the
19: inside_comment_block ← True solc compiler cannot distinguish between commented code
20: Remove text after "/*" in line and code-like syntax. This distinction is especially vital
21: end if in our implementation, as it impacts the injection process
22: if "*/" in line then and, consequently, influences the false positive rates in the
23: inside_comment_block ← False bug classification process. The details of the pre-processing
24: Remove text before "*/" in line algorithm are outlined in Algorithm (1).
25: end if Similar to the approach used in [21] bug locations are
26: if inside_comment_block then derived from AST nodes of the given Solidity files. The
27: if is_tgt_with_start_end_block then injection process is shown in detail in Algorithm (2) wherein
28: is_tgt_with_start_end_block ← False the fuction is filtered from the AST tree and in Algorithm (3)
29: Append line to new_lines where it takes in the file contents, number of bugs, the list of
30: end if all bugs to uniquely insert as inputs to recursively insert the
31: Continue bugs in randomly selected function location until one of the
32: end if below conditions are met.
33: if ‘‘http://’’ or ‘‘https://’’ in line then
• the function locations are exhausted
34: Append line to new_lines
• the bug density condition is satisfied
35: Continue
• all available bug snippets are exhausted
36: end if
37: if "//" in line then The above condition checks will only be done after a
38: Remove text after "//" in line compilation check using solc after every bug injection. This
39: end if ensures that the new file is free of errors, i.e., an error-free
40: Append line to new_lines dataset for training the ML model.
41: end for
42: file ← Join(new_lines) b: AST INSTANCE
43: Write file to output_directory When defining the AST instance in this section, we will
44: return file only take the attribute of interest into consideration. Let T
45: end procedure be the set of node types, including ‘FunctionDefinition’,
‘PragmaDirective’, ‘ContractDefinition’, ‘VariableDeclara-
tion’, etc. Let N be the set of nodes, where node n ∈ N
and n has a type from T . Let S be the set of all possible ‘src’
Step3: Filter the function definition within the smart attributes, representing the location of a particular node in the
contract definition that is generated by the AST code. We define the below functions to define the AST tree
using Algorithm 2 instance per solidity file.
Step4: Generate the number of bugs to be injected per • τ : N → T : Maps each node to its type (corresponding
Solidity file based on a pre-defined bug density to the ‘nodeType’ attribute).
Step5: Randomly select a function location (LfDef ) from • C : N → 2N : Maps each node to its child nodes,
the AST node and randomly choose a bug (bselected ) capturing the hierarchical structure of the code.

VOLUME 12, 2024 23555

 L. S. H. Colin et al.: Integrated Smart Contract Vulnerability Detection Tool Using MLP

Algorithm 3 Bug Injection Algorithm e: INJECTION OF SMART CONTRACT BUGS

1: procedure InjectBugRecursively(fc, nb, B, Bused ) With each iteration of bug injection, used bugs will be
2: AST ← SOLC(fc ) tracked, hence no bugs will be repeated which will result in
3: LfDef ← F(AST ) compilation failure. To represent this, we will let B be the set
4: Bunused = B − Bused of all available bug files, and let Bused be the set of bug files
5: fselected ← R(LfDef ) that have already been used. The set of remaining bug files
6: if (fselected = None) or Bunused can be represented as:
7: (|Bused | = nb and |Bunused | = 0) then
8: Return fc Bunused = B − Bused
9: end if Here, B − Bused denotes the set difference, which results in a
10: bselected = R(Bunused ) new set Bunused containing all the elements that are in B but
11: fc∗ = SliceIn(fc , bselected , fselected ) not in Bused .
12: B∗used = Bused ∪ {bselected } A random function definition node, which has the source
13: Comment: Recursive call to continue bug injection location, will be selected for each bug. This is represented by
14: InjectBugRecursively(fc∗ , nb, B, B∗used ) fselected and it is selected from LfDef :
15: end procedure (
R(LfDef ) if LfDef ̸= ∅
fselected =
None otherwise
•σ : N → S: Maps each node to its ‘src’ attribute. Here, R(LfDef ) represents the random selection of a function
The AST is then represented as a 4-tuple containing the definition node from LfDef . If LfDef is empty, fselected will be
nodes, their types, child nodes, and source locations. set to None.
Similar to how a function definition node is selected, bug
AST = (N , τ, C, σ )
is also selected randomly and represented as bselected which is
selected from the set R of remaining unused bugs:
c: FUNCTION EXTRACTION
bselected = R(Bunused )
Next, we define the function that extracts only the‘Function
Definition’ from the AST nodes. Define a function F : We will be slicing the selected bug bselected with the given
AST → L to extract nodes with the ‘nodeType’ of fselected into the fc. The slicing location is determined by the
‘FunctionDefinition’ from the AST. The function extraction values within the source attribute, where the start and length
step operates as follows: values are represented in sequence while delimited by colons.
• It takes the AST as input, where the AST is represented Given that, slicing is done to place in the bug snippet and it is
as AST = (N , τ, C, σ ). represented by the following function: Let fc∗ be the new file
• It iterates through the nodes in N , checking the content that has the bug injected:
‘nodeType’ attribute for each node using the function fc∗ = SliceIn(fc , bselected , fselected )
τ : N → T.
• If the ‘nodeType’ of a node is ‘FunctionDefinition’, Finally, after each successful injection bselected will be
it adds the node to the resulting list. appended into B∗used . The updated set B∗used of used bugs can
• It returns the list of nodes with the ‘nodeType’ of be obtained as:
‘FunctionDefinition’ as the output.
B∗used = Bused ∪ {bselected }
LfDef ← F(AST ) After each injection, B∗used will be saved and kept for
feature extraction use later on.
d: BUG DENSITY With the bug injection process explained, we now transi-
Selection of the number of bugs is done with a bug density tion to discussing our feature extraction methodologies.
value, which is a predefined ratio of 0.01, and each clean
contract will have at least 1 bug inserted: B. FEATURE EXTRACTION
Let S represent the number of lines of code in the file, Models will be built with features extracted from smart
and let δ be the predetermined constant ratio representing bug contracts that have been injected with the predefined bugs
density. The variable nb, which denotes the number of bugs as mentioned in the previous section. However, there is
to be injected, is given by: one key thing to be noted, as each injection location is
nb = max(1, ⌊S × δ⌋) randomly selected we would not have the same set of code
for the 7 categories of smart contract bugs. This will be
Here, max(1, . . .) ensures that the minimum number of bugs further explained in each feature extraction algorithm section.
is at least 1, and ⌊. . .⌋ represents the floor function, rounding The vulnerabilities to be injected are Reentrancy, Arith-
down to the nearest integer. metic, Unauthorized send, Transaction Origin, Timestamp

23556 VOLUME 12, 2024

L. S. H. Colin et al.: Integrated Smart Contract Vulnerability Detection Tool Using MLP

Algorithm 4 Extract Opcodes From Bugged Files Each element in Gi would map to the corresponding
1: procedure SimplifyOpcode(fc , B∗used ) property in the ABI JSON.
2: Initialize Lopcodes ← ∅ Following this, opcodes will be simplified. Simplification
3: C ← SOLC(fc ) is done because opcodes such as PUSH have 32 variations
4: for (ABI , O) ∈ C do while SWAP, and DUP have 16. Where each variation
5: found_match ← False represents the number of bytes to be pushed on the stack.
6: for bug ∈ B∗used do i.e., PUSH1 - 1 byte, PUSH4 - 4 bytes. The simplification
7: for Gi ∈ ABI do rules enforced are similar to [19] and can be found in
8: if namei = bug.name then Table 3. With this simplification, the number of opcodes
9: found_match ← True remaining will only be 77, thus reducing the dimension of the
10: O∗ ← Simplify(O) feature vector. We then employ the n-gram algorithm [32]
11: Lopcodes ← Lopcodes ∪ {O∗ } for feature extraction. In natural language processing and
12: end if computational linguistics n-gram is widely used as a
13: end for calculation of the frequency distribution of a selected
14: if found_match then n-number of tokens, where n refers to the number of adjacent
15: Break elements to consider from a string of tokens. Unigrams,
16: end if bigrams, and trigrams are some examples of n-grams where n
17: end for is 1,2 or 3, respectively [19]. For this paper, we have chosen
18: end for the trigram approach for feature extraction. This choice is
19: return Lopcodes motivated by the need to capture more information while
20: end procedure maintaining scalability, particularly as additional bugs are
incorporated, allowing for more syntax to be captured for
precise classification. Additionally, all hexadecimal values
dependency, Transaction Order Dependency, and Unhandled are removed, as they are unique to each smart contract
Exceptions. and do not provide any flow information relevant to bug
identification.
1) OPCODES The vectorizing of text features is done by Term
Opcodes are obtained by using SOLC by using the input Frequency-Inverse Document Frequency (Tfidf ). Tfidf can
and output JSON method — which is also the recommended be broken down into two sections, I) Term Frequency,
way that has a consistent interface throughout all compiler 2) Inverse Document Frequency. 1) Term frequency will
versions. As not all contracts within each Solidity file will reflect frequently occurring sections of a document by
have a bug injected, a cross-check will be needed to only take using a weighting factor, in which the weight increases
in the opcode from injected contracts. Hence, given the file proportionally to the number of times a word appears in the
name and B∗used , we will sift out contracts by comparing the document. However, this is offset by 2) Inverse Document
function name with the Abstract Binary Interface(ABI). The Frequency where it buries commonly appearing words and
full algorithm of the Opcode extraction process can be found highlights rare occurring words. This allows unique features
in Algorithm (4). to surface.
As a next step, to describe the sifting process, let’s consider Post extraction, we are left with a sparse matrix. To further
C to be the set of m contracts returned by the solc. Each reduce the dimension for model training, SelectKBest based
contract in C contains both an Application Binary Interface on Chi-square and TruncatedSVD from scikit learn API [33]
(ABI) and an ordered list of opcodes. Formally, C is defined are both employed. SelectKBest will select the best 2000 fea-
as: tures from the sparse matrix followed by the TruncatedSVD.
Rather than the more commonly known dimension reduction
C = {(ABI1 , O1 ), (ABI2 , O2 ), . . . , (ABIm , Om )} method — Principle Component Analysis (PCA), which does
not work on sparse matrix. TruncatedSVD is able to work
where ABIi represents the Application Binary Interface for on it efficiently because it does not center the data before
the ith contract, and Oi represents the ordered list of opcodes computing the single value decomposition. The number of
for the ith contract. Also, ABIi = {G1 , G2 , . . . , Gr }, where components are based on the cumulative variance of 95%
each Gi is a function descriptor with a maximum number of from the selected 2000 features. With this method, we will
r function descriptors per ABI. obtain the features that have a cumulative variance of at least
Each function descriptor Gi could be represented as a tuple: 95% and thereby reducing the number of features.
Upon completion of these steps, the Opcode trigram
Gi = constanti , inputsi , namei , outputsi , feature vector is primed and ready for the machine learning
payablei , stateMutabilityi , typei


model training.

VOLUME 12, 2024 23557

 L. S. H. Colin et al.: Integrated Smart Contract Vulnerability Detection Tool Using MLP

Algorithm 5 Extract CFG From Bugged Smart Contracts

1: procedure RuntimeBytecode(fc , B∗used )
2: Initialize Lcfg ← ∅
3: C ← SOLC(fc )
4: for (ABI , BC) ∈ C do
5: found_match ← False
6: for bug ∈ B∗used do
7: for Gi ∈ ABI do
8: if namei = bug.name then
9: found_match ← True
10: CFG ← Ethersolve(BC)
11: Lcfg ← Lcfg ∪ {CFG}
12: end if
13: end for
14: if found_match then
15: Break FIGURE 9. A snippet of digraph from Ethersolve CFG with parameters
16: end if p = 2, q = 0.5.
17: end for
18: end for
19: return Lcfg During each walk, the gathered information is input into
20: end procedure a Word2Vec model, resulting in node embeddings. For this
purpose, the Precomp model is employed. In Precomp, the
return parameter p is set to 2, and the in-out parameter q is 0.5.
This model represents an optimized version of Node2Vec,
C. CONTROL FLOW GRAPH
precomputing and storing all transition probabilities for
Other than extracting static features from opcodes using random walks. The values of p and q significantly influence
n-gram, constructing a CFG has more benefits as it contains the structure of the resultant graph. The return parameter
sequence data from the runtime opcodes. Allowing much p influences the random walk’s likelihood of selecting an
more intrinsic patterns to surface. In this work, we employ immediately preceding node, while the in-out parameter q
a CFG builder from Ethersolve [34]. It is a tool that encourages the walk to remain within its local neighborhood.
uses symbolic stack execution to resolve jump destination, With a lower value of q, the walk is more likely to visit nodes
resulting in accurate edges. As Ethersolve is built using Java, that are also connected to the previous node.
we have utilised its’ core module by creating a wrapper in The final embedded information is constrained by avail-
python contained within a docker instance. able resources, therefore the number of walks from each node
Similar to the process done in opcode for contract will be limited to 1, and walk length will be set to the average
selection, we have done the same by obtaining deployed graph length across all categories, including Clean contracts.
bytecode from solc and only process contracts that has bug Walks shorter than this average are padded when the depth of
function inside the ML model training. Full algorithm can the selected node is less than the average walk length.
be found in Algorithm 5. Below we will describe each Given the parameters and constraints, we can now do
representation. a small example on how Node2vec walks are done using
Let C be the set of contracts returned by the solc. Each a tree snippet generated by Ethersolve CFG at Figure 9.
contract in C contains both an Application Binary Interface Probabilities of paths are grouped into 3 types, direct return
(ABI) and an ordered list of opcodes. Formally, C is defined node, node that does not have a path to the direct return node
as: and node that has a return edge to the direct return node.
C = {(ABI1 , BC1 ), (ABI2 , BC2 ), . . . , (ABIm , BCm )} Assuming that we will start at node 202, it has neighbours
13, 210, 233, 214 and the return node is 13. The transition
where, ABIi represents the Application Binary Interface probabilities for each paths will be 1p to 13 as it is the return
for the ith contract, and BCi represents the ordered list of node, 1q for node 210 and 233 as they do not have a return
deployed bytecode for the ith contract. edge to node 13 and 1 for node 214 as it has a return path
Graph information was subsequently extracted using to node 13. It will then be normalized by the sum of each
PecanPy [35], a fast, efficient, and parallelized Python possible paths, which will give us probabilities of 0.111 for
implementation of Node2Vec [36]. Although Node2Vec a walk going back to 13, 0.444 to node 210 and 233, finally
is adept at learning low-dimensional representations of 0.222 to node 214. Given as such, the next walk will most
nodes within a graph, it lacks parallelization in its random probably be either 210 or 233.
walks. Addressing this limitation significantly enhances the After obtaining the embedded data, a Long Short Term
efficiency of learning in dense networks [35]. Memory (LSTM) model will be used for the evaluation.

23558 VOLUME 12, 2024

L. S. H. Colin et al.: Integrated Smart Contract Vulnerability Detection Tool Using MLP
TABLE 3. Opcode simplification.
Model training was implemented based on dataset size
supportable by available computational resources.
On algorithmic complexity for the Pre-processing
algorithm (Algorithm 1) and Bug insertion algorithm
(Algorithm 3), the worst-case complexity depends on the
size of the smart contract, O(S), where S represents
the number of lines in the smart contract. Whereas the
complexity of the Function filtering algorithm (Algorithm 2)
is determined based on the number of nodes in the AST
tree, O(N ). In order to extract the opcodes from a given
smart contract, the complexity depends on the total number
of function descriptors in an ABI (r) and the total number
of ordered lists of ABI, opcodes within a contract (m).
Hence the algorithmic complexity for extracting opcodes
from a smart contract (Algorithm 4) is in the order of
polynomial complexity, O(rm2 ). For a smaller number of
opcodes within a contract (which is usually true in practical
smart contract development), this time is much less. This can
be observed from Figure 13. The algorithmic complexity for
the feature selection algorithm using the n-gram algorithm
is given by O(n2 log n). Thus the worst-case complexity for
Algorithm 5 that extracts the run-time bytecode is given
by O(rm2 n2 log n). For a small number of opcodes within
a smart contract and n = 3 (for the trigram feature
selection algorithm), the polynomial complexity scales down
to a practical running time for detecting smart contract
vulnerabilities.
D. MACHINE LEARNING MODELS FOR CLASSIFICATION
Our dataset encompasses eight distinct categories, necessitat-
ing the use of a multiclass classifier algorithm for the training
of classifiers. These algorithms are capable of handling
multiple classes without the need to be adjusted or modified.
In this research, we will be using the following models
from scikit-learn api [33] for comparison: Random Forest
(RF), XGBoost (XGB), Support Vector Machine (SVM) and
Multi-layer Perceptron (MLP) which is a Neutral-Network
implementation of scikit-learn.
We will also utilize sequential neutral network models such
as Long Short-Term Memory (LSTM). LSTM is a variant
VOLUME 12, 2024
TABLE 4. Variables used in the MythSlith Algorithm.
of Recurrent Neutral Network (RNN) and it is designed to
address the problem of vanishing gradients that arises during
the back propagation process. The vanishing gradients is a
problem because weights of edges are adjusted according to
the calculated loss. This inhibit long sequences from updating
earlier layers as the update value is according to the difference
from the last layer. The main difference between LSTM and
its predecessor is the ability to retain more information within
each cell. This is done so by having ‘gates’ to control the
amount of information flow in the network. However, after
a preliminary study, CFG data with LSTM did not yield good
results and we therefore decided to combine the MLP model
into the process making it into a multi-model. MLP model
is chosen because the training epoch can be shared between
both models, allowing for simpler implementation. Inputs
are the Tfidf and CFG data. This allows increased depth
and complexity, resulting in better performance in terms of
generalizing the features.
To ensure a well-trained model, we have implemented
several measures such as k −fold validation, learning−curve
and roc curve. These checks are done to all models before
passing off for the unseen data test. K-fold validation is a data
partitioning method for assessing model performances. This
method evaluate how well a model generalise an independent
dataset. This is done so by having k folds, where k refers to a
number of divided parts for the data. After dividing, 1 part of
the k fold will be used as the independent test data while the
rest would be the training set. This method provides variance
and bias reduction ensuring a more accurate estimation. The
purpose of learning curves is to identify 2 undesirable states
during the training phase for the models, the 2 states are
Underfitting and Overfitting. These states are identified by
looking at it’s training scores, since this is a classification
task we will be using accuracy as the score. Underfitting
occurs when both training and validation scores are low and
continue to persist when more training data is added. Which
infer that the model is too simple and is incapable of capturing
the underlying pattern. Overfitting is when training score is
high while the validation score is significantly lower. This
infer that model may be too complex and will most likely
fail at generalizing the different classes. Learning curves of
each model can be found in Figure 11a. Epochs training
information is much suited for neural network representation,
for our MLP and MLP + LSTM model learning curve
comparison can be found in Figure 11b.
23559
 L. S. H. Colin et al.: Integrated Smart Contract Vulnerability Detection Tool Using MLP

Algorithm 6 MythSlith Algorithm

1: mythrilDepth ← 22
2: if Vulnerability = Reentrancy then
3: Sr ← Slither(sc)
4: output Sr
5: else if (Vulnerability = Unauthorizedsend) or
6: (Vulnerability = Txorigin) or
7: (Vulnerability = Arithmetic) then
8: Mr ← Mythril(sc, mythrilDepth)
9: output Mr
10: else
11: Mr ← Mythril(sc, mythrilDepth)
12: if Mr .Severity = High then
13: output Mr
14: else
15: mythrilDepth ← 100
16: Sr ← Slither(sc)
17: DeepMr ← Mythril(sc, mythrilDepth)
18: if DeepMr .Severity = High then
19: output DeepMr
20: else if Sr .Severity = High then
21: output Sr
22: else if (DeepMr .Severity = Other) or
FIGURE 10. Mapping of Slither vulnerabilities to SWC. 23: (Sr .Severity = Other) then
24: if DeepMr .Severity = Other then
25: output DeepMr
The ROC curve analysis is utilized to evaluate each 26: end if
model’s ability to distinguish specific vulnerabilities from the 27: if Sr .Severity = Other and
rest. These curves, shown in Figure 12, reveal that the RF and 28: |DeepMr .MediumSeverity| < |Sr .MediumSeverity| and
MLP + LSTM models struggle to effectively differentiate 29: |DeepMr .LowSeverity| < |Sr .LowSeverity| then
between the classes. 30: output Sr
31: end if
E. MULTI-MODEL APPROACH 32: end if
Building upon traditional models, we have further developed 33: end if
a multi-model approach utilizing a combination of Tfidf 34: end if
vectorized opcodes and PecanPy node embeddings, employ-
ing a Keras multiple input model. This technique enables the
use of multiple sub-networks, which can be concatenated or
merged into a unified network at a certain point. This method Z3, to determine the satisfiability of the generated symbolic
proves particularly advantageous when dealing with diverse formula, which is a mix of dynamic and formal verification.
data sources, allowing for each to be processed by distinct In [24] an empirical study on available open-sourced tools
models. was done, the result for their curated dataset, which was
In the framework of this multi-model architecture, collected from real vulnerable contracts or injected with bugs,
we employed an MLP for opcode data and an LSTM for showed that Mythril yields an accuracy of 27% while Slither
PecanPy data processing. However, due to the extensive size 17%, though low but they are the highest among all the
of the dataset, we limited our test to only 50 randomly 9 tools presented. In conclusion, [24] suggested to use of a
selected, bugged Solidity contracts from each category. combination of Mythril and Slither which could yield a 37%
accuracy.
F. DESIGN OF MYTHSLITH Certainly, there are also other open-sourced tools available
Analysis tools are considered the go-to when checking for any but, Mythril and Slither are both actively updated and
smart contracts vulnerabilities. However, contemporary tools therefore more suited for a direct comparison. We have
are not yet capable of a full detection [37]. Hence in order designed a new integrated algorithm, MythSlith, a simple
to have a guideline for the ML model, Mythril and Slither is and elegant combination of both tools, which takes reference
used. from a normal depth Mythril analysis to decide on the
Both Mythril and Slither are considered as static tools, process. Mythril is used as the baseline for MythSlith
however, Mythril uses symbolic execution and a SMT solver, because it has a higher detection accuracy as shown

23560 VOLUME 12, 2024

L. S. H. Colin et al.: Integrated Smart Contract Vulnerability Detection Tool Using MLP
in [24]. Furthermore, specific tools have been designated
for addressing vulnerabilities like Reentrancy, Unauthorized
send, Tx origin, and Arithmetic. This allocation stems from
the outcomes detailed in Table 5. Additionally, although
the severity level was initially absent in Slither, it has been
incorporated, referencing the SWC registry and aligning with
the identified vulnerabilities. The algorithm design can be
found in the Algorithm 6. The variables used in MythSlith
Algorithms is listed in Table 4.
G. CHALLENGES
1) MULTIPROCESSING
Multiprocessing is implemented to increase the time taken for
test, however, this has spun off a new problem while changing
solc version. Therefore, in order to prevent compilation error,
all processes are dockerized and solc-select is included inside
both Mythril and Slither dockerfile. Any action that has got
to deal with solc will be spinning up a docker container to
prevent any compiler mismatch issue.
2) UNIFIED VULNERABILITY CLASSIFICATION
Combining Mythril and Slither poses another challenge
which is the definition of vulnerabilities. Though both tools
are capable of detecting some common bugs, they do not use
the same standard. While Mythril uses the more recognized
SWC, Slither uses its own definition. To resolve this, we have
added in SWC definition in the Slither code and incorporated
the output with SWC ID. This will allow both tools to
communicate with reference to the same vulnerabilities
definition standard. In this paper, we have mapped the seven
different vulnerabilities that can be found in Slither to SWC
ID. The mapping can be found in Figure 10.
V. RESULTS AND PERFORMANCE ANALYSIS
In this section, experiment results from both analysis tools
and our ML based approach will be put against each other
for comparison. Effectiveness of each tool will be based
on four parameters namely, (i) accuracy, (ii) precision,
(iii) recall, and (iv) F1 score. These parameters will then
form the confusion matrix for better visualization. All
experiments were conducted on a machine with the following
specifications: R162-ZA1-00 with 16 CPUs x AMD EPYC
7282 16-Core Processor 64GB of RAM and 1.9TB of SSD.
In this paper, a total of 4335 manually verified Solidity
files were sourced from the smart contract sanctuary [31]
repository to track verified smart contracts from the Ethereum
mainnet and testnets, such as rinkeby, ropston, kovan, etc.
And also from Binance Chain, Polygon/Matic, and Tron.
In the mainnet repository, contract versions have a wide
spread from 0.4.1 to 0.8.7 given the latest update. For
this experiment, we will initially consider contracts from
the mainnet and Solidity versions from 0.4.11 to 0.4.26 to
compare against the known ground truths. Any contracts
below 0.4.11 will not be considered due to a known compiler
bug where source indexes could be inconsistent between
VOLUME 12, 2024
different Solidity compiler version. Inconsistency between
the source indexes will affect the bug injection process where
it is reliant on it to insert bugs.
The unseen test set is prepared by a random selection
of 100 solidity files from the Smart Contract Sanctuary.
These files are in addition to the existing 4335 contracts.
These contracts will then go through the same bug injection
and feature extraction procedure as in Algorithm 3 and
Algorithm 4, Algorithm 5.
Complete results can be found in both Table 6 and Table 5.
Table 6 illustrates the overall comparison between analysis
tools and ML models.
A. EVALUATION METRICS
To enable the comparison, SWC standard is utilized as the
benchmark and it can be found in Fig 10. The results of
the analysis tools and ML models are obtained by executing
the same set of data with seven different classifications of
vulnerabilities. The clean category is also added for clarity.
To ensure a balanced and unbiased result from the analysis
tool, each tool will run the clean dataset and then the result
will be used as the baseline, ensuring a reference ground truth.
This is because we can never assume each smart contract is
free of bugs.
Given the result from the analysis, a confusion matrix
will be constructed for the evaluation. The confusion matrix
comprises the following values in accordance with the result
prediction. These values with description can be found in
Table 7.
With these values, we will be able to construct metrics:
• Accuracy: represents ratio of correctly predicted values
to the total dataset. It is a measure of the overall
correctness.
TP + TN
Accuracy = (1)
TP + TN + FP + FN
• Precision: can also be referred as positive predicted
value, represents the number of correctly classified
positive values to the total predicted positives.
TP
Precision = (2)
TP + FP
• Recall: also known as true positive rate, hit rate or
sensitivity, represents the ratio of correctly classified
instances to all datasets.
TP
Recall = (3)
TP + FN
• F1 Score: more useful for uneven dataset or class
distribution. This metric is the weighted average for
Precision and Recall.
2 × (Precision × Recall)
F1 Score = (4)
Precision + Recall
• False Positive Rate: is a proportion for the measure of
incorrectly classified instances as positive.
FP
FPR = (5)
FP + TN
23561
 L. S. H. Colin et al.: Integrated Smart Contract Vulnerability Detection Tool Using MLP

TABLE 5. Comparison of different tools.

In this study, we will be looking at recall followed missing FN has much higher consequences than an increase
by precision and f1 score then accuracy. This is because in FP, as FN can lead to potential security breaches and

23562 VOLUME 12, 2024

L. S. H. Colin et al.: Integrated Smart Contract Vulnerability Detection Tool Using MLP
TABLE 6. Overall comparison different tools.
FIGURE 11. Learning rate with increasing training size (a) and increasing epochs (b).
TABLE 7. Variables used in evaluation metrics calculation.
financial losses. However, it is advised to take both Precision
and F1 scores into consideration to ensure a balanced
model.
B. PERFORMANCE OF MACHINE LEARNING MODELS
In this section, we illustrate the performance comparison
between our ML models, Mythril, Slither, and MythSlith
on the 100 bugged solidity files. The overall performance
analysis of the tools, as summarized in Table 6, shows that
the MLP and SVM models exhibited the highest levels of
accuracy, precision, recall, and F1 score, with MLP achieving
an accuracy of 0.9129 and an F1 score of 0.9127, and SVM
VOLUME 12, 2024
showing a slightly lower accuracy of 0.8954 and an F1 score
of 0.8979. FPR of the models has shed some light on the
performance, that the MLP among the all other models has
the lowest FPR at 0.0125 — which indicates its likeliness to
flag out False positive is unlikely.
The detailed results of the individual vulnerability analysis
are presented in Table 5. This analysis revealed that MLP
has consistently demonstrated superior performance across
most of the vulnerability detection, particularly for the
detection of Clean and Unauthorized send with f1 scores
of 0.8723 and 0.9153 respectively. SVM did well across
most of the categories, however, it has a little trouble with
Reentrancy, while having a high recall of 0.9518 its’ precision
took a toll at 0.7940. The XGB model displayed a consistent
performance across various categories, with a notable F1
score of 0.7716 in the Clean category, though it did not
outperform all other tools in this category. Surprisingly,
bagging ensemble learning technique like RF did not do
very well, measures across the board is not more than 0.67.
The multi-model of MLP and LSTM weak results, while
doing well in Transaction order with F1 score of 0.7176, it is
less effective in other categories. One notable FPR measure
is for the multi-model, where it is 0.4545 for Unhandled
Exceptions, this clearly indicates the low effectiveness of
the features used for the models. While MLP excels in
23563
 L. S. H. Colin et al.: Integrated Smart Contract Vulnerability Detection Tool Using MLP

FIGURE 12. ROC Curves for various models. From left to right, top to bottom: Random Forest, XGBoost, SVM, MLP, MLP+LSTM.

Timestamp Dependency with the lowest measure at 0.0037,
indicating high confidence in the detection.
C. PERFORMANCE COMPARISON WITH SOFTWARE
VERIFICATION AND VALIDATION TOOLS
Results of the tools can be found at Table 5. Right off
the bat, it is clear that current analysis tool is unable to
identify some vulnerabilities. Transaction order seem to be
a challenge for the analysis tools, while Arithmetic proof
to be too hard for Slither to handle. In addition, while it
seem great from the precision point of view for the 3 tools,
recall and F1 score of the does not do very well. This has
yet again emphasised on the findings from [17]. And current
tools has difficulty identifying Clean contracts, with Slither
leading the pack at only 0.375 in precision while the rest
is well below 0.2. Another vulnerability to highlight is the
TimestampDependency, surprisingly all 3 tools did not fare
well with recall being lesser than 0.2. FPR of clean contracts
for Mythril is particularly high at 0.2590, and this behaviour
continues in Reentrancy and Arithmetic. However, it did
really well in Unhandled exceptions where no FP were raised.
Slither did really well in Tx origin with just 0.0007 for its
FPR. However, such performance is not backed by its recall
and f1 score which has clearly indicate poor TP. MythSlith
results were not spectacular, it is just hovering between
Mythil and Slither measures. One example is Timestamp
Dependency where MythSlith has a FPR of 0.0428, Mythril
and Slither have 0.0505 and 0.0179 respectively. Due to its
design, it can never be better than the highest measure by
either tools.
These findings highlight the varying strengths and limi-
tations of each model or tool, underscoring the influence of
vulnerability type on the effectiveness of detection methods.
VI. ANALYSIS AND INFERENCES
A. PRE-PROCESSING AND FEATURE EXTRACTION
In our methodology, opcode sequences are utilized and
simplified technique aimed at enhancing variance. We then
employ Tfidf technique with trigram-based feature extrac-
tion. While this approach is efficient and straightforward,
it suffers from a lack of context awareness. This limitation
stems from its focus on only three consecutive opcodes
at a time, leading to a sparsity issue. The sparsity results
from the model’s limited exposure to examples, potentially
compromising its accuracy and robustness.
Furthermore, the sparse nature of the Tfidf repre-
sentation presents computational challenges, particularly
as data volumes escalate. In the context of our opcode
dataset, this method generates 4, 824 feature columns via
the Tfidf vectorizer. Additionally, the process of opcode
simplification, while conserving computational resources,
introduces significant drawbacks. A primary concern is the
discarding of hexadecimal values, resulting in the loss of vital
address information crucial for source location tracing.
Looking ahead, the adoption of an alternative vectorizer
to Tfidf could potentially yield improved contextual
understanding, enhancing the models’ learning capabilities.
B. COMPARISON OF MYTHSLITH AND MLP MODEL
From the test conducted, it is clear that relying on one tool
for smart contract analysis is not ideal. Current Software and
verification tools such as Mythril [14] and Slither [13] tend to
be on the safe side because the result has high precision with
low recall and f1 score. In our effort to combine them and
weave through the cracks by constructing MythSlith, such
behavior still exists. No significant detection progress was

23564 VOLUME 12, 2024

L. S. H. Colin et al.: Integrated Smart Contract Vulnerability Detection Tool Using MLP
FIGURE 13. Pre-processing time (in ms) for opcode extraction with respect to (from left to right): Line Count, AST Node Count, and Opcode count,
respectively.
TABLE 8. Average time taken for Smart contract vulnerability detection
tool to analyze each smart contract.
made, which then again is expected as no improvement was
done to each tool. However, MythSlith did cover Slither’s
inability to detect Arithmetic vulnerabilities. This can be
observed in Table 5.
In our proposed method, we show that detection via
extracted features from smart contracts presents viable
patterns for machine learning models to learn and classify
them. However, the suitability of different models varies
for this specific application, this can be clearly seen from
the results of RF. Unlike the gradient correction method
employed by XGB, the ensemble bagging approach of RF
did not yield equally effective results. In terms of neural
network method, MLP did well for all categories. In contrast,
the multi-model of MLP + LSTM did not. This is primarily
due to the CFG features derived from Ethersolve [34].
These CFG features did not present a strong pattern for our
model to learn effectively. Furthermore, the generation of
features using PecanPy [35] takes up a substantial amount of
time due to random walks generation. However, the limited
effectiveness of Ethersolve features in this context does not
inherently diminish their value; the challenge may lie more
with PecanPy’s processing demands.
C. RUNNING TIME
In Table 8, we analyze and compare the running times
for the various software validation tools. The running
time for MythSlith is comparable to that of Mythril (or
VOLUME 12, 2024
sometimes lesser). The average running time for MythSlith is
1102.14 seconds whereas that of Mythril is 1270.33 seconds.
Note that unlike Mythril, the average running time of Slither
is only 5.36 seconds since it does not involve the depth of the
symbolic execution. The average running time for MythSlith
is slightly less than that of Mythril since the depth of the
symbolic execution is only increased for certain types of
vulnerabilities, whereas for all other cases where Slither has
better detection accuracy, MythSlith chooses Slither.
As observed in the Table 8, the running time to analyze
a smart contract using ML models is much lesser (in
the order of < 7 seconds) compared to the software
verification tools except for the multi-model MLP+LSTM
since it involves two ML models. It is evident that the time
taken to analyze the smart contract features and predict
using the ML-model is real-time for the smart contract
analysis. Whereas the pre-processing and training time for
the ML-model is an offline process. The pre-processing time
for opcode extraction with respect to the number of lines
in the smart contract, number of AST nodes and number
of CFG opcodes is depicted in Figure 13 from left to right,
respectively. The maximum pre-processing time observed for
a smart contract with 3500 lines is 26 seconds. While most
practical smart contracts with less than 1000 lines of code
take < 10 seconds for pre-processing and opcode extraction.
VII. CONCLUSION AND FUTURE WORKS
Securing smart contracts is no easy feat, as they are not pro-
tected and visible to everyone. Current software verification
tools tend to be on a defensive stance, only flagging the bugs
if they are fully sure about it. This however would let the False
negatives slip through. Therefore, we proposed a machine
learning approach to effectively and efficiently detect seven
types of vulnerabilities while also identifying clean contracts.
This was done by employing models such as Random
Forest, XGBoost, Support Vector Machine, Multi-Layer
Perception, and Long-Short Term Memory. To insert practical
bugs and increase the vulnerability space, we proposed
a practical bug injection technique that injects bugs into
verified smart contracts that were cleaned using our proposed
pre-processing algorithm. This helps to scale up the smart
contracts’ vulnerability space using features such as opcodes
and CFG that were extracted for the model training. Prior
23565
 L. S. H. Colin et al.: Integrated Smart Contract Vulnerability Detection Tool Using MLP
to vectorization, simplification was done to the opcodes in
order to reduce the dimension and remove contract-specific
hexadecimal values. TDIDF was utilized with trigram for the
vectorization and the CFG data was processed by PencanPy
where random walks are generated and vectorized with the
Word2Vec model.
The results of the models were then benchmarked with
software verification tools such as Mythril, Slither, and
an experimental tool proposed in our work — MythSlith.
From the results, machine learning models have shown
superior performance in vulnerability detection than existing
Software verification tools. While testing with real-time
smart contracts, the MLP model performs the best at having
91% accuracy along with higher recall and f1-scores.
The FPR measures show that MLP achieved the best
performance with the lowest average among all other tools
at 0.0125, while MLP+LSTM achieved the lowest FPR of
0.0015 for unauthorized send.
While the current model improves the accuracy with
significantly less FPR while detecting contract-wide bugs,
it can further be improved by pinpointing the exact source
location. One possible solution is to use a combination
of fuzzing with formal verification to extend our current
model to add this feature. This solution however will face a
constraint that model patterns cannot be traced back to the
source location. We can explore some viable solutions for
this constraint by tagging the source index (that may not
be used for model training) to a specific feature, thereby
allowing traceback to the source. Bug injection method
ensures that newer forms of features and inherent patterns
are added. The current bug injection method leverages on
function descriptors. However, not all bugs are in the form
of functions. In future works, we will explore more generic
bug injection methods.
REFERENCES
[1] PR Newswire. (2023). Global Smart Contracts Market to Reach USD
9850 Million by 2030 With 24% CAGR | Revolutionizing Contract
Management, Exploring the Opportunities and Trends Report By
Zion Market Research. Accessed: Sep. 3, 2023. [Online]. Available:
https://finance.yahoo.com/news/global-smart-contracts-market-reach-
160000824.html
[2] P. Praitheeshan, L. Pan, J. Yu, J. Liu, and R. Doss, ‘‘Security analysis
methods on Ethereum smart contract vulnerabilities: A survey,’’ 2019,
arXiv:1908.08605.
[3] K. Ramana, R. M. Mohana, C. K. Kumar Reddy, G. Srivastava, and
T. R. Gadekallu, ‘‘A blockchain-based data-sharing framework for cloud
based Internet of Things systems with efficient smart contracts,’’ in
Proc. IEEE Int. Conf. Commun. Workshops (ICC Workshops), May 2023,
pp. 452–457.
[4] W. Wang, Z. Han, T. R. Gadekallu, S. Raza, J. Tanveer, and C. Su,
‘‘Lightweight blockchain-enhanced mutual authentication protocol for
uavs,’’ IEEE Internet Things J., early access, Oct. 13, 2023, doi:
10.1109/JIOT.2023.3324543.
[5] J. Korn. (Aug. 2022). Report: $1.9 Billion Stolen in Crypto Hacks
So Far This Year. Accessed: Aug. 16, 2022. [Online]. Available:
https://edition.cnn.com/2022/08/16/tech/crypto-hack-rise-2022/index.
html
[6] Binance. (2023). Poolz Finance Hacked, Token Price Drops 93%.
Accessed: May 23, 2023. [Online]. Available: https://www.binance.
com/en/feed/post/309330
23566
[7] SolidityScan. (2023). Poolz Finance Hack Analysis: Still Experiencing
Overflow. SolidityScan Blog. Accessed: May 23, 2023. [Online].
Available: https://blog.solidityscan.com/poolz-finance-hack-analysis-
still-experiencing-overflow-fcf35ab8a6c5
[8] OpenZeppelin. (2022). Developing Smart Contracts. Accessed:
Dec. 26, 2022. [Online]. Available: https://docs.openzeppelin.com
/learn/developing-smart-contracts
[9] ConsenSys. (2022). Smart Contract Best Practices. Accessed:
Dec. 26, 2022. [Online]. Available: https://consensys.github.io/smart-
contract-best-practices/
[10] Crytic. (2022). Detector Documentation. Accessed: Dec. 26, 2022.
[Online]. Available: https://github.com/crytic/slither/wiki/Detector-
Documentation
[11] SmartContractSecurity. (2022). Smart Contract Weakness
Classification Registry. Accessed: Dec. 26, 2022. [Online]. Available:
https://swcregistry.io/
[12] NCC Group. (2024). Top 10 Decentralized Application Security Risks.
Accessed: Dec. 26, 2022. [Online]. Available: https://dasp.co/
[13] J. Feist, G. Grieco, and A. Groce, ‘‘Slither: A static analysis framework for
smart contracts,’’ in Proc. IEEE/ACM 2nd Int. Workshop Emerg. Trends
Softw. Eng. Blockchain (WETSEB), May 2019, pp. 8–15.
[14] B. Mueller, ‘‘Smashing Ethereum smart contracts for fun and real profit,’’
HITB SECCONF Amsterdam, vol. 9, p. 54, Apr. 2018.
[15] M. Mossberg, F. Manzano, E. Hennenfent, A. Groce, G. Grieco,
J. Feist, T. Brunson, and A. Dinaburg, ‘‘Manticore: A user-friendly
symbolic execution framework for binaries and smart contracts,’’ in Proc.
34th IEEE/ACM Int. Conf. Automated Softw. Eng. (ASE), Nov. 2019,
pp. 1186–1189.
[16] L. Luu, D.-H. Chu, H. Olickel, P. Saxena, and A. Hobor, ‘‘Making smart
contracts smarter,’’ in Proc. ACM SIGSAC Conf. Comput. Commun. Secur.,
2016, pp. 254–269.
[17] X. Tang, K. Zhou, J. Cheng, H. Li, and Y. Yuan, ‘‘The vulnerabilities in
smart contracts: A survey,’’ in Proc. 7th Int. Conf. Adv. Artif. Intell. Secur.
(ICAIS) 2021, Dublin, Ireland. Cham, Switzerland: Springer, Jul. 2021,
pp. 177–190.
[18] P. Momeni, Y. Wang, and R. Samavi, ‘‘Machine learning model for smart
contracts security analysis,’’ in Proc. 17th Int. Conf. Privacy, Secur. Trust
(PST), Aug. 2019, pp. 1–6.
[19] W. Wang, J. Song, G. Xu, Y. Li, H. Wang, and C. Su, ‘‘ContractWard:
Automated vulnerability detection models for ethereum smart contracts,’’
IEEE Trans. Netw. Sci. Eng., vol. 8, no. 2, pp. 1133–1144, Apr. 2021.
[20] S. Shakya, A. Mukherjee, R. Halder, A. Maiti, and A. Chaturvedi, ‘‘Smart-
MixModel: Machine learning-based vulnerability detection of solidity
smart contracts,’’ in Proc. IEEE Int. Conf. Blockchain (Blockchain),
Aug. 2022, pp. 37–44.
[21] A. Ghaleb and K. Pattabiraman, ‘‘How effective are smart contract analysis
tools? Evaluating smart contract static analysis tools using bug injection,’’
in Proc. 29th ACM SIGSOFT Int. Symp. Softw. Test. Anal., Jul. 2020,
pp. 415–427.
[22] T. M. Corporation. Common Weakness Enumeration. Accessed: Dec. 28,
2022. [Online]. Available: https://cwe.mitre.org/
[23] G. Wood, ‘‘Ethereum: A secure decentralised generalised transaction
ledger,’’ Ethereum Project Yellow Paper, vol. 151, pp. 1–32, Apr. 2014.
[24] T. Durieux, J. F. Ferreira, R. Abreu, and P. Cruz, ‘‘Empirical review of
automated analysis tools on 47,587 Ethereum smart contracts,’’ in Proc.
IEEE/ACM 42nd Int. Conf. Softw. Eng. (ICSE), Montreal, QC, Canada,
Oct. 2020, pp. 530–541.
[25] S. S. Kushwaha, S. Joshi, D. Singh, M. Kaur, and H. Lee, ‘‘Systematic
review of security vulnerabilities in Ethereum blockchain smart contract,’’
IEEE Access, vol. 10, pp. 6605–6621, 2022.
[26] L. Duan, L. Yang, C. Liu, W. Ni, and W. Wang, ‘‘A new smart contract
anomaly detection method by fusing opcode and source code features for
blockchain services,’’ IEEE Trans. Netw. Service Manage., vol. 20, no. 4,
pp. 4354–4368, Dec. 2023.
[27] J. Zheng, L. Williams, N. Nagappan, W. Snipes, J. P. Hudepohl, and
M. A. Vouk, ‘‘On the value of static analysis for fault detection in
software,’’ IEEE Trans. Softw. Eng., vol. 32, no. 4, pp. 240–253, Apr. 2006.
[28] T. Ball, ‘‘The concept of dynamic analysis,’’ ACM SIGSOFT Softw. Eng.
Notes, vol. 24, no. 6, pp. 216–234, Nov. 1999.
[29] R. Calinescu, C. Ghezzi, K. Johnson, M. Pezzé, Y. Rafiq, and
G. Tamburrelli, ‘‘Formal verification with confidence intervals to establish
quality of service properties of software systems,’’ IEEE Trans. Rel.,
vol. 65, no. 1, pp. 107–125, Mar. 2016.
VOLUME 12, 2024
L. S. H. Colin et al.: Integrated Smart Contract Vulnerability Detection Tool Using MLP
[30] J. Chen, X. Xia, D. Lo, J. Grundy, X. Luo, and T. Chen, ‘‘DefectChecker:
Automated smart contract defect detection by analyzing EVM bytecode,’’
IEEE Trans. Softw. Eng., vol. 48, no. 7, pp. 2189–2207, Jul. 2022.
[31] M. Ortner and S. Eskandari. Smart Contract Sanctuary. [Online].
Available: https://github.com/tintinweb/smart-contract-sanctuary
[32] W. B. Cavnar and J. M. Trenkle, ‘‘N -gram-based text categorization,’’ in
Proc. 3rd Annu. Symp. Document Anal. Inf. Retr. (SDAIR), vol. 161175.
Las Vegas, NV, USA, 1994, pp. 1–14.
[33] L. Buitinck, G. Louppe, M. Blondel, F. Pedregosa, A. Mueller,
O. Grisel, V. Niculae, P. Prettenhofer, A. Gramfort, J. Grobler, R. Layton,
J. VanderPlas, A. Joly, B. Holt, and G. Varoquaux, ‘‘API design for
machine learning software: Experiences from the scikit-learn project,’’ in
Proc. ECML PKDD Workshop Lang. Data Mining Mach. Learn., 2013,
pp. 108–122.
[34] F. Contro, M. Crosara, M. Ceccato, and M. D. Preda, ‘‘EtherSolve:
Computing an accurate control-flow graph from Ethereum bytecode,’’ in
Proc. 29th IEEE/ACM Int. Conf. Program Comprehension, May 2021,
pp. 127–137.
[35] R. Liu and A. Krishnan, ‘‘PecanPy: A fast, efficient and parallelized
Python implementation of node2vec,’’ Bioinformatics, vol. 37, no. 19,
pp. 3377–3379, Oct. 2021.
[36] A. Grover and J. Leskovec, ‘‘node2vec: Scalable feature learning for
networks,’’ in Proc. 22nd ACM SIGKDD Int. Conf. Knowl. Discovery Data
Mining, Aug. 2016.
[37] P. Qian, Z. Liu, Q. He, B. Huang, D. Tian, and X. Wang, ‘‘Smart contract
vulnerability detection technique: A survey,’’ 2022, arXiv:2209.05872.
LEE SONG HAW COLIN (Member, IEEE)
received the bachelor’s degree in mechatron-
ics engineering from the Singapore Institute of
Technology–University of Glasgow, in 2016. He is
currently pursuing the Master of Engineering
degree in future communications and blockchain
with the Singapore Institute of Technology. He is
a Research Engineer with the Singapore Institute
of Technology. His professional journey includes a
significant role in the development of a COVID-19
CMS application with the GP Connect Team. His current research interests
include the intersection of AI, blockchain, and their applications in 5G
networks.
VOLUME 12, 2024
PURNIMA MURALI MOHAN (Member, IEEE)
received the M.S. and Ph.D. degrees in electrical
and computer engineering from the National
University of Singapore, in 2014 and 2018, respec-
tively. She held a postdoctoral researcher position
with the National University of Singapore, until
2018. She is currently an Assistant Professor with
the Information and Communications Technology
Cluster, Singapore Institute of Technology. She
has expertise in Layer 2 and Layer 3 network pro-
tocols while working with the industry. Her current research interests include
blockchain and AI, security in next-generation networks, optimization, and
heuristics algorithm design.
JONATHAN PAN (Member, IEEE) received the
Ph.D. degree in information technology and cyber
security from Murdoch University, Australia. He is
currently the Chief of the Disruptive Technolo-
gies Office and the Director of Cybersecurity
of the Home Team Science and Technology
Agency, which is a statutory board formed under
Singapore’s Ministry of Home Affairs to develop
science and technology capabilities for the Home
Team. He is also an Adjunct Associate Professor
with Nanyang Technological University, Singapore. His research interests
include cybersecurity, AI, and blockchain.
PETER LOH KOK KEONG (Senior Member,
IEEE) received the M.Sc. degree in computer sci-
ence from the University of Manchester, U.K., and
the Ph.D. degree in computer engineering from
Nanyang Technological University, Singapore.
He is currently an Associate Professor with
the Information and Communications Technology
Cluster, Singapore Institute of Technology. He is a
registered Professional Engineer in Singapore and
a Chartered Engineer in U.K. He has more than
35 years of professional engineering, research, academic, and consultative
experience. To date, he has authored/coauthored more than 100 publications,
with several in high-impact, international, and peer-reviewed journals. His
research interests include information and cyber security, data analytics and
machine learning for digital crime, blockchain and the IoT, and malware
analysis and classification.
23567