Using ChatGPT for logic vulnerability detection.
- Install dependencies,
- Requires Python 3.10+
- Install Python dependencies:
pip install -r requirements.txt
- Run GPTScan
For example, if the source code is stored in the /source directory, run the command:
python3.10 main.py -s /sourcecode -o /sourcecode/output.json -k OPEN_AI_API_KEY_xxxxxxxxxxxxx- Check the output
The output results are located at the location specified by the -o parameter, in the example above, it is located at /sourcecode/output.json.
Currently supported project types include:
- Single file, i.e., a single
.solfile - Multi-file, i.e., a directory with multiple
.solfiles, without any other external dependencies - Common framework projects, such as Truffle, Hardhat, Brownie, etc.
Tested frameworks include:
- Hardhad
- Truffle
- Brownie
Note that this project does not include the compilation environment, such as Node.js, which needs to be installed separately.
Dataset used to evaluate GPTScan in the paper, are the following:
- Web3Bugs: https://github.com/MetaTrustLabs/GPTScan-Web3Bugs
- DefiHacks: https://github.com/MetaTrustLabs/GPTScan-DefiHacks
- Top200: https://github.com/MetaTrustLabs/GPTScan-Top200
@inproceedings{sun2024gptscan,
author = {Sun, Yuqiang and Wu, Daoyuan and Xue, Yue and Liu, Han and Wang, Haijun and Xu, Zhengzi and Xie, Xiaofei and Liu, Yang},
title = {{GPTScan}: Detecting Logic Vulnerabilities in Smart Contracts by Combining GPT with Program Analysis},
year = {2024},
isbn = {9798400702174},
publisher = {Association for Computing Machinery},
address = {New York, NY, USA},
url = {https://doi.org/10.1145/3597503.3639117},
doi = {10.1145/3597503.3639117},
booktitle = {Proceedings of the IEEE/ACM 46th International Conference on Software Engineering},
articleno = {166},
numpages = {13},
series = {ICSE '24}
}