# Efficient Fine-Tuning of Qwen 2.5 Coder 14B with Unsloth
nce.

### Key Features

- **Model Size**: 14.7 billion parameters, with 13.1 billion non-embedding parameters.
- **Architecture**: Utilizes transformers with multiple layers (48 layers) and attention heads (40 for queries and 8 for keys/values).
- **Context Length**: Supports long contexts of up to 131,072 tokens, allowing it to handle extensive code and text inputs effectively.
- **Training Tokens**: Trained on a vast dataset of 5.5 trillion tokens, which includes a variety of source code and synthetic data.ons.


In [1]:
%%capture
import os
if "COLAB_" not in "".join(os.environ.keys()):
    !pip install unsloth
else:
    # Do this only in Colab notebooks! Otherwise use pip install unsloth
    !pip install --no-deps bitsandbytes accelerate xformers==0.0.29.post3 peft trl==0.15.2 triton cut_cross_entropy unsloth_zoo
    !pip install sentencepiece protobuf datasets huggingface_hub hf_transfer
    !pip install --no-deps unsloth

In [2]:
from huggingface_hub import login
from getpass import getpass

hf_token = getpass("Enter your Hugging Face token: ")
login(hf_token)

"""Login to Weights & Biases using the API key to initiate the project.

"""

import wandb
from getpass import getpass

wb_token = getpass("Enter your W&B API token: ")
wandb.login(key=wb_token)

run = wandb.init(
    project='Fine-tuning kg Qwen-coder-14b-on-Solidity-detection',
    job_type="training",
    anonymous="allow"
)


Enter your Hugging Face token: ··········
Enter your W&B API token: ··········


[34m[1mwandb[0m: No netrc file found, creating one.
[34m[1mwandb[0m: Appending key for api.wandb.ai to your netrc file: /root/.netrc
[34m[1mwandb[0m: Currently logged in as: [33mquynhnhu170218[0m ([33mquynhnhu170218-uit[0m) to [32mhttps://api.wandb.ai[0m. Use [1m`wandb login --relogin`[0m to force relogin


In [3]:
from unsloth import FastLanguageModel
import torch
max_seq_length = 2048 # Choose any! We auto support RoPE Scaling internally!
dtype = None          # None for auto detection. Float16 for Tesla T4, V100, Bfloat16 for Ampere+
load_in_4bit = True   # Use 4bit quantization to reduce memory usage. Can be False.

model, tokenizer = FastLanguageModel.from_pretrained(
    model_name = "unsloth/Qwen2.5-Coder-14B-Instruct",
    max_seq_length = max_seq_length,
    dtype = dtype,
    load_in_4bit = load_in_4bit,
    # token = "hf_...", # use one if using gated models like meta-llama/Llama-2-7b-hf
)

🦥 Unsloth: Will patch your computer to enable 2x faster free finetuning.
🦥 Unsloth Zoo will now patch everything to make training faster!
==((====))==  Unsloth 2025.4.7: Fast Qwen2 patching. Transformers: 4.51.3.
   \\   /|    Tesla T4. Num GPUs = 1. Max memory: 14.741 GB. Platform: Linux.
O^O/ \_/ \    Torch: 2.6.0+cu124. CUDA: 7.5. CUDA Toolkit: 12.4. Triton: 3.2.0
\        /    Bfloat16 = FALSE. FA [Xformers = 0.0.29.post3. FA2 = False]
 "-____-"     Free license: http://github.com/unslothai/unsloth
Unsloth: Fast downloading is enabled - ignore downloading bars which are red colored!


model.safetensors.index.json:   0%|          | 0.00/210k [00:00<?, ?B/s]

Fetching 2 files:   0%|          | 0/2 [00:00<?, ?it/s]

model-00002-of-00002.safetensors:   0%|          | 0.00/4.93G [00:00<?, ?B/s]

model-00001-of-00002.safetensors:   0%|          | 0.00/5.00G [00:00<?, ?B/s]

Loading checkpoint shards:   0%|          | 0/2 [00:00<?, ?it/s]

generation_config.json:   0%|          | 0.00/266 [00:00<?, ?B/s]

tokenizer_config.json:   0%|          | 0.00/7.51k [00:00<?, ?B/s]

vocab.json:   0%|          | 0.00/2.78M [00:00<?, ?B/s]

merges.txt:   0%|          | 0.00/1.67M [00:00<?, ?B/s]

added_tokens.json:   0%|          | 0.00/632 [00:00<?, ?B/s]

special_tokens_map.json:   0%|          | 0.00/613 [00:00<?, ?B/s]

tokenizer.json:   0%|          | 0.00/7.03M [00:00<?, ?B/s]

# post-inference

# Data prep

In [4]:
prompt_style = """
Below is an instruction describing a task, followed by a smart contract code snippet. Analyze the code and provide a structured response identifying security vulnerabilities and corresponding remediations.



### Instruction:
You are a smart contract security assistant with deep expertise in Ethereum, Solidity, and DeFi security. Analyze the provided code snippet for vulnerabilities. For each identified issue, give a detailed description, a severity level, and a concrete recommendation to fix or mitigate it.


### Question:
List all the vulnerabilities in this smart contract, and provide recommendations to remediate the issues.

### Code:
{}

### Response:
### Analysis
- Vulnerability description: {}
  - Recommendation: {}
  - type: {}
"""

In [5]:
from datasets import load_dataset

EOS_TOKEN = tokenizer.eos_token

def formatting_prompts_func(examples):
    codes = examples["code"]
    descriptions = examples["description"]
    recommendations = examples["recommendation"]
    types = examples["type"]
    texts = []
    for code, des, rec, tov in zip(codes, descriptions, recommendations, types):
        text = prompt_style.format(code, des, rec, tov) + EOS_TOKEN
        texts.append(text)
    return {"text": texts}


dataset = load_dataset("msc-smart-contract-auditing/audits-with-reasons", split="train")
# dataset = dataset.select(range(5000, 10000))
dataset = dataset.map(formatting_prompts_func, batched=True)

README.md:   0%|          | 0.00/3.35k [00:00<?, ?B/s]

train-00000-of-00001.parquet:   0%|          | 0.00/4.23M [00:00<?, ?B/s]

test-00000-of-00001.parquet:   0%|          | 0.00/743k [00:00<?, ?B/s]

Generating train split:   0%|          | 0/2472 [00:00<?, ? examples/s]

Generating test split:   0%|          | 0/437 [00:00<?, ? examples/s]

Map:   0%|          | 0/2472 [00:00<?, ? examples/s]

In [6]:
try:
    print("### Example Prompt:")
    print(dataset["text"][0])
except IndexError:
    print("Dataset is empty or formatting failed.")

### Example Prompt:

Below is an instruction describing a task, followed by a smart contract code snippet. Analyze the code and provide a structured response identifying security vulnerabilities and corresponding remediations.



### Instruction:
You are a smart contract security assistant with deep expertise in Ethereum, Solidity, and DeFi security. Analyze the provided code snippet for vulnerabilities. For each identified issue, give a detailed description, a severity level, and a concrete recommendation to fix or mitigate it.


### Question:
List all the vulnerabilities in this smart contract, and provide recommendations to remediate the issues.

### Code:
```\nrequire(block.timestamp >= _d.withdrawalRequestTime + TBTCConstants.getIncreaseFeeTimer(), "Fee increase not yet permitted");\n```\n```\nuint256 _previousOutputValue = DepositUtils.bytes8LEToUint(_previousOutputValueBytes);\n_newOutputValue = DepositUtils.bytes8LEToUint(_newOutputValueBytes);\nrequire(_previousOutputValue.sub

## Model Training

In [7]:
train_prompt_style = """
Below is an instruction describing a task, followed by a smart contract code snippet. Analyze the code and provide a structured response identifying security vulnerabilities and corresponding remediations.



### Instruction:
You are a smart contract security assistant with deep expertise in Ethereum, Solidity, and DeFi security. Analyze the provided code snippet for vulnerabilities. For each identified issue, give a detailed description, a severity level, and a concrete recommendation to fix or mitigate it.


### Question:
List all the vulnerabilities in this smart contract, and provide recommendations to remediate the issues.

### Code:
{}

### Response:
### Analysis
- Vulnerability description: {}
  - Recommendation: {}
  - type: {}
"""

In [8]:
# === Enable LoRA ===
model = FastLanguageModel.get_peft_model(
    model,
    r=16,
    target_modules=["q_proj", "k_proj", "v_proj", "o_proj", "gate_proj", "up_proj", "down_proj"],
    lora_alpha=16,
    lora_dropout=0,
    bias="none",
    use_gradient_checkpointing="unsloth",
    random_state=42,
    use_rslora=False,
)

Unsloth 2025.4.7 patched 48 layers with 48 QKV layers, 48 O layers and 48 MLP layers.


In [9]:
from trl import SFTTrainer
from transformers import TrainingArguments, DataCollatorForSeq2Seq
from unsloth import is_bfloat16_supported
trainer = SFTTrainer(
    model=model,
    tokenizer=tokenizer,
    train_dataset=dataset,
    dataset_text_field="text",
    max_seq_length=max_seq_length,
    dataset_num_proc=2,
    args=TrainingArguments(
        per_device_train_batch_size=2,
        gradient_accumulation_steps=4,
        warmup_steps=5,
        max_steps=60,
        learning_rate=2e-4,
        fp16=not is_bfloat16_supported(),
        bf16=is_bfloat16_supported(),
        optim="adamw_8bit",
        weight_decay=0.01,
        lr_scheduler_type="linear",
        seed=42,
        output_dir="outputs",
        logging_strategy="steps",      # log every few steps
        logging_steps=1,               # how often to log
        save_strategy="no",            # avoid saving checkpoints if not needed
        disable_tqdm=False,            # enable progress bar
    ),
)

Unsloth: Tokenizing ["text"] (num_proc=2):   0%|          | 0/2472 [00:00<?, ? examples/s]

In [10]:
trainer_stats = trainer.train()

==((====))==  Unsloth - 2x faster free finetuning | Num GPUs used = 1
   \\   /|    Num examples = 2,472 | Num Epochs = 1 | Total steps = 60
O^O/ \_/ \    Batch size per device = 2 | Gradient accumulation steps = 4
\        /    Data Parallel GPUs = 1 | Total batch size (2 x 4 x 1) = 8
 "-____-"     Trainable parameters = 68,812,800/14,000,000,000 (0.49% trained)


Unsloth: Will smartly offload gradients to save VRAM!


Step,Training Loss
1,1.3218
2,1.4029
3,1.4728
4,1.3107
5,1.2309
6,1.1564
7,1.2345
8,1.0988
9,1.0636
10,1.009


In [13]:
train_prompt_style = """
Below is an instruction describing a task, followed by a smart contract code snippet. Analyze the code and provide a structured response identifying security vulnerabilities and corresponding remediations.



### Instruction:
You are a smart contract security assistant with deep expertise in Ethereum, Solidity, and DeFi security. Analyze the provided code snippet for vulnerabilities. For each identified issue, give a detailed description, a severity level, and a concrete recommendation to fix or mitigate it.


### Question:
List all the vulnerabilities in this smart contract, and provide recommendations to remediate the issues.

### Code:
{}

### Response:
 {}
"""

In [14]:
code = """
what is the vulnerabilities of this code snippet:
\nrequire(block.timestamp >= _d.withdrawalRequestTime + TBTCConstants.getIncreaseFeeTimer(), "Fee increase not yet permitted");\n```\n```\nuint256 _previousOutputValue = DepositUtils.bytes8LEToUint(_previousOutputValueBytes);\n_newOutputValue = DepositUtils.bytes8LEToUint(_newOutputValueBytes);\nrequire(_previousOutputValue.sub(_newOutputValue) == _d.initialRedemptionFee, "Not an allowed fee step");\n```\n```\nrequire(\n    _d.utxoSize().sub(_fundingOutputValue) <= _d.initialRedemptionFee * 5,\n    "Fee unexpectedly very high"\n);\
"""

In [15]:
FastLanguageModel.for_inference(model)
inputs = tokenizer([train_prompt_style.format(code, "")], return_tensors="pt").to("cuda")
outputs = model.generate(input_ids=inputs.input_ids, attention_mask=inputs.attention_mask, max_new_tokens=1024)
print("\n### Post-finetuning Inference Example:")
print(tokenizer.batch_decode(outputs)[0].split("### Response:")[1])


### Post-finetuning Inference Example:

 
### Analysis
- Vulnerability description: The `TBTCVault` contract's `_processRedemption` function is vulnerable to a scenario where a malicious depositor can manipulate the fee calculation by creating a deposit with an output value that is significantly lower than the initial redemption fee. This can be achieved by creating a deposit with an output value that is equal to the initial redemption fee multiplied by 5, which is the maximum allowed fee increase. The `require` statement at the end of the function checks if the difference between the previous output value and the new output value is equal to the initial redemption fee, but it does not account for the possibility of a deposit being created with an output value that is significantly lower than the initial redemption fee. This can lead to a situation where the fee calculation is manipulated, resulting in a higher fee being charged to the depositor.
  - Recommendation: To prevent a malic

In [16]:
model.save_pretrained("Qwen-Coder-2.5-Solidity-14B") # Local saving
tokenizer.save_pretrained("Qwen-Coder-2.5-Solidity-14B")

# model.push_to_hub("your_name/lora_model", token = "...") # Online saving
# tokenizer.push_to_hub("your_name/lora_model", token = "...") # Online saving

('Qwen-Coder-2.5-Solidity-14B/tokenizer_config.json',
 'Qwen-Coder-2.5-Solidity-14B/special_tokens_map.json',
 'Qwen-Coder-2.5-Solidity-14B/vocab.json',
 'Qwen-Coder-2.5-Solidity-14B/merges.txt',
 'Qwen-Coder-2.5-Solidity-14B/added_tokens.json',
 'Qwen-Coder-2.5-Solidity-14B/tokenizer.json')

In [17]:
new_model_online = "Nhudang/Qwen-Coder-2.5-14B-Solidity-test"
model.push_to_hub(new_model_online) # Online saving
tokenizer.push_to_hub(new_model_online) # Online saving

README.md:   0%|          | 0.00/606 [00:00<?, ?B/s]

adapter_model.safetensors:   0%|          | 0.00/275M [00:00<?, ?B/s]

Saved model to https://huggingface.co/Nhudang/Qwen-Coder-2.5-14B-Solidity-test


tokenizer.json:   0%|          | 0.00/11.4M [00:00<?, ?B/s]