AdvSCanner: Generating Adversarial Smart Contracts to Exploit Reentrancy Vulnerabilities Using LLM and Static Analysis

DataCite Commons. Updated 2024-06-11. Indexed 2024-08-19.
Download link:
https://figshare.com/articles/dataset/AdvSCanner_LLM___/26014876/1
Resource description:

Smart contracts are prone to vulnerabilities, and reentrancy attacks pose significant risks due to their destructive potential. While various methods exist for detecting reentrancy vulnerabilities in smart contracts—such as static analysis—these approaches typically suffer from high false positive rates and fail to directly illustrate how to exploit the detected vulnerabilities in attacks. In this paper, we address a challenging task: generating exploits for identified reentrancy vulnerabilities. To address this challenge, we introduce AdvSCanner, a novel method that leverages large language models (LLMs) and static analysis to automatically generate adversarial smart contracts (ASCs) designed to exploit reentrancy vulnerabilities in victim contracts. The core idea of AdvSCanner is to use static analysis to extract attack flows related to reentrancy vulnerabilities, and leverage these flows to guide LLMs in generating ASCs. To mitigate the inherent inaccuracies in LLM outputs, AdvSCanner incorporates a self-reflective component that collects compilation and attack-triggered feedback from the generated ASCs, and optimizes ASC generation when necessary. Experimental evaluations demonstrate the effectiveness of AdvSCanner: its success rate (85.90%) is significantly higher than that of the state-of-the-art baseline method, which only achieves 32.05%. Furthermore, a case study shows that using AdvSCanner during the audit process can drastically reduce audit time, from 24 hours (without assistance) to approximately 3 hours.
Provider:
figshare
Created:
2024-06-11
Collected summary
Dataset introduction
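Background and challenges
Background overview
This dataset relates to research on the AdvSCanner method, which combines LLMs and static analysis to automatically generate adversarial contracts that exploit reentrancy vulnerabilities in smart contracts. Experiments show a success rate as high as 85.9% and a reduction in audit time from 24 hours to 3 hours. The dataset contains the related research files and experimental data.
The above content was collected and summarized by 遇见数据集.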