LogicScan: An LLM-driven Framework for Detecting Business Logic Vulnerabilities in Smart Contracts

Business logic vulnerabilities have become one of the most damaging yet least understood classes of smart contract vulnerabilities. Unlike traditional bugs such as reentrancy or arithmetic errors, these vulnerabilities arise from missing or incorrectly enforced business invariants and are tightly coupled with protocol semantics. Existing static analysis techniques struggle to capture such high-level logic, while recent large language model based approaches often suffer from unstable outputs and low accuracy due to hallucination and limited verification. In this paper, we propose LogicScan, an automated contrastive auditing framework for detecting business logic vulnerabilities in smart contracts. The key insight behind LogicScan is that mature, widely deployed on-chain protocols implicitly encode well-tested and consensus-driven business invariants. LogicScan systematically mines these invariants from large-scale on-chain contracts and reuses them as reference constraints to audit target contracts. To achieve this, LogicScan introduces a Business Specification Language (BSL) to normalize diverse implementation patterns into structured, verifiable logic representations. It further combines noise-aware logic aggregation with contrastive auditing to identify missing or weakly enforced invariants while mitigating LLM-induced false positives. We evaluate LogicScan on three real-world datasets, including DeFiHacks, Web3Bugs, and a set of top-200 audited contracts. The results show that LogicScan achieves an F1 score of 85.2%, significantly outperforming state-of-the-art tools while maintaining a low false-positive rate on production-grade contracts. Additional experiments demonstrate that LogicScan maintains consistent performance across different LLMs and is cost-effective, and that its false-positive suppression mechanisms substantially improve robustness.

💡 Research Summary

LogicScan introduces a novel, LLM‑driven framework for automatically detecting business‑logic vulnerabilities in Ethereum smart contracts. Unlike traditional static or dynamic analysis tools that excel at low‑level bugs such as re‑entrancy or integer overflow, LogicScan targets high‑level semantic errors that arise when a contract fails to enforce essential business invariants (e.g., health‑factor checks in lending protocols). The core insight is that mature, widely deployed on‑chain protocols implicitly encode a set of consensus‑based invariants through repeated audits and community usage. By mining these invariants from a large corpus of on‑chain contracts and using them as reference constraints, LogicScan can flag missing or weakly enforced checks in target contracts.

The system consists of two main components: Logic Miner and Logic Checker. Logic Miner scans thousands of verified contracts, extracts their business logic using a lightweight LLM, and translates the raw Solidity code into a structured intermediate representation called the Business Specification Language (BSL). BSL captures three layers—state variables, business entry functions, and internal logic functions—and normalizes all guard clauses into a unified checkCondition syntax (assert, require, or if‑revert transformed into positive assertions). This normalization enables cross‑contract matching despite diverse coding styles.

Logic Checker performs “contrastive auditing.” For a given target contract, it retrieves semantically similar reference contracts from the mined database, obtains their BSL‑encoded invariants, and prompts an LLM to generate the expected pre‑conditions for each target function. The generated BSL is then compared against the target’s actual implementation. A noise‑aware aggregation module combines multi‑dimensional embeddings (function‑level, version‑level, category‑level) to produce high‑quality invariant clusters and to filter out hallucinated or redundant checks produced by the LLM. When a required invariant is absent, Logic Checker emits a warning with the precise location and the missing condition.

The authors evaluate LogicScan on three real‑world datasets: DeFiHacks (a collection of known DeFi exploits), Web3Bugs (publicly disclosed bugs), and the top‑200 audited contracts by market cap. Across all datasets, LogicScan achieves an average F1 score of 85.2%, substantially outperforming state‑of‑the‑art static tools (Slither, Mythril), dynamic fuzzers (Echidna, ContractFuzzer), and recent LLM‑based scanners (GPTScan, PropertyGPT). Notably, on DeFiHacks it detects 94.3% of the known vulnerabilities while maintaining a false‑positive rate below 7.1% on production‑grade contracts. The framework’s performance remains stable when swapping LLM back‑ends (GPT‑3.5, Claude‑2, LLaMA‑2), and the cost analysis shows a per‑token expense of roughly $0.001, making large‑scale audits economically feasible.

Key contributions are: (1) a contrastive auditing paradigm that leverages consensus business invariants mined from live contracts; (2) the design of BSL, a lightweight yet expressive IR that bridges unstructured Solidity code and automated logic analysis while mitigating LLM hallucinations through dual validation; (3) a noise‑aware logic aggregation technique that handles implementation diversity and data noise; and (4) a comprehensive empirical validation demonstrating superior accuracy, robustness, and cost‑effectiveness.

Limitations include dependence on the quality and coverage of the mined on‑chain dataset—rare or emerging protocols may lack sufficient reference invariants—and the current BSL focus on simple pre‑condition/action patterns, which may not capture more intricate state‑transition logic. Future work could extend BSL to model complex state machines, integrate on‑chain governance metadata, and apply the framework to other domains such as NFT marketplaces or DAO contracts. Overall, LogicScan represents a significant step toward practical, automated security auditing of smart contract business logic.