AttackPathGNN: Cross-function vulnerability detection in smart contracts using state interference graphs and conjunction pooling

2026-06-04 · Source: Artificial Intelligence · Field: Technology & Digital — Artificial Intelligence & Machine Learning, Cybersecurity & Data Privacy, Blockchain & Distributed Ledger Technology · Depth: Expert, quick

Summary

AttackPathGNN is a novel graph neural network designed for detecting cross-function vulnerabilities in Solidity smart contracts, addressing limitations of existing learning-based detectors that focus on single functions. This GNN identifies complex exploits, such as those seen in The DAO and Cream Finance, by reasoning over explicit attack paths. Its architecture incorporates a State Interference Graph, which connects functions sharing mutable storage through typed, weighted edges and directed reentrancy-path edges based on a five-condition predicate. Additionally, it employs conjunction pooling, a differentiable AND-aggregator that evaluates eight exploit preconditions, ensuring scores collapse if mitigations like reentrancy guards or SafeMath are present. AttackPathGNN achieves 92.3+/-0.2% F1 on the SmartBugs Wild test partition, with a 4.3+/-0.3% false-negative rate, and a 90.8+/-2.5% detection rate on SmartBugs Curated. It recovers 6/10 DASP10 categories at 100% and Reentrancy at 98.7+/-1.8%, providing actionable, function-level remediation reports.

Key takeaway

For AI Security Engineers developing smart contract auditing tools, AttackPathGNN demonstrates a critical shift from single-function analysis to cross-function vulnerability detection. You should consider integrating graph neural networks that explicitly model inter-function state interference and conditional exploit paths. This approach significantly improves the detection of complex exploits like reentrancy, offering more comprehensive and actionable remediation reports for your audits.

Key insights

Cross-function smart contract vulnerabilities are detectable by GNNs modeling inter-function state interference and conditional exploit paths.

Principles

• Vulnerabilities often arise from inter-function relationships.
• Explicitly model state interference between functions.
• Conjunction pooling can represent conditional exploit logic.

Method

AttackPathGNN constructs a State Interference Graph with typed, weighted edges and reentrancy-path edges. It then uses conjunction pooling, a log-sigmoid AND-aggregator, over eight exploit preconditions to determine vulnerability.

In practice

• Use GNNs for complex smart contract vulnerability detection.
• Incorporate explicit state interference modeling.
• Design aggregators sensitive to mitigation presence.

Topics

• Smart Contract Security
• Graph Neural Networks
• Solidity Vulnerabilities
• Reentrancy Detection
• State Interference Graphs
• Conjunction Pooling

Best for: Research Scientist, AI Scientist, AI Security Engineer, Machine Learning Engineer

Related on AIssential

• AttackPathGNN: Cross-function vulnerability detection in smart contracts using state interference graphs and conjunction pooling — Cross-function smart contract vulnerabilities require reasoning over inter-function relationships, not just single-function patterns.
• AI cybersecurity is not proof of work — AI cybersecurity success depends on model intelligence and understanding, not merely "proof of work" computational resources.
• Joint Sensor Deployment and Physics-Informed Graph Transformer for Smart Grid Attack Detection — Jointly optimizing sensor placement and physics-informed graph transformers significantly enhances smart grid attack detection and robustness.
• Decoupled Smart Contract Audits: Lightweight LLM Framework via Distillation and Aggregation — Lightweight LLMs can achieve high accuracy in smart contract auditing by decoupling tasks and employing distillation and aggregation strategies.
• New benchmark shows AI agents can exploit most smart contract vulnerabilities on their own — AI agents demonstrate significant capability in exploiting and fixing smart contract vulnerabilities, especially with location hints.
• FlowGuard: Flow Matching for Identity-Independent Detection of Data-Free Model Stealing Attacks on Energy System Intrusion Detection Systems — FlowGuard detects data-free model stealing in energy IDS by identifying synthetic queries as out-of-distribution via flow matching.

Open in AIssential →

Editorial summary, takeaway, and curation by AIssential. Original article published by Artificial Intelligence.