Skip to content
Sagan

Paper

Benchmarking LLM-Based Static Analysis for Secure Smart Contract Development: Reliability, Limitations, and Potential Hybrid Solutions

Unreadunread

AI summary

The authors evaluated whether LLMs can reliably identify security vulnerabilities in smart contracts (blockchain code) and whether they could replace traditional static-analysis tools. They built an automated framework that achieves 92% accuracy in classifying LLM outputs and found that LLMs suffer from lexical bias—they rely on superficial cues like variable names rather than actual program semantics, leading to high false-positive rates.

Main takeaways:

  • LLMs show lexical bias: they flag vulnerabilities based on identifier naming and other surface patterns rather than real semantic analysis
  • This reliance on non-semantic heuristics produces many false positives when used as autonomous security auditors
  • There's a precision-recall tradeoff when using different prompting techniques—you can tune for fewer false alarms or better coverage but not both
  • Current LLMs are better suited as complements to traditional tools rather than replacements for rigorous static analysis