The authors evaluated whether LLMs can reliably identify security vulnerabilities in smart contracts (blockchain code) and whether they could replace traditional static-analysis tools. They built an automated framework that achieves 92% accuracy in classifying LLM outputs and found that LLMs suffer from lexical bias—they rely on superficial cues like variable names rather than actual program semantics, leading to high false-positive rates.
Main takeaways:
- LLMs show lexical bias: they flag vulnerabilities based on identifier naming and other surface patterns rather than real semantic analysis
- This reliance on non-semantic heuristics produces many false positives when used as autonomous security auditors
- There's a precision-recall tradeoff when using different prompting techniques—you can tune for fewer false alarms or better coverage but not both
- Current LLMs are better suited as complements to traditional tools rather than replacements for rigorous static analysis