Augmenting Smart Contract Decompiler Output through Fine-grained Dependency Analysis and LLM-facilitated Semantic Recovery

Basic Information

• Paper ID: 2501.08670
• Title: Augmenting Smart Contract Decompiler Output through Fine-grained Dependency Analysis and LLM-facilitated Semantic Recovery
• Authors: Zeqin Liao, Yuhong Nan, Zixu Gao, Henglong Liang, Sicheng Hao, Peifan Ren, Zibin Zheng
• Category: cs.SE (Software Engineering)
• Publication Date: January 2025 (arXiv preprint)
• Paper Link: https://arxiv.org/abs/2501.08670

Abstract

Smart contract decompilers are widely-used reverse engineering tools in program analysis, playing important roles in program comprehension and vulnerability detection. However, current Solidity smart contract decompilers exhibit significant limitations in reconstructing original source code, primarily manifested in three aspects: inaccurate function identification, erroneous variable type recovery, and missing contract attributes. To address these challenges, this paper proposes the SmartHalo framework, which enhances decompiler output by combining static analysis (SA) and large language models (LLM). SmartHalo leverages SA's accuracy in control flow and data flow analysis alongside LLM's capability in semantic prediction. Specifically, the framework constructs a dependency graph (DG) data structure to extract semantic dependencies, creates LLM-optimized prompts based on the DG, and finally validates LLM outputs through symbolic execution and formal verification.

Research Background and Motivation

Problem Definition

Smart contract decompilation faces three core challenges:

1. Inaccurate Function Boundary Identification: Existing decompilers cannot precisely determine function boundaries, frequently recovering multiple functions as a single function or omitting important functions
2. Variable Type Recovery Errors: Types produced by decompilers are inconsistent with static domain rules, such as incorrectly recovering the bytes32 return value of keccak256 as uint256
3. Missing Contract Attributes: State variables in smart contracts record critical contract properties (e.g., assets, identities, routers), but are completely absent in decompiled code

Importance Analysis

These deficiencies severely hinder downstream tasks:

• Impacting vulnerability detection accuracy, producing false positives and false negatives
• Reducing program comprehension efficiency
• Limiting advanced analysis tasks such as cross-contract call flow analysis

Limitations of Existing Methods

• SmartDagger: Can only partially recover contract attributes of state variables; based on deep learning models with degraded performance on emerging contracts
• Neural-FEBI: Does not support boundary recovery for modifier functions or inherited functions
• SigRec/VarLifter/DeepInfer: Can only partially recover parameter types of known function signatures; rely on predefined heuristic rules with low coverage

Research Motivation

Based on two key insights:

1. Software Natural Patterns: Programmers tend to use similar code structures, contract attributes, variable types, and function boundaries in similar contexts
2. SA-LLM Synergistic Enhancement: SA exhibits high accuracy in handling complex static constraints, while LLM demonstrates flexibility in predicting targets lacking static constraints

Core Contributions

1. Identified and systematically analyzed key limitations of current smart contract decompiler outputs
2. Proposed the SmartHalo framework, innovatively combining static analysis and large language models to optimize decompiler output
3. Designed a dependency graph (DG) data structure extracting three types of semantic dependencies (state dependencies, control flow dependencies, type dependencies)
4. Established a rigorous correctness verification mechanism through symbolic execution and formal verification to address LLM hallucination issues
5. Comprehensively evaluated and validated SmartHalo's effectiveness in function boundary, variable type, and contract attribute recovery

Methodology Details

Task Definition

Input: Pseudocode generated by decompiler Output: Optimized decompiled code with accurate function boundaries, variable types, and contract attributes Constraints: Maintain program behavioral equivalence and comply with Solidity static type rules

Model Architecture

SmartHalo employs a three-stage architecture:

1. Dependency-based Semantic Extraction

• Control Flow Analysis: Uses Tree-sitter to construct syntax trees, converts to three-address intermediate representation, generates control flow and data flow graphs
• Dependency Identification:
  • Type Dependencies: Associations between variable types and other variables or expressions
  • State Dependencies: Read-write dependencies among state variables
  • Control Flow Dependencies: Dependencies in program execution paths
• Dependency Graph Construction: DG = (Nc, Ec, Xe), where Nc is the node set (variables and expressions), Ec is the edge set (three dependency types), and Xe is the labeling function

2. LLM-driven Semantic Enhancement

• Code Context Generation:
  • Variables: Performs code slicing based on DG to extract code fragments related to target variables
  • Functions: Searches the call chain containing the target function
• Inference Candidate Generation:
  • Variable type candidates: Collects built-in types from Solidity documentation
  • Contract attribute candidates: Limit, Fee, Flag, Address, Asset, Router, Others
• Chain-of-Thought (COT) Prompting: Converts dependencies in DG into reasoning step descriptions

3. Correctness Verification

• Program Behavioral Equivalence Checking:
  • Performs symbolic execution on original and optimized functions
  • Uses Z3 solver for formal verification
  • Equivalence assertion: Φ = ¬(s ⇔ s′)
• Static Rule Violation Checking: Detects type inference errors based on Solidity type rules

Technical Innovations

1. Fine-grained Dependency Analysis: First systematically extracts and leverages three types of semantic dependencies
2. SA-LLM Synergistic Framework: Innovatively combines static analysis accuracy with LLM semantic understanding capability
3. Rigorous Correctness Guarantee: Ensures optimization result correctness through symbolic execution and formal verification
4. Universal Design: Supports integration with different LLMs and decompilers

Experimental Setup

Datasets

• Evaluation Dataset: Randomly selected 500 functions from the largest open-source smart contract dataset, ultimately obtaining 456 source code and decompiled output pairs
• Complex Contract Dataset: Randomly selected 50 smart contracts from 682 real DApps (approximately 900 functions)
• Vulnerability Detection Dataset: Contains 81 reentrancy vulnerability labels, 18 attack contract pairs, 50 integer overflow vulnerability contracts

Evaluation Metrics

• Function Boundary Matching: Start and end points completely match source code-level functions
• Type Matching: Predicted types completely match ground truth types (including data layout and field information)
• Contract Attribute Matching: Predicted attributes completely match ground truth attributes
• Recompilation Failure Rate: Compilation error rate of optimized code

Baseline Methods

• SmartDagger: For contract attribute recovery comparison
• VarLifter: For variable type inference comparison
• Original Decompilers: Gigahorse/Dedaub as baseline

Implementation Details

• Development Environment: Python 3.8.10, 1799 lines of code
• LLM Selection: Primarily uses GPT-3.5, supports GPT-4o mini, Llama-3, Deepseek-v3, Qwen-2.5-coder
• Hardware Configuration: Intel i9-10980XE CPU, RTX 3090 GPU, 250GB RAM

Experimental Results

Main Results

Overall Performance Comparison (vs. Original Decompiler)

Comparison with SOTA Methods

• vs SmartDagger (Contract Attributes): Precision improvement +44.69%, recall improvement +80.86%
• vs VarLifter (Variable Types): Precision improvement +13.51%, recall improvement +77.08%

Performance Comparison Across Different LLMs

Ablation Study

Comparing SA, LLM used independently, and the complete SmartHalo framework:

• SA Contribution: Provides accurate dependency extraction and constraint verification
• LLM Contribution: Provides semantic understanding and rare pattern recognition capability
• Synergistic Effect: SmartHalo improves over LLM alone by 19.23%/29.23% on function boundaries

Generalization Ability Verification

• Cross-decompiler: Significant improvements on Heimdall and Panoramix
• Complex Contracts: Maintains good performance on real complex DApps
• Efficiency Analysis: Average processing time 23.99 seconds, cost $0.00136/function

Downstream Task Performance

• Reentrancy Vulnerability Detection: Precision improved from 72.16% to 80.41%
• Attack Identification: Recall improved from 83.33% to 100.00%
• Integer Overflow Detection: Precision improvement +21.96%, recall improvement +38.00%

Related Work

Smart Contract Decompilation

• Gigahorse/Elipmoc: Convert EVM bytecode to three-address code representation
• Erays/EtherSolve: Recover control flow graphs from EVM bytecode
• SigRec/DeepInfer: Recover public function signatures

Decompilation Optimization

• Semantic Information Recovery: DEBIN, OSPREY, BDA and others recover program dependencies through static analysis
• Variable Name and Type Optimization: DIRE, DIRTY, DeGPT and others use deep learning to optimize decompiler output

Advantages of This Work

Compared to existing work, SmartHalo offers:

1. More Comprehensive Optimization Targets: Simultaneously addresses function boundaries, variable types, and contract attributes
2. Stronger Generalization Ability: Does not depend on specific training data, adapts to emerging contracts
3. Rigorous Correctness Guarantee: Ensures optimization result correctness through formal verification

Conclusions and Discussion

Main Conclusions

1. SmartHalo significantly improves smart contract decompilation quality, achieving substantial improvements across three key metrics
2. SA-LLM synergistic framework proves effective, fully leveraging the complementary advantages of both approaches
3. Rigorous correctness verification mechanism successfully controls LLM hallucination issues
4. Framework demonstrates good generalization ability, supporting multiple LLMs and decompilers

Limitations

1. Inheritance Structure Recovery: Cannot recover inheritance relationships within contracts due to missing class information at bytecode level
2. Dataset Scale: Evaluation dataset is relatively small (456 functions), but comparable to SOTA research scale
3. LLM API Evolution: May impact result reproducibility
4. Complex Scenario Handling: Limited performance in low-level calls, inline assembly, and off-chain dependencies

Future Directions

1. Inheritance Structure Recovery: Explore pattern matching-based inheritance relationship inference
2. Larger-scale Evaluation: Verify method robustness on larger datasets
3. Specialized Model Training: Train specialized smart contract understanding models
4. Real-time Optimization: Support online decompilation optimization

In-depth Evaluation

Strengths

1. Clear Problem Definition: Systematically identifies and analyzes core problems in smart contract decompilation
2. Strong Method Innovation: First proposes SA-LLM synergistic framework with ingeniously designed dependency graph data structure
3. Complete Technical Solution: Forms a complete closed loop from semantic extraction, optimization enhancement to correctness verification
4. Comprehensive Experimental Evaluation: Multi-dimensional comparative experiments including ablation studies and downstream task validation
5. High Practical Value: 60.22% of optimized code can be directly recompiled, significantly improving practicality

Weaknesses

1. Insufficient Theoretical Analysis: Lacks in-depth analysis of theoretical guarantees for the method
2. Limited Error Analysis: Root cause analysis of optimization failures could be more thorough
3. Computational Overhead: Symbolic execution and formal verification may introduce significant computational costs
4. External Tool Dependency: Depends on quality of existing decompilers and LLM APIs

Impact

1. Academic Contribution: Provides new research paradigm for smart contract analysis field
2. Practical Value: Can be directly applied to smart contract security analysis and program comprehension
3. Extensibility: Framework design supports integration of different analysis tools and models
4. Open Source Contribution: Authors commit to open-sourcing code and datasets, facilitating research reproducibility

Applicable Scenarios

1. Smart Contract Security Auditing: Improves readability and accuracy of decompiled code
2. Vulnerability Detection Tools: Serves as preprocessing step to enhance detection precision
3. Program Comprehension Tools: Assists developers in understanding third-party contract logic
4. Academic Research: Provides high-quality data for smart contract analysis research

References

The paper cites 96 related references, primarily including:

• Smart Contract Analysis: Classic works such as Gigahorse, SmartDagger, VarLifter
• Program Analysis Theory: Literature on symbolic execution and formal verification
• Machine Learning Applications: Applications of deep learning in program analysis
• Decompilation Techniques: Traditional decompilation optimization methods and tools

Overall Assessment: This is a high-quality software engineering research paper proposing an innovative solution to the important problem of smart contract decompilation. The method design is sound, experimental evaluation is comprehensive, and practical value is prominent. Although some limitations exist, the overall contribution is significant and has important implications for advancing the smart contract security analysis field.