RTMS: A Smart Contract Vulnerability Detection Method Based on Feature Fusion and Vulnerability Correlations
Round 1
Reviewer 1 Report
Comments and Suggestions for Authors
The following comments are made to help improve this paper:
1) The authors should consider adding an explicit statement of contribution at the end of the Introduction.
2) The authors should consider adding a summary of RTMS performance against other Smart Contract Vulnerability Detection programs to the conclusion. At the moment the conclusion is brief and needs to be improved.
Author Response
Comments 1: The authors should consider adding an explicit statement of contribution at the end of the Introduction.
Response 1: Thank you for pointing this out. I agree with this comment. Therefore, we have added a statement of our work at the end of the introduction.
Comments 2: The authors should consider adding a summary of RTMS performance against other Smart Contract Vulnerability Detection programs to the conclusion. At the moment the conclusion is brief and needs to be improved.
Response 2: Agree. We have already enriched the comparison of effects with other methods in the Conclusion section.
Reviewer 2 Report
Comments and Suggestions for Authors
The abstract should be more developed, by putting more emphasis on the discoveries, also on the smart contracts and deep learning.
The introduction can be enhanced with more recent studies.
Neither one of the eight figures, nor one of the six tables mentions the source or whether they are created by the authors.
The conclusion part must be enhanced and the authors should provide more suggestions that can be used.
How and by which means are the precision and stability of classification results improved?
The authors should explain what is meant by “relatively limited in terms of vulnerability types”.
Some of the references must be replaced with newer articles, studies and books, as the following may be considered by some readers as not up-to-date information.
Szabo N. Smart contracts: building blocks for digital markets[J]. EXTROPY: The Journal of Transhumanist Thought,(16), 1996, 18(2): 28.
Buterin V. A next-generation smart contract and decentralized application platform[J]. white paper, 2014, 3(37): 2-1.
Author Response
Comments 1: The abstract should be more developed, by putting more emphasis on the discoveries, also on the smart contracts and deep learning.
Response 1: Thank you for pointing this out. I agree with this comment. Therefore, we have enriched the description in the abstract section.
Comments 2: The introduction can be enhanced with more recent studies.
Response 2: Agree. To avoid redundancy in content, we have added references to Sections 2.2 and 2.3 in the Introduction, providing appropriate summaries of the relevant studies.
Comments 3: Neither one of the eight figures, nor one of the six tables mentions the source or whether they are created by the authors.
Response 3: Agree. We have added originality statements beneath each figure and table.
Comments 4: The conclusion part must be enhanced and the authors should provide more suggestions that can be used.
Response 4: Agree. We have added suggestions for future research work in the concluding section.
Comments 5: How and by which means are the precision and stability of classification results improved?
Response 5: Agree. Our work is summarized in the introduction and conclusion sections. Mainly through the following methods: 1. A slicing strategy based on gas value to select the fragments with the richest logic. 2. The hierarchical network structure expands the input range and improves the feature extraction effect. 3. Correlation learning, which corrects the initial classification results through the correlation between vulnerabilities, making the final classification results more stable.
Comments 6: The authors should explain what is meant by “relatively limited in terms of vulnerability types”.
Response 6: In the conclusion part, the limited vulnerability types are introduced in detail.
Comments 7: Some of the references must be replaced with newer articles, studies and books, as the following may be considered by some readers as not up-to-date information.
Response 7: The purpose of citing these two pieces of literature is as follows: One is to demonstrate the origin of the concept of smart contracts, and the other is to showcase the original intentions behind the establishment of Ethereum through the Ethereum white paper.
Reviewer 3 Report
Comments and Suggestions for Authors
The paper introduces RTMS, a novel method for detecting smart contract vulnerabilities, emphasizing efficiency and accuracy.
The paper could be further enhanced by addressing the following questions:
Please expand the full acronym RTMS where it is first mentioned in the beginning (Robust Transaction Multi-vulnerability smart contract detection system?).
Is the goal here to classify the 6 vulnerability categories: permission (access) control, integer overflow, reentrancy, insecure calls, others, and safe? If so, it should be addressed more clearly in the introduction and also in the experiment section.
Also, if the operation code is limited to 10 tokens (Push, Log, Dup, etc.), the embedding matrix might be much smaller than the BERT-fashion model. Then is this problem essentially similar to next token prediction? But I feel confused because it seems to estimate the vulnerability (6 classes) rather than next token estimation (10 tokens vocabulary).
The notation needs to be cleaned a bit. For example, W is a weight matrix and then the three multiplications of W_p W_e W_i seem to be relaxable to one large weight matrix. Maybe the RT block in Figure 6 is used for this case; if so, the attention here may refer to convolution over the 512 token sequence instead of a K, V, Q (key, value, query) attention module?
Comments on the Quality of English Language
Fair, yet can be improved
Author Response
Comments 1: Please expand the full acronym RTMS where it is first mentioned in the beginning (Robust Transaction Multi-vulnerability smart contract detection system?).
Response 1: Thank you for pointing this out. RTMS is named just as a symbol to facilitate reference during manuscript writing.
Comments 2: Is the goal here to classify the 6 vulnerability categories: permission (access) control, integer overflow, reentrancy, insecure calls, others, and safe? If so, it should be addressed more clearly in the introduction and also in the experiment section.
Response 2: Agree. In the Introduction section, when RTMS is first introduced, a specific description of its detection capabilities is added. In the first paragraph of the experimental results analysis in Section 5.4, a statement about the content of the experimental dataset is included. [The purpose of all experiments is to input the opcodes to be detected and output a probability sequence indicating the likelihood of the opcodes having four types of vulnerabilities: Reentrancy, Permission Control, Integer Overflow, and Insecure Calling. The threshold is set at 50%. For example, if a segment of opcodes has both Reentrancy and Permission Control vulnerabilities, the corresponding probabilities for these two vulnerabilities will be greater than 50%, while the probabilities for the other two vulnerabilities will be below 50%.]
Comments 3: If the operation code is limited to 10 tokens (Push, Log, Dup, etc.), the embedding matrix might be much smaller than the BERT-fashion model. Then is this problem essentially similar to next token prediction? But I feel confused because it seems to estimate the vulnerability (6 classes) rather than next token estimation (10 tokens vocabulary).
Response 3: The application of the CodeBERT model in this context is primarily as a feature extraction module, without utilizing its next-sentence prediction capability. The input vector dimension remains 512, but the vector space is reduced based on a customized vocabulary tailored to the simplified opcodes.
Comments 4: The notation needs to be cleaned a bit. For example, W is a weight matrix and then the three multiplications of W_p W_e W_i seem to be relaxable to one large weight matrix. Maybe the RT block in Figure 6 is used for this case; if so, the attention here may refer to convolution over the 512 token sequence instead of a K, V, Q (key, value, query) attention module?
Response 4: Agree. In Equations (5), (6), and (7), the original expression methods have been modified. In the RTBlock, the traditional K, Q, V attention scoring mechanism is not used; instead, the GAM (Global Attention Modulation) attention mechanism is adopted.
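The multi-label decoding step described in the authors' Response 2 above (four per-vulnerability probabilities, a 50% cut-off, several labels allowed at once), together with a gas-weighted slice selection in the spirit of item 1 of Response 5, as an added illustration that is not the RTMS authors' code. The per-opcode gas table, the fixed-window slicing rule and the sample opcode sequence are constructed assumptions for this example; the paper does not give the real slicing rule or the classifier, so the probabilities are supplied by hand rather than produced by a model.

```python
"""Added example, not code from the RTMS paper.

Two pieces: (1) pick the contiguous opcode window with the largest summed
gas cost (an assumed stand-in for the paper's gas-based slicing), and
(2) turn a four-element probability sequence into a set of vulnerability
labels using the 50% threshold stated in the authors' response.
"""
from typing import Dict, List, Sequence, Tuple

# The four vulnerability classes named in the authors' Response 2.
LABELS: Tuple[str, ...] = (
    "Reentrancy",
    "Permission Control",
    "Integer Overflow",
    "Insecure Calling",
)
THRESHOLD = 0.5  # "greater than 50%" in the authors' wording

# ASSUMED static gas costs per simplified opcode, for illustration only.
# Real EVM costs depend on context (cold/warm access, value transfer, ...).
GAS: Dict[str, int] = {
    "PUSH": 3, "DUP": 3, "SWAP": 3, "JUMPI": 10, "LOG": 375,
    "CALL": 700, "SLOAD": 800, "SSTORE": 5000, "STOP": 0,
}


def richest_slice(opcodes: Sequence[str], window: int) -> Tuple[int, List[str]]:
    """Return (start index, slice) of the window with the highest total gas.

    Unknown opcodes count as zero gas. If the sequence is shorter than the
    window, the whole sequence is returned at index 0. Ties keep the earliest
    window, which makes the choice deterministic.
    """
    if window <= 0:
        raise ValueError("window must be positive")
    if len(opcodes) <= window:
        return 0, list(opcodes)
    costs = [GAS.get(op, 0) for op in opcodes]
    best_start, best_sum = 0, sum(costs[:window])
    running = best_sum
    # Sliding-window sum: add the opcode entering, drop the one leaving.
    for start in range(1, len(opcodes) - window + 1):
        running += costs[start + window - 1] - costs[start - 1]
        if running > best_sum:
            best_start, best_sum = start, running
    return best_start, list(opcodes[best_start:best_start + window])


def decode_labels(probs: Sequence[float]) -> List[str]:
    """Map a probability sequence to the labels strictly above the threshold.

    This is multi-label decoding: any subset of the four classes may be
    reported, and an empty list means no vulnerability exceeded the cut-off.
    """
    if len(probs) != len(LABELS):
        raise ValueError(f"expected {len(LABELS)} probabilities, got {len(probs)}")
    for p in probs:
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"probability out of range: {p}")
    return [label for label, p in zip(LABELS, probs) if p > THRESHOLD]


if __name__ == "__main__":
    # Constructed sample opcode sequence (not from the paper's dataset).
    sample = ["PUSH", "PUSH", "SLOAD", "CALL", "SSTORE", "PUSH", "STOP"]
    print(richest_slice(sample, window=3))
    # Hand-written probabilities mirroring the authors' own example:
    # Reentrancy and Permission Control both above 50%, the other two below.
    print(decode_labels([0.81, 0.62, 0.12, 0.40]))
```

The strict `>` comparison follows the authors' phrasing "greater than 50%"; a value of exactly 0.5 is therefore not reported, which is worth fixing explicitly in any reimplementation so that the reported metrics match.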
Round 2
Reviewer 2 Report
Comments and Suggestions for Authors
The article has been significantly improved by the authors, being better structured and more engaging for the potential readers, making it more informative.