
Collaborative Artificial Intelligence Security Tool (CAIST)

CAIST integrates advanced artificial intelligence techniques with manual security audit expertise to revolutionize smart contract vulnerability detection.

Summary of our project

We want to build a tool to assist in the detection of vulnerabilities in smart contracts. This tool will leverage powerful artificial intelligence constructs like OpenAI's LLMs, together with our knowledge and experience in manual security audits.

Existing smart contract security tools do not suffice, even when the distributed apps are developed by very professional teams (e.g., see https://rekt.news/leaderboard/). Tools used to find bugs in Solidity/Ethereum smart contracts, for example, may require extensive setup, and they generate a good deal of false positives that developers need to invest serious time to discard. In reality, no research like this has been tried or published. If successful, it will provide a breakthrough, improving security overall and spawning more research. We believe that there is an exponential and untapped growth of LLMs that may well solve security problems. Hence, our aim is to combine a great deal of experience in security research with the power of LLMs to build this tool.

The Collaborative Artificial Intelligence Security Tool (CAIST) will combine automatic, human, and AI analysis techniques. Our goal is to allow developers, security auditors, and QA specialists to iterate in a bug-finding process with the intervention of multiple artificial intelligence techniques. Human-machine iteration positively reinforces the search for security issues.

CAIST will use AI clustering to focus on the identification of potential issues and will implement a semantic query language to facilitate computer-human interactions. To facilitate bug-finding, CAIST starts with a classification phase in which Solidity smart contracts are placed in categories (e.g., AMMs) and subcategories. It then elicits questions specific to each smart contract (sub)category (and helps to answer them), and assists in either confirming or rejecting a security issue.

Our Recent Related Work

During 2023, we researched clustering. This proof of concept classifies Solidity smart contracts in an unsupervised way, with the aim of creating a vulnerability detection tool. Smart contracts are grouped into clusters based on functionality, providing a targeted vulnerability detection approach. Repositories from GitHub (2017-2023, >20 stars) were used, and main contracts were parsed for information. The initial approach involved listing function names and assessing their similarity. Clustering techniques, including DBSCAN, were applied to principal components for noise reduction, and contract networking via functions was studied. Promising outcomes revealed clusters such as DEX/DeFi platforms, Yield Farming & Staking, Governance, ERC Standards, and Ownership Management. The research focuses on refining data processing and examining the best similarity measure and vector representation for the problem.
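The function-name approach described above can be sketched as follows. This is an added example, not CoinFabrik's code: it assumes Jaccard distance as the similarity measure, skips the principal-component step, uses a minimal hand-written DBSCAN, and runs on constructed contract names and function lists.

```python
# Added illustration: cluster contracts by the overlap of their function names.
# CONTRACTS is constructed sample data, not taken from real repositories.
CONTRACTS = {
    "DexA": {"swap", "addLiquidity", "removeLiquidity", "getReserves"},
    "DexB": {"swap", "addLiquidity", "removeLiquidity", "sync"},
    "DexC": {"swap", "addLiquidity", "getReserves", "skim"},
    "GovA": {"propose", "castVote", "queue", "execute"},
    "GovB": {"propose", "castVote", "execute", "cancel"},
    "GovC": {"propose", "castVote", "queue", "cancel"},
    "Misc": {"ping", "setGreeting"},
}

def jaccard_distance(a, b):
    """1 - |a & b| / |a | b|; 0.0 means identical function-name sets."""
    union = a | b
    return 1.0 - len(a & b) / len(union) if union else 0.0

def dbscan(items, eps, min_pts):
    """Minimal DBSCAN; returns name -> cluster id, with -1 meaning noise."""
    names = sorted(items)
    def neighbors(n):  # includes n itself, as in the usual DBSCAN definition
        return [m for m in names if jaccard_distance(items[n], items[m]) <= eps]
    labels, cluster = {}, 0
    for n in names:
        if n in labels:
            continue
        nbrs = neighbors(n)
        if len(nbrs) < min_pts:
            labels[n] = -1            # provisional noise, may become a border point
            continue
        labels[n] = cluster
        queue = [m for m in nbrs if m != n]
        while queue:
            m = queue.pop()
            if labels.get(m) == -1:
                labels[m] = cluster   # noise reached from a core point: border
            if m in labels:
                continue
            labels[m] = cluster
            m_nbrs = neighbors(m)
            if len(m_nbrs) >= min_pts:
                queue.extend(m_nbrs)  # m is a core point, keep expanding
        cluster += 1
    return labels

def cluster_contracts(eps=0.5, min_pts=2):
    return dbscan(CONTRACTS, eps, min_pts)

if __name__ == "__main__":
    print(cluster_contracts())
```

Contracts left with label -1 share too few function names with any group, which is the kind of outlier a reviewer would classify by hand.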

We have an ongoing collaboration on knowledge transfer and open-source projects with the Universidad de Buenos Aires in the context of the MEGA-ACE project, funded by the Algorand Foundation. The project aims to build a mobility network of researchers and students that allows it to target research and implementation efforts at problems informed by the needs of societies on all five continents. Other participating universities include Purdue University – USA, Cornell – USA, UCLA – USA, Bar-Ilan – Israel, Reichman University – Israel, Ecole Polytechnique – France, Universidad Nacional Autonoma de Mexico – Mexico, etc.

Throughout 2022 and early 2023, we collaborated with the Laboratory on Foundations and Tools for Software Engineering (LaFHIS) at the University of Buenos Aires to establish analysis techniques and tools for detecting vulnerabilities in code, as well as to create an initial list of vulnerability classes for smart contracts and code examples. We started this collaboration with a grant from NEAR Foundation in 2022, where we focused on reviewing available tools applicable for detecting vulnerabilities in Rust. This research was followed in 2023 by a series of grants financed by Web3 Foundation and Aleph Zero Ecosystem Grants, which led to the release of Scout, our vulnerability detector for smart contracts.

We believe that, by working on a thorough classification of smart contract vulnerabilities, we can leverage LLMs as a powerful technique for vulnerability detection. This would be a new application in the context of vulnerabilities for smart contracts in Solidity, as well as in Rust-based blockchains.

The Roadmap to Success

The development of CAIST is organized as a project with five milestones:

Component classification POC tool

Classification of vulnerable smart contracts

Manual querying for vulnerability detection

POC tool for automatic LLM querying for vulnerability detection

Development of an integrated platform

Assigned Team

The team will be composed of:

Project Manager

The Tech Lead

Researcher

Developer

Developer

Our clients

In partnership with top global business organizations.

From bold start-ups to big names, CoinFabrik is proud of our clients' success and passionate about helping them accelerate growth through digital.
