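From March 23 to March 27, 2026, The 41st ACM/SIGAPP Symposium On Applied Computing (ACM SAC 2026) was held in Greece. At the conference, researchers from our institute, Kentaro Sako, Daiki Ito, Takuya Watanabe, Yuta Takata, Hiroshi Kumagai, and Masaki Kamizono, presented a research paper.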

 

Evaluation of Smart Contract Tools for Comprehensive Vulnerability Detection and Optimal Integration
Authors: Kentaro Sako (Waseda University/DTCY), Daiki Ito, Takuya Watanabe, Yuta Takata, Hiroshi Kumagai (DTCY), Masaki Kamizono (DTCY/DTSI), Tatsuya Mori (Waseda University/RIKEN AIP/NICT)

 

Abstract: Smart contracts (SCs) cannot be modified once deployed on the blockchain, making pre-deployment vulnerability identification essential. Although numerous SC vulnerability (SCVul) detection tools (SCTs) have been developed, prior evaluations have examined only limited vulnerability types, leaving it uncertain whether SCTs can comprehensively detect vulnerabilities and what characteristics their detectable vulnerabilities exhibit. Because each SCT employs distinct analysis methods and detection strategies, using multiple SCTs can be advantageous; however, the detection accuracy of such combinations has not yet been systematically evaluated. In this study, we comprehensively investigate the types and characteristics of SCVuls targeted by eight SCTs whose execution environments were successfully established and verified. Our study is grounded in a comprehensive SCVul list for assessing detection completeness and characteristic biases, and in an evaluation dataset built to assess both individual tools and their combinations. Our evaluation shows clear limits in current SCTs. Specifically, 23.5% of vulnerabilities in our list were untargeted and approximately 35% remained undetected even after aggregating tools, with the excluded or missed cases predominantly context-dependent vulnerabilities that require interpreting business logic or developer intent. Tool combinations improved performance only in limited ways. Intersections achieved the highest F1-score but reduced coverage, while unions broadened coverage at the cost of many false positives. Neither strategy materially enabled detection of context-dependent vulnerabilities. These results offer practical guidance on when combinations help and where fundamental gaps remain.

 
List of papers
https://dtsi.deloitte.jp/thesis