This repository contains the datasets, analysis code, and research artifacts for the paper "Have We Solved Access Control Vulnerability Detection in Smart Contracts? A Benchmark Study" in ASE 2025. It provides resources for studying access control vulnerabilities in blockchain systems through four distinct research questions (RQs).
The structure of the repository is as follows:
AccessControlVulnerabilities/
├── datasets/ # Primary vulnerability datasets
│ ├── datasets.xlsx # Consolidated vulnerability dataset
│ ├── DeFiHackLabsCVEs/ # Curated vulnerabilities from DeFiHackLabs
│ └── Code4rena/ # Access control reports from Code4rena audits
│
├── RQ1/ # Research Question 1: Vulnerability Taxonomy
│ └── taxonomy.xlsx # Classification taxonomy for access control vulnerabilities
│
├── RQ2/ # Research Question 2: SOTA Tool Effectiveness
│ ├── Code/ # Analysis scripts for RQ2
│ └── result/ # Processed outputs/results for RQ2
│
├── RQ3/ # Research Question 3: Practical Gaps
│ ├── Code/ # Analysis scripts for RQ3
│ └── result/ # Processed outputs/results for RQ3
│
└── RQ4/ # Research Question 4: LLM-based Detection
  ├── Code/ # Implementation code for detection approach
  ├── full_prompt.txt # Complete LLM prompt used in the study
  └── result/ # Detection results and evaluations

- 📁 Datasets
  - datasets.xlsx: Consolidated dataset of access control vulnerabilities
  - DeFiHackLabsCVEs/: Real-world vulnerability cases from DeFiHackLabs and CVE database
  - Code4rena/: Access control vulnerabilities from Code4rena audits
- 🔍 Research Questions
  - RQ1: Vulnerability Taxonomy (taxonomy.xlsx)
  - RQ2: SOTA Tool Effectiveness
    - Analysis scripts in RQ2/Code/
    - Processed results in RQ2/result/
  - RQ3: Practical Gaps
    - Analysis scripts in RQ3/Code/
    - Processed results in RQ3/result/
  - RQ4: LLM Capabilities
    - Complete LLM prompt: RQ4/full_prompt.txt
    - Detection implementation: RQ4/Code/
    - Evaluation results: RQ4/result/

- Clone the repository:
  git clone
- For datasets:
  - Navigate to the datasets/ directory to access the vulnerability datasets.
  - datasets.xlsx contains the consolidated dataset with detailed vulnerability information.
  - The DeFiHackLabsCVEs/ and Code4rena/ directories contain curated vulnerabilities from DeFiHackLabs, CVEs and Code4rena audits, respectively.
  - For each vulnerability, we provide the source code and the successfully compiled binary, saved in the source_code/ subdirectory and the binary/ subdirectory, respectively.
  - We also provide a configuration file, config.json, that contains the compilation parameters used to compile the source code.
- For RQ2:
  - Navigate to the RQ2/Code/ directory to find analysis scripts for evaluating SOTA tools.
  - How to run the scripts is described in RQ2/Code/README.md.
  - Processed results can be found in RQ2/result/.
- For RQ3:
  - Navigate to the RQ3/Code/ directory for analysis scripts focused on practical gaps analysis.
  - How to run the scripts is described in RQ3/Code/README.md.
  - Processed results are available in RQ3/result/.
- For RQ4:
  - Navigate to the RQ4/Code/ directory for the implementation code of the LLM-based detection approach.
  - The complete LLM prompt used in the study is available in RQ4/full_prompt.txt.
  - How to run the detection code is described in RQ4/Code/README.md.
  - Detection results and evaluations can be found in RQ4/result/.

This project is released under the MIT License.
Please cite the paper as follows if you use the data or code from this paper:
@inproceedings{liu2025ACBenchmark,
title={{Have We Solved Access Control Vulnerability Detection in Smart Contracts? A Benchmark Study}},
author={Liu, Han and Wu, Daoyuan and Sun, Yuqiang and Wang, Shuai and Liu, Yang},
booktitle={Proc. IEEE/ACM Automated Software Engineering (ASE)},
year={2025}
}