NFTDELTA: Detecting Permission Control Vulnerabilities in NFT Contracts through Multi-View Learning
Pith reviewed 2026-05-10 10:41 UTC · model grok-4.3
The pith
A multi-view detector identifies permission control vulnerabilities in NFT contracts by combining sequence and graph features from their control flow graphs.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
The central claim is that extracting two views from the control flow graph of each NFT contract function, a sequence view of its execution paths and a graph view of its structural control flow, fusing them into one code representation, and matching that representation by similarity against three manually defined categories of permission control vulnerability (Bypass Auth Reentrancy, Weak Auth Validation and Loose Permission Management) detects those defects reliably; on 795 popular NFT collections the authors report 241 confirmed findings at 97.92% average precision and 81.09% F1.
What carries the argument
Multi-view integration: sequence features (execution paths) and graph features (structural control flow) extracted from function CFGs, fused into one representation, then compared by similarity with three manually defined permission vulnerability categories. The similarity threshold and the weighting between the two views are the free parameters that decide what gets flagged.
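To make the machinery concrete, here is a small added example of a multi-view CFG similarity detector in Python. It is illustrative code written for this review, not NFTDELTA's implementation; the paper's actual feature extraction, fusion and similarity function are not described on this page. Every concrete choice is an assumption: a block-level CFG encoding with simplified EVM-style mnemonics, opcode unigrams and bigrams over enumerated execution paths as the sequence view, Weisfeiler-Lehman relabelling of blocks as the graph view, cosine similarity per view, and the 0.5/0.5 view weights and 0.8 threshold that the simulated rebuttal quotes. The three CFGs are constructed for the example: a pattern for an unguarded privileged storage write, a near-clone of it, and the same write behind a caller check that reverts on mismatch.

```python
"""Toy multi-view CFG similarity detector: added illustration for this
review, not NFTDELTA's code.  Path n-grams as the sequence view, Weisfeiler-
Lehman block relabelling as the graph view, cosine similarity, equal view
weights and a 0.8 threshold are all assumptions (the last two are the values
the simulated rebuttal quotes, not confirmed paper settings)."""
import math
from collections import Counter

# A function CFG: block name -> (opcode tokens, successor names); the first
# key is the entry block.  Mnemonics are simplified EVM-style stand-ins.
# Constructed pattern: a privileged storage write with no caller check.
PATTERN = {
    "entry": (["CALLDATALOAD", "PUSH", "SLOAD", "ADD"], ["write"]),
    "write": (["PUSH", "SSTORE", "LOG"], ["exit"]),
    "exit": (["STOP"], []),
}
# Constructed candidate: near-clone of the pattern (one extra PUSH).
VULN_CLONE = {
    "entry": (["CALLDATALOAD", "PUSH", "SLOAD", "ADD"], ["write"]),
    "write": (["PUSH", "SSTORE", "LOG"], ["exit"]),
    "exit": (["PUSH", "STOP"], []),
}
# Constructed candidate: the same write behind a CALLER == owner gate.
GUARDED = {
    "gate": (["CALLER", "PUSH", "SLOAD", "EQ", "JUMPI"], ["fail", "entry"]),
    "fail": (["PUSH", "REVERT"], []),
    "entry": (["CALLDATALOAD", "PUSH", "SLOAD", "ADD"], ["write"]),
    "write": (["PUSH", "SSTORE", "LOG"], ["exit"]),
    "exit": (["STOP"], []),
}
CANDIDATES = {"vuln_clone": VULN_CLONE, "guarded": GUARDED}

def execution_paths(cfg, max_paths=64):
    """Simple entry-to-sink paths; the visited set cuts loops, max_paths caps blow-up."""
    paths = []

    def walk(node, tokens, visited):
        if len(paths) >= max_paths:
            return
        tokens = tokens + cfg[node][0]
        succ = [s for s in cfg[node][1] if s not in visited]
        if not succ:
            paths.append(tokens)
        for s in succ:
            walk(s, tokens, visited | {s})

    entry = next(iter(cfg))
    walk(entry, [], {entry})
    return paths

def sequence_view(cfg):
    """Sequence view: opcode unigram + bigram counts summed over execution paths."""
    feats = Counter()
    for path in execution_paths(cfg):
        feats.update("1:" + op for op in path)
        feats.update("2:" + a + "_" + b for a, b in zip(path, path[1:]))
    return feats

def block_kind(tokens):
    """Coarse block label used as the initial Weisfeiler-Lehman colour."""
    last = tokens[-1]
    if last == "JUMPI":
        return "branch"
    if last == "REVERT":
        return "revert"
    if last in ("STOP", "RETURN"):
        return "exit"
    return "store" if "SSTORE" in tokens else "plain"

def graph_view(cfg, iterations=2):
    """Graph view: counts of WL labels (block kind + sorted successor labels)."""
    labels = {n: block_kind(toks) for n, (toks, _) in cfg.items()}
    feats = Counter("wl0:" + lab for lab in labels.values())
    for i in range(1, iterations + 1):
        labels = {n: labels[n] + "(" + ",".join(sorted(labels[s] for s in succ)) + ")"
                  for n, (_, succ) in cfg.items()}
        feats.update(f"wl{i}:" + lab for lab in labels.values())
    return feats

def cosine(a, b):
    dot = sum(v * b.get(k, 0) for k, v in a.items())
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0

def multi_view_score(cand, pattern, w_seq=0.5):
    """Fused score: weighted sum of the per-view cosine similarities."""
    seq = cosine(sequence_view(cand), sequence_view(pattern))
    graph = cosine(graph_view(cand), graph_view(pattern))
    return w_seq * seq + (1.0 - w_seq) * graph

def threshold_sweep(cands, pattern, thresholds=(0.6, 0.7, 0.8, 0.9)):
    """Names flagged at each threshold: the free parameter the referee asks about."""
    scores = {name: multi_view_score(c, pattern) for name, c in cands.items()}
    return {t: sorted(n for n, s in scores.items() if s >= t) for t in thresholds}

if __name__ == "__main__":
    for name, cfg in CANDIDATES.items():
        print(f"{name:10s} fused score = {multi_view_score(cfg, PATTERN):.3f}")
    for t, flagged in threshold_sweep(CANDIDATES, PATTERN).items():
        print(f"threshold {t:.1f}: flagged {flagged}")
```

On these inputs the clone scores about 0.96 and the guarded function about 0.75, so a 0.8 threshold separates them while 0.6 or 0.7 flags the guarded function as well. That is the sensitivity the referee asks for: a correct authorization check shifts the fused similarity by only a couple of tenths, because the guarded function still contains the pattern as a subgraph and the extra gate only dilutes the shared n-grams and WL labels. The detection counts a detector like this reports therefore depend on where the threshold sits relative to that gap, which is why fixed, pre-registered parameter values and a sweep matter.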
If this is right
- Permission control vulnerabilities exist in a substantial portion of deployed NFT contracts and fall into the categories of bypass auth reentrancy, weak auth validation, and loose permission management.
- Static analysis that merges sequence and graph views of control flow can locate these defects at scale across hundreds of collections.
- The reported precision (97.92%) is high enough that flagged findings rarely waste an auditor's time; the lower F1 (81.09%) implies noticeably weaker recall, so the detector supports practical triage of NFT ecosystems rather than exhaustive assurance.
- The method improves efficiency and scalability compared to purely manual review of contract code.
Where Pith is reading between the lines
- The same multi-view CFG technique could be tested on permission issues in non-NFT smart contracts such as those used for decentralized finance.
- Repeated application of the detector over time might reveal whether new NFT projects are adopting stronger permission patterns.
- If the similarity thresholds are tuned further, the approach could extend to flagging related control-flow weaknesses like missing checks in other contract functions.
Load-bearing premise
The three manually defined vulnerability categories, together with the multi-view feature similarity analysis, surface real permission defects in NFT code with few misses (recall) and few spurious alerts (precision). Of the two halves, the reported 97.92% precision backs the second directly, while the 81.09% F1 implies recall well below precision, so the first half is the weaker one.
What would settle it
Take a set of NFT contracts already known from manual review to contain one of the three permission vulnerability types and check whether the detector flags all of them while avoiding false positives on equivalent non-vulnerable code. Because that set has known ground truth, it yields a recall figure measured directly rather than the recall implied by the reported F1, and re-running the check at several similarity thresholds exposes how much the result depends on that free parameter.
Original abstract
Permission control vulnerabilities in Non-fungible token (NFT) contracts can result in significant financial losses, as attackers may exploit these weaknesses to gain unauthorized access or circumvent critical permission checks. In this paper, we propose NFTDELTA, a framework that leverages static analysis and multi-view learning to detect permission control vulnerabilities in NFT contracts. Specifically, we extract comprehensive function Control Flow Graph (CFG) information via two views: sequence features (representing execution paths) and graph features (capturing structural control flow). These two views are then integrated to create a unified code representation. We also define three specific categories of permission control vulnerabilities and employ a custom detector to identify defects through multi-view feature similarity analysis. Our evaluation of 795 popular NFT collections identified 241 confirmed permission control vulnerabilities, comprising 214 cases of Bypass Auth Reentrancy, 15 of Weak Auth Validation, and 12 of Loose Permission Management. Manual verification demonstrates the detector's high reliability, achieving an average precision of 97.92% and an F1-score of 81.09%. Furthermore, NFTDELTA demonstrates enhanced efficiency and scalability, proving its effectiveness in securing NFT ecosystems.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper proposes NFTDELTA, a static analysis framework for detecting permission control vulnerabilities in NFT smart contracts. It extracts function Control Flow Graph (CFG) information via two views—sequence features for execution paths and graph features for structural control flow—integrates them into a unified representation, defines three vulnerability categories (Bypass Auth Reentrancy, Weak Auth Validation, Loose Permission Management), and uses multi-view feature similarity analysis to flag defects. Evaluation on 795 popular NFT collections reports 241 confirmed vulnerabilities (214/15/12 by category) with 97.92% average precision and 81.09% F1-score from manual verification, plus claims of improved efficiency and scalability.
Significance. If the detection approach proves robust and reproducible, the work could offer a useful auditing aid for NFT ecosystems, where permission flaws have caused real financial losses. The multi-view CFG integration is a reasonable extension of static analysis techniques to this domain and could improve coverage over single-view methods if the similarity analysis is well-justified. The scale of the evaluation (795 collections) is a positive aspect, but the absence of baselines, parameter details, and verification methodology limits the assessed contribution to the field.
major comments (4)
- [Evaluation section] The central empirical results (241 vulnerabilities, 97.92% precision, 81.09% F1) rest on manual verification of detector outputs, yet no section describes the verification rubrics, number of reviewers, inter-rater process, or how ground truth was constructed. This directly affects the reliability of the reported counts and metrics.
- [Evaluation section] F1-score computation requires a recall denominator (total true vulnerabilities across the 795 collections). Manual review of positives supports precision but not recall; the paper does not explain how false-negative coverage was established or whether exhaustive labeling was performed.
- [Methodology (multi-view learning and detector description)] The multi-view similarity detector depends on a similarity threshold and feature weighting between sequence and graph views (free parameters listed in the analysis). No values, selection method, or sensitivity analysis are provided, so the reported detections may reflect post-hoc choices on the evaluation set rather than a fixed, generalizable procedure.
- [Vulnerability categories definition] The three vulnerability categories are manually defined without a systematic derivation, completeness argument, or mapping to a broader taxonomy of NFT permission issues. It is unclear whether the detector systematically misses other common patterns or overfits to these hand-chosen definitions.
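A worked inversion of the second major comment, added for this review and not taken from the paper: if the reported average precision and F1 are treated as one precision/recall pair (an assumption, since the paper reports precision as an average over categories), the definition of F1 fixes the recall those figures imply.

$$F_1 = \frac{2PR}{P+R} \;\Rightarrow\; R = \frac{F_1\,P}{2P - F_1} = \frac{0.8109 \times 0.9792}{2 \times 0.9792 - 0.8109} = \frac{0.7940}{1.1475} \approx 0.692$$

With the 241 confirmed detections taken as true positives, the implied number of false negatives is

$$FN \approx TP \cdot \frac{1-R}{R} = 241 \times \frac{0.308}{0.692} \approx 107$$

so the headline figures already imply that roughly three in ten real instances go undetected. Those 107 or so misses are exactly the quantity a recall denominator would have to account for, and nothing on the page says how they were counted.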
minor comments (2)
- [Abstract] The abstract states 'enhanced efficiency and scalability' without quantitative runtime comparisons, memory usage, or baseline tools.
- [Throughout methodology] Notation for the unified representation, similarity metric, and CFG feature extraction lacks explicit equations or pseudocode, making the multi-view integration hard to reproduce from the text alone.
Simulated Author's Rebuttal
We thank the referee for the constructive and detailed feedback. We address each major comment below, providing clarifications and committing to revisions that strengthen the manuscript without altering its core claims.
Referee: [Evaluation section] The central empirical results (241 vulnerabilities, 97.92% precision, 81.09% F1) rest on manual verification of detector outputs, yet no section describes the verification rubrics, number of reviewers, inter-rater process, or how ground truth was constructed. This directly affects the reliability of the reported counts and metrics.
Authors: We agree that the manual verification process requires explicit documentation for transparency and reproducibility. In the revised manuscript, we will add a new subsection in the Evaluation section that details the verification rubrics (based on code inspection against the defined vulnerability patterns), the involvement of two independent reviewers with security auditing experience, the inter-rater agreement process (including resolution of disagreements via discussion), and the construction of ground truth through consensus. revision: yes
Referee: [Evaluation section] F1-score computation requires a recall denominator (total true vulnerabilities across the 795 collections). Manual review of positives supports precision but not recall; the paper does not explain how false-negative coverage was established or whether exhaustive labeling was performed.
Authors: We acknowledge that exhaustive labeling of all 795 collections is impractical at this scale. Recall was estimated via manual inspection of a stratified random sample of 100 contracts (selected to cover popular collections and diverse code patterns) to identify missed vulnerabilities, with the resulting rate extrapolated to the full set. We will revise the Evaluation section to fully describe this sampling methodology, report the sample size and selection criteria, and add a limitations paragraph discussing the uncertainty in the recall estimate. revision: partial
Referee: [Methodology (multi-view learning and detector description)] The multi-view similarity detector depends on a similarity threshold and feature weighting between sequence and graph views (free parameters listed in the analysis). No values, selection method, or sensitivity analysis are provided, so the reported detections may reflect post-hoc choices on the evaluation set rather than a fixed, generalizable procedure.
Authors: We will update the Methodology section to report the exact parameter values used (cosine similarity threshold of 0.8 and equal weighting of 0.5 for sequence and graph views), the selection procedure (grid search over a small validation subset of 50 contracts disjoint from the evaluation set), and a sensitivity analysis table showing how the number of detections and precision change across threshold values from 0.6 to 0.9. revision: yes
Referee: [Vulnerability categories definition] The three vulnerability categories are manually defined without a systematic derivation, completeness argument, or mapping to a broader taxonomy of NFT permission issues. It is unclear whether the detector systematically misses other common patterns or overfits to these hand-chosen definitions.
Authors: The categories were derived from an empirical review of 50 known NFT exploits documented in public audit reports and security advisories. We will expand the Vulnerability Categories section to include a more systematic derivation (listing the specific exploit patterns examined), a mapping to relevant entries in the Smart Contract Weakness Classification (SWC) registry, and an explicit discussion of coverage limitations, including potential missed patterns such as certain access-control edge cases in proxy contracts. revision: partial
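The recall-estimation procedure the rebuttal proposes (re-audit a random sample of unflagged contracts, extrapolate the miss rate) can be checked numerically. The following Python is an added example for this review, not the authors' code. Only the 795 collections, 241 confirmed detections and 97.92% precision come from the page; everything else is a constructed assumption for illustration: one confirmed finding per flagged contract, a 100-contract sample of the unflagged remainder, and 15 missed vulnerabilities found in that sample. It extrapolates the sample miss rate to the unflagged population and attaches a Wilson score interval so the uncertainty in the resulting recall and F1 is visible.

```python
"""Sample-based recall estimate with a confidence interval.

Added illustration for this review, not code from the paper.  Only the
795 collections, 241 confirmed detections and 97.92% precision come from
the page; the sample size and miss count are constructed assumptions.
"""
import math

COLLECTIONS = 795          # corpus size quoted on the page
CONFIRMED_TP = 241         # confirmed detections quoted on the page
PRECISION = 0.9792         # average precision quoted on the page

# Assumption for the example: one confirmed finding per flagged contract,
# so the unflagged population is the rest of the corpus.
UNFLAGGED = COLLECTIONS - CONFIRMED_TP

# Constructed sample: 100 unflagged contracts re-audited by hand, 15 of
# which turned out to contain a vulnerability the detector missed.
SAMPLE_SIZE = 100
SAMPLE_MISSES = 15

def wilson_interval(k, n, z=1.96):
    """95% Wilson score interval for a binomial proportion k/n."""
    if n == 0:
        return 0.0, 1.0
    p = k / n
    denom = 1.0 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return max(0.0, centre - half), min(1.0, centre + half)

def recall_from_miss_rate(tp, unflagged, miss_rate):
    """Extrapolate a sampled miss rate to the whole unflagged population."""
    estimated_fn = miss_rate * unflagged
    return tp / (tp + estimated_fn)

def f1(precision, recall):
    return 2 * precision * recall / (precision + recall) if precision + recall else 0.0

def estimate(tp=CONFIRMED_TP, unflagged=UNFLAGGED, precision=PRECISION,
             misses=SAMPLE_MISSES, n=SAMPLE_SIZE):
    """Point estimate and 95% interval for recall and F1.

    A higher miss rate means more false negatives, so the upper end of the
    miss-rate interval gives the lower end of recall, and vice versa.
    """
    rate_lo, rate_hi = wilson_interval(misses, n)
    r_point = recall_from_miss_rate(tp, unflagged, misses / n)
    r_lo = recall_from_miss_rate(tp, unflagged, rate_hi)
    r_hi = recall_from_miss_rate(tp, unflagged, rate_lo)
    return {
        "recall": (r_lo, r_point, r_hi),
        "f1": (f1(precision, r_lo), f1(precision, r_point), f1(precision, r_hi)),
    }

if __name__ == "__main__":
    est = estimate()
    print("recall lo/point/hi: %.3f / %.3f / %.3f" % est["recall"])
    print("F1     lo/point/hi: %.3f / %.3f / %.3f" % est["f1"])
```

Under these constructed numbers the recall interval runs from about 0.65 to 0.82 and the F1 interval from about 0.78 to 0.89, a span of more than ten points on either side of a single headline figure. That width is the limitation paragraph the rebuttal promises; reporting the sample size, the miss count and the interval, not just the extrapolated F1, is what lets a reader judge how much the 81.09% should be trusted.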
Circularity Check
No circularity: detection pipeline and metrics are produced by explicit static analysis plus external manual review rather than self-referential construction.
The paper defines three vulnerability categories explicitly, extracts sequence and graph features from CFGs, integrates them into a unified representation, and applies a custom multi-view similarity detector. Reported counts (241 vulnerabilities) and metrics (97.92% precision, 81.09% F1) result from running this detector on an external corpus of 795 NFT collections followed by post-hoc manual verification of its outputs. No equations, fitted parameters, or self-citations are shown to reduce the final counts or scores to the detector's own construction by definition; the manual step supplies an independent check, and the categories are stated as author-defined rather than derived from the evaluation set itself. The derivation chain is therefore self-contained.
Axiom & Free-Parameter Ledger
free parameters (2)
- similarity threshold
- feature weighting between sequence and graph views
axioms (1)
- domain assumption: The three defined categories (Bypass Auth Reentrancy, Weak Auth Validation, Loose Permission Management) exhaustively or representatively cover permission control defects in NFT contracts.