LLM-Powered Detection of Price Manipulation in DeFi

📅 2025-10-24
🤖 AI Summary
Existing methods for detecting price manipulation vulnerabilities have critical limitations: reactive approaches analyze attacks only after they occur, while static analyzers rely on predefined rules, and both struggle to identify novel attack variants and complex economic logic. This paper proposes PMDetector, the first hybrid detection framework integrating static analysis with large language model (LLM) reasoning. It employs a three-stage pipeline (static taint analysis, two-stage LLM filtering, and a static analysis checker that validates the LLM results) to detect price manipulation vulnerabilities, which are often exploited via flash loans. Its key innovations are a formally specified attack model and LLM-driven reasoning about defenses and exploitability, which together improve generalizability without compromising reliability. Evaluated on a benchmark dataset comprising 73 real-world vulnerable and 288 benign protocols, PMDetector achieves 88% precision and 90% recall with Gemini 2.5-flash, and auditing a vulnerability takes 4.0 seconds and costs $0.03 with GPT-4.1, substantially outperforming state-of-the-art methods.

📝 Abstract
Decentralized Finance (DeFi) smart contracts manage billions of dollars, making them a prime target for exploits. Price manipulation vulnerabilities, often via flash loans, are a devastating class of attacks causing significant financial losses. Existing detection methods are limited. Reactive approaches analyze attacks only after they occur, while proactive static analysis tools rely on rigid, predefined heuristics, limiting adaptability. Both depend on known attack patterns, failing to identify novel variants or comprehend complex economic logic. We propose PMDetector, a hybrid framework combining static analysis with Large Language Model (LLM)-based reasoning to proactively detect price manipulation vulnerabilities. Our approach uses a formal attack model and a three-stage pipeline. First, static taint analysis identifies potentially vulnerable code paths. Second, a two-stage LLM process filters paths by analyzing defenses and then simulates attacks to evaluate exploitability. Finally, a static analysis checker validates LLM results, retaining only high-risk paths and generating comprehensive vulnerability reports. To evaluate its effectiveness, we built a dataset of 73 real-world vulnerable and 288 benign DeFi protocols. Results show PMDetector achieves 88% precision and 90% recall with Gemini 2.5-flash, significantly outperforming state-of-the-art static analysis and LLM-based approaches. Auditing a vulnerability with PMDetector costs just $0.03 and takes 4.0 seconds with GPT-4.1, offering an efficient and cost-effective alternative to manual audits.

Problem

Research questions and friction points this paper is trying to address.

Detecting price manipulation vulnerabilities in DeFi smart contracts proactively
Overcoming limitations of reactive approaches and rigid static analysis methods
Identifying novel attack variants that evade existing detection patterns

Innovation

Methods, ideas, or system contributions that make the work stand out.

Hybrid framework combining static analysis with LLM reasoning
Three-stage pipeline identifies and validates vulnerable code paths
Uses formal attack model for proactive vulnerability detection