Smart contract functional vulnerabilities exhibit high stealthiness, with existing tools suffering >80% false-negative rates—primarily due to a semantic gap between business logic and code implementation, and the absence of vulnerability-feature-oriented automated oracles. Method: We propose PROMFUZZ, an end-to-end detection system featuring (i) LLM-based dual-agent prompting engineering to precisely localize vulnerable functions; (ii) a logic-driven invariant checker generation method; and (iii) a vulnerability-guided fuzzing engine that establishes verifiable mappings from business logic to code implementation. Contributions/Results: On standard benchmarks, PROMFUZZ achieves 86.96% recall and 93.02% F1-score—improving over state-of-the-art by >50%. Applied to real-world DeFi projects, it discovers 30 zero-day vulnerabilities, 24 of which have been assigned CVE identifiers.

Smart contracts are fundamental pillars of the blockchain, playing a crucial role in facilitating various business transactions. However, these smart contracts are vulnerable to exploitable bugs that can lead to substantial monetary losses. A recent study reveals that over 80% of these exploitable bugs, which are primarily functional bugs, can evade the detection of current tools. The primary issue is the significant gap between understanding the high-level logic of the business model and checking the low-level implementations in smart contracts. Furthermore, identifying deeply rooted functional bugs in smart contracts requires the automated generation of effective detection oracles based on various bug features. To address these challenges, we design and implement PROMFUZZ, an automated and scalable system to detect functional bugs, in smart contracts. In PROMFUZZ, we first propose a novel Large Language Model (LLM)-driven analysis framework, which leverages a dual-agent prompt engineering strategy to pinpoint potentially vulnerable functions for further scrutiny. We then implement a dual-stage coupling approach, which focuses on generating invariant checkers that leverage logic information extracted from potentially vulnerable functions. Finally, we design a bug-oriented fuzzing engine, which maps the logical information from the high-level business model to the low-level smart contract implementations, and performs the bug-oriented fuzzing on targeted functions. We compare PROMFUZZ with multiple state-of-the-art methods. The results show that PROMFUZZ achieves 86.96% recall and 93.02% F1-score in detecting functional bugs, marking at least a 50% improvement in both metrics over state-of-the-art methods. Moreover, we perform an in-depth analysis on real-world DeFi projects and detect 30 zero-day bugs. Up to now, 24 zero-day bugs have been assigned CVE IDs.