An Initial Exploration of Fine-tuning Small Language Models for Smart Contract Reentrancy Vulnerability Detection

📅 2025-05-25
🤖 AI Summary
This work addresses reentrancy vulnerability detection in Solidity smart contracts by proposing a lightweight detection paradigm tailored for small language models (SLMs). Unlike existing approaches reliant on large language models (LLMs), we systematically evaluate the suitability of SLMs for on-chain security analysis. We introduce a domain-specific fine-tuning framework integrating vulnerability-pattern augmentation, instruction tuning, and static semantic guidance, implemented end-to-end on open-source SLMs—including CodeLlama-3B and Phi-3. Evaluated on the ReentrancyBench benchmark, our method achieves a 92.4% F1-score, an 8× speedup in inference latency, and sub-4GB GPU memory consumption, enabling real-time, single-machine analysis. Our key contributions are: (1) the first rigorous characterization of SLMs’ effectiveness boundary for smart contract vulnerability detection; (2) a reusable, domain-adapted fine-tuning methodology; and (3) a lightweight deployment framework that bridges the gap between model efficiency and security-critical performance.

📝 Abstract
Large Language Models (LLMs) are increasingly used for a range of coding tasks, including helping developers identify bugs, and are a promising avenue for supporting developers in tasks such as vulnerability detection, particularly given the flexibility of such generative AI models and tools. Yet for many tasks LLMs may not be suitable, and smaller language models that can fit on, run on, and be trained on a developer's own computer may be the better choice. In this paper we explore and evaluate whether smaller language models can be fine-tuned to achieve reasonable results in a niche area, vulnerability detection, focusing specifically on detecting the reentrancy bug in Solidity smart contracts.
Problem

Research questions and friction points this paper is trying to address.

Exploring fine-tuning small language models
Detecting reentrancy bugs in Solidity contracts
Comparing small vs large models for vulnerability detection
Innovation

Methods, ideas, or system contributions that make the work stand out.

Fine-tuning small language models
Detecting smart contract reentrancy vulnerabilities
Focusing on Solidity bug detection