Program Analysis for High-Value Smart Contract Vulnerabilities: Techniques and Insights

📅 2025-07-28
🤖 AI Summary
This paper addresses the challenge of automatically detecting high-impact vulnerabilities—such as economically consequential logic flaws—in smart contracts. We propose a novel approach that balances high completeness with domain adaptability. Our method innovatively infers domain-specific knowledge via statistical analysis of large-scale deployed contracts, deliberately relaxing traditional low-false-positive constraints to prioritize recall on high-risk contracts—even at the cost of moderate false positives—thereby significantly improving detection of high-value vulnerabilities. It integrates high-completeness static analysis, statistical inference, and expert knowledge, and introduces a warning-rate–precision trade-off analytical framework. Evaluated in practice, our method successfully identified 10 high-bounty vulnerabilities, earning over $3 million in rewards, and detected hundreds of defects during pre-deployment audits—demonstrating both real-world effectiveness and strong generalizability.

📝 Abstract
A widespread belief in the blockchain security community is that automated techniques are only good for detecting shallow bugs, typically of small value. In this paper, we present the techniques and insights that have led us to repeatable success in automatically discovering high-value smart contract vulnerabilities. Our vulnerability disclosures have yielded 10 bug bounties, for a total of over $3M, over high-profile deployed code, as well as hundreds of bugs detected in pre-deployment or under-audit code. We argue that the elements of this surprising success are a) a very high-completeness static analysis approach that manages to maintain acceptable precision; b) domain knowledge, provided by experts or captured via statistical inference. We present novel techniques for automatically inferring domain knowledge from statistical analysis of a large corpus of deployed contracts, as well as discuss insights on the ideal precision and warning rate of a promising vulnerability detector. In contrast to academic literature in program analysis, which routinely expects false-positive rates below 50% for publishable results, we posit that a useful analysis for high-value real-world vulnerabilities will likely flag very few programs (under 1%) and will do so with a high false-positive rate (e.g., 95%, meaning that only one of twenty human inspections will yield an exploitable vulnerability).
Problem

Research questions and friction points this paper is trying to address.

Detecting high-value smart contract vulnerabilities automatically
Improving static analysis completeness while maintaining precision
Inferring domain knowledge from statistical contract analysis
Innovation

Methods, ideas, or system contributions that make the work stand out.

High-completeness static analysis with acceptable precision
Domain knowledge from experts or statistical inference
Automated inference from large contract corpus analysis