Abstract: Due to the immutable nature of smart contracts, online contract analysis is the only viable approach for revealing vulnerabilities in deployed contracts. Existing online approaches face significant challenges in terms of efficiency, adaptability, and reliance on vulnerability labels. This paper proposes ConWatcher, an adaptive and label-efficient online contract analysis framework capable of detecting yet-unknown attacks under evolving tactics without reliance on vulnerability labels. ConWatcher simulates the Advanced Persistent Threat (APT) tactics commonly used in yet-unknown attacks by continuously applying minor perturbations to legitimate interaction behaviors. It then learns the reverse denoising process, guided by potential logic vulnerabilities (i.e., functionality dependencies), to adaptively identify stealthy anomalies and detect yet-unknown attacks without needing vulnerability labels. ConWatcher proceeds in four steps. First, interaction behavior modeling. Via bytecode-level, account-level, and revenue-level modeling, we propose a behavior-aware multivariate time series model to accurately represent long-term contract interactions with multi-faceted behaviors. Second, APT-like noise adding. We leverage the forward diffusion model to efficiently produce minor and stochastic APT-like noise. Third, reverse denoising learning. To effectively guide reverse denoising using functionality dependencies, we devise an adaptive contract analysis engine equipped with heterogeneous control flow graph modeling and heterogeneous message passing mechanisms to extract function-level and bytecode-level functionality dependencies. Last, contract anomaly detection. We design a label-efficient attack detector based on reconstruction error for contract anomaly detection.
Extensive empirical validations on a manually constructed dataset, covering both mainstream and novel vulnerabilities, demonstrate ConWatcher's effectiveness, adaptability, and label efficiency, with an average F1-score of 0.88 across all types of attacks without prior knowledge of corresponding vulnerabilities.
External IDs: dblp:conf/infocom/Hu0SL025