{"ID":2864175,"CreatedAt":"2026-06-01T04:54:23.091178241Z","UpdatedAt":"2026-06-01T04:54:23.091178241Z","DeletedAt":null,"paper_url":"https://arxiv.org/abs/2509.23679","arxiv_id":"2509.23679","title":"Satellite: Detecting and Analyzing Smart Contract Vulnerabilities caused by Subcontract Misuse","abstract":"Developers of smart contracts pervasively reuse subcontracts to improve development efficiency. Like any program language, such subcontract reuse may unexpectedly include, or introduce vulnerabilities to the end-point smart contract. Unfortunately, automatically detecting such issues poses several unique challenges. Particularly, in most cases, smart contracts are compiled as bytecode, whose class-level information (e.g., inheritance, virtual function table), and even semantics (e.g., control flow and data flow) are fully obscured as a single smart contract after compilation. In this paper, we propose Satellite, a new bytecode-level static analysis framework for subcontract misuse vulnerability (SMV) detection in smart contracts. Satellite incorporates a series of novel designs to enhance its overall effectiveness.. Particularly, Satellite utilizes a transfer learning method to recover the inherited methods, which are critical for identifying subcontract reuse in smart contracts. Further, Satellite extracts a set of fine-grained method-level features and performs a method-level comparison, for identifying the reuse part of subcontract in smart contracts. Finally, Satellite summarizes a set of SMV indicators according to their types, and hence effectively identifies SMVs. To evaluate Satellite, we construct a dataset consisting of 58 SMVs derived from real-world attacks and collect additional 56 SMV patterns from SOTA studies. Experiment results indicate that Satellite exhibits good performance in identifying SMV, with a precision rate of 84.68% and a recall rate of 92.11%. In addition, Satellite successfully identifies 14 new/unknown SMV over 10,011 real-world smart contracts, affecting a total amount of digital assets worth 201,358 USD.","short_abstract":"Developers of smart contracts pervasively reuse subcontracts to improve development efficiency. Like any program language, such subcontract reuse may unexpectedly include, or introduce vulnerabilities to the end-point smart contract. Unfortunately, automatically detecting such issues poses several unique challenges. Pa...","url_abs":"https://arxiv.org/abs/2509.23679","url_pdf":"https://arxiv.org/pdf/2509.23679v1","authors":"[\"Zeqin Liao\",\"Yuhong Nan\",\"Zixu Gao\",\"Henglong Liang\",\"Sicheng Hao\",\"Jiajing Wu\",\"Zibin Zheng\"]","published":"2025-09-28T06:39:58Z","proceeding":"cs.SE","tasks":"[\"cs.SE\"]","methods":"[]","has_code":false}