The internet sensation "strongest AI" ChatGPT, can it detect smart contract vulnerabilities?
Author: Beosin
Overnight, ChatGPT became wildly popular and set off an "AI storm" across the internet.
ChatGPT, launched by the artificial intelligence lab OpenAI on November 30 this year, is a new conversational model.
Currently, interactions between users and ChatGPT include casual chatting, information consulting, writing poetry and essays, modifying code, and even raising concerns about whether ChatGPT could replace search engines like Google.
Today, let's explore what the wildly popular ChatGPT actually is and whether it can detect vulnerabilities in smart contracts.
What exactly is ChatGPT, the AI that has sparked an "AI storm" on the internet?
According to the official website, ChatGPT, a general-purpose chatbot supported by the computational model GPT-3.5, can answer follow-up questions, acknowledge its mistakes, question incorrect assumptions, and even refuse unreasonable requests.
From writing scripts, composing poetry, designing games, to debugging programs, and even formulating a "plan to destroy humanity," the capabilities of this AI are beyond imagination.
American entrepreneur Elon Musk asked ChatGPT how to design Twitter, and the AI responded: "To make it easier for users to view and interact with threaded internet conversations, you could transform the linear one-dimensional interface into a two-dimensional infinite grid."
On December 5, Sam Altman, founder and CEO of OpenAI, tweeted that the number of ChatGPT users had surpassed one million.
Many people have tested the chat function and have been sharing their interactions on social media. ChatGPT seems to have also left a deep impression on tech billionaire Elon Musk, who tweeted: "ChatGPT is scary good. We are not far from dangerously strong AI."
Amjad Masad, founder of tech company Replit, even sent ChatGPT a piece of JavaScript code to find bugs within it, stating: "ChatGPT might be a great debugging partner; it not only analyzed the errors but also fixed them and provided explanations."
One user even asked ChatGPT to write a letter from the perspective of AI with the goal of controlling the world.
The result was shocking. It sparked responses from renowned figures in artificial intelligence, taking the concept of world domination from science fiction a step closer to reality.
With such powerful and impressive language capabilities, ChatGPT has quietly become the center of attention, emerging as a new internet celebrity that has sparked heated discussions.
Currently, ChatGPT is still in the free testing phase and is open to the public without limits. Given its user base of over a million, the costs incurred by the platform are not insignificant. However, the feedback provided by users during the usage process is also the most valuable information for OpenAI, which can continuously train the language model and correct erroneous answers.
Can the "new internet celebrity" ChatGPT write smart contracts or detect contract vulnerabilities?
We registered and experienced a conversation with ChatGPT, starting by asking the AI to introduce itself.
It replied, "I am Assistant, a large language model trained by OpenAI. My job is to help people answer various questions and provide accurate and detailed information as much as possible. I can answer questions on a wide range of topics, whether they are about history, science, humanities, or other subjects."
As a blockchain security company, we had another idea: to ask it to write a smart contract.
Writing a simple contract did not seem too difficult for ChatGPT. Since the code was too long to reproduce here, we took screenshots, which show that it does understand some basic concepts.
Next, we threw a relatively simple but vulnerable smart contract at ChatGPT and asked it to detect any issues; we took some screenshots to show its responses.
Surprisingly, ChatGPT was able to detect some simple issues.
Given this situation, it seems to have some "skills." Let's increase the difficulty!
We thought it would continue to surprise us, but it replied, "I don't understand this code."
Then we added some comments and asked it to recheck.
It said something, but it felt like it said nothing.
It then suggested we use professional security auditing tools or request a professional for an audit.
Alright, we then ran our smart contract formal verification tool, Beosin VaaS, on the contracts we had just tested, and VaaS quickly detected the vulnerabilities in them.
Screenshot of Beosin VaaS product
It’s worth noting that VaaS, as one of Beosin's flagship products, can automatically discover known and unknown vulnerabilities and business logic issues in smart contracts, providing professional remediation suggestions to help developers enhance the security of their smart contracts. If you're interested, you can compare the results; here’s the trial link for VaaS: https://vaas.beosin.com/
In addition, through multiple rounds of comparison, we found that ChatGPT cannot solve every problem; many vulnerabilities still require rigorous expert audits to uncover.
For example, in the contract below, the transaction fee has no upper limit, so users could be charged excessively high fees; ChatGPT did not flag this.
In another case, in the _transfer function, once _trAmount=2 is triggered, every transfer made within the following 10 seconds is sent to the dev address instead of the intended recipient. ChatGPT still could not identify this.
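To make the uncapped-fee finding above concrete, here is a constructed Solidity illustration (added here; it is not the contract Beosin tested, and the contract and function names are assumptions): the same token with a fee setter that accepts any value, beside a hardened form whose cap is fixed at deployment.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Constructed illustration of an uncapped transaction fee. Not the audited
// contract from the article; FeeToken, setFee and MAX_FEE_BPS are assumed names.
abstract contract FeeToken {
    address public immutable owner;
    uint256 public feeBps;                          // fee in basis points (1/10000)
    mapping(address => uint256) public balanceOf;

    event FeeUpdated(uint256 oldFeeBps, uint256 newFeeBps);

    constructor() {
        owner = msg.sender;
        balanceOf[msg.sender] = 1_000_000e18;       // constructed initial supply
    }

    function setFee(uint256 newFeeBps) external virtual;

    function transfer(address to, uint256 amount) external {
        require(balanceOf[msg.sender] >= amount, "insufficient balance");
        uint256 fee = amount * feeBps / 10_000;
        balanceOf[msg.sender] -= amount;
        balanceOf[owner] += fee;
        balanceOf[to] += amount - fee;              // feeBps = 10_000 leaves the recipient with 0
    }
}

// Vulnerable form: the owner can raise the fee to 100% at any moment, and a
// value above 10_000 makes every transfer revert on the underflow in amount - fee.
contract UncappedFeeToken is FeeToken {
    function setFee(uint256 newFeeBps) external override {
        require(msg.sender == owner, "not owner");
        feeBps = newFeeBps;
    }
}

// Hardened form: a compile-time ceiling bounds what the owner can ever charge,
// and the event gives users and monitoring tools a change to alert on.
contract CappedFeeToken is FeeToken {
    uint256 public constant MAX_FEE_BPS = 500;      // 5% ceiling, fixed at deployment

    function setFee(uint256 newFeeBps) external override {
        require(msg.sender == owner, "not owner");
        require(newFeeBps <= MAX_FEE_BPS, "fee exceeds cap");
        emit FeeUpdated(feeBps, newFeeBps);
        feeBps = newFeeBps;
    }
}
```

An auditor would express the hardened property as an invariant, "feeBps never exceeds MAX_FEE_BPS", which is exactly the kind of reusable check a formal verification tool can test automatically.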
After all, in security, a rigorous auditing process is essential to build a solid security defense.
Beosin's auditing process is standardized and includes more than five auditing steps, combining automated code security scanning with manual audits by security experts and formal verification specialists. Each step is cross-checked by multiple security experts and formal verification specialists to minimize omissions due to human factors.
After completing an audit round, Beosin provides feedback on the identified issues, including vulnerability descriptions, reproduction methods, and remediation suggestions, and assists the project team in completing the fixes. With a vast accumulation of security vulnerability databases and the rich auditing experience of security experts, we can directly inform the project team how to modify the code. This is much stronger than ChatGPT!
Finally, formal verification experts abstract the security issues distilled by security auditors into reusable security property invariants using strict mathematical logic, which are then handed over to a hybrid machine engine for automated detection, testing, and verification. Practical experience has shown that these reusable security property invariants can effectively discover new subtle vulnerabilities in smart contracts.
It seems we won't be replaced by ChatGPT's robots just yet.
Of course, while we focus on ChatGPT, we also need to think about what its popularity reveals. The artificial intelligence it represents may have entered a whole new stage of development, and technology is slowly changing the world.