Effectively Generating Vulnerable Transaction Sequences in Smart Contracts with Reinforcement Learning‑Guided Fuzzing
This paper presents a reinforcement‑learning‑based fuzzer (RLF) that generates transaction sequences likely to trigger smart‑contract vulnerabilities, combining vulnerability‑driven and coverage‑driven rewards to improve detection efficiency and outperform existing state‑of‑the‑art tools.
Smart contracts are increasingly used in decentralized applications, but their growing complexity introduces hard‑to‑detect security vulnerabilities that often require specific transaction sequences to be triggered.
To address this, the authors propose RLF, a reinforcement‑learning‑guided fuzzing framework that treats fuzzing as a Markov Decision Process. An agent selects actions (function groups) based on states derived from contract execution traces, and receives a composite reward that blends vulnerability detection (binary reward) with average block coverage of function groups.
The agent’s policy is implemented with a Deep Recurrent Q‑Network (DRQN) and trained using an ε‑greedy strategy and experience replay. Actions correspond to selecting function groups categorized by state‑changing operations (Payable, Call, Store, Selfdestruct), enabling the generation of multi‑function transaction sequences that can expose complex bugs.
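The reward shaping and ε‑greedy sequence generation described above, as an added illustration that is not the paper's code: a tabular Q‑learner stands in for the DRQN, the toy contract model and its vulnerability oracle are constructed, and the reward weights are assumed.

```python
import random
from collections import deque
from statistics import mean

# Constructed toy contract model (not from the paper): each function belongs to one
# state-changing group and reaches a fixed number of its basic blocks when called.
FUNCS = {  # name: (group, blocks_reached, total_blocks)
    "deposit": ("Payable", 4, 6),
    "withdraw": ("Call", 3, 8),
    "setOwner": ("Store", 2, 4),
    "kill": ("Selfdestruct", 1, 3),
}
GROUPS = ("Payable", "Call", "Store", "Selfdestruct")

def composite_reward(vuln_found, group, w_vuln=1.0, w_cov=1.0):
    """Binary vulnerability reward blended with the group's average block coverage."""
    cov = mean(b / t for g, b, t in FUNCS.values() if g == group)
    return w_vuln * float(vuln_found) + w_cov * cov

def oracle(sequence):
    """Constructed suicidal-contract oracle: fires once Selfdestruct follows Payable."""
    if "Payable" not in sequence or "Selfdestruct" not in sequence:
        return False
    return sequence.index("Payable") < sequence.index("Selfdestruct")

class SequenceAgent:
    """Tabular Q-learning stand-in for the DRQN; the state is the previous group chosen."""
    def __init__(self, eps=0.3, alpha=0.5, gamma=0.9, seed=0):
        self.q = {(s, a): 0.0 for s in (None,) + GROUPS for a in GROUPS}
        self.eps, self.alpha, self.gamma = eps, alpha, gamma
        self.replay = deque(maxlen=256)          # experience replay buffer
        self.rng = random.Random(seed)

    def act(self, state):                        # epsilon-greedy action selection
        if self.rng.random() < self.eps:
            return self.rng.choice(GROUPS)
        return max(GROUPS, key=lambda a: self.q[(state, a)])

    def learn(self, batch=8):                    # Q-update on a sampled minibatch
        for s, a, r, s2 in self.rng.sample(self.replay, min(batch, len(self.replay))):
            target = r + self.gamma * max(self.q[(s2, a2)] for a2 in GROUPS)
            self.q[(s, a)] += self.alpha * (target - self.q[(s, a)])

def fuzz(agent, episodes=200, seq_len=3):
    """Generate group sequences episode by episode; return those that hit the oracle."""
    found = set()
    for _ in range(episodes):
        state, seq = None, []
        for _ in range(seq_len):
            a = agent.act(state)
            seq.append(a)
            hit = oracle(seq)
            agent.replay.append((state, a, composite_reward(hit, a), a))
            state = a
            if hit:
                found.add(tuple(seq))
                break
        agent.learn()
    return found
```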
Experiments on a dataset of 85 vulnerable contracts (including Ether‑leaking and suicidal contracts) show that RLF discovers significantly more vulnerabilities than several state‑of‑the‑art tools, achieving 8%–69% higher detection rates within the same time budget.
The study concludes that integrating vulnerability‑oriented and coverage‑oriented rewards in a reinforcement‑learning framework effectively guides fuzzing toward transaction sequences that expose both simple and complex smart‑contract bugs.