ChatGPT: Guardian angel of on-chain security or potential demon?
Author: MetaTrust Labs
TL;DR
- GPT should be viewed as a tool; we need to understand its functions and limitations to find the best use cases and scenarios.
- Utilizing GPT for code explanation and smart contract auditing requires enhanced supervision and improved prompt accuracy to avoid over-reliance.
- It is foreseeable that hackers will use GPT for attacks in the near future; we must remain vigilant and strengthen the detection of abnormal behavior.
In the field of digital asset security, GPT has already been able to explain complex security issues related to blockchain, smart contracts, etc., but there are certain limitations and risks. To explore how to leverage GPT to protect digital asset security while preventing hacker attacks, MetaTrust Labs, in collaboration with Cointime, GoPlus Security, and moledao, held a security seminar, inviting three guests to share their insights and experiences. Let's take a look at some interesting viewpoints.
Brad Moon, a security expert from MetaTrust Labs, detailed the functions and application areas of GPT, as well as its advantages in code explanation and transaction interpretation. As a natural language processing model, GPT possesses excellent summarization and reasoning abilities, capable of explaining complex security issues related to blockchain, smart contracts, etc., while also providing very professional and accurate explanations of code, helping auditors and ordinary users quickly understand the functions and behaviors of contracts.
Building on this, the MetaScan tool developed by MetaTrust uses GPT technology to help developers quickly understand blockchain data and transactions. In practical use of MetaScan, phrasing questions to GPT as affirmative statements makes it easier to obtain accurate results.
From a security auditing perspective, one of the most important functions of GPT is vulnerability discovery. When I receive a contract, it can provide correct and professional explanations, simulating the thought process of an auditor, helping us discover more potential vulnerabilities.
So how can we leverage GPT to give ordinary developers the capabilities of auditors? It's simple; MetaScan already has this capability. Once the code is obtained, the corresponding vulnerability scan can be run in MetaScan, and the scan results can then be passed to GPT. Drawing on GPT's comprehension ability, it will produce a relatively complete vulnerability report, which can be used to earn bounties in Bug Bounty programs.
Allen, the business leader of GoPlus Security, shared his views on automated auditing and explored its potential and limitations. Allen is optimistic about GPT, noting that it possesses strong capabilities in summarization and logical reasoning. However, he also sees that GPT cannot take the primary role in automated auditing, because its auditing and reasoning abilities are mainly based on existing knowledge and are not suited to certain complex issues. Allen emphasized the importance of dynamic analysis and mentioned adapting GPT to exhibit hacker-like behavior. By training it in advance on past attack cases, GPT can maximize attack coverage, identify potentially vulnerable paths in the code, and report them. In dynamic analysis, GPT can perform even better.
Iris, Co-Builder of moledao, expressed her views on the feasibility of using GPT for automated auditing and the associated security risks. Although GPT as a tool is neutral and designed with good intent, it can lead to negative consequences if misused. Malicious actors can circumvent its restrictions and exploit GPT for destructive activities.
On one hand, GPT enables hackers to evolve; on the other hand, it empowers developers to use the MetaScan tool to improve prompt accuracy and train GPT with a large amount of historical data to become a more professional code auditor.
Additionally, GPT poses potential risks in social engineering, as it can generate coherent and convincing phishing emails, even adopting distinctive tones and writing styles. We should be more cautious about how to use GPT properly and learn to recognize content it generates for manipulation.
As blockchain technology and applications rapidly develop, security issues are becoming increasingly prominent. The emergence of GPT brings new possibilities for blockchain asset security. Using GPT correctly, leveraging its strengths while compensating for its shortcomings, and addressing the potential threats it poses will require collective effort from the industry to empower developers and safeguard on-chain security.
MetaScan is now open for free trial; start your security shield now.