A Bounded Game Semantics Checker for Precise Smart Contract Analysis

We present a new approach to finding smart contract vulnerabilities that is precise (no false positives up to our EVM-Yul interpreter), bounded-complete, and, when instrumented with domain knowledge, scales to real-world contracts. Our method is based on game semantics, modelling computation as an interaction between a contract and its environment, reducing reasoning about unknown or malicious external contracts to trace enumeration. We implement this in a tool we refer to as YulToolkit, a bounded game-semantics checker for Yul, the intermediate language of Solidity. By exploring only feasible interactions, YulToolkit avoids over-approximation, and by relying on the theory of game semantics it achieves bounded completeness. To make exploration tractable, YulToolkit supports instrumentation written in Solidity and propagated to Yul, comparable in effort to creating a test harness. Unlike tests, however, our technique explores all admissible traces within the chosen parameters and bounds. We evaluate YulToolkit on three real-world incidents: The DAO, PredyPool, and Lendf.Me, as well as benchmark contracts. In all cases, YulToolkit detects the known vulnerabilities (producing a violation-triggering trace), and after applying fixes, reports no further violations within bounds. These results show that bounded game semantics exploration is an effective and precise addition to the smart contract analysis toolbox, particularly for vulnerabilities such as reentrancy that are hard to detect precisely in real code.