Trace: Securing Smart Contract Repository Against Access Control Vulnerability

📅 2025-10-22
🤖 AI Summary
Existing smart contract access control vulnerability detectors require compilable code to generate analysis representations, limiting their applicability to incomplete or syntactically invalid intermediate code prevalent in early-stage development repositories. Method: We propose the first detection framework for non-compilable contract repositories: (1) leveraging large language models to semantically complete non-compilable fragments into equivalent compilable contracts; (2) constructing function call graphs from abstract syntax trees (ASTs), enhanced with control-flow graph (CFG)-derived node features for precise identification of sensitive functions and rigorous permission validation. Results: Our approach detects 14 out of 15 known vulnerabilities in the CVE dataset, achieving 89.2% precision on 5,000 on-chain contracts and 87.0% on real-world development repositories—substantially outperforming state-of-the-art tools.

📝 Abstract
Smart contract vulnerabilities, particularly improper Access Control that allows unauthorized execution of restricted functions, have caused billions of dollars in losses. GitHub hosts numerous smart contract repositories containing source code, documentation, and configuration files; these serve as intermediate development artifacts that must be compiled and packaged before deployment. Third-party developers often reference, reuse, or fork code from these repositories during custom development. However, if the referenced code contains vulnerabilities, it can introduce significant security risks. Existing tools for detecting smart contract vulnerabilities are limited in their ability to handle complex repositories, as they typically require the target contract to be compilable to generate an abstract representation for further analysis. This paper presents TRACE, a tool designed to secure non-compilable smart contract repositories against access control vulnerabilities. TRACE employs LLMs to locate sensitive functions involving critical operations (e.g., transfer) within the contract and subsequently completes function snippets into a fully compilable contract. TRACE constructs a function call graph from the abstract syntax tree (AST) of the completed contract. It uses the control flow graph (CFG) of each function as node information. The nodes of the sensitive functions are then analyzed to detect Access Control vulnerabilities. Experimental results demonstrate that TRACE outperforms state-of-the-art tools on an open-source CVE dataset, detecting 14 out of 15 CVEs. In addition, it achieves 89.2% precision on 5,000 recent on-chain contracts, far exceeding the best existing tool at 76.9%. On 83 real-world repositories, TRACE achieves 87.0% precision, significantly surpassing DeepSeek-R1's 14.3%.
Problem

Research questions and friction points this paper is trying to address.

Detecting access control vulnerabilities in non-compilable smart contract repositories
Securing third-party code reuse from vulnerable GitHub smart contract repositories
Overcoming limitations of existing tools requiring compilable contracts for analysis
Innovation

Methods, ideas, or system contributions that make the work stand out.

Uses LLMs to locate sensitive functions in contracts
Completes function snippets into fully compilable contracts
Analyzes call graphs and control flow for vulnerabilities
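The pipeline summarised above (locate sensitive functions, complete the fragment, build a call graph, check that every path from an externally callable function to a sensitive operation passes a permission check) as an added example in Python. This is not TRACE's code: the LLM completion step and the real AST/CFG are replaced by a small regex parser whose brace matching tolerates a truncated function by reading to end of input, and the `Vault` fragment, its function names and the `SENSITIVE`/`GUARD` patterns are constructed for the illustration.

```python
"""Heuristic access-control check over a Solidity fragment (illustration only).

Added example, not TRACE's implementation.  TRACE completes the fragment with an
LLM and analyses a real AST/CFG; here an unbalanced function body simply runs to
end of input and regexes stand in for the AST.
"""
import re
from dataclasses import dataclass, field

# Constructed, deliberately non-compilable sample (hypothetical names):
# setOwner is cut off mid-body and OwnerChanged is never declared.
SAMPLE = """
contract Vault {
    address public owner;
    mapping(address => uint256) public balances;
    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    function withdrawAll(address to) public { _send(to); }
    function _send(address to) internal { payable(to).transfer(address(this).balance); }
    function destroy() external onlyOwner { selfdestruct(payable(owner)); }
    function mint(address to, uint256 amt) public {
        require(msg.sender == owner);
        balances[to] += amt;
    }
    function setOwner(address newOwner) external {
        owner = newOwner;
        emit OwnerChanged(
"""

# Operations that must sit behind a caller check: value transfer, destruction,
# delegation, ownership reassignment.
SENSITIVE = re.compile(
    r"\.transfer\s*\(|\.send\s*\(|\.call\s*[{(]|selfdestruct\s*\(|delegatecall|\bowner\s*=[^=]")
# A require/if whose condition inspects msg.sender counts as a permission check.
GUARD = re.compile(r"\b(require|if)\s*\([^;{]*msg\.sender")
VISIBILITY = {"public", "external", "internal", "private"}
KEYWORDS = VISIBILITY | {"view", "pure", "payable", "virtual", "override"}


@dataclass
class Func:
    name: str
    visibility: str
    modifiers: list
    body: str
    calls: set = field(default_factory=set)   # call-graph edges (callee names)


def _body_from(src, brace_idx):
    """Text from the '{' at brace_idx to its matching '}', or to EOF if unbalanced."""
    depth = 0
    for i in range(brace_idx, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[brace_idx:i + 1]
    return src[brace_idx:]            # truncated fragment: analyse what is there


def parse(src):
    """Return (functions by name, modifier name -> whether it checks msg.sender)."""
    modifiers = {}
    for m in re.finditer(r"\bmodifier\s+(\w+)[^{]*\{", src):
        modifiers[m.group(1)] = bool(GUARD.search(_body_from(src, m.end() - 1)))
    funcs = {}
    for m in re.finditer(r"\bfunction\s+(\w+)\s*\([^)]*\)([^{;]*)\{", src):
        header = re.sub(r"returns\s*\([^)]*\)", "", m.group(2)).split()
        vis = next((w for w in header if w in VISIBILITY), "public")  # pre-0.5 default
        mods = [w.split("(")[0] for w in header
                if w.split("(")[0] and w.split("(")[0] not in KEYWORDS]
        funcs[m.group(1)] = Func(m.group(1), vis, mods, _body_from(src, m.end() - 1))
    for f in funcs.values():
        f.calls = {c for c in re.findall(r"\b(\w+)\s*\(", f.body)
                   if c in funcs and c != f.name}
    return funcs, modifiers


def is_guarded(f, modifiers):
    """Inline msg.sender check, or a modifier (defined in the fragment) that has one.
    A modifier defined outside the fragment is treated as providing no guard."""
    return bool(GUARD.search(f.body)) or any(modifiers.get(m, False) for m in f.modifiers)


def find_unprotected(funcs, modifiers):
    """Map each externally callable entry point to the sensitive operations it
    reaches through a chain of functions none of which checks msg.sender."""
    findings = {}
    for entry in funcs.values():
        if entry.visibility not in ("public", "external"):
            continue
        stack, seen = [entry.name], set()
        while stack:
            name = stack.pop()
            if name in seen:
                continue
            seen.add(name)
            f = funcs[name]
            if is_guarded(f, modifiers):
                continue               # a check anywhere on the path protects it
            op = SENSITIVE.search(f.body)
            if op:
                findings.setdefault(entry.name, []).append((name, op.group(0).strip()))
            stack.extend(sorted(f.calls))
    return findings


if __name__ == "__main__":
    fs, ms = parse(SAMPLE)
    for entry, ops in find_unprotected(fs, ms).items():
        for where, op in ops:
            print(f"{entry}: reaches '{op}' in {where} with no msg.sender check")
```

On the sample this flags `withdrawAll` (it reaches `.transfer(` in `_send` with no check on either function) and `setOwner` (unguarded ownership reassignment in a function that was cut off), while `destroy` (modifier guard) and `mint` (inline `require`) are accepted. The output is a triage list, not a verdict: the regex misses guards written in other forms (role libraries, `tx.origin`, checks in a parent contract), and a modifier whose definition is missing from the fragment is counted as no guard, which is exactly the gap the paper fills by having the LLM complete the fragment before building the AST and CFG.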
Authors
Chong Chen, School of Software Engineering, Sun Yat-sen University, Zhuhai 519082, China
Jiachi Chen, Associate Professor, Sun Yat-Sen University (Smart Contracts, Blockchain, Large Language Models, Software Security, Software Engineering)
Lingfeng Bao, Zhejiang University (Software Engineering)
David Lo, School of Computing and Information Systems, Singapore Management University, Singapore
Yanlin Wang, School of Software Engineering, Sun Yat-sen University, Zhuhai 519082, China
Zhenyu Shan, Intelligent Transportation and Information Security Laboratory, Hangzhou Normal University, Hangzhou 311121, China
Ting Chen, School of Computer Science and Engineering (School of Cyber Security), University of Electronic Science and Technology of China, Chengdu 611731, China, and Kashi Institute of Electronics and Information Industry, Kashi 844000, China
Guangqiang Yin, School of Computer Science and Engineering (School of Cyber Security), University of Electronic Science and Technology of China, Chengdu 611731, China, and Kashi Institute of Electronics and Information Industry, Kashi 844000, China
Jianxing Yu, School of Software Engineering, Sun Yat-sen University, Zhuhai 519082, China
Zibin Zheng, IEEE Fellow, Highly Cited Researcher, Sun Yat-sen University, China (Blockchain, Smart Contract, Services Computing, Software Reliability)