Mingxi Ye,Xingwei Lin,Yuhong Nan,Jiajing Wu,Zibin Zheng

DOI: https://doi.org/10.1145/3650212.3680321

2024-01-01

Abstract:In the context of boosting smart contract applications, prioritizing their security becomes paramount. Smart contract exploits often result in notable financial losses. Ensuring their security is by no means trivial. Rather than resulting in program crashes, most attacks in on-chain smart contracts aim to induce financial loss, referred to as profitable exploits. By constructing seemingly innocuous inputs, profitable exploits try to extract extra profit or compromise the interests of others. However, due to the complexity of call chains in on-chain smart contracts and the need for effective oracles for profitable exploits, smart contract fuzzing suffers from low efficiency and low effectiveness in finding profitable exploits. In this paper, we present Midas, a novel feedback-driven fuzzing framework to mine profitable exploits in on-chain smart contracts effectively. Midas consists of two modules: diverse validity fuzzing and profitable transaction identification. The diverse validity fuzzing module applies two waypoints to efficiently generate valid transactions, addressing the complexity of on-chain smart contract call chains. The profitable transaction identification module applies differential analysis to effectively identify profitable exploits, addressing the limitation of ad-hoc oracles. Evaluation of Midas over on-chain smart contracts showed it effectively identified 40 real-world exploits with a precision of 80%, outperforming state-of-the-art tools (i.e., ItyFuzz and Slither) in both efficiency and effectiveness. Particularly, Midas effectively mines five unknown exploits in valuable smart contracts, and two of them have already been confirmed by their DApp developers.

Zheng Zhang,Baojiang Cui,Chen Chen

DOI: https://doi.org/10.1007/978-3-030-50399-4_24

2020-01-01

Abstract:Fuzzing is a common vulnerability detection method in the modern software testing, which triggers potential vulnerabilities in the target program by generating variable input. However, traditional methods have the disadvantage of low code coverage due to the blind mutation of samples. To mitigate the problem, we model the process of traditional fuzzing as the Markov decision process and take use of the reinforcement learning algorithm to guide the direction of each step in the process of mutation to improve the quality of samples and the efficiency of fuzzing. In this paper, we implemented a general fuzzing system called RLFUZZ based on the reinforcement learning, taking the edge coverage as reward and using DDPG algorithm to maximize it. Experimental results show that DDPG-based RLFUZZ achieves greater edge coverage than baseline random mutation on LAVA-M dataset.

Peng Qian,Hanjie Wu,Zeren Du,Turan Vural,Dazhong Rong,Zheng Cao,Lun Zhang,Yanbin Wang,Jianhai Chen,Qinming He

2023-12-10

Abstract:As blockchain smart contracts become more widespread and carry more valuable digital assets, they become an increasingly attractive target for attackers. Over the past few years, smart contracts have been subject to a plethora of devastating attacks, resulting in billions of dollars in financial losses. There has been a notable surge of research interest in identifying defects in smart contracts. However, existing smart contract fuzzing tools are still unsatisfactory. They struggle to screen out meaningful transaction sequences and specify critical inputs for each transaction. As a result, they can only trigger a limited range of contract states, making it difficult to unveil complicated vulnerabilities hidden in the deep state space. In this paper, we shed light on smart contract fuzzing by employing a sequence-aware mutation and seed mask guidance strategy. In particular, we first utilize data-flow-based feedback to determine transaction orders in a meaningful way and further introduce a sequence-aware mutation technique to explore deeper states. Thereafter, we design a mask-guided seed mutation strategy that biases the generated transaction inputs to hit target branches. In addition, we develop a dynamic-adaptive energy adjustment paradigm that balances the fuzzing resource allocation during a fuzzing campaign. We implement our designs into a new smart contract fuzzer named MuFuzz, and extensively evaluate it on three benchmarks. Empirical results demonstrate that MuFuzz outperforms existing tools in terms of both branch coverage and bug finding. Overall, MuFuzz achieves higher branch coverage than state-of-the-art fuzzers (up to 25%) and detects 30% more bugs than existing bug detectors.

Cryptography and Security

Peng Qian,Zhenguang Liu,Qinming He,Butian Huang,Duanzheng Tian,Xun Wang

DOI: https://doi.org/10.13328/j.cnki.jos.006375

2022-01-01

Journal of Software

Abstract: Smart contract, one of the most successful applications of blockchain, is taking the world by storm, playing an essential role in the blockchain ecosystem. However, frequent smart contract security incidents not only result in tremendous economic losses but also destroy the blockchain-based credit system. The security and reliability of smart contracts thus gain extensive attention from researchers worldwide. In this survey, we first summarize the common types and typical cases of smart contract vulnerabilities from three levels, i.e., Solidity code layer, EVM execution layer, and Block dependency layer. Further, we review the research progress of smart contract vulnerability detection and classify existing counterparts into five categories, i.e., formal verification, symbolic execution, fuzzing detection, intermediate representation, and deep learning. Empirically, we take 300 real-world smart contracts deployed on Ethereum as the test samples and compare the representative methods in terms of accuracy, F1-Score, and average detection time. Finally, we discuss the challenges in the field of smart contract vulnerability detection and combine with the deep learning technology to look forward to future research directions.

Chaofan Shou,Jing Liu,Doudou Lu,Koushik Sen

2024-01-20

Abstract:As blockchain platforms grow exponentially, millions of lines of smart contract code are being deployed to manage extensive digital assets. However, vulnerabilities in this mission-critical code have led to significant exploitations and asset losses. Thorough automated security analysis of smart contracts is thus imperative. This paper introduces LLM4Fuzz to optimize automated smart contract security analysis by leveraging large language models (LLMs) to intelligently guide and prioritize fuzzing campaigns. While traditional fuzzing suffers from low efficiency in exploring the vast state space, LLM4Fuzz employs LLMs to direct fuzzers towards high-value code regions and input sequences more likely to trigger vulnerabilities. Additionally, LLM4Fuzz can leverage LLMs to guide fuzzers based on user-defined invariants, reducing blind exploration overhead. Evaluations of LLM4Fuzz on real-world DeFi projects show substantial gains in efficiency, coverage, and vulnerability detection compared to baseline fuzzing. LLM4Fuzz also uncovered five critical vulnerabilities that can lead to a loss of more than $247k.

Cryptography and Security,Software Engineering

Songyan Ji,Jian Dong,Jin Wu,Lishi Lu

DOI: https://doi.org/10.1109/icsme58846.2023.00036

2023-01-01

Abstract:Smart contracts manage a large number of digital assets which is attractive to attackers. There have been many attacks that have caused huge financial losses. Therefore, it is of great importance to detect vulnerabilities in smart contracts. Fuzzing is considered a promising approach to test smart contracts. However, the complexity of changing state variables and the handling of external parameters during mutation pose critical technical challenges for current smart contract fuzzers, hindering their ability to cover branches under complex constraints and leaving potential vulnerabilities for attackers to exploit. To tackle these problems, we design a guided mutation strategy combined with two novel techniques: Dynamic Dependency Learning (DDL) and Dynamic Variables Analysis (DVA). DDL learns the dependencies of sequences to provide guided transaction sequence generation for handling state variables in complex constraints, while DVA leverages variable-level dynamic taint analysis to process the external parameters and guide the mutation. We implement the proposed strategy on a fuzzer, called SeqFuzz. The experimental results show that SeqFuzz could cover more branches and detect more bugs in real-world smart contracts compared with state-of-the-art tools.

Mingxi Ye,Yuhong Nan,Hong-Ning Dai,Shuo Yang,Xiapu Luo,Zibin Zheng

DOI: https://doi.org/10.1145/3674725

IF: 3.685

2024-06-28

ACM Transactions on Software Engineering and Methodology

Abstract:With the increasing popularity of Decentralized Applications (DApps) in blockchain, securing smart contracts has been a long-term, high-priority subject in the domain. Among the various research directions for vulnerability detection, fuzzing has received extensive attention because of its high effectiveness. However, with the increasing complexity of smart contracts, existing fuzzers may waste substantial time exploring locations irrelevant to smart contract vulnerabilities. In this paper, we present FunFuzz , a function-oriented fuzzer, which is dedicatedly tailored for detecting smart contract vulnerability with high effectiveness and efficiency. The key observation in our research is that most smart contract vulnerabilities exist in specific functions rather than randomly distributed in all program code like other traditional software. To this end, unlike traditional fuzzers which mainly target code coverage, FunFuzz identifies risky functions while pruning non-risky ones in smart contracts. In this way, it significantly narrows down the exploration scope during the fuzzing process. In addition, FunFuzz employs three unique strategies to direct itself towards effectively discovering vulnerabilities specific to smart contracts (e.g., reentrancy, block dependency, and gasless send). Extensive experiments on 170 real-world contracts demonstrate that FunFuzz outperforms state-of-the-art fuzzers in terms of effectiveness and efficiency.

computer science, software engineering

Peng Qian,Zhenguang Liu,Qinming He,Roger Zimmermann,Xun Wang

DOI: https://doi.org/10.1109/access.2020.2969429

IF: 3.9

2020-01-01

IEEE Access

Abstract:In the last decade, smart contract security issues lead to tremendous losses, which has attracted increasing public attention both in industry and in academia. Researchers have embarked on efforts with logic rules, symbolic analysis, and formal analysis to achieve encouraging results in smart contract vulnerability detection tasks. However, the existing detection tools are far from satisfactory. In this paper, we attempt to utilize the deep learning-based approach, namely bidirectional long-short term memory with attention mechanism (BLSTM-ATT), aiming to precisely detect reentrancy bugs. Furthermore, we propose contract snippet representations for smart contracts, which contributes to capturing essential semantic information and control flow dependencies. Our extensive experimental studies on over 42,000 real-world smart contracts show that our proposed model and contract snippet representations significantly outperform state-of-the-art methods. In addition, this work proves that it is practical to apply deep learning-based technology on smart contract vulnerability detection, which is able to promote future research towards this area.

Songyan Ji,Jin Wu,Junfu Qiu,Jian Dong

DOI: https://doi.org/10.1016/j.infsof.2023.107213

IF: 3.9

2023-01-01

Information and Software Technology

Abstract:A large number of Ethereum smart contracts have been deployed on blockchain to manage assets. Unfortunately, due to the immutable nature of blockchain, smart contracts cannot be modified after deployment, even if vulnerabilities have been exposed to attackers. Therefore, it is critical to efficiently and thoroughly test smart contracts. Greybox fuzzing is a prosperous technique for detecting smart contract vulnerabilities. However, most existing fuzzers have a common drawback in that they cannot efficiently satisfy hard-to-cover branch constraints. The goal of this paper is to solve the problem of how to efficiently satisfy hard-to-cover branch constraints. After solving this problem, fuzz testing can execute more code, and there is a higher probability of executing vulnerabilities. We propose an approach for addressing this problem. Specifically, we design an input parameter analysis strategy to selectively mutate a subset of input parameters to reduce invalid mutations. Also, to accelerate the processing of satisfying branch constraints, we design an accelerated multi-objective search strategy to reduce the waste of resources. We implemented this approach in a tool called Effuzz and applied it to real-world smart contracts. Experiments show that Effuzz finds more vulnerabilities and is more efficient than existing state-of-the-art fuzzers. In this paper, we present an approach to efficiently satisfy hard-to-cover branch constraints. Our approach addresses two main problems, i.e., how to select the subset of input parameters for mutation with considering the characteristic of Ethereum smart contracts, and how to accelerate the search to satisfy hard-to-cover branch constraints without generating excessive ineffective test cases that waste resources. The experimental results show that our approach is effective.

Zhenguang Liu,Peng Qian,Jiaxu Yang,Lingfeng Liu,Xiaojun Xu,Qinming He,Xiaosong Zhang

DOI: https://doi.org/10.48550/arXiv.2301.03943

2023-01-12

Abstract:Blockchain smart contracts have given rise to a variety of interesting and compelling applications and emerged as a revolutionary force for the Internet. Quite a few practitioners have devoted themselves to developing tools for detecting bugs in smart contracts. One line of efforts revolve around static analysis techniques, which heavily suffer from high false-positive rates. Another line of works concentrate on fuzzing techniques. Unfortunately, current fuzzing approaches for smart contracts tend to conduct fuzzing starting from the initial state of the contract, which expends too much energy revolving around the initial state and thus is usually unable to unearth bugs triggered by other states. Moreover, most existing methods treat each branch equally, failing to take care of the branches that are rare or more likely to possess bugs. This might lead to resources wasted on normal branches. In this paper, we try to tackle these challenges from three aspects: (1) In generating function invocation sequences, we explicitly consider data dependencies between functions to facilitate exploring richer states. We further prolong a function invocation sequence S1 by appending a new sequence S2, so that S2 can start fuzzing from states that are different from the initial state. (2) We incorporate a branch distance-based measure to evolve test cases iteratively towards a target branch. (3) We engage a branch search algorithm to discover rare and vulnerable branches, and design an energy allocation mechanism to take care of exercising these crucial branches. We implement IR-Fuzz and extensively evaluate it over 12K real-world contracts. Empirical results show that: (i) IR-Fuzz achieves 28% higher branch coverage than state-of-the-art fuzzing approaches, and (ii) IR-Fuzz detects more vulnerabilities and increases the average accuracy of vulnerability detection by 7% over current methods.

Cryptography and Security,Programming Languages,Software Engineering

Kairui Gong,Wenchuan Yang,Baojiang Cui,Chen Chen

DOI: https://doi.org/10.1109/EIECT58010.2022.00080

2022-01-01

Abstract:With the development of information technology, program vulnerabilities have become more complex and diversified, posing a great threat to the security of computer systems. Among many vulnerability detection methods, fuzzing is an popular method of automatic vulnerability mining which efficiency depends on the quality of generated samples. Some work has introduced reinforcement learning into fuzzing to provide an intelligent scheme for vulnerability mining, but there is still the problem of exploring invalid sample space. In order to solve this problem, this paper proposes a new fuzzer called DRLFCfuzzer, which is based on data boundary segmentation technology and guided by multi-dimensional deep reinforcement learning. We model the fuzzing process as a Markov decision process, add the segmentation of data boundaries and the selection of data blocks on the basis of multi-dimensional mutation, and improve the efficiency of the fuzzing by pruning unnecessary exploration of sample spaces. The experimental results show that DRLFCfuzzer achieves code coverage of 128% to 800% of AFL and 112% to 160% of general deep reinforcement learning fuzzer and more crashes in some programs of the Fuzzer-Test-Suite dataset and three real world programs.

Haoyu Wang,Zan Wang,Shuang Liu,Jun Sun,Yingquan Zhao,Yan Wan,Tai D. Nguyen

DOI: https://doi.org/10.1002/smr.2557

2023-03-18

Abstract:sFuzz2.0 is motivated by the fact that certain vulnerabilities only manifest in the presence of certain function call sequences (as well as particular arguments). sFuzz2.0 tackles the problem with two sequence generation strategies, that is, by generating function call sequences that trigger different storage‐access patterns passively or actively. The experiment result has shown that the passive strategy achieves better code coverage as well as reveals more vulnerabilities. Smart contracts are distributed self‐enforcing programs which execute on top of blockchain networks. They have the potential to revolutionize many industries and have already been adopted for applications such as distributed finance and crowdfunding. Because smart contracts are immutable once they are deployed, it is important to identify and eliminate code vulnerabilities in smart contracts systematically. In this work, we propose sFuzz2.0, a storage‐access‐pattern guided adaptive fuzzer based on sFuzz. sFuzz2.0 is motivated by the fact that certain vulnerabilities only manifest in the presence of certain function call sequences (as well as particular arguments). Given that there are exponentially many function call sequences, sFuzz randomly generates sequences without guidance. As a result, the probability of discovering those vulnerabilities is negligible. sFuzz2.0 tackles the problem with two approaches, that is, by generating function call sequences that trigger different storage‐access patterns passively (i.e., by prioritizing seeds which cover new patterns) or actively (i.e., by actively seeking out different patterns). The experiment results suggest that the passive strategy outperforms sFuzz by achieving better code coverage (i.e., 37.53%) and discovering more vulnerabilities (i.e., 20.49%).

computer science, software engineering

Michael Rodler,David Paaßen,Wenting Li,Lukas Bernhard,Thorsten Holz,Ghassan Karame,Lucas Davi

DOI: https://doi.org/10.48550/arXiv.2304.06341

2023-04-13

Abstract:Smart contracts are increasingly being used to manage large numbers of high-value cryptocurrency accounts. There is a strong demand for automated, efficient, and comprehensive methods to detect security vulnerabilities in a given contract. While the literature features a plethora of analysis methods for smart contracts, the existing proposals do not address the increasing complexity of contracts. Existing analysis tools suffer from false alarms and missed bugs in today's smart contracts that are increasingly defined by complexity and interdependencies. To scale accurate analysis to modern smart contracts, we introduce EF/CF, a high-performance fuzzer for Ethereum smart contracts. In contrast to previous work, EF/CF efficiently and accurately models complex smart contract interactions, such as reentrancy and cross-contract interactions, at a very high fuzzing throughput rate. To achieve this, EF/CF transpiles smart contract bytecode into native C++ code, thereby enabling the reuse of existing, optimized fuzzing toolchains. Furthermore, EF/CF increases fuzzing efficiency by employing a structure-aware mutation engine for smart contract transaction sequences and using a contract's ABI to generate valid transaction inputs. In a comprehensive evaluation, we show that EF/CF scales better -- without compromising accuracy -- to complex contracts compared to state-of-the-art approaches, including other fuzzers, symbolic/concolic execution, and hybrid approaches. Moreover, we show that EF/CF can automatically generate transaction sequences that exploit reentrancy bugs to steal Ether.

Cryptography and Security

Yinxing Xue,Jiaming Ye,Wei Zhang,Jun Sun,Lei Ma,Haijun Wang,Jianjun Zhao

DOI: https://doi.org/10.1109/TDSC.2022.3182373

2022-06-30

Abstract:Smart contract transactions are increasingly interleaved by cross-contract calls. While many tools have been developed to identify a common set of vulnerabilities, the cross-contract vulnerability is overlooked by existing tools. Cross-contract vulnerabilities are exploitable bugs that manifest in the presence of more than two interacting contracts. Existing methods are however limited to analyze a maximum of two contracts at the same time. Detecting cross-contract vulnerabilities is highly non-trivial. With multiple interacting contracts, the search space is much larger than that of a single contract. To address this problem, we present xFuzz, a machine learning guided smart contract fuzzing framework. The machine learning models are trained with novel features (e.g., word vectors and instructions) and are used to filter likely benign program paths. Comparing with existing static tools, machine learning model is proven to be more robust, avoiding directly adopting manually-defined rules in specific tools. We compare xFuzz with three state-of-the-art tools on 7,391 contracts. xFuzz detects 18 exploitable cross-contract vulnerabilities, of which 15 vulnerabilities are exposed for the first time. Furthermore, our approach is shown to be efficient in detecting non-cross-contract vulnerabilities as well -- using less than 20% time as that of other fuzzing tools, xFuzz detects twice as many vulnerabilities.

Cryptography and Security,Software Engineering

Zeli Wang,Weiqi Dai,Ming Li,Kim-Kwang Raymond Choo,Deqing Zou

DOI: https://doi.org/10.1016/j.jnca.2024.103984

IF: 7.574

2024-01-01

Journal of Network and Computer Applications

Abstract:Smart contracts are self-executing digital agreements that automatically enforce the terms between parties, playing a crucial role in blockchain systems. However, due to the potential losses of digital assets caused by vulnerabilities, the security issues of Ethereum smart contracts have garnered widespread attention. To address this, researchers have developed various techniques to detect vulnerabilities in smart contracts, with fuzzing techniques achieving promising results. Nonetheless, current fuzzers are unable to effectively exercise suspicious targets because they overlook two key factors: comprehensively exploring all paths to the targets and providing high-quality directed seed inputs. This paper presents a Directed vulnerability veriFier (DFier), which elaborates effective transaction sequences with directed inputs for the fuzzer. This focuses on exploring target paths and automatically validating whether the specified locations are vulnerable. Specifically, DFier employs static analysis to help locate target paths, facilitating their comprehensive exploration. Additionally, we devise three heuristic strategies to enable our fuzzing technique to generate directed inputs that effectively validate the targets. Extensive experiments demonstrate that DFier is effective in verifying contract security, compared with three existing contract fuzzers (i.e., contractFuzzer, sFuzz, and conFuzzius), while the performance losses are in an acceptable range.

Jingxuan He,Mislav Balunović,Nodar Ambroladze,Petar Tsankov,Martin Vechev

DOI: https://doi.org/10.1145/3319535.3363230

2019-11-06

Abstract:Fuzzing and symbolic execution are two complementary techniques for discovering software vulnerabilities. Fuzzing is fast and scalable, but can be ineffective when it fails to randomly select the right inputs. Symbolic execution is thorough but slow and often does not scale to deep program paths with complex path conditions. In this work, we propose to learn an effective and fast fuzzer from symbolic execution, by phrasing the learning task in the framework of imitation learning. During learning, a symbolic execution expert generates a large number of quality inputs improving coverage on thousands of programs. Then, a fuzzing policy, represented with a suitable architecture of neural networks, is trained on the generated dataset. The learned policy can then be used to fuzz new programs. We instantiate our approach to the problem of fuzzing smart contracts, a domain where contracts often implement similar functionality (facilitating learning) and security is of utmost importance. We present an end-to-end system, ILF (for Imitation Learning based Fuzzer), and an extensive evaluation over >18K contracts. Our results show that ILF is effective: (i) it is fast, generating 148 transactions per second, (ii) it outperforms existing fuzzers (e.g., achieving 33% more coverage), and (iii) it detects more vulnerabilities than existing fuzzing and symbolic execution tools for Ethereum.

Tai D. Nguyen,Long H. Pham,Jun Sun,Yun Lin,Quang Tran Minh

DOI: https://doi.org/10.1145/3377811.3380334

2020-01-01

Abstract:Smart contracts are Turing-complete programs that execute on the infrastructure of the blockchain, which often manage valuable digital assets. Solidity is one of the most popular programming languages for writing smart contracts on the Ethereum platform. Like traditional programs, smart contracts may contain vulnerabilities. Unlike traditional programs, smart contracts cannot be easily patched once they are deployed. It is thus important that smart contracts are tested thoroughly before deployment. In this work, we present an adaptive fuzzer for smart contracts on the Ethereum platform called sFuzz. Compared to existing Solidity fuzzers, sFuzz combines the strategy in the AFL fuzzer and an efficient lightweight multi-objective adaptive strategy targeting those hard-to-cover branches. sFuzz has been applied to more than 4 thousand smart contracts and the experimental results show that (1) sFuzz is efficient, e.g., two orders of magnitude faster than state-of-the-art tools; (2) sFuzz is effective in achieving high code coverage and discovering vulnerabilities; and (3) the different fuzzing strategies in sFuzz complement each other.

Bixin Li,Zhenyu Pan,Tianyuan Hu

DOI: https://doi.org/10.1109/tnse.2024.3447025

IF: 6.6

2024-01-01

IEEE Transactions on Network Science and Engineering

Abstract:Reentrancy vulnerability is one of the most serious security issues in smart contracts, resulting in millions of dollars in economic losses and posing a threat to the trust of the blockchain ecosystem. Therefore, researchers are paying more attention to this problem and have proposed various methods to detect and eliminate potential reentrancy vulnerabilities before contract deployment. Compared to symbolic execution and pattern-matching methods, fuzz testing method can achieve higher accuracy and are better suitable for detecting cross-contract vulnerabilities. However, existing fuzz testing tools often spend a long time exploring states with little pruning, and most of them adopt the reentrancy vulnerability oracle used by static analysis tools, which ignores whether the vulnerability can be exploited to compromise the access control, mutex, or time locks. To address these issues, we propose EvoFuzzer, an evolutionary fuzzer that focuses on the detection of reentrancy vulnerabilities. EvoFuzzer first leverages static analysis to exclude branches that have no impact on state transitions, then continuously optimizes test case generation using a genetic algorithm that considers both function sequence and parameter assignment, and Meanwhile, EvoFuzzer confirms whether reentrancy vulnerabilities can be exploited by simulating attacks. Our experiments have performed on 198 annotated contracts and 47 honeypot contracts, and experimental results show that EvoFuzzer can detect 91.7% of reentrancy vulnerabilities with no false positives, achieve the highest F1 score with 95.7%, which is 5.9% higher than the next best approach (Confuzzius), and we also find that it reduces more than 10% of branches when EvoFuzzer adopts a pruning strategy.

Songyan Ji,Jin Wu,Junfu Qiu,Jian Dong

DOI: https://doi.org/10.1016/j.infsof.2023.107213

IF: 3.9

2023-01-01

Information and Software Technology

Abstract:A large number of Ethereum smart contracts have been deployed on blockchain to manage assets. Unfortunately, due to the immutable nature of blockchain, smart contracts cannot be modified after deployment, even if vulnerabilities have been exposed to attackers. Therefore, it is critical to efficiently and thoroughly test smart contracts. Greybox fuzzing is a prosperous technique for detecting smart contract vulnerabilities. However, most existing fuzzers have a common drawback in that they cannot efficiently satisfy hard-to-cover branch constraints. The goal of this paper is to solve the problem of how to efficiently satisfy hard-to-cover branch constraints. After solving this problem, fuzz testing can execute more code, and there is a higher probability of executing vulnerabilities. We propose an approach for addressing this problem. Specifically, we design an input parameter analysis strategy to selectively mutate a subset of input parameters to reduce invalid mutations. Also, to accelerate the processing of satisfying branch constraints, we design an accelerated multi-objective search strategy to reduce the waste of resources. We implemented this approach in a tool called Effuzz and applied it to real-world smart contracts. Experiments show that Effuzz finds more vulnerabilities and is more efficient than existing state-of-the-art fuzzers. In this paper, we present an approach to efficiently satisfy hard-to-cover branch constraints. Our approach addresses two main problems, i.e., how to select the subset of input parameters for mutation with considering the characteristic of Ethereum smart contracts, and how to accelerate the search to satisfy hard-to-cover branch constraints without generating excessive ineffective test cases that waste resources. The experimental results show that our approach is effective.

Ruichao Liang,Jing Chen,Cong Wu,Kun He,Yueming Wu,Ruochen Cao,Ruiying Du,Yang Liu,Ziming Zhao

2024-08-20

Abstract:Smart contracts, the cornerstone of decentralized applications, have become increasingly prominent in revolutionizing the digital landscape. However, vulnerabilities in smart contracts pose great risks to user assets and undermine overall trust in decentralized systems. But current smart contract fuzzers fall short of expectations in testing efficiency for two primary reasons. Firstly, smart contracts are stateful programs, and existing approaches, primarily coverage-guided, lack effective feedback from the contract state. Consequently, they struggle to effectively explore the contract state space. Secondly, coverage-guided fuzzers, aiming for comprehensive program coverage, may lead to a wastage of testing resources on benign code areas. This wastage worsens in smart contract testing, as the mix of code and state spaces further complicates comprehensive testing. To address these challenges, we propose Vulseye, a stateful directed graybox fuzzer for smart contracts guided by vulnerabilities. Different from prior works, Vulseye achieves stateful directed fuzzing by prioritizing testing resources to code areas and contract states that are more prone to vulnerabilities. We introduce Code Targets and State Targets into fuzzing loops as the testing targets of Vulseye. We use static analysis and pattern matching to pinpoint Code Targets, and propose a scalable backward analysis algorithm to specify State Targets. We design a novel fitness metric that leverages feedback from both the contract code space and state space, directing fuzzing toward these targets. With the guidance of code and state targets, Vulseye alleviates the wastage of testing resources on benign code areas and achieves effective stateful fuzzing. In comparison with state-of-the-art fuzzers, Vulseye demonstrated superior effectiveness and efficiency.

Software Engineering