Mingxi Ye,Yuhong Nan,Hong-Ning Dai,Shuo Yang,Xiapu Luo,Zibin Zheng

DOI: https://doi.org/10.1145/3674725

IF: 3.685

2024-06-28

ACM Transactions on Software Engineering and Methodology

Abstract:With the increasing popularity of Decentralized Applications (DApps) in blockchain, securing smart contracts has been a long-term, high-priority subject in the domain. Among the various research directions for vulnerability detection, fuzzing has received extensive attention because of its high effectiveness. However, with the increasing complexity of smart contracts, existing fuzzers may waste substantial time exploring locations irrelevant to smart contract vulnerabilities. In this paper, we present FunFuzz , a function-oriented fuzzer, which is dedicatedly tailored for detecting smart contract vulnerability with high effectiveness and efficiency. The key observation in our research is that most smart contract vulnerabilities exist in specific functions rather than randomly distributed in all program code like other traditional software. To this end, unlike traditional fuzzers which mainly target code coverage, FunFuzz identifies risky functions while pruning non-risky ones in smart contracts. In this way, it significantly narrows down the exploration scope during the fuzzing process. In addition, FunFuzz employs three unique strategies to direct itself towards effectively discovering vulnerabilities specific to smart contracts (e.g., reentrancy, block dependency, and gasless send). Extensive experiments on 170 real-world contracts demonstrate that FunFuzz outperforms state-of-the-art fuzzers in terms of effectiveness and efficiency.

computer science, software engineering

Huiwen Yang,Xiguo Gu,Xiang Chen,Liwei Zheng,Zhanqi Cui

DOI: https://doi.org/10.1016/j.scico.2023.103076

IF: 1.039

2024-01-06

Science of Computer Programming

Abstract:Context: Smart contracts are computer programs that run on a blockchain. As the functions implemented by smart contracts become increasingly complex, the number of cross-contract interactions within them also rises. Consequently, the combinatorial explosion of transaction sequences poses a significant challenge for smart contract security vulnerability detection. Existing static analysis-based methods for detecting cross-contract vulnerabilities suffer from high false-positive rates and cannot generate test cases, while fuzz testing-based methods exhibit low code coverage and may not accurately detect security vulnerabilities. Objective: The goal of this paper is to address the above limitations and efficiently detect cross-contract vulnerabilities. To achieve this goal, we present CrossFuzz, a fuzz testing-based method for detecting cross-contract vulnerabilities. Method: First, CrossFuzz generates parameters of constructors by tracing data propagation paths. Then, it collects inter-contract data flow information. Finally, CrossFuzz optimizes mutation strategies for transaction sequences based on inter-contract data flow information to improve the performance of fuzz testing. Results: We implemented CrossFuzz, which is an extension of ConFuzzius, and conducted experiments on a real-world dataset containing 396 smart contracts. The results show that CrossFuzz outperforms xFuzz, a fuzz testing-based tool optimized for cross-contract vulnerability detection, with a 10.58% increase in bytecode coverage. Furthermore, CrossFuzz detects 1.82 times more security vulnerabilities than ConFuzzius. Conclusion: Our method utilizes data flow information to optimize mutation strategies. It significantly improves the efficiency of fuzz testing for detecting cross-contract vulnerabilities.

computer science, software engineering

Mingxi Ye,Xingwei Lin,Yuhong Nan,Jiajing Wu,Zibin Zheng

DOI: https://doi.org/10.1145/3650212.3680321

2024-01-01

Abstract:In the context of boosting smart contract applications, prioritizing their security becomes paramount. Smart contract exploits often result in notable financial losses. Ensuring their security is by no means trivial. Rather than resulting in program crashes, most attacks in on-chain smart contracts aim to induce financial loss, referred to as profitable exploits. By constructing seemingly innocuous inputs, profitable exploits try to extract extra profit or compromise the interests of others. However, due to the complexity of call chains in on-chain smart contracts and the need for effective oracles for profitable exploits, smart contract fuzzing suffers from low efficiency and low effectiveness in finding profitable exploits. In this paper, we present Midas, a novel feedback-driven fuzzing framework to mine profitable exploits in on-chain smart contracts effectively. Midas consists of two modules: diverse validity fuzzing and profitable transaction identification. The diverse validity fuzzing module applies two waypoints to efficiently generate valid transactions, addressing the complexity of on-chain smart contract call chains. The profitable transaction identification module applies differential analysis to effectively identify profitable exploits, addressing the limitation of ad-hoc oracles. Evaluation of Midas over on-chain smart contracts showed it effectively identified 40 real-world exploits with a precision of 80%, outperforming state-of-the-art tools (i.e., ItyFuzz and Slither) in both efficiency and effectiveness. Particularly, Midas effectively mines five unknown exploits in valuable smart contracts, and two of them have already been confirmed by their DApp developers.

Michael Rodler,David Paaßen,Wenting Li,Lukas Bernhard,Thorsten Holz,Ghassan Karame,Lucas Davi

DOI: https://doi.org/10.48550/arXiv.2304.06341

2023-04-13

Abstract:Smart contracts are increasingly being used to manage large numbers of high-value cryptocurrency accounts. There is a strong demand for automated, efficient, and comprehensive methods to detect security vulnerabilities in a given contract. While the literature features a plethora of analysis methods for smart contracts, the existing proposals do not address the increasing complexity of contracts. Existing analysis tools suffer from false alarms and missed bugs in today's smart contracts that are increasingly defined by complexity and interdependencies. To scale accurate analysis to modern smart contracts, we introduce EF/CF, a high-performance fuzzer for Ethereum smart contracts. In contrast to previous work, EF/CF efficiently and accurately models complex smart contract interactions, such as reentrancy and cross-contract interactions, at a very high fuzzing throughput rate. To achieve this, EF/CF transpiles smart contract bytecode into native C++ code, thereby enabling the reuse of existing, optimized fuzzing toolchains. Furthermore, EF/CF increases fuzzing efficiency by employing a structure-aware mutation engine for smart contract transaction sequences and using a contract's ABI to generate valid transaction inputs. In a comprehensive evaluation, we show that EF/CF scales better -- without compromising accuracy -- to complex contracts compared to state-of-the-art approaches, including other fuzzers, symbolic/concolic execution, and hybrid approaches. Moreover, we show that EF/CF can automatically generate transaction sequences that exploit reentrancy bugs to steal Ether.

Cryptography and Security

Chaofan Shou,Shangyin Tan,Koushik Sen

DOI: https://doi.org/10.48550/arXiv.2306.17135

2023-06-30

Abstract:Smart contracts are critical financial instruments, and their security is of utmost importance. However, smart contract programs are difficult to fuzz due to the persistent blockchain state behind all transactions. Mutating sequences of transactions are complex and often lead to a suboptimal exploration for both input and program spaces. In this paper, we introduce a novel snapshot-based fuzzer ItyFuzz for testing smart contracts. In ItyFuzz, instead of storing sequences of transactions and mutating from them, we snapshot states and singleton transactions. To explore interesting states, ItyFuzz introduces a dataflow waypoint mechanism to identify states with more potential momentum. ItyFuzz also incorporates comparison waypoints to prune the space of states. By maintaining snapshots of the states, ItyFuzz can synthesize concrete exploits like reentrancy attacks quickly. Because ItyFuzz has second-level response time to test a smart contract, it can be used for on-chain testing, which has many benefits compared to local development testing. Finally, we evaluate ItyFuzz on real-world smart contracts and some hacked on-chain DeFi projects. ItyFuzz outperforms existing fuzzers in terms of instructional coverage and can find and generate realistic exploits for on-chain projects quickly.

Cryptography and Security,Software Engineering

Qiang Han,Lu Wang,Haoyu Zhang,Leyi Shi,Danxin Wang,Zhang, Haoyu

DOI: https://doi.org/10.1007/s11227-024-05954-9

IF: 3.3

2024-03-14

The Journal of Supercomputing

Abstract:Ethereum is the most widely used open-source public chain project, with smart contracts serving as the pattern for developing decentralized applications. The prevalence of attacks against smart contracts has increased in recent years due to the attached amounts of high-value cryptocurrency. Various attacks against smart contracts have caused significant financial losses, amounting to hundreds of millions of dollars. As manual auditing of smart contracts is time-consuming and costly, automatic detection of vulnerabilities is crucial. Existing work does not dig deeper into contextual information contained in the program, which suffers from the difficulty of covering paths with more complex conditions. In this paper, we propose Ethchecker, a smart contract vulnerability detection tool which combines fuzzing and symbolic execution techniques together. Particularly, we propose an analysis module to extract static information from smart contracts. Besides, the tool introduces a genetic algorithm to enlarge code coverage, while considering the contextual information of the code. The results of the experiment show that in terms of F1-score for vulnerability detection, Ethchecker outperforms sFuzz by an average of 21.89% and outperforms Mythril by an average of 12.5%. Furthermore, in the comparison experiments on a dataset consisting of 1000 long smart contract codes (comprising over 3000 instructions), the proposed algorithm can improve the code coverage by 18.56% compared to the random fuzzing algorithm. In addition, we also used Ethchecker to test against 8922 randomly crawled real-world smart contracts. The result demonstrates the stability of this tool.

computer science, theory & methods,engineering, electrical & electronic, hardware & architecture

Shuohan Wu,Zihao Li,Luyi Yan,Weimin Chen,Muhui Jiang,Chenxu Wang,Xiapu Luo,Hao Zhou

2024-02-05

Abstract:Given the growing importance of smart contracts in various applications, ensuring their security and reliability is critical. Fuzzing, an effective vulnerability detection technique, has recently been widely applied to smart contracts. Despite numerous studies, a systematic investigation of smart contract fuzzing techniques remains lacking. In this paper, we fill this gap by: 1) providing a comprehensive review of current research in contract fuzzing, and 2) conducting an in-depth empirical study to evaluate state-of-the-art contract fuzzers' usability. To guarantee a fair evaluation, we employ a carefully-labeled benchmark and introduce a set of pragmatic performance metrics, evaluating fuzzers from five complementary perspectives. Based on our findings, we provide direction for the future research and development of contract fuzzers.

Software Engineering

Yinxing Xue,Jiaming Ye,Wei Zhang,Jun Sun,Lei Ma,Haijun Wang,Jianjun Zhao

DOI: https://doi.org/10.1109/TDSC.2022.3182373

2022-06-30

Abstract:Smart contract transactions are increasingly interleaved by cross-contract calls. While many tools have been developed to identify a common set of vulnerabilities, the cross-contract vulnerability is overlooked by existing tools. Cross-contract vulnerabilities are exploitable bugs that manifest in the presence of more than two interacting contracts. Existing methods are however limited to analyze a maximum of two contracts at the same time. Detecting cross-contract vulnerabilities is highly non-trivial. With multiple interacting contracts, the search space is much larger than that of a single contract. To address this problem, we present xFuzz, a machine learning guided smart contract fuzzing framework. The machine learning models are trained with novel features (e.g., word vectors and instructions) and are used to filter likely benign program paths. Comparing with existing static tools, machine learning model is proven to be more robust, avoiding directly adopting manually-defined rules in specific tools. We compare xFuzz with three state-of-the-art tools on 7,391 contracts. xFuzz detects 18 exploitable cross-contract vulnerabilities, of which 15 vulnerabilities are exposed for the first time. Furthermore, our approach is shown to be efficient in detecting non-cross-contract vulnerabilities as well -- using less than 20% time as that of other fuzzing tools, xFuzz detects twice as many vulnerabilities.

Cryptography and Security,Software Engineering

Zhenguang Liu,Peng Qian,Jiaxu Yang,Lingfeng Liu,Xiaojun Xu,Qinming He,Xiaosong Zhang

DOI: https://doi.org/10.48550/arXiv.2301.03943

2023-01-12

Abstract:Blockchain smart contracts have given rise to a variety of interesting and compelling applications and emerged as a revolutionary force for the Internet. Quite a few practitioners have devoted themselves to developing tools for detecting bugs in smart contracts. One line of efforts revolve around static analysis techniques, which heavily suffer from high false-positive rates. Another line of works concentrate on fuzzing techniques. Unfortunately, current fuzzing approaches for smart contracts tend to conduct fuzzing starting from the initial state of the contract, which expends too much energy revolving around the initial state and thus is usually unable to unearth bugs triggered by other states. Moreover, most existing methods treat each branch equally, failing to take care of the branches that are rare or more likely to possess bugs. This might lead to resources wasted on normal branches. In this paper, we try to tackle these challenges from three aspects: (1) In generating function invocation sequences, we explicitly consider data dependencies between functions to facilitate exploring richer states. We further prolong a function invocation sequence S1 by appending a new sequence S2, so that S2 can start fuzzing from states that are different from the initial state. (2) We incorporate a branch distance-based measure to evolve test cases iteratively towards a target branch. (3) We engage a branch search algorithm to discover rare and vulnerable branches, and design an energy allocation mechanism to take care of exercising these crucial branches. We implement IR-Fuzz and extensively evaluate it over 12K real-world contracts. Empirical results show that: (i) IR-Fuzz achieves 28% higher branch coverage than state-of-the-art fuzzing approaches, and (ii) IR-Fuzz detects more vulnerabilities and increases the average accuracy of vulnerability detection by 7% over current methods.

Cryptography and Security,Programming Languages,Software Engineering

Haoyu Wang,Zan Wang,Shuang Liu,Jun Sun,Yingquan Zhao,Yan Wan,Tai D. Nguyen

DOI: https://doi.org/10.1002/smr.2557

2023-03-18

Abstract:sFuzz2.0 is motivated by the fact that certain vulnerabilities only manifest in the presence of certain function call sequences (as well as particular arguments). sFuzz2.0 tackles the problem with two sequence generation strategies, that is, by generating function call sequences that trigger different storage‐access patterns passively or actively. The experiment result has shown that the passive strategy achieves better code coverage as well as reveals more vulnerabilities. Smart contracts are distributed self‐enforcing programs which execute on top of blockchain networks. They have the potential to revolutionize many industries and have already been adopted for applications such as distributed finance and crowdfunding. Because smart contracts are immutable once they are deployed, it is important to identify and eliminate code vulnerabilities in smart contracts systematically. In this work, we propose sFuzz2.0, a storage‐access‐pattern guided adaptive fuzzer based on sFuzz. sFuzz2.0 is motivated by the fact that certain vulnerabilities only manifest in the presence of certain function call sequences (as well as particular arguments). Given that there are exponentially many function call sequences, sFuzz randomly generates sequences without guidance. As a result, the probability of discovering those vulnerabilities is negligible. sFuzz2.0 tackles the problem with two approaches, that is, by generating function call sequences that trigger different storage‐access patterns passively (i.e., by prioritizing seeds which cover new patterns) or actively (i.e., by actively seeking out different patterns). The experiment results suggest that the passive strategy outperforms sFuzz by achieving better code coverage (i.e., 37.53%) and discovering more vulnerabilities (i.e., 20.49%).

computer science, software engineering

Peng Qian,Zhenguang Liu,Qinming He,Butian Huang,Duanzheng Tian,Xun Wang

DOI: https://doi.org/10.13328/j.cnki.jos.006375

2022-01-01

Journal of Software

Abstract: Smart contract, one of the most successful applications of blockchain, is taking the world by storm, playing an essential role in the blockchain ecosystem. However, frequent smart contract security incidents not only result in tremendous economic losses but also destroy the blockchain-based credit system. The security and reliability of smart contracts thus gain extensive attention from researchers worldwide. In this survey, we first summarize the common types and typical cases of smart contract vulnerabilities from three levels, i.e., Solidity code layer, EVM execution layer, and Block dependency layer. Further, we review the research progress of smart contract vulnerability detection and classify existing counterparts into five categories, i.e., formal verification, symbolic execution, fuzzing detection, intermediate representation, and deep learning. Empirically, we take 300 real-world smart contracts deployed on Ethereum as the test samples and compare the representative methods in terms of accuracy, F1-Score, and average detection time. Finally, we discuss the challenges in the field of smart contract vulnerability detection and combine with the deep learning technology to look forward to future research directions.

Chaofan Shou,Jing Liu,Doudou Lu,Koushik Sen

2024-01-20

Abstract:As blockchain platforms grow exponentially, millions of lines of smart contract code are being deployed to manage extensive digital assets. However, vulnerabilities in this mission-critical code have led to significant exploitations and asset losses. Thorough automated security analysis of smart contracts is thus imperative. This paper introduces LLM4Fuzz to optimize automated smart contract security analysis by leveraging large language models (LLMs) to intelligently guide and prioritize fuzzing campaigns. While traditional fuzzing suffers from low efficiency in exploring the vast state space, LLM4Fuzz employs LLMs to direct fuzzers towards high-value code regions and input sequences more likely to trigger vulnerabilities. Additionally, LLM4Fuzz can leverage LLMs to guide fuzzers based on user-defined invariants, reducing blind exploration overhead. Evaluations of LLM4Fuzz on real-world DeFi projects show substantial gains in efficiency, coverage, and vulnerability detection compared to baseline fuzzing. LLM4Fuzz also uncovered five critical vulnerabilities that can lead to a loss of more than $247k.

Cryptography and Security,Software Engineering

Peng Qian,Hanjie Wu,Zeren Du,Turan Vural,Dazhong Rong,Zheng Cao,Lun Zhang,Yanbin Wang,Jianhai Chen,Qinming He

2023-12-10

Abstract:As blockchain smart contracts become more widespread and carry more valuable digital assets, they become an increasingly attractive target for attackers. Over the past few years, smart contracts have been subject to a plethora of devastating attacks, resulting in billions of dollars in financial losses. There has been a notable surge of research interest in identifying defects in smart contracts. However, existing smart contract fuzzing tools are still unsatisfactory. They struggle to screen out meaningful transaction sequences and specify critical inputs for each transaction. As a result, they can only trigger a limited range of contract states, making it difficult to unveil complicated vulnerabilities hidden in the deep state space. In this paper, we shed light on smart contract fuzzing by employing a sequence-aware mutation and seed mask guidance strategy. In particular, we first utilize data-flow-based feedback to determine transaction orders in a meaningful way and further introduce a sequence-aware mutation technique to explore deeper states. Thereafter, we design a mask-guided seed mutation strategy that biases the generated transaction inputs to hit target branches. In addition, we develop a dynamic-adaptive energy adjustment paradigm that balances the fuzzing resource allocation during a fuzzing campaign. We implement our designs into a new smart contract fuzzer named MuFuzz, and extensively evaluate it on three benchmarks. Empirical results demonstrate that MuFuzz outperforms existing tools in terms of both branch coverage and bug finding. Overall, MuFuzz achieves higher branch coverage than state-of-the-art fuzzers (up to 25%) and detects 30% more bugs than existing bug detectors.

Cryptography and Security

Jingxuan He,Mislav Balunović,Nodar Ambroladze,Petar Tsankov,Martin Vechev

DOI: https://doi.org/10.1145/3319535.3363230

2019-11-06

Abstract:Fuzzing and symbolic execution are two complementary techniques for discovering software vulnerabilities. Fuzzing is fast and scalable, but can be ineffective when it fails to randomly select the right inputs. Symbolic execution is thorough but slow and often does not scale to deep program paths with complex path conditions. In this work, we propose to learn an effective and fast fuzzer from symbolic execution, by phrasing the learning task in the framework of imitation learning. During learning, a symbolic execution expert generates a large number of quality inputs improving coverage on thousands of programs. Then, a fuzzing policy, represented with a suitable architecture of neural networks, is trained on the generated dataset. The learned policy can then be used to fuzz new programs. We instantiate our approach to the problem of fuzzing smart contracts, a domain where contracts often implement similar functionality (facilitating learning) and security is of utmost importance. We present an end-to-end system, ILF (for Imitation Learning based Fuzzer), and an extensive evaluation over >18K contracts. Our results show that ILF is effective: (i) it is fast, generating 148 transactions per second, (ii) it outperforms existing fuzzers (e.g., achieving 33% more coverage), and (iii) it detects more vulnerabilities than existing fuzzing and symbolic execution tools for Ethereum.

Ismael Medeiros,Fausto Carvalho,Alexandre Ferreira,Rodrigo Bonifácio,Fabiano Cavalcanti Fernandes

2024-09-03

Abstract:Ethereum is a distributed, peer-to-peer blockchain infrastructure that has attracted billions of dollars. Perhaps due to its success, Ethereum has become a target for various kinds of attacks, motivating researchers to explore different techniques to identify vulnerabilities in EVM bytecode (the language of the Ethereum Virtual Machine), including formal verification, symbolic execution, and fuzz testing. Although recent studies empirically compare smart contract fuzzers, there is a lack of literature investigating how simpler greybox fuzzers compare to more advanced ones. To fill this gap, in this paper, we present DogeFuzz, an extensible infrastructure for fuzzing Ethereum smart contracts, currently supporting black-box fuzzing and two grey-box fuzzing strategies: coverage-guided grey-box fuzzing (DogeFuzz-G) and directed grey-box fuzzing (DogeFuzz-DG). We conduct a series of experiments using benchmarks already available in the literature and compare the DogeFuzz strategies with state-of-the-art fuzzers for smart contracts. Surprisingly, although DogeFuzz does not leverage advanced techniques for improving input generation (such as symbolic execution or machine learning), DogeFuzz outperforms sFuzz and ILF, two state-of-the-art fuzzers. Nonetheless, the Smartian fuzzer shows higher code coverage and bug-finding capabilities than DogeFuzz.

Cryptography and Security,Software Engineering

Sally Junsong Wang,Jianan Yao,Kexin Pei,Hidedaki Takahashi,Junfeng Yang

DOI: https://doi.org/10.48550/arXiv.2409.04597

2024-09-07

Abstract:Smart contracts are susceptible to critical vulnerabilities. Hybrid dynamic analyses, such as concolic execution assisted fuzzing and foundation model assisted fuzzing, have emerged as highly effective testing techniques for smart contract bug detection recently. This hybrid approach has shown initial promise in real-world benchmarks, but it still suffers from low scalability to find deep bugs buried in complex code patterns. We observe that performance bottlenecks of existing dynamic analyses and model hallucination are two main factors limiting the scalability of this hybrid approach in finding deep bugs. To overcome the challenges, we design an interactive, self-deciding foundation model based system, called SmartSys, to support hybrid smart contract dynamic analyses. The key idea is to teach foundation models about performance bottlenecks of different dynamic analysis techniques, making it possible to forecast the right technique and generates effective fuzz targets that can reach deep, hidden bugs. To prune hallucinated, incorrect fuzz targets, SmartSys feeds foundation models with feedback from dynamic analysis during compilation and at runtime. The interesting results of SmartSys include: i) discovering a smart contract protocol vulnerability that has escaped eleven tools and survived multiple audits for over a year; ii) improving coverage by up to 14.3\% on real-world benchmarks compared to the baselines.

Software Engineering,Machine Learning,Programming Languages

Ruichao Liang,Jing Chen,Cong Wu,Kun He,Yueming Wu,Ruochen Cao,Ruiying Du,Yang Liu,Ziming Zhao

2024-08-20

Abstract:Smart contracts, the cornerstone of decentralized applications, have become increasingly prominent in revolutionizing the digital landscape. However, vulnerabilities in smart contracts pose great risks to user assets and undermine overall trust in decentralized systems. But current smart contract fuzzers fall short of expectations in testing efficiency for two primary reasons. Firstly, smart contracts are stateful programs, and existing approaches, primarily coverage-guided, lack effective feedback from the contract state. Consequently, they struggle to effectively explore the contract state space. Secondly, coverage-guided fuzzers, aiming for comprehensive program coverage, may lead to a wastage of testing resources on benign code areas. This wastage worsens in smart contract testing, as the mix of code and state spaces further complicates comprehensive testing. To address these challenges, we propose Vulseye, a stateful directed graybox fuzzer for smart contracts guided by vulnerabilities. Different from prior works, Vulseye achieves stateful directed fuzzing by prioritizing testing resources to code areas and contract states that are more prone to vulnerabilities. We introduce Code Targets and State Targets into fuzzing loops as the testing targets of Vulseye. We use static analysis and pattern matching to pinpoint Code Targets, and propose a scalable backward analysis algorithm to specify State Targets. We design a novel fitness metric that leverages feedback from both the contract code space and state space, directing fuzzing toward these targets. With the guidance of code and state targets, Vulseye alleviates the wastage of testing resources on benign code areas and achieves effective stateful fuzzing. In comparison with state-of-the-art fuzzers, Vulseye demonstrated superior effectiveness and efficiency.

Software Engineering

Ying Fu,Meng Ren,Fuchen Ma,Yu Jiang,Heyuan Shi,Jiaguang Sun

DOI: https://doi.org/10.48550/arXiv.1903.08483

2019-04-08

Abstract:Ethereum Virtual Machine (EVM) is the run-time environment for smart contracts and its vulnerabilities may lead to serious problems to the Ethereum ecology. With lots of techniques being developed for the validation of smart contracts, the security problems of EVM have not been well-studied. In this paper, we propose EVMFuzz, aiming to detect vulnerabilities of EVMs with differential fuzz testing. The core idea of EVMFuzz is to continuously generate seed contracts for different EVMs' execution, so as to find as many inconsistencies among execution results as possible, eventually discover vulnerabilities with output cross-referencing. First, we present the evaluation metric for the internal inconsistency indicator, such as the opcode sequence executed and gas used. Then, we construct seed contracts via a set of predefined mutators and employ dynamic priority scheduling algorithm to guide seed contracts selection and maximize the inconsistency. Finally, we leverage different EVMs as crossreferencing oracles to avoid manual checking of the execution output. For evaluation, we conducted large-scale mutation on 36,295 real-world smart contracts and generated 253,153 smart contracts. Among them, 66.2% showed differential performance, including 1,596 variant contracts triggered inconsistent output among EVMs. Accompanied by manual root cause analysis, we found 5 previously unknown security bugs in four widely used EVMs, and all had been included in Common Vulnerabilities and Exposures (CVE) database.

Software Engineering

Sven Smolka,Jens-Rene Giesen,Pascal Winkler,Oussama Draissi,Lucas Davi,Ghassan Karame,Klaus Pohl

DOI: https://doi.org/10.48550/arXiv.2309.03006

2023-10-04

Abstract:Solana has quickly emerged as a popular platform for building decentralized applications (DApps), such as marketplaces for non-fungible tokens (NFTs). A key reason for its success are Solana's low transaction fees and high performance, which is achieved in part due to its stateless programming model. Although the literature features extensive tooling support for smart contract security, current solutions are largely tailored for the Ethereum Virtual Machine. Unfortunately, the very stateless nature of Solana's execution environment introduces novel attack patterns specific to Solana requiring a rethinking for building vulnerability analysis methods. In this paper, we address this gap and propose FuzzDelSol, the first binary-only coverage-guided fuzzing architecture for Solana smart contracts. FuzzDelSol faithfully models runtime specifics such as smart contract interactions. Moreover, since source code is not available for the large majority of Solana contracts, FuzzDelSol operates on the contract's binary code. Hence, due to the lack of semantic information, we carefully extracted low-level program and state information to develop a diverse set of bug oracles covering all major bug classes in Solana. Our extensive evaluation on 6049 smart contracts shows that FuzzDelSol's bug oracles find bugs with a high precision and recall. To the best of our knowledge, this is the largest evaluation of the security landscape on the Solana mainnet.

Cryptography and Security

Jianfei Zhou,Tianxing Jiang,Shuwei Song,Ting Chen

DOI: https://doi.org/10.48550/arXiv.2211.02652

2022-11-02

Abstract:In the past few years, several attacks against the vulnerabilities of EOSIO smart contracts have caused severe financial losses to this prevalent blockchain platform. As a lightweight test-generation approach, grey-box fuzzing can open up the possibility of improving the security of EOSIO smart contracts. However, developing a practical grey-box fuzzer for EOSIO smart contracts from scratch is time-consuming and requires a deep understanding of EOSIO internals. In this work, we proposed AntFuzzer, the first highly extensible grey-box fuzzing framework for EOSIO smart contracts. AntFuzzer implements a novel approach that interfaces AFL to conduct AFL-style grey-box fuzzing on EOSIO smart contracts. Compared to black-box fuzzing tools, AntFuzzer can effectively trigger those hard-to-cover branches. It achieved an improvement in code coverage on 37.5% of smart contracts in our benchmark dataset. AntFuzzer provides unified interfaces for users to easily develop new detection plugins for continually emerging vulnerabilities. We have implemented 6 detection plugins on AntFuzzer to detect major vulnerabilities of EOSIO smart contracts. In our large-scale fuzzing experiments on 4,616 real-world smart contracts, AntFuzzer successfully detected 741 vulnerabilities. The results demonstrate the effectiveness and efficiency of AntFuzzer and our detection pl

Cryptography and Security