EF↯CF: High Performance Smart Contract Fuzzing for Exploit Generation

Smart contracts increasingly manage large numbers of high-value cryptocurrency accounts, so there is strong demand for automated, efficient, and comprehensive methods to detect security vulnerabilities in a given contract. Although the literature offers a plethora of analysis methods for smart contracts, existing proposals do not keep up with the growing complexity of contracts: on today's contracts, which are increasingly defined by complexity and interdependencies, they raise false alarms and miss bugs. To scale accurate analysis to modern smart contracts, we introduce EF↯CF, a high-performance fuzzer for Ethereum smart contracts. In contrast to previous work, EF↯CF efficiently and accurately models complex smart contract interactions, such as reentrancy and cross-contract interactions, at a very high fuzzing throughput rate. To achieve this, EF↯CF transpiles smart contract bytecode into native C++ code, thereby enabling the reuse of existing, optimized fuzzing toolchains. Furthermore, EF↯CF increases fuzzing efficiency by employing a structure-aware mutation engine for smart contract transaction sequences and using a contract’s ABI to generate valid transaction inputs. In a comprehensive evaluation, we show that EF↯CF scales better—without compromising accuracy—to complex contracts compared to state-of-the-art approaches, including other fuzzers, symbolic/concolic execution, and hybrid approaches. Moreover, we show that EF↯CF can automatically generate transaction sequences that exploit reentrancy bugs to steal Ether.
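
The abstract names two ingredients without showing them: a structure-aware mutation engine that edits whole transaction sequences (with arguments drawn from the ABI's types) and an exploit oracle that recognises stolen Ether. The Python model below is an added example, not EF↯CF's code (which fuzzes transpiled C++ with native toolchains) and not a real contract: the `Bank` class, its ABI fragment, the integer "ether" units, the `uint8` argument type and every constant are constructed for illustration. It pits a coverage-guided sequence fuzzer against a bank that pays out before updating the caller's balance, and against the same bank written in checks-effects-interactions order.

```python
import random
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed ABI fragment (not a real contract): the fuzzer reads function
# names and argument types from here, as it would from a contract's ABI JSON.
BANK_ABI = [
    {"name": "deposit", "inputs": [{"name": "amount", "type": "uint8"}]},
    {"name": "withdraw", "inputs": [{"name": "amount", "type": "uint8"}]},
]
UINT_MAX = {"uint8": 2**8 - 1, "uint256": 2**256 - 1}
INTERESTING = [0, 1, 2, 3]      # boundary values tried alongside random ones
MAX_SEQ_LEN = 6                 # transactions per sequence
MAX_REENTER = 3                 # depth of the attacker's reentrant fallback
ATTACKER_FUNDS = 10             # attacker's starting wallet, toy "ether" units
VICTIM_DEPOSITS = 100           # honest funds already held by the bank


@dataclass
class Tx:
    fn: str
    args: List[int]
    reenter: int    # how often the attacker's fallback re-enters withdraw()


class Bank:
    """Toy bank. safe=True follows checks-effects-interactions; safe=False
    pays out before updating the balance (the classic reentrancy bug)."""

    def __init__(self, safe: bool) -> None:
        self.safe = safe
        self.pool = VICTIM_DEPOSITS          # ether held by the contract
        self.balance = 0                     # attacker's recorded balance
        self.wallet = ATTACKER_FUNDS         # attacker's external account
        self.coverage: Set[str] = set()      # events seen, used as feedback

    def deposit(self, amount: int) -> None:
        if amount > self.wallet:
            self.coverage.add("deposit_fail")
            return
        self.wallet -= amount
        self.pool += amount
        self.balance += amount
        self.coverage.add("deposit_ok")

    def withdraw(self, amount: int, reenter: int, depth: int = 0) -> None:
        if amount > self.balance or amount > self.pool:
            self.coverage.add("withdraw_fail")
            return
        self.coverage.add("withdraw_ok")
        if self.safe:
            self.balance -= amount           # effect before interaction
        self.pool -= amount
        self.wallet += amount                # external call pays the attacker ...
        if depth < reenter:                  # ... whose fallback re-enters
            self.coverage.add("reentered")
            self.withdraw(amount, reenter, depth + 1)
        if not self.safe:
            self.balance -= amount           # too late; wraps in pre-0.8 Solidity


def run_sequence(seq: List[Tx], safe: bool) -> Tuple[int, Set[str]]:
    """Replay a sequence; return (attacker profit, coverage events)."""
    bank = Bank(safe)
    for tx in seq:
        if tx.fn == "deposit":
            bank.deposit(tx.args[0])
        else:
            bank.withdraw(tx.args[0], tx.reenter)
    return bank.wallet - ATTACKER_FUNDS, bank.coverage


def random_arg(rng: random.Random, abi_type: str) -> int:
    """ABI-typed argument: a boundary value or uniform over the type's range."""
    if rng.random() < 0.5:
        return rng.choice(INTERESTING)
    return rng.randint(0, UINT_MAX[abi_type])


def random_tx(rng: random.Random) -> Tx:
    entry = rng.choice(BANK_ABI)
    args = [random_arg(rng, inp["type"]) for inp in entry["inputs"]]
    return Tx(entry["name"], args, rng.randint(0, MAX_REENTER))


def mutate(seq: List[Tx], rng: random.Random) -> List[Tx]:
    """Structure-aware mutation: edit the sequence, never the raw bytes."""
    seq = [Tx(t.fn, list(t.args), t.reenter) for t in seq]
    op = rng.choice(["insert", "arg", "reenter", "swap", "delete"]) if seq else "insert"
    if op == "insert":
        if len(seq) >= MAX_SEQ_LEN:
            seq[rng.randrange(len(seq))] = random_tx(rng)      # replace when full
        else:
            seq.insert(rng.randint(0, len(seq)), random_tx(rng))
    elif op == "arg":                                          # retype one argument
        tx = rng.choice(seq)
        i = rng.randrange(len(tx.args))
        abi_type = next(e for e in BANK_ABI if e["name"] == tx.fn)["inputs"][i]["type"]
        tx.args[i] = random_arg(rng, abi_type)
    elif op == "reenter":
        rng.choice(seq).reenter = rng.randint(0, MAX_REENTER)
    elif op == "swap":
        i, j = rng.randrange(len(seq)), rng.randrange(len(seq))
        seq[i], seq[j] = seq[j], seq[i]
    else:
        del seq[rng.randrange(len(seq))]
    return seq


def fuzz(safe: bool, budget: int = 30_000, seed: int = 1) -> Optional[List[Tx]]:
    """Coverage-guided search; returns the first Ether-stealing sequence, else None."""
    rng = random.Random(seed)
    best_seq: List[Tx] = []
    best_cov: Set[str] = set()
    for _ in range(budget):
        cand = mutate(best_seq, rng)
        profit, cov = run_sequence(cand, safe)
        if profit > 0:          # oracle: attacker ends with more ether than it began with
            return cand
        if cov >= best_cov:     # keep candidates that do not lose coverage
            best_seq, best_cov = cand, cov
    return None
```

Run `fuzz(safe=False)` and it returns a short deposit/withdraw sequence whose withdraw carries a non-zero reentrancy depth; replaying it with `run_sequence` shows a positive profit taken from the victim pool. Against the hardened bank the same search exhausts its budget and returns `None`, because the balance is reduced before the external call and the reentrant withdraw fails its check. The oracle is the point worth copying: it asserts on the attacker's final Ether balance rather than on any pattern in the code, so a positive result is, by construction, a working exploit.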
