ContractFuzzer: Fuzzing Smart Contracts for Vulnerability Detection
Bo Jiang, Ye Liu, and W.K. Chan

TL;DR
ContractFuzzer is a novel tool that systematically tests Ethereum smart contracts for security vulnerabilities, successfully identifying numerous critical issues that have caused significant financial losses.
Contribution
It introduces a new fuzzing approach tailored for Ethereum smart contracts, utilizing ABI specifications and EVM instrumentation for vulnerability detection.
Findings
Flagged over 459 vulnerabilities in 6991 contracts
Successfully detected high-profile vulnerabilities causing millions in losses
Demonstrated effectiveness of fuzzing in smart contract security
Abstract
Decentralized cryptocurrencies feature the use of blockchain to transfer values among peers on networks without a central agency. Smart contracts are programs running on top of the blockchain consensus protocol to enable people to make agreements while minimizing trust. Millions of smart contracts have been deployed in various decentralized applications. The security vulnerabilities within those smart contracts pose significant threats to their applications. Indeed, many critical security vulnerabilities within smart contracts on the Ethereum platform have caused huge financial losses to their users. In this work, we present ContractFuzzer, a novel fuzzer to test Ethereum smart contracts for security vulnerabilities. ContractFuzzer generates fuzzing inputs based on the ABI specifications of smart contracts, defines test oracles to detect security vulnerabilities, instruments the EVM to log…
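The first step named in the abstract, generating inputs from a contract's ABI, sketched as an added example; this is not ContractFuzzer's code. The `transferTo` ABI entry, the boundary-value strategy and all function names are assumptions, only static types are handled, and the 4-byte function selector (a Keccak-256 prefix, which the Python standard library does not provide) is left out.

```python
import json
import random

# Constructed ABI entry for a hypothetical function; not taken from the paper.
SAMPLE_ABI = json.loads("""[{"type": "function", "name": "transferTo", "inputs": [
  {"name": "to", "type": "address"}, {"name": "amount", "type": "uint256"},
  {"name": "urgent", "type": "bool"}, {"name": "tag", "type": "bytes4"}]}]""")

def candidates(abi_type, rng):
    """Boundary values plus one random value for a static ABI type."""
    if abi_type.endswith("]") or abi_type in ("bytes", "string"):
        raise ValueError(f"dynamic type not handled here: {abi_type}")
    if abi_type == "address":
        return [0, (1 << 160) - 1, rng.getrandbits(160)]
    if abi_type == "bool":
        return [0, 1]
    if abi_type.startswith("uint"):
        bits = int(abi_type[4:] or 256)          # bare "uint" means uint256
        return [0, 1, (1 << bits) - 1, rng.getrandbits(bits)]
    if abi_type.startswith("int"):
        bits = int(abi_type[3:] or 256)
        lo, hi = -(1 << (bits - 1)), (1 << (bits - 1)) - 1
        return [lo, -1, 0, hi, rng.randint(lo, hi)]
    if abi_type.startswith("bytes"):             # fixed-size bytesN
        n = int(abi_type[5:])
        rand = bytes(rng.getrandbits(8) for _ in range(n))
        return [bytes(n), b"\xff" * n, rand]
    raise ValueError(f"unsupported type: {abi_type}")

def encode_word(abi_type, value):
    """Encode one static value as a 32-byte ABI word."""
    if isinstance(value, bytes):                 # bytesN is right-padded
        return value.ljust(32, b"\x00")
    # Integers, bool and address are left-padded; intN is sign-extended.
    return value.to_bytes(32, "big", signed=abi_type.startswith("int"))

def fuzz_arguments(function_abi, rounds, seed=0):
    """Yield ABI-encoded argument blobs, one per fuzzing round."""
    rng = random.Random(seed)                    # seeded so runs are reproducible
    for _ in range(rounds):
        blob = b""
        for param in function_abi["inputs"]:
            value = rng.choice(candidates(param["type"], rng))
            blob += encode_word(param["type"], value)
        yield blob

if __name__ == "__main__":
    for blob in fuzz_arguments(SAMPLE_ABI[0], rounds=3, seed=1):
        print(blob.hex())
```
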
