HFContractFuzzer: Fuzzing Hyperledger Fabric Smart Contracts for Vulnerability Detection

TL;DR

This paper introduces HFContractFuzzer, a fuzzing-based tool designed to automatically detect security vulnerabilities in Hyperledger Fabric smart contracts written in golang, demonstrating its effectiveness on real contracts.

Contribution

The paper presents HFContractFuzzer, a novel fuzzing approach tailored for Hyperledger Fabric smart contracts, filling a gap in vulnerability detection for this platform.

Findings

Detected vulnerabilities in 4 out of 5 tested contracts

Proved the effectiveness of HFContractFuzzer in real-world scenarios

Enhanced security analysis for Hyperledger Fabric smart contracts

Abstract

With its unique advantages such as decentralization and immutability, blockchain technology has been widely used in various fields in recent years. The smart contract running on the blockchain is also playing an increasingly important role in decentralized application scenarios. Therefore, the automatic detection of security vulnerabilities in smart contracts has become an urgent problem in the application of blockchain technology. Hyperledger Fabric is a smart contract platform based on enterprise-level licensed distributed ledger technology. However, the research on the vulnerability detection technology of Hyperledger Fabric smart contracts is still in its infancy. In this paper, we propose HFContractFuzzer, a method based on Fuzzing technology to detect Hyperledger Fabric smart contracts, which combines a Fuzzing tool for golang named go-fuzz and smart contracts written by golang. We use HFContractFuzzer to detect vulnerabilities in five contracts from typical sources and discover that four of them have security vulnerabilities, proving the effectiveness of the proposed method.