Smart Contract Fuzzing Towards Profitable Vulnerabilities

TL;DR

VERITE is a profit-centric smart contract fuzzing framework that effectively detects and maximizes profitable vulnerabilities, significantly outperforming existing methods and uncovering high-value exploits in real-world DeFi projects.

Contribution

The paper introduces VERITE, a novel fuzzing framework that focuses on maximizing profits from vulnerabilities and automates vulnerability exploitation in smart contracts.

Findings

VERITE automatically extracted over $18 million in potential profits.

It outperformed state-of-the-art fuzzers by 29 times in detection and 134 times in profit exploitation.

Found 6 zero-day vulnerabilities with high severity and monetary rewards.

Abstract

Billions of dollars are transacted through smart contracts, making vulnerabilities a major financial risk. One focus in the security arms race is on profitable vulnerabilities that attackers can exploit. Fuzzing is a key method for identifying these vulnerabilities. However, current solutions face two main limitations: a lack of profit-centric techniques for expediting detection, and insufficient automation in maximizing the profitability of discovered vulnerabilities, leaving the analysis to human experts. To address these gaps, we have developed VERITE, a profit-centric smart contract fuzzing framework that not only effectively detects those profitable vulnerabilities but also maximizes the exploited profits. VERITE has three key features: 1) DeFi action-based mutators for boosting the exploration of transactions with different fund flows; 2) potentially profitable candidates identification criteria, which checks whether the input has caused abnormal fund flow properties during testing; 3) a gradient descent-based profit maximization strategy for these identified candidates. VERITE is fully developed from scratch and evaluated on a dataset consisting of 61 exploited real-world DeFi projects with an average of over 1.1 million dollars loss. The results show that VERITE can automatically extract more than 18 million dollars in total and is significantly better than state-of-the-art fuzzer ITYFUZZ in both detection (29/10) and exploitation (134 times more profits gained on average). Remarkably, in 12 targets, it gains more profits than real-world attacking exploits (1.01 to 11.45 times more). VERITE is also applied by auditors in contract auditing, where 6 (5 high severity) zero-day vulnerabilities are found with over $2,500 bounty rewards.