Is My RPC Response Reliable? Detecting RPC Bugs in Ethereum Blockchain Client under Context

TL;DR

This paper introduces EthCRAFT, a context-aware fuzzing tool that detects RPC bugs in Ethereum blockchain clients by generating context-specific RPC calls, leading to the discovery of new bugs and improving client reliability.

Contribution

EthCRAFT is the first tool to generate context-aware RPC calls based on blockchain state transitions, effectively detecting context-dependent RPC bugs in Ethereum clients.

Findings

EthCRAFT outperforms existing RPC bug detectors in detecting more bugs.

Six new RPC bugs were discovered in major Ethereum clients.

Three bugs reported by EthCRAFT received vulnerability bounties.

Abstract

Blockchain clients are fundamental software for running blockchain nodes. They provide users with various RPC (Remote Procedure Call) interfaces to interact with the blockchain. These RPC methods are expected to follow the same specification across different blockchain nodes, providing users with seamless interaction. However, there have been continuous reports on various RPC bugs that can cause unexpected responses or even Denial of Service weakness. Existing studies on blockchain RPC bug detection mainly focus on generating the RPC method calls for testing blockchain clients. However, a wide range of the reported RPC bugs are triggered in various blockchain contexts. To the best of our knowledge, little attention is paid to generating proper contexts that can trigger these context-dependent RPC bugs. In this work, we propose EthCRAFT, a Context-aware RPC Analysis and Fuzzing Tool for client RPC bug detection. EthCRAFT first proposes to explore the state transition program space of blockchain clients and generate various transactions to construct the context. EthCRAFT then designs a context-aware RPC method call generation method to send RPC calls to the blockchain clients. The responses of 5 different client implementations are used as cross-referring oracles to detect the RPC bugs. We evaluate EthCRAFT on real-world RPC bugs collected from the GitHub issues of Ethereum client implementations. Experiment results show that EthCRAFT outperforms existing client RPC detectors by detecting more RPC bugs. Moreover, EthCRAFT has found six new bugs in major Ethereum clients and reported them to the developers. One of the bug fixes has been written into breaking changes in the client's updates. Three of our bug reports have been offered a vulnerability bounty by the Ethereum Foundation.