Papers
Topics
Authors
Recent
Assistant
AI Research Assistant
Well-researched responses based on relevant abstracts and paper content.
Custom Instructions Pro
Preferences or requirements that you'd like Emergent Mind to consider when generating responses.
Gemini 2.5 Flash
Gemini 2.5 Flash 144 tok/s
Gemini 2.5 Pro 48 tok/s Pro
GPT-5 Medium 28 tok/s Pro
GPT-5 High 27 tok/s Pro
GPT-4o 66 tok/s Pro
Kimi K2 206 tok/s Pro
GPT OSS 120B 426 tok/s Pro
Claude Sonnet 4.5 37 tok/s Pro
2000 character limit reached

Fuzz on the Beach: Fuzzing Solana Smart Contracts (2309.03006v3)

Published 6 Sep 2023 in cs.CR

Abstract: Solana has quickly emerged as a popular platform for building decentralized applications (DApps), such as marketplaces for non-fungible tokens (NFTs). A key reason for its success are Solana's low transaction fees and high performance, which is achieved in part due to its stateless programming model. Although the literature features extensive tooling support for smart contract security, current solutions are largely tailored for the Ethereum Virtual Machine. Unfortunately, the very stateless nature of Solana's execution environment introduces novel attack patterns specific to Solana requiring a rethinking for building vulnerability analysis methods. In this paper, we address this gap and propose FuzzDelSol, the first binary-only coverage-guided fuzzing architecture for Solana smart contracts. FuzzDelSol faithfully models runtime specifics such as smart contract interactions. Moreover, since source code is not available for the large majority of Solana contracts, FuzzDelSol operates on the contract's binary code. Hence, due to the lack of semantic information, we carefully extracted low-level program and state information to develop a diverse set of bug oracles covering all major bug classes in Solana. Our extensive evaluation on 6049 smart contracts shows that FuzzDelSol's bug oracles find bugs with a high precision and recall. To the best of our knowledge, this is the largest evaluation of the security landscape on the Solana mainnet.

Definition Search Book Streamline Icon: https://streamlinehq.com
References (61)
  1. Vector 35 “Binary Ninja”, 2016 URL: https://binary.ninja/
  2. National Security Agency “Ghidra”, 2019 URL: https://ghidra-sre.org/
  3. “REDQUEEN: Fuzzing with Input-to-State Correspondence” In NDSS Symp. react-h2020.eu, 2019
  4. “Making Smart Contracts Smarter” In 2021 IEEE International Conference on Blockchain and Cryptocurrency (ICBC), 2021, pp. 1–3
  5. “Synthesizing program input grammars” In SIGPLAN Not. 52.6 New York, NY, USA: Association for Computing Machinery, 2017, pp. 95–110
  6. Marcel Böhme, Van-Thuan Pham and Abhik Roychoudhury “Coverage-based Greybox Fuzzing as Markov Chain” In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, CCS ’16 Vienna, Austria: Association for Computing Machinery, 2016, pp. 1032–1043
  7. “Directed Greybox Fuzzing” In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS ’17 Dallas, Texas, USA: Association for Computing Machinery, 2017, pp. 2329–2344
  8. Budweiser “Budverse NFT” Accessed: 2023-4-22, https://nft.budweiser.com/, 2023
  9. “Angora: Efficient Fuzzing by Principled Search” In 2018 IEEE Symposium on Security and Privacy (SP), 2018, pp. 711–725
  10. “SGXFuzz: Efficiently Synthesizing Nested Structures for SGX Enclave Fuzzing” In USENIX Security, 2022
  11. “VRust: Automated Vulnerability Detection for Solana Smart Contracts” In Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security, 2022
  12. “HFContractFuzzer: Fuzzing Hyperledger Fabric Smart Contracts for Vulnerability Detection” In Evaluation and Assessment in Software Engineering, EASE 2021 Trondheim, Norway: Association for Computing Machinery, 2021, pp. 321–328
  13. “A study of android application security.” In USENIX security symposium 2.2, 2011
  14. Bo Feng, Alejandro Mera and Long Lu “P 2 IM: Scalable and hardware-independent firmware testing via automatic peripheral interface modeling” Accessed: 2023-2-7 usenix.org, https://www.usenix.org/system/files/sec20-feng.pdf, 2020
  15. “AFL++: Combining Incremental Steps of Fuzzing Research” In 14th USENIX Workshop on Offensive Technologies (WOOT 20), 2020
  16. “LibAFL: A Framework to Build Modular and Reusable Fuzzers” In Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security, CCS ’22, 2022
  17. Ethereum Foundation “Ethereum” Accessed: 2023-4-12, https://ethereum.org/, 2023
  18. Solana Foundation “Solana” Accessed: 2023-4-12, https://solana.com/, 2023
  19. Solana Foundation “Solana Documentaion” Accessed: 2023-4-16, https://docs.solana.com/, 2023
  20. Solana Foundation “solana_rbpf” Accessed: 2023-4-16, https://github.com/solana-labs/rbpf, 2023
  21. Joel Frank, Cornelius Aschermann and Thorsten Holz “ETHBMC: A Bounded Model Checker for Smart Contracts” In 29th USENIX Security Symposium (USENIX Security 20) USENIX Association, 2020, pp. 2757–2774 URL: https://www.usenix.org/conference/usenixsecurity20/presentation/frank
  22. Patrice Godefroid, Adam Kiezun and Michael Y Levin “Grammar-based whitebox fuzzing” In Proceedings of the 29th ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI ’08 Tucson, AZ, USA: Association for Computing Machinery, 2008, pp. 206–215
  23. Dan Goodin “How $323M in crypto was stolen from a blockchain bridge called Wormhole” Accessed: 2023-4-12 In Ars Technica, https://arstechnica.com/information-technology/2022/02/how-323-million-in-crypto-was-stolen-from-a-blockchain-bridge-called-wormhole/, 2022
  24. “Echidna: effective, usable, and fast fuzzing for smart contracts” In Proceedings of the 29th ACM SIGSOFT International Symposium on Software Testing and Analysis, ISSTA 2020 Virtual Event, USA: Association for Computing Machinery, 2020, pp. 557–560
  25. Samuel Groß “Fuzzil: Coverage guided fuzzing for javascript engines” In Department of Informatics, Karlsruhe Institute of Technology saelo.github.io, 2018
  26. “Dowsing for overflows: a guided fuzzer to find buffer boundary violations” In USENIX Security Symposium, 2013, pp. 49–64
  27. Hyungseok Han, Donghyeon Oh and Sang Kil Cha “CodeAlchemist: Semantics-aware code generation to find vulnerabilities in JavaScript engines” In Proceedings 2019 Network and Distributed System Security Symposium San Diego, CA: Internet Society, 2019
  28. “Learning to Fuzz from Symbolic Execution with Application to Smart Contracts” In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, CCS ACM, 2019 DOI: 10.1145/3319535.3363230
  29. IMMUNI SOFTWARE PTE. LTD “Immunefi Bug Bounties” Accessed: 2023-3-30 In Immunefi, https://immunefi.com/, 2020
  30. Bo Jiang, Ye Liu and W.K. Chan “ContractFuzzer: fuzzing smart contracts for vulnerability detection” In Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering, ASE ACM, 2018 DOI: 10.1145/3238147.3238177
  31. Lacoste “Lacoste NFT” Accessed: 2023-4-22, https://www.lacoste.com/en/undw3.html, 2023
  32. Martin Lee “Solana: Scalability through speed” Accessed: 2023-4-12, https://www.nansen.ai/research/solana-scalability-through-speed, 2022
  33. “Fuzzing: State of the Art” In IEEE Trans. Reliab. 67.3 ieeexplore.ieee.org, 2018, pp. 1199–1218
  34. “PATA: Fuzzing with Path Aware Taint Analysis” In 2022 IEEE Symposium on Security and Privacy (SP), 2022, pp. 1–17
  35. OtterSec LLC. “BN-eBPF-Solana” Accessed: 2023-8-9, 2022 URL: https://github.com/otter-sec/bn-ebpf-solana
  36. Dominik Maier, Lukas Seidel and Shinjo Park “BaseSAFE: baseband sanitized fuzzing through emulation” In Proceedings of the 13th ACM Conference on Security and Privacy in Wireless and Mobile Networks, WiSec ’20 Linz, Austria: Association for Computing Machinery, 2020, pp. 122–132
  37. Niko Matsakis “Rust RFC 1211: MIR” Accessed: 2023-8-9, https://rust-lang.github.io/rfcs/1211-mir.html, 2015
  38. “Manticore: A User-Friendly Symbolic Execution Framework for Binaries and Smart Contracts” In 2019 34th IEEE/ACM International Conference on Automated Software Engineering (ASE), 2019, pp. 1186–1189
  39. NBA “NBA NFT” Accessed: 2023-4-20, https://nbatopshot.com/, 2023
  40. Neodyme “Introduction - Solana Security Workshop” Accessed: 2023-4-16, https://workshop.neodyme.io/, 2021
  41. Neodyme “Solana security.txt” Accessed: 2023-8-9, https://github.com/neodyme-labs/solana-security-txt, 2022
  42. “sFuzz: an efficient adaptive fuzzer for solidity smart contracts” In Proceedings of the ACM/IEEE 42nd International Conference on Software Engineering, ICSE ’20 Seoul, South Korea: Association for Computing Machinery, 2020, pp. 778–788
  43. Nike “Nike NFT” Accessed: 2023-4-22, https://www.swoosh.nike/, 2023
  44. Richard Patel “ghidra-eBPF” Accessed: 2023-8-9, 2022 URL: https://github.com/terorie/ghidra-ebpf
  45. “USBFuzz: A framework for fuzzing USB drivers by device emulation” Accessed: 2023-2-7 usenix.org, https://www.usenix.org/system/files/sec20-peng_0.pdf, 2020
  46. “VUzzer: Application-aware evolutionary fuzzing” In Proceedings 2017 Network and Distributed System Security Symposium 17 San Diego, CA: Internet Society, 2017, pp. 1–14
  47. “EF/CF: High Performance Smart Contract Fuzzing for Exploit Generation”, 2023 arXiv:2304.06341 [cs.CR]
  48. “EVMPatch: Timely and Automated Patching of Ethereum Smart Contracts” In USENIX Security Symposium, 2021, pp. 1289–1306
  49. “Sereum: Protecting existing smart contracts against re-entrancy attacks” In Proceedings 2019 Network and Distributed System Security Symposium San Diego, CA: Internet Society, 2019
  50. “Performance analysis of ethereum transactions in private blockchain” In 2017 8th IEEE International Conference on Software Engineering and Service Science (ICSESS), 2017, pp. 70–74
  51. “Fuzzware: Using precise {MMIO} modeling for effective firmware fuzzing” In 31st USENIX Security Symposium (USENIX Security 22), 2022, pp. 1239–1256
  52. “eThor: Practical and Provably Sound Static Analysis of Ethereum Smart Contracts” In Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security, CCS ’20 New York, NY, USA: Association for Computing Machinery, 2020, pp. 621–640
  53. “Nyx: Greybox hypervisor fuzzing using fast snapshots and affine types” In 30th USENIX Security Symposium (USENIX Security 21), 2021, pp. 2597–2614
  54. Christof Ferreira Torres, Julian Schütte and Radu State “Osiris: Hunting for Integer Bugs in Ethereum Smart Contracts” In Proceedings of the 34th Annual Computer Security Applications Conference, ACSAC ’18 San Juan, PR, USA: Association for Computing Machinery, 2018, pp. 664–676
  55. “ConFuzzius: A Data Dependency-Aware Hybrid Fuzzer for Smart Contracts” In IEEE European Symposium on Security and Privacy, EuroS&P IEEE, 2021 DOI: 10.1109/EuroSP51992.2021.00018
  56. “Securify: Practical Security Analysis of Smart Contracts” In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, CCS ’18 Toronto, Canada: Association for Computing Machinery, 2018, pp. 67–82
  57. Molly White “Mango Markets exploiter arrested despite claiming all his actions were legal” Accessed: 2023-4-12 In Web3 Is Going Just Great, https://web3isgoinggreat.com/?blockchain=solana&id=mango-markets-exploiter-arrested-despite-claiming-all-his-actions-were-legal, 2022
  58. Molly White “Oracle attack on Solend costs the project $1.26 million” Accessed: 2023-4-12 In Web3 Is Going Just Great, https://web3isgoinggreat.com/?blockchain=solana&id=oracle-attack-on-solend-costs-the-project-1-26-million, 2022
  59. “Harvey: a greybox fuzzer for smart contracts” In Proceedings of the 28th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, ESEC/FSE 2020 ACM, 2020 DOI: 10.1145/3368089.3417064
  60. “ProFuzzer: On-the-fly Input Type Probing for Better Zero-Day Vulnerability Discovery” In 2019 IEEE Symposium on Security and Privacy (SP) ieeexplore.ieee.org, 2019, pp. 769–786
  61. Michal Zalewski “American Fuzzy Lop” URL: https://lcamtuf.coredump.cx/afl/
Citations (8)
View on Semantic Scholar

Summary

  • The paper presents FuzzDelSol, a tool that uses binary-only, coverage-guided fuzzing to detect vulnerabilities in Solana smart contracts.
  • It integrates a blockchain emulator, transaction generator, and instrumented execution environment to simulate realistic on-chain interactions.
  • The evaluation shows FuzzDelSol detected significant vulnerabilities in 52 of 6049 contracts, processing over 1500 transactions per second.

Essay: "Fuzz on the Beach: Fuzzing Solana Smart Contracts"

Introduction

"Fuzz on the Beach: Fuzzing Solana Smart Contracts" introduces FuzzDelSol, a novel tool designed to address the unique security challenges of Solana smart contracts. Solana's stateless execution environment necessitates new approaches to vulnerability analysis, given current tools largely cater to the Ethereum Virtual Machine. FuzzDelSol employs a binary-only, coverage-guided fuzzing methodology to detect vulnerabilities specific to Solana, such as missing signer checks, arbitrary cross-program invocations, missing owner checks, and integer bugs.

Solana's Execution Environment

Solana separates executable code from raw data in its account model, providing a unique challenge in smart contract execution. Its stateless nature allows for high transaction throughput but introduces vulnerabilities that require careful verification of program interactions. The execution of on-chain programs via the eBPF VM and native programs included in the Solana runtime highlights the need for tailored analysis tools that can handle Solana-specific runtime semantics. Figure 1

Figure 1: Serialization of an instruction as input of the eBPF VM.

Challenges of Security Analysis

Fuzzing Solana smart contracts is challenging due to the constraints imposed by the blockchain's stateless environment and its reliance on valid ledger snapshots. Modeling such complex interactions, ensuring reproducibility, and handling sysvar accounts are essential to simulate genuine blockchain states accurately. Moreover, detecting Solana-specific vulnerabilities requires advanced taint tracking techniques to trace data flows and identify attack vectors such as unauthorized cross-program invocations.

FuzzDelSol Design and Implementation

FuzzDelSol is an integration of several components designed to provide comprehensive analysis:

  1. Blockchain Emulator: Creates valid ledger snapshots comprising program-related and additional accounts to simulate realistic blockchain interactions.
  2. Transaction Generator: Translates fuzzing data into valid transactions, ensuring reproducibility and facilitating vulnerability detection.
  3. RunDelSol: Executes transactions within an instrumented Solana environment, providing coverage data and a taint tracking engine for detailed vulnerability analysis.
  4. Transaction Evaluator: Cross-checks execution outcomes, advising ledger updates, and vulnerability report generation. Figure 2

    Figure 2: FuzzDelSol Design.

Evaluation

  • Neodyme Breakpoint Workshop Dataset: Validates detection capabilities across known vulnerabilities, showcasing FuzzDelSol's precision without false alarms compared to VRust's considerable false alarm rate.
  • Mainnet Analysis: Out of 6049 contracts analyzed, 52 revealed significant vulnerabilities. Detection of bugs like missing signer checks and integer bugs demonstrates FuzzDelSol’s applicability to real-world conditions. Figure 3

    Figure 3: Process to transform randomly generated bytes into a valid transaction.

Performance Metrics

Utilizing high transaction throughput, FuzzDelSol maintains an average processing speed exceeding 1500 transactions per second, validating its efficiency in handling large datasets and complex Solana contracts. The tool's capacity to generate substantial code coverage confirms its effectiveness in uncovering deep-seated vulnerabilities.

Conclusion

FuzzDelSol represents a robust solution to the pressing need for tailored smart contract analysis tools in Solana's ecosystem. By combining runtime modeling, coverage-guided fuzzing, and targeted bug detection oracles, FuzzDelSol sets a new standard in blockchain security analysis. This broad applicability and precision mark it as an essential tool for developers and researchers aiming to ensure the security of decentralized applications on the Solana blockchain.

File Document Download Save Streamline Icon: https://streamlinehq.com PDF File Document Download Save Streamline Icon: https://streamlinehq.com Markdown
Ai Generate Text Spark Streamline Icon: https://streamlinehq.com

Knowledge Gaps

Knowledge gaps, limitations, and open questions

Below is a concise, actionable list of what remains missing, uncertain, or unexplored in the paper and its current implementation of FuzzDelSol.

  • Quantify false negatives at scale: only 16 of 92 reports were manually validated (2 false alarms), leaving the true-positive rate and false-negative rate across the full 6,049-contract corpus unknown; design a protocol to systematically validate a representative, statistically powered sample and estimate recall.
  • Ground-truth benchmarking: beyond the Neodyme dataset and VRust comparison, assemble and use a larger, labeled benchmark of Solana vulnerabilities (including confirmed mainnet bugs) to measure precision/recall per bug class and compare against static/dynamic baselines.
  • Oracle coverage gaps: extend bug oracles beyond the five classes (MSC, MOC, ACPI, MKC, integer bugs) to cover Solana-specific issues such as:
    • misuse of PDA seeds (e.g., weak or attacker-influenced seeds),
    • privilege delegation flaws in CPI (over-delegation, signer spoofing via PDAs),
    • denial-of-service via compute-unit exhaustion or stack-depth limits,
    • unauthorized state writes that do not alter lamports,
    • misconfigured rent/space allocation and account lifecycle issues,
    • logic errors in sysvar usage (slot/clock-dependent safety assumptions),
    • SPL Token–specific vulnerabilities (e.g., mint/authority misuse) and non-lamport asset theft,
    • C-program memory safety or unsafe syscalls (for the ~3% non-Rust programs).
  • Modeling multi-transaction exploits: clarify and extend support for long transaction sequences and stateful exploit chains (beyond single/short sequences), including ordering constraints, account locks, and realistic ledger evolution across many steps.
  • PDA seed extraction limits: document and address cases where seeds are derived via hashes, serialized structs, or off-chain data (guardian sets, oracles), which may prevent accurate PDA derivation; explore hybrid taint+symbolic approaches or grammar/constraint solving for seeds.
  • CPI interaction depth and breadth: evaluate detection effectiveness across deeper CPI chains, complex privilege propagation, and nested PDAs; quantify how the VM’s depth limits affect finding ACPI-like bugs.
  • Ledger snapshot fidelity: assess how the emulated snapshot diverges from realistic mainnet states (e.g., rent epochs, data layouts, token accounts, program versions), and define methods to import or synthesize realistic, domain-specific snapshots for popular program families.
  • Transaction generation expressiveness: the byte-to-transaction mapping may struggle to satisfy program-specific invariants; investigate grammar-based fuzzing, constraint-solving of instruction data, and coverage-guided struct mutators for Solana’s common serialization formats (e.g., Borsh).
  • Coverage instrumentation details: specify how coverage is measured at the eBPF level (basic blocks/edges?), its accuracy in JIT vs interpreter mode, and potential blind spots introduced by runtime-only instrumentation; evaluate impact on path discovery.
  • Taint tracking soundness and performance: formalize the taint model (sources/sinks, propagation rules) for Solana/eBPF, quantify overhead, and analyze cases of taint explosion or under-tainting that could cause missed oracles or false alarms.
  • State-space control and fuzzing budgets: report resource usage, time-to-first-bug, and scaling behavior across 6,049 programs; propose heuristics (e.g., adaptive budgets, path prioritization) to improve efficiency on complex, CPI-heavy programs.
  • Reproducibility beyond testnets: while transactions are replayable on a test network, clarify reproducibility on mainnet (recent blockhash, fees, account locks, and cluster configuration); provide tooling to auto-generate minimal PoCs and replay scripts for standard test clusters.
  • Token-centric assets vs lamports: the “lamport gains” oracle may miss theft involving SPL Tokens or program-specific assets (NFT metadata, custodial vaults); add asset-aware detectors that track token authorities, minting, burning, and transfers across CPI.
  • Multi-signature and authority models: extend modeling of signer checks to cover multi-sig, derived authorities, and program-controlled authorities commonly used in DeFi and custody programs.
  • Ethereum-to-Solana differences not fully leveraged: identify Solana-only attack surfaces (parallel execution, account locking, sysvar-driven logic) that fuzzing can exploit, and explicitly incorporate them in input generation and oracles.
  • Ethical triage and disclosure workflow: outline processes for responsibly validating and disclosing found bugs on closed-source programs, including non-invasive state recreation and contact via security.txt, to enable safe adoption.
  • Tooling and dataset openness: clarify availability of FuzzDelSol, instrumented runtime (RunDelSol), and curated datasets to enable independent replication; if closed, provide detailed implementation/parameterization to support reproducibility.
  • Future-proofing across Solana updates: evaluate how runtime/API changes (sysvars, compute-unit accounting, CPI rules, loader versions) affect the fuzzer and define compatibility tests or adaptation layers.
  • Comparative evaluation with hybrid methods: explore integrating symbolic execution, concolic testing, or decompilation/lifting to enhance semantics recovery (e.g., PDA seeds, data layouts) and empirically compare the gains against pure fuzzing.
  • Non-monetary integrity checks: add oracles for unauthorized data modifications (e.g., changing authorities, configuration flags) that do not immediately reflect in lamport changes but enable long-term exploitability.
Ai Sparkles Streamline Icon: https://streamlinehq.com View Paper Prompt List Streamline Icon: https://streamlinehq.com View All Prompts
Dice Question Streamline Icon: https://streamlinehq.com

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Ai Sparkles Streamline Icon: https://streamlinehq.com Generate Now
List To Do Tasks Checklist Streamline Icon: https://streamlinehq.com

Collections

Sign up for free to add this paper to one or more collections.

User Circle Single Streamline Icon: https://streamlinehq.com Sign Up
X Twitter Logo Streamline Icon: https://streamlinehq.com

Tweets

This paper has been mentioned in 4 tweets and received 8 likes.

Upgrade to Pro to view all of the tweets about this paper:

Start a free 7-day Pro trial