Fuzz on the Beach: Fuzzing Solana Smart Contracts (2309.03006v3)

Published 6 Sep 2023 in cs.CR

Abstract: Solana has quickly emerged as a popular platform for building decentralized applications (DApps), such as marketplaces for non-fungible tokens (NFTs). A key reason for its success is Solana's low transaction fees and high performance, which is achieved in part due to its stateless programming model. Although the literature features extensive tooling support for smart contract security, current solutions are largely tailored for the Ethereum Virtual Machine. Unfortunately, the very stateless nature of Solana's execution environment introduces novel attack patterns specific to Solana requiring a rethinking for building vulnerability analysis methods. In this paper, we address this gap and propose FuzzDelSol, the first binary-only coverage-guided fuzzing architecture for Solana smart contracts. FuzzDelSol faithfully models runtime specifics such as smart contract interactions. Moreover, since source code is not available for the large majority of Solana contracts, FuzzDelSol operates on the contract's binary code. Hence, due to the lack of semantic information, we carefully extracted low-level program and state information to develop a diverse set of bug oracles covering all major bug classes in Solana. Our extensive evaluation on 6049 smart contracts shows that FuzzDelSol's bug oracles find bugs with a high precision and recall. To the best of our knowledge, this is the largest evaluation of the security landscape on the Solana mainnet.


Summary

  • The paper presents FuzzDelSol, a tool that uses binary-only, coverage-guided fuzzing to detect vulnerabilities in Solana smart contracts.
  • It integrates a blockchain emulator, transaction generator, and instrumented execution environment to simulate realistic on-chain interactions.
  • The evaluation shows FuzzDelSol detected significant vulnerabilities in 52 of 6049 contracts, processing over 1500 transactions per second.

Essay: "Fuzz on the Beach: Fuzzing Solana Smart Contracts"

Introduction

"Fuzz on the Beach: Fuzzing Solana Smart Contracts" introduces FuzzDelSol, a novel tool designed to address the unique security challenges of Solana smart contracts. Solana's stateless execution environment necessitates new approaches to vulnerability analysis, since current tools largely cater to the Ethereum Virtual Machine. FuzzDelSol employs a binary-only, coverage-guided fuzzing methodology to detect vulnerabilities specific to Solana, such as missing signer checks, arbitrary cross-program invocations, missing owner checks, and integer bugs.
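Three of the four bug classes named above (missing signer check, missing owner check, integer bug), as an added example in plain Rust that is not code from the paper or from FuzzDelSol. `Account`, `VaultState`, `THIS_PROGRAM` and the two withdraw handlers are constructed stand-ins for the Solana SDK's account types and a program's instruction handler, so the file compiles without the solana_program crate; the vulnerable handler omits the checks, the hardened one performs them with checked arithmetic.

```rust
// Added example (not from the paper or FuzzDelSol): a simplified model of the
// account checks a Solana program must make before moving funds. `Account`
// and `VaultState` are constructed stand-ins for the SDK's AccountInfo and
// deserialized account data, not the real solana_program API.

#[derive(Debug, Clone, PartialEq)]
pub struct Account {
    pub key: [u8; 4],    // constructed short key instead of a 32-byte Pubkey
    pub owner: [u8; 4],  // program that owns (and may write) this account's data
    pub is_signer: bool, // whether this account signed the transaction
    pub lamports: u64,
}

/// Deserialized vault data: the authority allowed to withdraw.
pub struct VaultState {
    pub authority: [u8; 4],
}

#[derive(Debug, PartialEq)]
pub enum VaultError {
    MissingSigner,
    WrongOwner,
    ArithmeticOverflow,
}

/// Constructed id of the program whose handlers are shown below.
pub const THIS_PROGRAM: [u8; 4] = [0xAA; 4];

/// Vulnerable handler: it compares the authority key but never checks
/// `is_signer`, never checks that the vault account is owned by this program
/// (so an account with forged vault data is accepted), and wraps on underflow
/// just like unchecked arithmetic does in a release build.
pub fn withdraw_vulnerable(
    vault_acc: &mut Account,
    vault: &VaultState,
    authority: &Account,
    dest: &mut Account,
    amount: u64,
) -> Result<(), VaultError> {
    if vault.authority != authority.key {
        return Err(VaultError::MissingSigner); // key mismatch only
    }
    vault_acc.lamports = vault_acc.lamports.wrapping_sub(amount); // underflows silently
    dest.lamports = dest.lamports.wrapping_add(amount);
    Ok(())
}

/// Hardened handler: owner check, signer check, checked arithmetic.
pub fn withdraw_checked(
    vault_acc: &mut Account,
    vault: &VaultState,
    authority: &Account,
    dest: &mut Account,
    amount: u64,
) -> Result<(), VaultError> {
    if vault_acc.owner != THIS_PROGRAM {
        return Err(VaultError::WrongOwner); // data not written by this program
    }
    if vault.authority != authority.key || !authority.is_signer {
        return Err(VaultError::MissingSigner); // right key is not enough: it must sign
    }
    let new_vault = vault_acc.lamports.checked_sub(amount).ok_or(VaultError::ArithmeticOverflow)?;
    let new_dest = dest.lamports.checked_add(amount).ok_or(VaultError::ArithmeticOverflow)?;
    vault_acc.lamports = new_vault;
    dest.lamports = new_dest;
    Ok(())
}

/// Constructed scenario: the authority key is supplied but did not sign.
/// Returns the handler result and the destination balance afterwards.
pub fn unsigned_withdraw(checked: bool) -> (Result<(), VaultError>, u64) {
    let mut vault_acc = Account { key: [1; 4], owner: THIS_PROGRAM, is_signer: false, lamports: 100 };
    let vault = VaultState { authority: [2; 4] };
    let authority = Account { key: [2; 4], owner: [0; 4], is_signer: false, lamports: 0 };
    let mut dest = Account { key: [3; 4], owner: [0; 4], is_signer: false, lamports: 0 };
    let res = if checked {
        withdraw_checked(&mut vault_acc, &vault, &authority, &mut dest, 40)
    } else {
        withdraw_vulnerable(&mut vault_acc, &vault, &authority, &mut dest, 40)
    };
    (res, dest.lamports)
}

fn main() {
    println!("vulnerable handler, unsigned authority: {:?}", unsigned_withdraw(false));
    println!("checked handler,    unsigned authority: {:?}", unsigned_withdraw(true));
}
```

In the vulnerable variant the unsigned call drains 40 lamports; in the checked variant it is rejected before any balance changes, which is the observable difference a signer-check oracle keys on.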

Solana's Execution Environment

Solana's account model separates executable code from raw data, which shapes how smart contracts execute. Its stateless nature allows high transaction throughput but introduces vulnerabilities that require careful verification of program interactions. On-chain programs execute in the eBPF VM alongside native programs included in the Solana runtime, so analysis tools must be tailored to Solana-specific runtime semantics.

Figure 1: Serialization of an instruction as input of the eBPF VM.

Challenges of Security Analysis

Fuzzing Solana smart contracts is challenging due to the constraints imposed by the blockchain's stateless environment and its reliance on valid ledger snapshots. Modeling such complex interactions, ensuring reproducibility, and handling sysvar accounts are essential to simulate genuine blockchain states accurately. Moreover, detecting Solana-specific vulnerabilities requires advanced taint tracking techniques to trace data flows and identify attack vectors such as unauthorized cross-program invocations.

FuzzDelSol Design and Implementation

FuzzDelSol is an integration of several components designed to provide comprehensive analysis:

  1. Blockchain Emulator: Creates valid ledger snapshots comprising program-related and additional accounts to simulate realistic blockchain interactions.
  2. Transaction Generator: Translates fuzzing data into valid transactions, ensuring reproducibility and facilitating vulnerability detection.
  3. RunDelSol: Executes transactions within an instrumented Solana environment, providing coverage data and a taint tracking engine for detailed vulnerability analysis.
  4. Transaction Evaluator: Cross-checks execution outcomes, advises ledger updates, and generates vulnerability reports.

Figure 2: FuzzDelSol Design.

Evaluation

  • Neodyme Breakpoint Workshop Dataset: Validates detection capabilities across known vulnerabilities; FuzzDelSol reports them without false alarms, whereas VRust has a considerable false alarm rate.
  • Mainnet Analysis: Out of 6049 contracts analyzed, 52 revealed significant vulnerabilities. Detection of bugs like missing signer checks and integer bugs demonstrates FuzzDelSol's applicability to real-world conditions.

Figure 3: Process to transform randomly generated bytes into a valid transaction.
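The step Figure 3 describes, and the Transaction Generator component listed in the design section, as an added example that is not FuzzDelSol's code: a deterministic decoder that maps arbitrary fuzz bytes onto an instruction that is valid against a ledger snapshot. `SnapshotAccount`, `AccountRef`, `Instruction`, the byte layout, `MAX_ACCOUNTS_PER_IX` and `sample_snapshot` are all constructed for this illustration; the point is that every byte string yields in-range account references, program and sysvar accounts never receive signer or writable privileges, and the same bytes always reproduce the same transaction.

```rust
// Added example (not from the paper or FuzzDelSol): a deterministic decoder that
// turns fuzz bytes into an instruction valid against a ledger snapshot. All
// types and the byte layout are constructed for this illustration.

#[derive(Debug, Clone, PartialEq)]
pub struct SnapshotAccount {
    pub key: [u8; 4],     // constructed short key instead of a 32-byte Pubkey
    pub executable: bool, // program accounts hold code and cannot sign or be written
    pub is_sysvar: bool,  // runtime-provided accounts (clock, rent, ...) are read-only
}

#[derive(Debug, Clone, PartialEq)]
pub struct AccountRef {
    pub index: usize, // position in the snapshot
    pub is_signer: bool,
    pub is_writable: bool,
}

#[derive(Debug, Clone, PartialEq)]
pub struct Instruction {
    pub program_index: usize,
    pub accounts: Vec<AccountRef>,
    pub data: Vec<u8>, // remaining fuzz bytes become the instruction payload
}

/// Upper bound on account references per instruction (constructed value).
pub const MAX_ACCOUNTS_PER_IX: usize = 4;

/// Constructed layout: [program selector][account count][(index, flags)...][data...].
/// Selectors are reduced modulo the number of candidates, so any byte string
/// maps to in-range references; privilege bits on programs and sysvars are masked.
pub fn decode_instruction(bytes: &[u8], snapshot: &[SnapshotAccount]) -> Option<Instruction> {
    let programs: Vec<usize> = snapshot
        .iter()
        .enumerate()
        .filter(|(_, a)| a.executable)
        .map(|(i, _)| i)
        .collect();
    if programs.is_empty() || bytes.len() < 2 {
        return None; // nothing callable, or not even a two-byte header
    }
    let program_index = programs[(bytes[0] as usize) % programs.len()];
    let n_accounts = 1 + ((bytes[1] as usize) % MAX_ACCOUNTS_PER_IX);
    let mut accounts = Vec::with_capacity(n_accounts);
    let mut cursor = 2;
    for _ in 0..n_accounts {
        // Missing bytes read as zero, so short inputs still decode reproducibly.
        let idx_byte = bytes.get(cursor).copied().unwrap_or(0);
        let flags = bytes.get(cursor + 1).copied().unwrap_or(0);
        cursor += 2;
        let index = (idx_byte as usize) % snapshot.len();
        let privileged_ok = !snapshot[index].executable && !snapshot[index].is_sysvar;
        accounts.push(AccountRef {
            index,
            is_signer: privileged_ok && (flags & 0b01) != 0,
            is_writable: privileged_ok && (flags & 0b10) != 0,
        });
    }
    let data = bytes.get(cursor..).map(|d| d.to_vec()).unwrap_or_default();
    Some(Instruction { program_index, accounts, data })
}

/// Validity conditions a downstream executor relies on; true when all hold.
pub fn is_valid(ix: &Instruction, snapshot: &[SnapshotAccount]) -> bool {
    snapshot.get(ix.program_index).map_or(false, |p| p.executable)
        && ix.accounts.iter().all(|r| {
            snapshot.get(r.index).map_or(false, |a| {
                let protected = a.executable || a.is_sysvar;
                !(protected && (r.is_signer || r.is_writable))
            })
        })
}

/// Constructed snapshot: two programs, one sysvar, one user-owned account.
pub fn sample_snapshot() -> Vec<SnapshotAccount> {
    vec![
        SnapshotAccount { key: [0xA0; 4], executable: true, is_sysvar: false },
        SnapshotAccount { key: [0xC1; 4], executable: false, is_sysvar: true },
        SnapshotAccount { key: [0x11; 4], executable: false, is_sysvar: false },
        SnapshotAccount { key: [0xB0; 4], executable: true, is_sysvar: false },
    ]
}

fn main() {
    let snap = sample_snapshot();
    let fuzz = [1u8, 2, 1, 3, 2, 3, 9, 9, 0xDE, 0xAD]; // constructed fuzzer output
    let ix = decode_instruction(&fuzz, &snap).expect("header present");
    println!("{:?} valid={}", ix, is_valid(&ix, &snap));
}
```

Because the decoder never rejects well-formed-enough input and never panics on short input, a coverage-guided fuzzer spends its mutations on inputs the program actually executes, and a crash or oracle hit can be replayed from the raw bytes plus the snapshot.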

Performance Metrics

FuzzDelSol sustains an average throughput exceeding 1500 transactions per second, validating its efficiency in handling large datasets and complex Solana contracts. The tool's capacity to generate substantial code coverage confirms its effectiveness in uncovering deep-seated vulnerabilities.

Conclusion

FuzzDelSol represents a robust solution to the pressing need for tailored smart contract analysis tools in Solana's ecosystem. By combining runtime modeling, coverage-guided fuzzing, and targeted bug detection oracles, FuzzDelSol sets a new standard in blockchain security analysis. This broad applicability and precision mark it as an essential tool for developers and researchers aiming to ensure the security of decentralized applications on the Solana blockchain.

