ETHPLOIT: From Fuzzing To Efficient Exploit Generation .

E TH P LOIT: From Fuzzing to Efficient ExploitGeneration against Smart ContractsQingzhao Zhang ‡ , Yizhuo Wang ‡ , Juanru Li , Siqi Ma† () ShanghaiJiao Tong University, China{fszqz001, mr.wang-yz}@sjtu.edu.cn, roman@sjtusec.com† Data 61, CSIRO, Australiasiqi.ma@csiro.auAbstract—Smart contracts, programs running on blockchainsystems, leverage diverse decentralized applications (DApps).Unfortunately, well-known smart contract platforms, Ethereumfor example, face serious security problems. Exploits to contractsmay cause enormous financial losses, which emphasize theimportance of smart contract testing. However, current exploitgeneration tools have difficulty to solve hard constraints inexecution paths and cannot simulate the blockchain behaviorsvery well. These problems cause a loss of coverage and accuracyof exploit generation.To overcome the problems, we design and implement E TH P LOIT, a smart contract exploit generator based on fuzzing.E TH P LOIT adopts static taint analysis to generate exploittargeted transaction sequences, a dynamic seed strategy to passhard constraints and an instrumented Ethereum Virtual Machineto simulate blockchain behaviors. We evaluate E TH P LOIT on45,308 smart contracts and discovered 554 exploitable contracts.E TH P LOIT automatically generated 644 exploits without anyfalse positive and 306 of them cannot be generated by previousexploit generation tools.Index Terms—smart contract, fuzzing, exploitationI. I NTRODUCTIONBlockchain-based cryptocurrency systems gain great popularity in the past several years, standing at an overall market capitalization of 170 billion dollars in April 2019 [1].Ethereum [2], for example, is the second-largest blockchainsystem and cryptocurrency after Bitcoin [3] by overall market value [1]. Ethereum develops Bitcoin’s scripts, a pieceof stack-based code performing some simple checks beforecurrency transfer, to a Turing-complete on-chain programminglanguage called smart contract. As a result, more than cryptocurrency, Ethereum serves as a platform for decentralizedapplications (i.e., DApps) based on smart contracts, suchas tokens, gambling, auction, etc. The website State of theDApps [4] records over 2,200 active DApps, over 85% ofwhich come from Ethereum. In fact, Ethereum had hosted overone million smart contracts by the end of 2018 [5].As the smart contract develops, security vulnerabilities ofEthereum smart contracts become a serious problem. TheTuring-complete language makes smart contracts more errorprone than Bitcoin’s scripts and several vulnerabilities havebeen discovered [6]. Because of the nature of cryptocurrency,smart contracts usually involve flows of ETH, the virtual‡ These authors equally contribute to the paper.currency in Ethereum which is also valuable in the real world.Therefore, when attackers make use of vulnerabilities, thecurrency is illegally manipulated. In fact, real-world attackssuch as DAO [7] and Parity Multisig Wallet [8] have causeda tremendous crisis for Ethereum. What is worse, smartcontracts are unmodifiable after on-chain deployment and thedamage of attacks is almost irretrievable.One major research goal for smart contracts vulnerabilityis how to fulfill an accurate vulnerability detection. Existingdetection techniques [9]–[12] often suffer from both falsenegative and false positive. To verify a detected vulnerability,a typical method is to generate an exploit to test whetherthe vulnerability can be actually triggered. Current exploitgeneration for smart contracts generally applies symbolicexecution method [13], [14]. Teether [13], for instance, locatespotential dangerous operations and solves an execution pathtriggering the operation using SMT solvers. However, such aworkflow of symbolic execution faces two challenges. The firstone is Unsolvable Constraints, which indicates the executionof sensitive operations (e.g., currency transfer, self-destruction)is restricted by conditions that are difficult for existing tools topass. Unsolvable Constraints is a major obstacle for symbolicexecution. A prominent case is the validity check of hashvalue before currency transfer. For instance, teether tries tojump over a hash instruction but cannot present value relationbetween hash pre-image and hash value, which does nothelp to pass cryptographic checks in many scenarios. Ourobservation on 49,522 contracts collected from etherscan [5]demonstrates that these complicated conditions are commonas 20% (9,694) contracts contain cryptographic functions. Inthis situation, the corresponding exploit is not able to begenerated. Another challenge for current techniques is how tohandle Blockchain Effects. Blockchain properties (e.g., timestamp and block number) are variables used in the contracts,which represent information about objects (e.g., block) in theblockchain system. Current exploit generation tools regardblockchain properties as normal global variables. However,these properties have their meaning in the blockchain systemand their value has a specific range. If not handled properly,it is also infeasible to generate an exploit successfully.To respond to the above challenges, in this paper, weutilize fuzzing to generate exploits. Compared with symbolicexecution, fuzzing does not need to mathematically solve

the exploit generation technique against smart contracts and developers could leverage our tool to build more secure code. In summary, we make the following contributions: 1)We summarized two major challenges, Unsolvable Con-straints and Blockchain Effects, in smart contract exploit