Towards Automated Discovery of Asymmetric Mempool DoS in Blockchains
Yibo Wang, Yuzhe Tang, Kai Li, Wanning Ding, Zhihua Yang
TL;DR
This work introduces MPFUZZ, the first symbolized-stateful mempool fuzzer designed to automatically discover asymmetric DoS vulnerabilities (ADAMS) in Ethereum clients. By symbolically representing mempool-admission behavior and estimating state-promisingness, MPFUZZ achieves substantial speedups and uncovers both known and novel mempool DoS patterns, including stealthy eviction and locking attacks. Extensive evaluations on major Ethereum clients and Ethereum-like networks show high attack success rates (often >84.6%) with modest attacker costs (often <1.2 ETH per block), and the authors report 24 new ADAMS bugs with several fixes post-disclosure. The work also provides mitigation guidance and an open-source path for broader vulnerability discovery, highlighting practical mempool security implications and future automation avenues.
Abstract
In blockchains, the mempool controls transaction flow before consensus, and denial of its service hurts the health and security of blockchain networks. This paper presents MPFUZZ, the first mempool fuzzer to find asymmetric DoS bugs by exploring the space of symbolized mempool states and optimistically estimating the promisingness of an intermediate state in reaching bug oracles. Compared to the baseline blockchain fuzzers, MPFUZZ achieves a >100x speedup in finding known DETER exploits. Running MPFUZZ on major Ethereum clients leads to the discovery of new mempool vulnerabilities, which exhibit a wide variety of sophisticated patterns, including stealthy mempool eviction and mempool locking. Rule-based mitigation schemes are proposed against all newly discovered vulnerabilities.
