
fAmulet: Finding Finalization Failure Bugs in Polygon zkRollup

Zihao Li, Xinghao Peng, Zheyuan He, Xiapu Luo, Ting Chen

TL;DR

This work conducts the first systematic study of finalization failure bugs in zero-knowledge layer 2 protocols, defines two kinds of such bugs, and designs fAmulet, the first tool to detect finalization failure bugs in Polygon zkRollup, a prominent zero-knowledge layer 2 protocol, by leveraging fuzz testing.

Abstract

Zero-knowledge layer 2 protocols have emerged as a compelling approach to overcoming blockchain scalability issues by processing transactions through the transaction finalization process. During this process, transactions are processed efficiently off the main chain, while both the transaction data and the zero-knowledge proofs of transaction executions are retained on the main chain, ensuring the availability of transaction data as well as the correctness and verifiability of transaction executions. Hence, any bug that causes transaction finalization to fail is critical, as it impairs the usability of these protocols and the scalability of blockchains. In this work, we conduct the first systematic study of finalization failure bugs in zero-knowledge layer 2 protocols and define two kinds of such bugs. We also design fAmulet, the first tool to detect finalization failure bugs in Polygon zkRollup, a prominent zero-knowledge layer 2 protocol, by leveraging fuzz testing. To trigger finalization failure bugs effectively, we introduce a finalization behavior model that guides our transaction fuzzer to generate and mutate transactions so as to induce diverse behaviors across each component (e.g., the Sequencer) in the finalization process. Moreover, we define bug oracles according to the distinct bug definitions to detect bugs accurately. In our evaluation, fAmulet uncovers twelve zero-day finalization failure bugs in Polygon zkRollup and covers at least 20.8% more branches than the baselines. Furthermore, in a preliminary study, fAmulet uncovers a zero-day finalization failure bug in Scroll zkRollup, highlighting that fAmulet generalizes to other zero-knowledge layer 2 protocols. At the time of writing, all of our uncovered bugs have been confirmed and fixed by the Polygon zkRollup and Scroll zkRollup teams.


Paper Structure

This paper contains 26 sections, 7 figures, 5 tables, and 1 algorithm.

Figures (7)

  • Figure 1: Architecture of Polygon zkRollup.
  • Figure 2: An overview of fAmulet. ① In the transaction fuzzer, fAmulet first selects test transactions from the seed pool and mutates their execution context. ② fAmulet then disguises the mutated transactions to bypass the pre-execution checks. ③ fAmulet submits the test transactions to our Polygon zkRollup testnet for processing. ④ fAmulet collects runtime information to update the finalization behavior model, which guides future seed selection and transaction mutation. ⑤ Bug oracles monitor the testnet in real time to detect finalization failure bugs, and fAmulet reproduces the identified bugs to facilitate derivation of their root causes. fAmulet iterates through these five steps until termination.
  • Figure 3: Between the pre-execution phase and execution in batches, $tx_1$ is executed on different blockchain states, thereby resulting in different state transitions.
  • Figure 4: Opcode sequence with control flow hijacking code.
  • Figure 5: Code snippets from a hard finalization failure bug.
  • ...and 2 more figures