Smart Contract Fuzzing Towards Profitable Vulnerabilities
Ziqiao Kong, Cen Zhang, Maoyi Xie, Ming Hu, Yue Xue, Ye Liu, Haijun Wang, Yang Liu
TL;DR
The paper tackles the problem of identifying and exploiting profitable smart-contract vulnerabilities in DeFi. It introduces VERITE, a profit-centric fuzzing framework built on three pillars: DeFi action-based mutators to explore meaningful fund flows, profitability recognition to flag promising seeds, and a gradient-descent-based optimizer to maximize profits, all backed by an on-chain profit accounting oracle. Empirical results on a dataset of 61 exploited projects show VERITE achieving over $18$ million in exploited profits across 29 targets and outperforming ItyFuzz with higher detection and profit extraction, including scenarios where profits exceed real-world exploits by up to $11.45\times$. Additionally, VERITE demonstrates practical value for auditors by finding six zero-day vulnerabilities with bounties, illustrating its potential to strengthen on-chain security and defense strategies.
Abstract
Billions of dollars are transacted through smart contracts, making vulnerabilities a major financial risk. One focus in the security arms race is on profitable vulnerabilities that attackers can exploit. Fuzzing is a key method for identifying these vulnerabilities. However, current solutions face two main limitations: a lack of profit-centric techniques for expediting detection, and insufficient automation in maximizing the profitability of discovered vulnerabilities, leaving the analysis to human experts. To address these gaps, we have developed VERITE, a profit-centric smart contract fuzzing framework that not only effectively detects those profitable vulnerabilities but also maximizes the exploited profits. VERITE has three key features: 1) DeFi action-based mutators for boosting the exploration of transactions with different fund flows; 2) potentially profitable candidates identification criteria, which checks whether the input has caused abnormal fund flow properties during testing; 3) a gradient descent-based profit maximization strategy for these identified candidates. VERITE is fully developed from scratch and evaluated on a dataset consisting of 61 exploited real-world DeFi projects with an average of over 1.1 million dollars loss. The results show that VERITE can automatically extract more than 18 million dollars in total and is significantly better than state-of-the-art fuzzer ITYFUZZ in both detection (29/10) and exploitation (134 times more profits gained on average). Remarkably, in 12 targets, it gains more profits than real-world attacking exploits (1.01 to 11.45 times more). VERITE is also applied by auditors in contract auditing, where 6 (5 high severity) zero-day vulnerabilities are found with over $2,500 bounty rewards.