
When Specifications Meet Reality: Uncovering API Inconsistencies in Ethereum Infrastructure

Jie Ma, Ningyu He, Jinwen Xi, Mingzhe Xing, Liangxin Liu, Jiushenzi Luo, Xiaopeng Fu, Chiachih Wu, Haoyu Wang, Ying Gao, Yinliang Yue

TL;DR

APIDiffer is the first specification-guided differential testing framework designed to automatically detect API inconsistencies across Ethereum's diverse client ecosystem. It achieves up to 89.67% higher code coverage than existing tools and reduces false positive rates by 37.38%.

Abstract

The Ethereum ecosystem, which secures over $381 billion in assets, fundamentally relies on client APIs as the sole interface between users and the blockchain. However, these critical APIs suffer from widespread implementation inconsistencies, which can lead to financial discrepancies, degraded user experiences, and threats to network reliability. Despite this criticality, existing testing approaches remain manual and incomplete: they require extensive domain expertise, struggle to keep pace with Ethereum's rapid evolution, and fail to distinguish genuine bugs from acceptable implementation variations. We present APIDiffer, the first specification-guided differential testing framework designed to automatically detect API inconsistencies across Ethereum's diverse client ecosystem. APIDiffer transforms API specifications into comprehensive test suites through two key innovations: (1) specification-guided test input generation that creates both syntactically valid and invalid requests enriched with real-time blockchain data, and (2) specification-aware false positive filtering that leverages large language models to distinguish genuine bugs from acceptable variations. Our evaluation across all 11 major Ethereum clients reveals the pervasiveness of API bugs in production systems. APIDiffer uncovered 72 bugs, with 90.28% already confirmed or fixed by developers. Beyond these raw numbers, APIDiffer achieves up to 89.67% higher code coverage than existing tools and reduces false positive rates by 37.38%. The Ethereum community's response validates our impact: developers have integrated our test cases, expressed interest in adopting our methodology, and escalated one bug to the official Ethereum Project Management meeting.
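The differential-testing idea in the abstract, shown for `eth_getBalance` as an added example; it is not APIDiffer's code. The two clients are hypothetical in-process stubs, the parameter rules are a simplified reading of the specification, and a fixed normalization rule (compare the result or the error code, ignore error message text) stands in for the paper's LLM-based false positive filtering.

```python
import re

ADDRESS = re.compile(r"^0x[0-9a-fA-F]{40}$")  # 20-byte hex address
BLOCK = re.compile(r"^(latest|earliest|pending|0x(0|[1-9a-f][0-9a-f]*))$")  # simplified
VALID_ADDR = "0x" + "ab" * 20                 # constructed sample address
BALANCE = "0x2386f26fc10000"                  # constructed balance: 10**16 wei

def make_requests():
    """One valid eth_getBalance request plus invalid mutations of its parameters."""
    cases = {
        "valid": [VALID_ADDR, "latest"],
        "short_address": [VALID_ADDR[:-2], "latest"],
        "bad_block_tag": [VALID_ADDR, "newest"],
        "missing_block": [VALID_ADDR],
    }
    return {name: {"jsonrpc": "2.0", "id": 1, "method": "eth_getBalance", "params": p}
            for name, p in cases.items()}

def reply(req, result=None, message=None):
    """Build a JSON-RPC 2.0 response; -32602 is the standard 'invalid params' code."""
    if message is not None:
        return {"jsonrpc": "2.0", "id": req["id"],
                "error": {"code": -32602, "message": message}}
    return {"jsonrpc": "2.0", "id": req["id"], "result": result}

def strict_client(req):
    """Hypothetical client that validates both parameters."""
    p = req["params"]
    if len(p) != 2 or not ADDRESS.match(p[0]) or not BLOCK.match(p[1]):
        return reply(req, message="invalid params")
    return reply(req, result=BALANCE)

def lenient_client(req):
    """Hypothetical client that skips address validation and words errors differently."""
    p = req["params"]
    if len(p) != 2 or not BLOCK.match(p[1]):
        return reply(req, message="Invalid argument 1: bad block")
    return reply(req, result=BALANCE if p[0] == VALID_ADDR else "0x0")

def normalize(resp):
    """Keep only what clients must agree on; error message text may vary."""
    if "error" in resp:
        return ("error", resp["error"]["code"])
    return ("result", resp["result"])

def differential_run(clients):
    """Send every request to every client and report the cases where they disagree."""
    findings = []
    for name, req in make_requests().items():
        outcomes = {cname: normalize(fn(req)) for cname, fn in clients.items()}
        if len(set(outcomes.values())) > 1:
            findings.append((name, outcomes))
    return findings
```

Only the malformed-address case is reported: the differently worded errors for the bad block tag and the missing parameter normalize to the same code and are not flagged.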

Paper Structure (29 sections, 8 figures, 8 tables)

Figures (8)

  • Figure 1: A motivating example of a real-world Ethereum client API bug on Etherscan. In this case, the transfer value displayed in the browser (0.1 ETH) is incorrectly shown as ten times the actual amount recorded on the blockchain (0.01 ETH). The root cause is that Etherscan uses a faulty Ethereum client API provided by Erigon.
  • Figure 2: The relationship among users, Ethereum nodes, Ethereum blockchain network, and EL/CL clients along with their exposed APIs.
  • Figure 3: The workflow overview of APIDiffer. The inputs include EL and CL client API specifications, and the output is the detailed bug report.
  • Figure 4: The specification of Ethereum client API eth_getBalance.
  • Figure 5: Test requests generated by APIDiffer, with orange highlights indicating syntactically or semantically invalid fields.
  • ...and 3 more figures