Effectively Generating Vulnerable Transaction Sequences in Smart Contracts with Reinforcement Learning-guided Fuzzing

Jianzhong Su, Hong Ning Dai, Lingjun Zhao, Zibin Zheng*, Xiapu Luo

*Corresponding author for this work

Research output: Chapter in book/report/conference proceeding > Conference proceeding > peer-review

19 Citations (Scopus)

Abstract

As computer programs that run on top of a blockchain, smart contracts have given rise to a myriad of decentralized applications while also introducing security vulnerabilities that may cause huge financial losses. It is therefore crucial and urgent to detect vulnerabilities in smart contracts. However, existing fuzzers for smart contracts are still inefficient at detecting sophisticated vulnerabilities that can only be triggered by specific vulnerable transaction sequences. To address this challenge, we propose a novel vulnerability-guided fuzzer based on reinforcement learning, namely RLF, which generates vulnerable transaction sequences to detect such sophisticated vulnerabilities in smart contracts. In particular, we first model the process of fuzzing smart contracts as a Markov decision process to construct our reinforcement learning framework. We then design a reward that takes both vulnerability and code coverage into account, so that it effectively guides our fuzzer to generate the specific transaction sequences that reveal vulnerabilities, especially those involving multiple functions. We conduct extensive experiments to evaluate RLF's performance. The experimental results demonstrate that RLF outperforms state-of-the-art vulnerability-detection tools (e.g., detecting 8%-69% more vulnerabilities within 30 minutes).

Original language: English
Title of host publication: ASE '22: Proceedings of the 37th IEEE/ACM International Conference on Automated Software Engineering
Publisher: Association for Computing Machinery (ACM)
Number of pages: 12
ISBN (Print): 9781450394758
Publication status: Published - Oct 2022
Event: 37th IEEE/ACM International Conference on Automated Software Engineering - Rochester, United States
Duration: 10 Oct 2022 - 14 Oct 2022
https://dl.acm.org/doi/proceedings/10.1145/3551349

Publication series

Name: ACM International Conference Proceeding Series

Conference

Conference: 37th IEEE/ACM International Conference on Automated Software Engineering
Country/Territory: United States
City: Rochester
Period: 10/10/22 - 14/10/22

Scopus Subject Areas

  • Software
  • Human-Computer Interaction
  • Computer Vision and Pattern Recognition
  • Computer Networks and Communications

User-Defined Keywords

  • Fuzzing
  • Reinforcement learning
  • Smart contract
