[Paper Summary] Is My RPC Response Reliable? Detecting RPC Bugs in Ethereum Blockchain Client under Context
EthCRAFT is a context-aware fuzzing tool that automatically generates blockchain contexts and RPC calls to detect context-dependent RPC bugs across Ethereum clients; it outperforms previous detectors and has uncovered new bugs.
Blockchain clients are fundamental software for running blockchain nodes. They provide users with various RPC (Remote Procedure Call) interfaces to interact with the blockchain. These RPC methods are expected to follow the same specification across different blockchain nodes, providing users with seamless interaction. However, there have been continuous reports on various RPC bugs that can cause unexpected responses or even Denial of Service weakness. Existing studies on blockchain RPC bug detection mainly focus on generating the RPC method calls for testing blockchain clients. However, a wide range of the reported RPC bugs are triggered in various blockchain contexts. To the best of our knowledge, little attention is paid to generating proper contexts that can trigger these context-dependent RPC bugs. In this work, we propose EthCRAFT, a Context-aware RPC Analysis and Fuzzing Tool for client RPC bug detection. EthCRAFT first proposes to explore the state transition program space of blockchain clients and generate various transactions to construct the context. EthCRAFT then designs a context-aware RPC method call generation method to send RPC calls to the blockchain clients. The responses of 5 different client implementations are used as cross-referring oracles to detect the RPC bugs. We evaluate EthCRAFT on real-world RPC bugs collected from the GitHub issues of Ethereum client implementations. Experiment results show that EthCRAFT outperforms existing client RPC detectors by detecting more RPC bugs. Moreover, EthCRAFT has found six new bugs in major Ethereum clients and reported them to the developers. One of the bug fixes has been written into breaking changes in the client's updates. Three of our bug reports have been offered a vulnerability bounty by the Ethereum Foundation.
Motivation and Goals
- Motivate the need to detect context-dependent RPC bugs in Ethereum blockchain clients.
- Propose a context-aware fuzzing framework to automatically generate triggering blockchain contexts.
- Develop off-chain context exploration and on-chain RPC testing to improve efficiency and coverage.
- Evaluate EthCRAFT on real-world RPC bugs and report new bugs to developers.
Proposed Method
- Propose EthCRAFT with a decoupled off-chain context space exploration and on-chain RPC testing workflow.
- Generate contexts by selecting and mutating on-chain transactions to maximize EVM execution coverage.
- Use a runtime state-aware mutation strategy guided by code coverage feedback.
- Employ an off-chain Go-Ethereum state_transition-based simulator to evaluate transactions without full node deployment.
- Implement a context-aware RPC call generation DSL to produce valid and bug-revealing RPC inputs.
- Use cross-client responses as oracle signals to detect RPC bugs across five Ethereum clients.
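As an added illustration (not EthCRAFT's code and not taken from the paper), the following Python script shows how two of the ideas above fit together: RPC calls are generated from a blockchain context rather than from random parameters, and the responses of several clients to the same call are compared as a cross-referring oracle. The context, the template format, the client names and the three in-memory stand-in clients are all constructed assumptions; one stand-in is given a made-up context-dependent defect so that the oracle has something to report, and it does not describe any real client.

```python
"""Cross-client JSON-RPC oracle driven by a generated blockchain context.
Added illustration only, not EthCRAFT's code; the clients below are
in-memory stand-ins with constructed responses, so this runs offline."""
import json

# Constructed context: the kind of state an off-chain exploration step could
# leave behind (two blocks, one transaction, two accounts). Made-up values.
CONTEXT = {
    "blocks": [
        {"number": "0x1", "hash": "0x" + "11" * 32, "transactions": ["0x" + "aa" * 32]},
        {"number": "0x2", "hash": "0x" + "22" * 32, "transactions": []},
    ],
    "accounts": ["0x" + "01" * 20, "0x" + "02" * 20],
}

# Context-aware call templates (assumed format): a "{name}" parameter is
# filled from the context, so every request refers to state that exists.
TEMPLATES = [
    ("eth_getBlockByNumber", ["{block_number}", False]),
    ("eth_getTransactionByHash", ["{tx_hash}"]),
    ("eth_getBalance", ["{account}", "{block_number}"]),
]


def fill(params, subs):
    """Substitute placeholders; return None if this context slice lacks a value."""
    out = []
    for p in params:
        if isinstance(p, str) and p.startswith("{") and p.endswith("}"):
            value = subs.get(p[1:-1])
            if value is None:
                return None
            out.append(value)
        else:
            out.append(p)
    return out


def generate_calls(context, templates):
    """Expand every template against every (block, account, tx) slice of the context."""
    calls, seen = [], set()
    for block in context["blocks"]:
        for account in context["accounts"]:
            for tx in block["transactions"] or [None]:
                subs = {"block_number": block["number"], "tx_hash": tx, "account": account}
                for method, params in templates:
                    filled = fill(params, subs)
                    if filled is None:
                        continue
                    key = (method, json.dumps(filled))
                    if key in seen:
                        continue
                    seen.add(key)
                    calls.append({"jsonrpc": "2.0", "id": len(calls) + 1,
                                  "method": method, "params": filled})
    return calls


def make_client(name, balance_quirk=False):
    """Build a stand-in JSON-RPC client (constructed behaviour, not a real node)."""
    by_number = {b["number"]: b for b in CONTEXT["blocks"]}

    def handle(req):
        method, params = req["method"], req["params"]
        if method == "eth_getBlockByNumber":
            return {"result": by_number.get(params[0])}
        if method == "eth_getTransactionByHash":
            return {"result": {"hash": params[0], "blockNumber": "0x1"}}
        if method == "eth_getBalance":
            if balance_quirk and params[1] == "0x2":
                # Constructed context-dependent defect: this stand-in cannot serve
                # balances at the newest block. Placeholder, not a real client bug.
                return {"error": {"code": -32000, "message": "missing trie node"}}
            return {"result": "0x0"}
        return {"error": {"code": -32601, "message": "method not found"}}

    return name, handle


def canonical(resp):
    """Reduce a response to a comparable form: error code only, or sorted result JSON."""
    if "error" in resp:
        return "error:%s" % resp["error"].get("code")
    return "result:" + json.dumps(resp["result"], sort_keys=True)


def cross_client_oracle(calls, clients):
    """Return [(call, {client: canonical response})] for calls on which clients disagree."""
    findings = []
    for call in calls:
        answers = {name: canonical(handle(call)) for name, handle in clients}
        if len(set(answers.values())) > 1:
            findings.append((call, answers))
    return findings


def run():
    """Generate context-aware calls, send them to all stand-ins, report disagreements."""
    clients = [make_client("client_a"), make_client("client_b"),
               make_client("client_c", balance_quirk=True)]
    return cross_client_oracle(generate_calls(CONTEXT, TEMPLATES), clients)


if __name__ == "__main__":
    for call, answers in run():
        print(call["method"], call["params"], answers)
```

The oracle compares error codes but ignores error messages, because message wording legitimately differs between implementations and would otherwise drown the real discrepancies; `result` payloads are compared after key sorting for the same reason. Against real nodes, each `handle` function would be replaced by an HTTP POST of the request object to that node's JSON-RPC endpoint, and a disagreement is a candidate bug to triage against the specification, not a confirmed one.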
Experimental Results
Research Questions
- RQ1: How to automatically generate blockchain contexts that trigger context-dependent RPC bugs?
- RQ2: How to efficiently explore the RPC parameter space to reveal bugs across multiple Ethereum clients?
- RQ3: Do context-aware RPC tests detect more RPC bugs than prior detectors?
- RQ4: Can new RPC bugs be found and reported to developers using EthCRAFT?
- RQ5: What is the impact of decoupled off-chain context exploration on testing efficiency?
Main Findings
- EthCRAFT outperforms prior RPC detectors by identifying more bugs on a real-world dataset of 30 reported RPC bugs.
- The framework discovered six new RPC bugs across major Ethereum clients.
- Three of the new bug reports earned vulnerability bounties from the Ethereum Foundation.
- One bug fix was incorporated as a breaking change in a client update.
- Bug fixes demonstrate practical impact on client reliability and security.
This summary was generated by AI and reviewed by a human editor.