Decentralized Finance enables many novel applications that were impossible in traditional finances. However, it also introduces new types of vulnerabilities, such as composability bugs. The composability bugs refer to issues that lead to erroneous behaviors when multiple smart contracts operate together. One typical example of composability bugs is those between token contracts and Constant Product Market Makers (CPMM), the most widely used model for Decentralized Exchanges. Since 2022, 23 exploits of such kind have resulted in a total loss of 2.2M USD. BlockSec, a smart contract auditing company, once reported that 138 exploits of such kind occurred just in February 2023. We propose CPMM-Exploiter, which automatically detects and generates end-to-end exploits for CPMM composability bugs. Generating such end-to-end exploits is challenging due to the large search space of multiple contracts and various fees involved with financial services. To tackle this, we investigated real-world exploits regarding these vulnerabilities and identified that they arise due to violating two safety invariants. Based on this observation, we implemented CPMM-Exploiter, a new grammar-based fuzzer targeting the detection of these bugs. CPMM-Exploiter uses fuzzing to find transactions that break the invariants. It then refines these transactions to make them profitable for the attacker. We evaluated CPMM-Exploiter on two real-world exploit datasets. CPMM-Exploiter obtained recalls of 0.91 and 0.89, respectively, while five baselines achieved maximum recalls of 0.36 and 0.58, respectively. We further evaluated CPMM-Exploiter by running it on the latest blocks of the Ethereum and Binance networks. It successfully generated 18 new exploits, which can result in 12.9K USD profit in total.

翻译：去中心化金融（DeFi）催生了诸多传统金融中无法实现的新型应用，但也引入了全新类型的漏洞，例如可组合性缺陷。可组合性缺陷是指多个智能合约协同运行时导致错误行为的缺陷。典型的可组合性缺陷存在于代币合约与恒定乘积做市商（CPMM）之间——这是去中心化交易所最广泛使用的模型。自2022年以来，此类漏洞的23起攻击事件已造成总计220万美元的损失。智能合约审计公司BlockSec曾报告仅2023年2月就发生了138起此类攻击。我们提出CPMM-Exploiter系统，可自动检测并生成针对CPMM可组合性缺陷的端到端攻击利用代码。生成此类端到端攻击的挑战在于多合约的庞大搜索空间及金融服务中涉及的各种费用。为此，我们分析了针对这些漏洞的真实攻击案例，发现其根源在于违反了两条安全不变式。基于这一发现，我们实现了CPMM-Exploiter——一种新型的基于语法的模糊测试工具，专门用于检测这些漏洞。CPMM-Exploiter通过模糊测试发现打破不变式的交易，进而优化这些交易以使其能为攻击者创造收益。我们在两个真实攻击数据集上评估CPMM-Exploiter，其召回率分别达到0.91和0.89，而五个基线方法的最高召回率仅为0.36和0.58。我们进一步在以太坊和币安网络的最新区块上运行CPMM-Exploiter进行评估，成功生成了18个新攻击样本，总计可产生12,900美元的潜在收益。