Smart contracts, the cornerstone of decentralized applications, have become increasingly prominent in revolutionizing the digital landscape. However, vulnerabilities in smart contracts pose great risks to user assets and undermine overall trust in decentralized systems. But current smart contract fuzzers fall short of expectations in testing efficiency for two primary reasons. Firstly, smart contracts are stateful programs, and existing approaches, primarily coverage-guided, lack effective feedback from the contract state. Consequently, they struggle to effectively explore the contract state space. Secondly, coverage-guided fuzzers, aiming for comprehensive program coverage, may lead to a wastage of testing resources on benign code areas. This wastage worsens in smart contract testing, as the mix of code and state spaces further complicates comprehensive testing. To address these challenges, we propose Vulseye, a stateful directed graybox fuzzer for smart contracts guided by vulnerabilities. Different from prior works, Vulseye achieves stateful directed fuzzing by prioritizing testing resources to code areas and contract states that are more prone to vulnerabilities. We introduce Code Targets and State Targets into fuzzing loops as the testing targets of Vulseye. We use static analysis and pattern matching to pinpoint Code Targets, and propose a scalable backward analysis algorithm to specify State Targets. We design a novel fitness metric that leverages feedback from both the contract code space and state space, directing fuzzing toward these targets. With the guidance of code and state targets, Vulseye alleviates the wastage of testing resources on benign code areas and achieves effective stateful fuzzing. In comparison with state-of-the-art fuzzers, Vulseye demonstrated superior effectiveness and efficiency.

翻译：智能合约作为去中心化应用的基石，在数字领域的革新中日益凸显其重要性。然而，智能合约中的漏洞对用户资产构成重大风险，并削弱了对去中心化系统的整体信任。当前智能合约模糊测试工具在测试效率方面未能达到预期，主要基于两个原因：首先，智能合约是状态化程序，而现有方法（主要为覆盖率导向型）缺乏来自合约状态的有效反馈，因此难以有效探索合约状态空间；其次，覆盖率导向的模糊测试工具以全面覆盖程序代码为目标，可能导致测试资源在良性代码区域上的浪费。这种浪费在智能合约测试中更为严重，因为代码空间与状态空间的交织使得全面测试进一步复杂化。为应对这些挑战，我们提出Vulseye——一种基于漏洞导向的状态感知定向灰盒模糊测试工具。与先前工作不同，Vulseye通过将测试资源优先分配给更易存在漏洞的代码区域和合约状态，实现了状态感知定向模糊测试。我们在模糊测试循环中引入代码目标与状态目标作为Vulseye的测试对象：通过静态分析与模式匹配精确定位代码目标，并提出可扩展的后向分析算法以确定状态目标。我们设计了一种新颖的适应度度量方法，利用来自合约代码空间和状态空间的双重反馈，将模糊测试导向这些目标。在代码目标与状态目标的引导下，Vulseye缓解了测试资源在良性代码区域的浪费问题，实现了高效的状态感知模糊测试。与最先进的模糊测试工具相比，Vulseye展现出更优越的检测效能与测试效率。