Abstract
In Ethereum, DevP2P is the fundamental network-layer protocol set that supports consensus mechanisms, transaction propagation and smart contract execution. Because of the importance of DevP2P, its bugs can be exploited by an attacker to cause security problems such as denial of service, leading to financial loss on Ethereum. However, existing blockchain testing approaches focus on bug detection in the consensus and application layers, so many serious DevP2P bugs are missed. Detecting DevP2P bugs raises two key challenges: how to generate effective inputs and how to detect complex bugs. This paper designs D2PFuzz, the first network-layer differential fuzzing approach for bug detection in Ethereum. It consists of two key techniques: (1) a query-based fuzzing strategy that dynamically generates valid DevP2P messages according to network, chain and node state changes; and (2) a multi-node differential checking method that identifies significant differences among the DevP2P response messages returned by multiple nodes on the same blockchain, in order to detect semantic bugs. We have evaluated D2PFuzz on five open-source and popular Ethereum node implementations: Geth, Erigon, Reth, Besu and Nethermind. D2PFuzz finds 15 unique bugs in total, 12 of which were previously unknown. Compared to two state-of-the-art blockchain testing approaches, LOKI and Hive, D2PFuzz improves testing coverage by 3.7x and 21.6x, respectively, and finds 13 bugs missed by these approaches.
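The multi-node differential check described in technique (2) can be illustrated with a small majority-vote comparator. This is an added example, not code from the D2PFuzz paper: the node names, the response layout (a request id plus a list of header hashes standing in for a BlockHeaders reply) and the ignored-field list are all assumptions constructed for the illustration.

```python
"""Toy multi-node differential checker for DevP2P-style responses.
Added illustration only; not the D2PFuzz implementation."""
from collections import Counter
from typing import Any

# Constructed sample: one hypothetical header query sent to four nodes.
# Each reply is modelled as a request id plus the header hashes returned.
# Node names and values are invented stand-ins, not real client output.
SAMPLE_RESPONSES = {
    "node-a": {"request_id": 7, "headers": ["0xaaa", "0xbbb", "0xccc"]},
    "node-b": {"request_id": 7, "headers": ["0xaaa", "0xbbb", "0xccc"]},
    "node-c": {"request_id": 7, "headers": ["0xaaa", "0xbbb"]},  # truncated reply
    "node-d": {"request_id": 7, "headers": ["0xaaa", "0xbbb", "0xccc"]},
}

# Fields that legitimately differ between implementations or connections
# and therefore must not count as a semantic difference (assumed set).
IGNORED_FIELDS = {"request_id"}


def canonicalize(response: dict[str, Any]) -> tuple:
    """Reduce a response to a hashable, order-stable form for comparison."""
    return tuple(sorted((k, tuple(v) if isinstance(v, list) else v)
                        for k, v in response.items() if k not in IGNORED_FIELDS))


def find_divergent_nodes(responses: dict[str, dict]) -> dict:
    """Return {node: canonical_response} for nodes disagreeing with the majority.

    When a strict majority of nodes agree, the minority are reported as
    semantic-bug candidates for triage. When no strict majority exists the
    comparison is inconclusive and every node is returned for manual review.
    """
    canon = {node: canonicalize(r) for node, r in responses.items()}
    tally = Counter(canon.values())
    majority, count = tally.most_common(1)[0]
    if count * 2 <= len(canon):  # no strict majority among the nodes
        return dict(canon)
    return {node: c for node, c in canon.items() if c != majority}


if __name__ == "__main__":
    for node, c in find_divergent_nodes(SAMPLE_RESPONSES).items():
        print(f"divergent: {node}: {c}")
```

A real harness would feed every fuzzed query to all nodes under test and run this comparison on each round of replies, keeping the divergent cases as the bug reports to triage.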
| Original language | English |
|---|---|
| Pages (from-to) | 578-591 |
| Number of pages | 14 |
| Journal | IEEE Transactions on Information Forensics and Security |
| Volume | 21 |
| DOIs | |
| State | Published - 2026 |
Keywords
- Blockchain system
- P2P network
- fuzzing
- network protocol
- software security