ityfuzz icon indicating copy to clipboard operation
ityfuzz copied to clipboard

Published 20 hours ago verified publisher icon fuzzland

New code insertion is inconsistent with middlewares

Open plotchy opened this issue 1 year ago • 3 comments
trafficstars

I've been looking to add in a middleware that does contract analysis whenever new code is discovered. I looked for similar ideas that already are in the codebase, but many implementations are inconsistent. Want to note these down.

I think the best thing to do is use invoke_middleware!(..., on_insert) consistently everywhere possible.

Coverage middleware

✅ uses on_insert as middleware step. 👎 in evm_fuzzer(), it specifically calls out coverage.on_insert rather than invoking all middleware with invoke_middleware!(..., on_insert) https://github.com/fuzzland/ityfuzz/blob/98407247b8bb5c38d7e2713fa822123f72e25d4b/src/fuzzers/evm_fuzzer.rs#L303-L311

Flashloan middleware

👎 uses on_contract_insertion() rather than on_insert() for contract code 👎 uses handle_contract_insertion!() macro

invoke_middleware!()

👎 specifically references flashloan middleware rather than doing it in the middleware iteration https://github.com/fuzzland/ityfuzz/blob/98407247b8bb5c38d7e2713fa822123f72e25d4b/src/evm/host.rs#L984-L1008

bytecode_analyzers::add_analysis_result_to_state()

This is done to add ConstantHints to dictionary ✅ done on contracts ityfuzz inits with corpus_initializer.rs::initialize_contract() ✅ done on newly loaded onchain code in load_code() 👎 not done on newly deployed code through the CREATE and CREATE2 opcodes in runtime

Host set_code()

✅ done on contracts ityfuzz inits with corpus_initializer.rs::initialize_contract() ✅ done on newly loaded onchain code in load_code() ✅ done on newly deployed code through the CREATE and CREATE2 opcodes in runtime ✅ calls invoke_middleware!(..., on_insert) 👎 doesn't call bytecode_analyzers::add_analysis_result_to_state()

plotchy avatar May 21 '24 17:05 plotchy

Nice catches.

I think the best thing to do is use invoke_middleware!(..., on_insert) consistently everywhere possible.

I agree. @shouc Can you confirm if there's specific concerns not using invoke_middleware or just out of date code?

publicqi avatar May 22 '24 00:05 publicqi

Yeah I agree. The reason that flashloan middleware is left alone is because flashloan middleware is used in each fuzzing iteration to record the fund changes. Going through a loop every iteration just to find flashloan middleware is a bit costly.

👎 not done on newly deployed code through the CREATE and CREATE2 opcodes in runtime

This is ignored because we found adding created contracts during fuzzing can significantly impact the performance. For example, when fuzzing Uniswap Factory, it would deploy millions of pools (contracts), which would stall the fuzzer. Also, these contracts created on the fly are not added to the state but instead directly added to the shared code hashmap used by all states. So, ItyFuzz disallows creating contracts during fuzzing.

shouc avatar May 25 '24 03:05 shouc

Maybe add a flag to not ignore CREATE and CREATE2? In some situations you may want to sacrifice some performance to find a vulnerability or break an invariant which is possible only when a new contract is created dynamically.

Raz0r avatar Jun 10 '24 09:06 Raz0r