Open-source differential fuzzing of Ethereum 2.0 Phase 0 implementations. Maintained by Sigma Prime for the Ethereum Foundation.
A differential fuzzer of Eth2.0 implementations using libfuzzer. By default, fuzzing progresses indefinitely unless an implementation panics or differing output is identified.
This is a continuation of Guido Vranken's eth2.0-fuzzing.
This project and its inner workings are subject to change.
A note on terminology: "client" and "implementation" are used interchangeably here to mean a specific Eth2 implementation.
This README focuses on our differential fuzzing effort, please refer to eth2fuzz for panic/crashes detection.
For details on our community fuzzing initative, please refer to the eth2fuzz README, along with this blog post.
Currently fuzzes against Eth2 v0.10.1 python or Go executable specs
(pyspec or zrnt)
- Lighthouse (rust)
- Nimbus (nim)
- pyspec (python)
- Trinity (python)
- zrnt (go)
(and their relevant spec function)
All currently use the "mainnet" config: https://github.com/ethereum/eth2.0-specs/blob/v0.10.1/configs/mainnet.yaml
attestation-process_attestationattester_slashing-process_attester_slashingblock-state_transitionblock_header-process_block_headerdeposit-process_depositproposer_slashing-process_proposer_slashingshuffle-compute_shuffled_indexvoluntary_exit-process_voluntary_exit
See corpora repository for explanation of input structure.
See corpora for examples and explanation of structure.
Quickstart:
$ git clone --depth 1 --recurse-submodules https://github.com/sigp/beacon-fuzz.git
$ git clone --depth 1 https://github.com/sigp/beacon-fuzz-corpora.git
$ cd beacon-fuzz
$ sudo ./runfuzzer.sh block_header ../beacon-fuzz-corpora/0-9-1/mainnet/block_header/ ../beacon-fuzz-corpora/0-9-1/mainnet/beaconstateInteractive usage:
$ git clone --depth 1 --recurse-submodules https://github.com/sigp/beacon-fuzz.git
$ cd beacon-fuzz
$ sudo docker build . -t beacon_fuzz
$ sudo docker run -it beacon_fuzz bash
# git clone --depth 1 https://github.com/sigp/beacon-fuzz-corpora.git
# export ETH2_FUZZER_STATE_CORPUS_PATH="/eth2/beacon-fuzz-corpora/0-9-1/mainnet/beaconstate"
# /eth2/fuzzers/attestation/fuzzer /eth2/beacon-fuzz-corpora/0-9-1/mainnet/attestationUse jobs=N to run N simultaneous jobs (by default in num_cpu_cores/2 processes).
Use help=1 for more arguments (see also libfuzzer docs)
- Improved onboarding, ease of adding new targets and implementations
- Improved coverage measurements and visibility
- Deploy on dedicated production fuzzing infrastructure
- Structure-aware fuzzing mutations
Use pre-commit
$ pre-commit install(see also .pre-commit-config.yaml)
If build fails, comment the RUN /eth2/build.sh in Dockerfile, and run it manually from within the container.
Can adjust Makefiles as needed.
It is generally fine to run build.sh multiple times, and previously built components will be ignored.
This is quicker than re-running ./build.sh and is useful when troubleshooting specific build issues.
After running build.sh once, a file /eth2/exported_env.sh will be created.
Sourcing this will ensure you have all the environment variables required by the Makefiles.
NOTE: the fuzzer's Makefiles do not currently identify changes to dependent file outside of the fuzzers directory.
So, for example, a change to a dependent file in ./files/lib will require a make clean (or equivalent) for the modifications to be visible.
The following make variable flags are exposed (and are enabled by setting them to anything other than ''):
e.g. make BFUZZ_NO_DISABLE_BLS=1 all
BFUZZ_NO_DISABLE_BLS- don't disable bls verification
See pyspec harness.pys for a succinct, readable harness implementation example without much boilerplate.
For state transition functions, each client should expect to receive a correctly-encoded SSZ container containing a BeaconState,
and an input object relevant for the transition. (As described in https://github.com/sigp/beacon-fuzz-corpora/blob/master/0-8-3/README.md,
except state_id has been replaced with a corresponding BeaconState.)
Please panic/abort if SSZ decoding fails, as this indicates an error in preprocessing or the SSZ libraries.
e.g. even though a client implementing the Attestation fuzz target can expect to receive any arbitrary Attestation object,
it should be in the form of a validly-encoded SSZ blob.
Currently clients will only receive known, valid BeaconStates (from ETH2_FUZZER_STATE_CORPUS_PATH) so the actual fuzzing/mutation is performed with the other part of the input.
This is because clients generally maintain their own BeaconStates, so don't expect to receive arbitrary states from untrusted sources.
(It is also highly unlikely that current mutation will ever produce a valid BeaconState)
There are 3 types of results/outputs that a client is expected to return to the fuzzer:
- A bytestring/bytearray/blob (usually a SSZ-encoding of the
BeaconStatepost-transition). - An error result (usually a
nullptr,NoneorFalseequivalent).
- To be returned when the operation failed but the client is in a consistent state (e.g. supplied Attestation data does not refer to an appropriate epoch).
- The c++ module returns this as a
std::nullopt. - This is necessary to differentiate from the few cases where an empty bytestring is a valid and successful result e.g. shuffling an empty list.
- Abort/panic.
- To occur when a client is in an inconsistent state and indicates a bug is present.
- Python editable installs in Venvs aren't detected.
The fuzzing tools developed as part of this project (eth2fuzz, eth2diff and beacon) helps to find the following bugs inside eth2 clients.
- Nimbus:
process_attestationmissing index validation fixed - Nimbus:
process_depositnot validating merkle proofs fixed - Nimbus:
ncli_prettyDepositSSZ parsingAssertionErrorfixed - Nimbus:
ncli_prettyBytes ReaderIndexErrordecodingBeaconStatewith empty container fixed - Nimbus:
ncli_prettyBytes ReaderIndexErrordecodingBeaconStatewith variable list reporting 0 length fixed - Nimbus:
ncli_transitionout of memory segfault duringprocess_final_updatesfixed - Nimbus:
ncli_transitionAssertionErrordue to inconsistent aggregation bits and committee length when passed invalidBeaconStateandBeaconBlock(See 1) fixed - Nimbus:
ncliIndexErrordecoding 0-byte SSZ BitList fixed - Nimbus:
IndexErrorduringAttesterSlashingprocessing fixed
- Teku: infinite loop when decoding SSZ
BitListwithout "end-of-list" marker bit fixed - Teku: transition subcommand raising
IllegalArgumentExceptioninstead of logging when passed invalid SSZ fixed - Teku: transition subcommand raising
IllegalArgumentExceptioninstead of logging when passed invalid SSZ fixed - Teku:
IndexOutOfBoundsExceptionwhen SSZ decoding 0-byteBitListfixed - Teku:
IndexOutOfBoundsExceptionwhen passed invalidBeaconStateand committee size is inconsistent with attestation aggregation bits. (See 1) fixed - Teku:
ArrayIndexOutOfBoundsExceptioninAttesterSlashingprocessing
- Lighthouse: out-of-bounds offset in variable list SSZ decoding fixed
- Lighthouse: multiplication overflow in
compute_proposer_index(See 1) fixed - Lighthouse: ENR panic fixed
- Lighthouse: Underflow in Snappy (external dependency) fixed
- Lodestar:
TypeErrorwhen SSZ decoding aBlockwith invalidBigIntparent scope fixed - Lodestar:
RangeErrorwhen SSZ decoding an emptyBlockcontainer - Lodestar:
TypeErrorwhen decoding invalidENRstring fixed - Lodestar:
TypeError: public key must be a Bufferwhen decoding invalidENRstring fixed - Lodestar: memory exhaustion / OOM when parsing invalid
ENRstring
- Prysm:
panic: runtime error: slice bounds out of rangewhen parsing SSZ container fixed - Prysm:
panic: runtime error: nil pointer dereferencewhen processing ProposerSlashing fixed
1: NOTE BeaconState objects are considered trusted inputs (for the moment), so client state transition functions are not expected to handle invalid BeaconState values, for now.
MIT - see LICENSE