
FuzzDelSol: Binary Fuzzing for Solana Contracts

Updated 8 October 2025
  • FuzzDelSol is a binary-only, coverage-guided fuzzer that targets Solana smart contracts by analyzing eBPF bytecode without source code.
  • It integrates Solana runtime emulation and dynamic taint tracking to accurately simulate account states and detect vulnerabilities.
  • Empirical evaluation on 6049 contracts demonstrates high bug-finding capacity, with reproducible exploit reporting and minimal false positives.

FuzzDelSol designates a binary-only, coverage-guided fuzzing architecture targeting Solana smart contracts, distinguishing itself by performing security analysis directly on Solana contract binaries (eBPF bytecode), with no dependence on source code. FuzzDelSol faithfully models Solana’s runtime, including account and ledger state emulation, program-derived address (PDA) manipulation, transaction structure constraints, and precise handling of cross-program invocations (CPIs). Its architecture comprises several coordinated components that enable high-precision fuzzing and bug discovery across the Solana ecosystem. Evaluation results on 6049 mainnet contracts demonstrate both high applicability—unencumbered by source access limitations—and strong bug-finding capacity, with tightly integrated, reproducible exploit reporting (Smolka et al., 2023).

1. Architectural Overview of FuzzDelSol

FuzzDelSol consists of four tightly integrated components:

  • Blockchain Emulator: Constructs a valid Solana ledger snapshot, instantiating all necessary accounts (target program, wallets, sysvar accounts, non-executable accounts) to enable analyzed smart contracts to execute with authentic state. The emulator handles PDAs and ensures inclusion of relevant public keys and runtime-specific state.
  • Transaction Generator: Converts fuzzer-generated byte sequences into protocol-conformant Solana transactions—specifying account lists, signatures, slot/blockhashes, and instruction formats. The generator incorporates feedback on account and PDA structures from the emulator, producing transactions that are both valid and reproducible.
  • RunDelSol: An instrumented Solana runtime that executes eBPF smart contract binaries. RunDelSol provides:
    • Control-flow coverage instrumentation via edge indexing: $i \leftarrow (\text{src} + \text{dst}) \bmod s$, where src and dst are the program counters at the two ends of a control-flow edge and $s$ is the coverage array length.
    • Taint tracking for data originating from account inputs and PDAs, allowing fine-grained mapping of data flow throughout binary execution.
    • Bug oracles invoked in situ for vulnerability detection.
    • Support for CPIs with proper inter-VM communication and native syscall emulation.
  • Transaction Evaluator: Aggregates coverage feedback, taint data, and oracle outputs from RunDelSol; guides subsequent fuzzing iterations; and, upon detecting bugs, generates comprehensive vulnerability reports with full ledger and transaction replay details.

The explicit binary-only approach is necessitated by Solana’s prevalent closed-source contract deployment. FuzzDelSol achieves semantic insight via dynamic instrumentation and taint analysis without disassembly, source, or high-level symbol information.

2. Addressing Solana-Specific Security Analysis Challenges

Solana’s stateless contract model (on-chain code, off-chain state in external accounts) introduces unique fuzzing and vulnerability analysis obstacles:

  • Ledger State and Statelessness: All relevant data for contract execution reside off-chain in accounts external to the code. The emulator must correctly simulate the entire account state to exercise all relevant code paths during fuzzing.
  • Transaction Structure and Replay: Valid transaction construction (account order, PDA selection, sysvar account inclusion, required signatures) is stringently enforced on-chain. FuzzDelSol ensures all generated transactions remain valid and fully replayable.
  • Cluster and Environmental Data: Programs frequently query sysvar accounts for dynamic parameters (e.g., lamport pricing, clock state). The emulator must provide consistent, realistic sysvar state to accurately mimic real network execution.
  • PDAs and Cryptographic Paths: Many contracts use Solana’s PDA mechanism for internal account authentication. Taint tracking and PDA extraction logic in FuzzDelSol guarantees that attacker- and user-controlled PDAs can be robustly explored in fuzzing campaigns.
  • Cross-Program Invocation Semantics: Proper handling of CPIs (calls between programs) is essential for surfacing vulnerabilities involving on-chain contract composition. RunDelSol provides inter-VM execution with taint propagation.

These capabilities enable FuzzDelSol to uncover bugs that manifest only in the presence of realistic account state and protocol-specific runtime interactions.

3. Binary Instrumentation, Semantic Extraction, and Taint Analysis

The absence of source code or ABI descriptors in ~98% of Solana contracts necessitates low-level binary analysis strategies:

  • Coverage Instrumentation: Edge coverage is tracked using the index $i \leftarrow (\text{src} + \text{dst}) \bmod s$. All basic blocks and control flow transitions are monitored, enabling coverage-guided input selection.
  • Dynamic Taint Tracking: Every access to memory/registers containing account data, return values from PDA syscalls, or potentially attacker-controlled input is traced. Taint information propagates through registers and arithmetic, exposing the full dataflow from external input into contract logic.
  • Program Semantic Extractors:
    • PDA Seed Extraction: Taint analysis reveals how seed material (public keys, static data) enters PDA derivation, enabling the transaction generator to construct valid, fuzzable PDAs.
    • Account Structure Extraction: The system determines fields and layout of account data by following how and where public keys and related structures are accessed in memory, supporting attacker-controlled input synthesis.
  • Oracle Integration: All bug oracles operate directly on traces of eBPF instructions, guided by taint information, discovering vulnerabilities even in the absence of symbol or type metadata.
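The following Rust program is an added illustration of the two instrumentation ideas from sections 1 and 3; it is not code from the FuzzDelSol paper or from RunDelSol. It runs a toy register machine (a stand-in for eBPF, with a made-up instruction set) and, on every control-flow transition, bumps a coverage array at the index $i \leftarrow (\text{src} + \text{dst}) \bmod s$, while a taint bit per register records whether a value derives from account data. The coverage array length, the sample program, and the account contents are constructed values.

```rust
/// Coverage array length s (a constructed value for this example).
pub const COVERAGE_SIZE: usize = 64;

/// A toy register-machine instruction set standing in for eBPF (assumption for the example).
#[derive(Clone, Copy, Debug)]
pub enum Instr {
    /// r[dst] = imm
    Mov(usize, u64),
    /// r[dst] = account_data[idx]; this is where external (account) input enters
    LoadAccount(usize, usize),
    /// r[dst] = r[dst] + r[src], wrapping like eBPF add64
    Add(usize, usize),
    /// jump to target if r[reg] == 0
    Jz(usize, usize),
    /// unconditional jump
    Jmp(usize),
    /// stop execution
    Exit,
}

/// Edge index from the text: i <- (src + dst) mod s.
pub fn edge_index(src: usize, dst: usize, s: usize) -> usize {
    (src + dst) % s
}

pub struct Vm {
    pub regs: [u64; 8],
    /// one taint bit per register: true when the value derives from account data
    pub taint: [bool; 8],
    /// hit counts per edge index (the coverage array of length s)
    pub coverage: [u32; COVERAGE_SIZE],
    account_data: Vec<u64>,
}

impl Vm {
    pub fn new(account_data: Vec<u64>) -> Self {
        Vm { regs: [0; 8], taint: [false; 8], coverage: [0; COVERAGE_SIZE], account_data }
    }

    /// Execute until Exit, an out-of-range pc, or `max_steps` (a guard against
    /// fuzz inputs that drive the program into a loop).
    pub fn run(&mut self, program: &[Instr], max_steps: usize) {
        let mut pc = 0usize;
        for _ in 0..max_steps {
            let instr = match program.get(pc) {
                Some(&i) => i,
                None => return,
            };
            let next = match instr {
                Instr::Mov(d, imm) => {
                    self.regs[d] = imm;
                    self.taint[d] = false; // constants are untainted
                    pc + 1
                }
                Instr::LoadAccount(d, idx) => {
                    self.regs[d] = self.account_data.get(idx).copied().unwrap_or(0);
                    self.taint[d] = true; // taint source: account input
                    pc + 1
                }
                Instr::Add(d, s) => {
                    self.regs[d] = self.regs[d].wrapping_add(self.regs[s]);
                    self.taint[d] = self.taint[d] || self.taint[s]; // taint propagates through arithmetic
                    pc + 1
                }
                Instr::Jz(r, target) => if self.regs[r] == 0 { target } else { pc + 1 },
                Instr::Jmp(target) => target,
                Instr::Exit => return,
            };
            // Every taken edge, including fall-through, is recorded at its index.
            self.coverage[edge_index(pc, next, COVERAGE_SIZE)] += 1;
            pc = next;
        }
    }

    /// Distinct edge indices hit so far: the signal a coverage-guided fuzzer compares between inputs.
    pub fn edges_hit(&self) -> usize {
        self.coverage.iter().filter(|&&c| c > 0).count()
    }
}

/// Constructed sample program: the branch at pc 3 depends on account data.
pub fn sample_program() -> Vec<Instr> {
    vec![
        Instr::LoadAccount(1, 0), // 0: r1 = account_data[0]
        Instr::Mov(2, 5),         // 1: r2 = 5
        Instr::Add(2, 1),         // 2: r2 += r1 (r2 becomes tainted)
        Instr::Jz(1, 5),          // 3: if r1 == 0 goto 5
        Instr::Mov(3, 1),         // 4: r3 = 1
        Instr::Exit,              // 5
    ]
}

fn main() {
    let program = sample_program();
    let mut vm = Vm::new(vec![7]); // constructed account contents
    vm.run(&program, 100);
    println!("edges hit: {}, r2 tainted: {}", vm.edges_hit(), vm.taint[2]);
}
```

Feeding the same program an account holding 0 instead of 7 takes the branch at pc 3 and lights up a different edge index, which is exactly the difference a coverage-guided scheduler uses to decide that an input is worth keeping. Note that the modular index can collide for distinct edges once a program has more edges than $s$; a real instrumentation layer sizes $s$ accordingly.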

4. Integrated Bug Oracles for Solana Vulnerability Classes

FuzzDelSol provides a suite of bug oracles, each implemented as a trace-level detector inside RunDelSol, to address Solana-specific security classes:

  • Missing Signer Check Oracle: Flags code paths where critical operations (lamport/state changes) are performed based on inputs for which proper 'signer' verification is absent.
  • Missing Owner Check Oracle: Detects insecure account modifications where the 'owner' property of an account is not validated against the executing program's address.
  • Arbitrary CPI Oracle: Alerts on cases where user-controlled data is used as a target for cross-program invocation, without proper authorization checks.
  • Missing Key Check Oracle: Identifies code that fails to compare critical account public keys before executing sensitive functionality (as in the historic Wormhole bug).
  • Integer Bugs Oracle: Triggers on integer overflow/underflow in arithmetic instructions, especially in the context of lamport (asset) transfers, via taint analysis.
  • Lamports-Based Oracle: Specifically tracks lamport transfer flows between user/attacker-labeled accounts in contract state transitions, flagging improper asset handling.

Each oracle operates with knowledge of account type (user, attacker, PDA) and provides actionable diagnostics for targeted contract vulnerabilities.
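To make the trace-level oracle idea concrete, here is an added Rust example (written for this page, not FuzzDelSol's own oracle code) that runs two simplified detectors over a constructed execution trace: a missing-signer-check oracle and an integer-bug oracle. The account roles (user, attacker, PDA), the `is_signer` flag per account, and the event shapes in the trace are assumptions chosen for the example; the sample accounts and trace are constructed.

```rust
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Role {
    User,
    Attacker,
    Pda,
}

/// Metadata the transaction generator knows about each account in the fuzzed transaction.
#[derive(Clone, Debug)]
pub struct AccountMeta {
    pub name: &'static str,
    pub role: Role,
    /// whether this account actually signed the fuzzed transaction
    pub is_signer: bool,
}

/// Events a trace-level oracle observes while the instrumented VM runs (assumed shapes).
#[derive(Clone, Copy, Debug)]
pub enum Event {
    /// lamports of account `account` changed by `delta` (negative = debit)
    LamportWrite { account: usize, delta: i128 },
    /// 64-bit add whose operands carry taint from external input
    TaintedAdd { a: u64, b: u64 },
    /// 64-bit sub whose operands carry taint from external input
    TaintedSub { a: u64, b: u64 },
}

#[derive(Clone, Debug, PartialEq, Eq)]
pub enum Finding {
    /// a user account lost lamports although it never signed the transaction
    MissingSignerCheck { account: &'static str },
    /// tainted arithmetic wrapped around in 64 bits
    IntegerBug { op: &'static str, a: u64, b: u64 },
}

pub fn run_oracles(accounts: &[AccountMeta], trace: &[Event]) -> Vec<Finding> {
    let mut findings = Vec::new();
    for ev in trace {
        match *ev {
            Event::LamportWrite { account, delta } => {
                let acc = &accounts[account];
                // Missing-signer-check oracle: the fuzzer sends the transaction
                // without the user's signature; if the program still debits the
                // user's account, no signer check guarded the transfer.
                if delta < 0 && acc.role == Role::User && !acc.is_signer {
                    findings.push(Finding::MissingSignerCheck { account: acc.name });
                }
            }
            // Integer-bug oracle: eBPF arithmetic wraps silently, so check whether
            // the exact result of the tainted operation fits in 64 bits.
            Event::TaintedAdd { a, b } => {
                if a.checked_add(b).is_none() {
                    findings.push(Finding::IntegerBug { op: "add", a, b });
                }
            }
            Event::TaintedSub { a, b } => {
                if a.checked_sub(b).is_none() {
                    findings.push(Finding::IntegerBug { op: "sub", a, b });
                }
            }
        }
    }
    findings
}

/// Constructed sample: a transfer where the attacker supplied the user's wallet
/// without a signature and an amount larger than the balance.
pub fn sample_accounts() -> Vec<AccountMeta> {
    vec![
        AccountMeta { name: "user_wallet", role: Role::User, is_signer: false },
        AccountMeta { name: "attacker_wallet", role: Role::Attacker, is_signer: true },
        AccountMeta { name: "vault_pda", role: Role::Pda, is_signer: false },
    ]
}

pub fn sample_trace() -> Vec<Event> {
    vec![
        Event::TaintedSub { a: 1_000, b: 5_000 },         // balance - amount underflows
        Event::LamportWrite { account: 0, delta: -5_000 }, // user debited without signing
        Event::LamportWrite { account: 1, delta: 5_000 },  // attacker credited
        Event::TaintedAdd { a: 10, b: 20 },                // benign
    ]
}

pub fn sample_findings() -> Vec<Finding> {
    run_oracles(&sample_accounts(), &sample_trace())
}

fn main() {
    for f in sample_findings() {
        println!("{:?}", f);
    }
}
```

The same trace with `is_signer` set to true on the user wallet yields only the integer finding, which is the property a report consumer wants: the signer oracle fires on the transaction shape the program should have rejected, not on every debit. A real detector also has to attribute the debit to the instruction that performed it so that the report can point at the offending eBPF trace location.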

5. Empirical Evaluation and Technical Results

FuzzDelSol was evaluated on 6049 mainnet Solana contracts:

  • Discovery Output: 92 bugs were reported across 52 contracts. 14 vulnerabilities were validated as exploitable, with only two false positives in direct, targeted follow-up studies.
  • Comparison with Source-Dependent Tools: VRust, which requires source code, was unable to scale to all contracts and exhibited a far higher false alarm rate compared to FuzzDelSol. Notably, FuzzDelSol is the only systematic tool applicable to closed-source binaries at scale.
  • Performance: FuzzDelSol achieved sustained throughputs exceeding 1500 transactions per second (with peaks over 5200 tx/s), while maintaining dynamic CFG coverage and guiding input selection accordingly.
  • Reporting and Reproducibility: Each bug report comprises a replayable ledger snapshot, full transaction data, and a detailed trace of runtime context, ensuring that vulnerabilities can be independently validated and used for remediation.

6. Broader Impact and Security Landscape for Solana

FuzzDelSol establishes a robust methodology and tooling baseline for security evaluation of Solana smart contracts under realistic deployment contexts:

  • First Binary-Only Coverage-Guided Fuzzer: Direct analysis of eBPF/ELF binaries closes a critical gap given the near-universal lack of source code in the Solana ecosystem.
  • Precise Handling of Ledger Semantics: Full ledger and runtime emulation allow the exercise of complex, multi-account contracts and the discovery of vulnerabilities not feasible to uncover with Ethereum- or EVM-focused approaches.
  • Impact on Ecosystem Security: The scale of the evaluation and reproducibility of findings facilitates practical bug remediation, academic analysis, and the development of best practices for future contract development.
  • Foundation for Future Research: The code instrumentation, runtime taint tracking, and oracle-driven architecture provide a template for extension to new Solana vulnerability classes and for adaptation to other stateless or account-driven blockchain platforms.

FuzzDelSol thereby both characterizes and advances the state of the art in binary-only security testing for Solana and serves as a definitive reference for high-assurance contract security in next-generation decentralized ecosystems (Smolka et al., 2023).
