RunDelSol: Binary Fuzzing for Solana

• RunDelSol is a runtime component that provides binary-level instrumentation for Solana smart contracts through control-flow and data-flow tracking.
• It extends the Solana eBPF runtime with features like edge coverage and taint tracking to enable precise, feedback-driven fuzzing without source code access.
• Empirical evaluations show high throughput and low false positives, validating its effectiveness in exposing vulnerabilities in stateless, binary-only contracts.

RunDelSol denotes the instrumented runtime component within the FuzzDelSol framework, a binary-only, coverage-guided fuzzing architecture designed for security analysis of Solana smart contracts (Smolka et al., 2023). Developed to address significant limitations inherent to the Solana ecosystem—including the dominance of closed-source contracts and unique stateless programming paradigms—RunDelSol facilitates precise vulnerability discovery at the binary level by extending the Solana eBPF runtime with control-flow and data-flow instrumentation. Its significance is underscored by large-scale empirical analysis, demonstrating both high throughput and precision in detecting contract vulnerabilities across over 6000 mainnet-deployed smart contracts.

1. Design Motivation and Context

Solana’s smart contract execution model departs fundamentally from platforms such as Ethereum due to three properties: the statelessness of program execution (with all mutability relegated to external “accounts”), a dominance of binary-only contracts (less than 2% are open-source), and the use of eBPF for program logic. These properties impose specific challenges on security analysis:

• No direct access to contract source code or high-level type information.
• Necessity to model program behavior, inter-account dependencies, and side effects—such as cross-program invocations (CPIs)—entirely at the bytecode level.
• Traditional fuzzers and static analyzers, optimized for Ethereum’s model, are inapplicable or inaccurate on Solana.

The RunDelSol runtime was thus engineered as the central execution and instrumentation engine for FuzzDelSol, enabling bytecode-level coverage tracking, taint analysis, and feedback-driven fuzzing without privileged semantic information. This allows for a generalizable, scalable solution to vulnerability discovery in existing and future Solana contracts.

2. Architecture and Execution Flow

The FuzzDelSol architecture is comprised of four principal modules: (1) Blockchain Emulator, (2) Transaction Generator, (3) RunDelSol (the instrumented runtime), and (4) Transaction Evaluator.

RunDelSol is implemented as an extension of the Solana eBPF runtime. It executes transactions against a simulated ledger state, providing:

• Edge Coverage Instrumentation: Control-flow transitions are tracked by inserting counters at all branch-related instructions (JMP, CALL, RET) in the eBPF bytecode. The branch index $i$ is calculated as $i \leftarrow (\text{src} + \text{dst}) \bmod s$, where $\text{src}$ and $\text{dst}$ are program counters and $s$ is the coverage array size. This supports feedback-driven corpus mutation.
• Integrated Taint Tracking Engine: All memory-to-register and register-to-memory data movements are tainted as they propagate through instructions, enabling dynamic tracking of security-relevant derivations and comparisons.
• Execution of Arbitrary Transaction Inputs: Crafted by the Transaction Generator, effectively random sequences of instructions and account arrangements can be interpreted, even in the absence of ABI or type/field metadata.

This instrumentation is inserted at runtime, requiring no source recompilation and maintaining compatibility with existing Solana eBPF binaries.

3. Stateless Model and Ledger Simulation

The stateless nature of Solana programs—that contract logic does not maintain internal state, but instead operates over externally-provided mutable accounts—requires accurate emulation of system state. The Blockchain Emulator:

• Constructs an initial ledger snapshot containing the target contract, user and attacker-controlled accounts, sysvar accounts for cluster configuration, and a program-derived address (PDA) generator.
• Models the intricate inter-account relationships necessary for authentic stateful program behavior (e.g., authority checks, transfer limits, sysvar queries).
• Facilitates rigorous checking of semantics such as correct signature verification ("signer check"), ownership verification ("owner check"), and PDA seed/derivation structure.

RunDelSol, as the runtime of the emulator, interprets the transaction with these simulated conditions, providing a fully isolated and replayable test environment.

4. Vulnerability Detection via Bug Oracles

Within RunDelSol, a system of bug oracles operates during instrumented execution to diagnose known and novel Solana-specific vulnerability classes, including:

Oracle	Vulnerability Type Detected	Detection Mechanism
Missing Signer Check	Account writes without signature verification	Taint analysis of account, pubkey
Missing Owner Check	Modification of non-owned accounts	Taint analysis, ownership lookup
Arbitrary Cross-Program	Unsafe cross-program invocations (CPI)	CALL instruction analysis
Missing Key Check	Absence of required sysvar/system account verification	Register comparison tracking
Integer Bugs	Overflow/underflow during lamport (SOL) transfers	Taint, register, value bounds
Lamports-based Oracle	Improper SOL (lamports) transfer to attacker	Account role + value tracking

RunDelSol leverages the taint tracking infrastructure to precisely relate security checks (or lack thereof) to subsequent state-altering instructions, e.g., observing whether a tainted "attacker-controlled" account is permitted to receive a transfer absent required validation.

5. Scaling and Evaluation

Extensive experiments validate RunDelSol’s scalability and precision:

• In controlled benchmarks (e.g., the Neodyme Breakpoint Workshop set), all artificially-injected bug types (MSC, MOC, ACPI, MKC, and integer bugs) were detected within seconds, with no false positives.
• Large-scale mainnet evaluation: 6049 closed-source smart contracts analyzed, yielding 92 plausible vulnerabilities across 52 programs; manual inspection of a subset indicated a low false alarm rate (~12.5%).
• High-throughput operation: exceeding 1500 transactions/s on average, peaking above 5200 transactions/s, critical for effective coverage-guided fuzzing over large contract and account state spaces.

Notably, RunDelSol uncovered the Wormhole missing key check vulnerability—one associated with a major real-world exploit—in under 40 seconds, demonstrating practical capability.

6. Broader Significance and Security Implications

RunDelSol’s binary-only, stateless-aware runtime model has several far-reaching implications:

• Establishes feasibility for security analysis—fuzzing, oracle-driven bug detection—of Solana programs at scale, without the need for privileged access to source code or ABI.
• Provides a modular foundation for further integration with advanced bug-finding techniques, e.g., symbolic execution or hybrid static-dynamic analysis, guided by empirical coverage profiles.
• Sets a precedent for security research into blockchains with externalized state semantics, potentially generalizable to other platforms using the account model.
• Encourages adoption of responsible disclosure and testing methodologies, as vulnerabilities found via RunDelSol can be deterministically replayed against test networks with identical account and transaction state.

7. Technical Specification: Coverage Formula

A central technical component is the deterministic calculation of control-flow edge coverage:

$i \leftarrow (\text{src} + \text{dst}) \bmod s$

where $\text{src}$ and $\text{dst}$ are the source and target instruction addresses (program counters) of a branch, and $s$ is the size of the global coverage array. This enables lightweight, high-throughput path feedback for the fuzzing loop without dependence on the structure or semantics of the program logic.

---

RunDelSol, as deployed within FuzzDelSol, exemplifies a blueprint for closed-source, feedback-driven security analysis of Solana contracts. By operating directly at the binary interface and facilitating modular, oracle-driven bug detection, it addresses the unique challenges imposed by stateless smart contract environments and provides a scalable, high-precision foundation for broader blockchain program security research and practice (Smolka et al., 2023).