DOI: 10.1145/3808157 ISSN: 2994-970X
ChainDelta: Automatic Patch-Based Exploit Generation for Ethereum with Fuzzing Agents
Mingxi Ye, Yuhong Nan, Zhijie Zhong, Jianzhong Su, Xingwei Lin, Peilin Zheng, Zibin Zheng

Given the critical nature of Ethereum, exploiting 1-day vulnerabilities that are patched but not yet widely deployed is essential. Meanwhile, Automatic Patch-based Exploit Generation (APEG) is a promising technique for this, as it helps developers understand root causes, verify fixes in downstream forks, and detect incomplete patches. However, existing exploit generation tools cannot work well for vulnerabilities on Ethereum due to three key unique challenges: (1) navigating complex and cross-language exploit paths hidden within patches, (2) synthesizing complicated and stateful environment configurations, and (3) handling non-deterministic inconsistencies between blockchain nodes that lead to false alarms.
To address these challenges, we introduce ChainDelta, a novel fuzzing agent framework driven by Large Language Models to automatically generate exploits based on Ethereum security patches. ChainDelta consists of three core modules: a directed fuzzer utilizes call graph analysis to guide testing towards vulnerable code based on the patch information; an agent-based environment fuzzer acts as an expert to automatically set up the necessary blockchain states to trigger vulnerabilities; and finally, a state-aware sanitizer performs differential analysis while monitoring the blockchain transient state to distinguish true inconsistencies from benign non-determinism.

We evaluate ChainDelta on a diverse benchmark with real-world patches, covering a wide range of types such as data racing and denial-of-service. ChainDelta successfully generated exploits with a 64% success rate and only a 15.8% false positive rate. An ablation study confirms the contribution of each module to the overall performance. To demonstrate its practical impact, we conducted a real-world auditing campaign on top of ChainDelta, leading to the discovery of four previously undisclosed vulnerabilities with bug bounties.
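The state-aware sanitizer's core idea, as an added illustration that is not the paper's code: compare two clients' responses only when both nodes are settled (same head, not syncing), drop an assumed list of benignly varying fields, and report a divergence only when it persists across repeated settled samples. The field names, the settledness rule and the sample data are hypothetical and constructed here.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Observation:
    client: str
    head: int        # block height the node has imported
    syncing: bool    # node still catching up with peers
    result: dict     # RPC response under comparison

# Fields assumed to differ benignly between clients (hypothetical list).
TRANSIENT_KEYS = frozenset({"timestamp", "peerCount"})

def normalize(result):
    return {k: v for k, v in result.items() if k not in TRANSIENT_KEYS}

def settled(a, b):
    """Comparison is meaningful only when both nodes sit at the same head and are not syncing."""
    return not a.syncing and not b.syncing and a.head == b.head

def classify_pair(a, b):
    if not settled(a, b):
        return "transient"
    return "consistent" if normalize(a.result) == normalize(b.result) else "inconsistent"

def classify_run(samples, min_confirmations=2):
    """samples: successive (obs_a, obs_b) pairs taken while re-querying both nodes.
    A divergence is a finding only if every settled sample disagrees and enough were taken."""
    verdicts = [classify_pair(a, b) for a, b in samples if classify_pair(a, b) != "transient"]
    if not verdicts:
        return "undetermined"
    if len(verdicts) >= min_confirmations and all(v == "inconsistent" for v in verdicts):
        return "inconsistent"
    if "inconsistent" in verdicts:
        return "suspicious"   # flaky: re-run before reporting
    return "consistent"

# Constructed run: first sample is taken while node B is still syncing,
# the next two are settled and disagree on the returned balance.
SAMPLE_RUN = [
    (Observation("A", 100, False, {"balance": 5, "timestamp": 1}),
     Observation("B", 98, True, {"balance": 5, "timestamp": 2})),
    (Observation("A", 100, False, {"balance": 5, "timestamp": 3}),
     Observation("B", 100, False, {"balance": 7, "timestamp": 4})),
    (Observation("A", 100, False, {"balance": 5, "timestamp": 5}),
     Observation("B", 100, False, {"balance": 7, "timestamp": 6})),
]

if __name__ == "__main__":
    print(classify_run(SAMPLE_RUN))
```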