• This repository has been archived on 04/Jun/2024
• Stars: 157
• Rank 238,399 (Top 5 %)
• Language: Rust
• License: MIT License
• Created about 5 years ago
• Updated 12 months ago


Differential Fuzzer for Ethereum 2.0

beacon-fuzz

Open-source fuzzing framework for Ethereum 2.0 (Eth2) Phase0 implementations. Maintained by Sigma Prime for the Ethereum Foundation.

Community Fuzzing

For details on our community fuzzing initiative, please refer to the eth2fuzz README, along with this blog post.

If you would like to raise any crashes or disclose any bugs identified using this project, please contact us via email and use our PGP key to encrypt sensitive messages.

Overview

This project aims to identify bugs and vulnerabilities in various Eth2 implementations by leveraging three different fuzzing tools.

This is a continuation of Guido Vranken's eth2.0-fuzzing. This project and its inner workings are subject to change.

A note on terminology: "client" and "implementation" are used interchangeably here to mean a specific Eth2 implementation.

Architecture overview

The following diagram describes the current architecture of beacon-fuzz:

eth2fuzz - Coverage Guided Fuzzer

The purpose of this tool is to identify crashes (i.e. panics) in Eth2 implementations. It uses multiple different fuzzing engines (AFL++, HonggFuzz, libFuzzer, etc.). By leveraging explicit code coverage, eth2fuzz allows us to flag SSZ containers that are of interest, i.e. those that trigger new code paths.

eth2diff - Replaying Samples Across Implementations

This tool leverages various state transition execution utilities (ncli, zcli, lci, etc.) that replay all samples generated from eth2fuzz. We've created dedicated Docker containers for each implementation, and one central Docker container to orchestrate the execution of eth2diff. The goal of this tool is to detect crashes and differences across all supported implementations, for any given set of inputs (BeaconState + BeaconBlock).

beaconfuzz_v2 - Differential Fuzzing with FFI Bindings

A differential fuzzer of Eth2.0 implementations using libfuzzer and honggfuzz.

This tool is the successor of Guido Vranken's eth2.0-fuzzing C++ project. It is developed in Rust (for ease of maintainability) and leverages Foreign Function Interface (FFI) bindings to call into each client.

By leveraging the latest updates to the libfuzzer-sys and cargo_fuzz crates, fuzz targets in this tool can take well-formed instances of custom types: the input type derives or implements the Arbitrary trait, which builds a structured value from the raw byte buffer supplied by the fuzzing engine.
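As an added illustration (not code from beacon-fuzz, and not the real `arbitrary` or `libfuzzer-sys` API), the following stand-alone Rust program sketches the two ideas described in the eth2diff and beaconfuzz_v2 sections above: a minimal `Arbitrary`-style decoder that turns a raw byte buffer into a well-formed structured input, and a differential check that runs the same input through two stand-in "clients" and reports any disagreement, the way eth2diff compares real implementations. The `FuzzInput` fields, the toy transition functions and the planted divergence in `client_b` are constructed for the example; the names `Unstructured`, `Arbitrary`, `FuzzInput`, `encode`, `client_a`, `client_b` and `fuzz_target` are hypothetical and do not come from the project.

```rust
// Added illustration, not beacon-fuzz code. `Unstructured` and `Arbitrary`
// mirror the idea behind the `arbitrary` crate but are reimplemented here so
// the example compiles with the standard library alone.

/// Cursor over the raw bytes a fuzzing engine hands to the target.
pub struct Unstructured<'a> {
    data: &'a [u8],
    pos: usize,
}

impl<'a> Unstructured<'a> {
    pub fn new(data: &'a [u8]) -> Self {
        Unstructured { data, pos: 0 }
    }

    /// Read a little-endian u64, or None once the buffer is exhausted, so a
    /// short input is rejected by the harness instead of counted as a crash.
    pub fn u64(&mut self) -> Option<u64> {
        let end = self.pos.checked_add(8)?;
        let bytes = self.data.get(self.pos..end)?;
        self.pos = end;
        let mut arr = [0u8; 8];
        arr.copy_from_slice(bytes);
        Some(u64::from_le_bytes(arr))
    }
}

/// A type that can be built as a well-formed value from raw bytes
/// (this is what `#[derive(Arbitrary)]` automates in the real crate).
pub trait Arbitrary: Sized {
    fn arbitrary(u: &mut Unstructured<'_>) -> Option<Self>;
}

/// Constructed stand-in for a (BeaconState, BeaconBlock) pair, reduced to the
/// three fields the toy transition below needs. Field names are illustrative.
#[derive(Debug, Clone, PartialEq)]
pub struct FuzzInput {
    pub state_slot: u64,
    pub block_slot: u64,
    pub deposit_count: u64,
}

impl Arbitrary for FuzzInput {
    fn arbitrary(u: &mut Unstructured<'_>) -> Option<Self> {
        Some(FuzzInput {
            state_slot: u.u64()?,
            block_slot: u.u64()?,
            // Keep the count inside a config-style bound so every decoded
            // value is a structurally valid input, never an encoding error.
            deposit_count: u.u64()? % 17,
        })
    }
}

/// Build a fuzz buffer for a known input (constructed sample data).
pub fn encode(state_slot: u64, block_slot: u64, deposit_count: u64) -> Vec<u8> {
    let mut v = Vec::with_capacity(24);
    for x in &[state_slot, block_slot, deposit_count] {
        v.extend_from_slice(&x.to_le_bytes());
    }
    v
}

/// Stand-in "client A": a block is processed only if it is strictly after the state's slot.
pub fn client_a(input: &FuzzInput) -> Result<u64, &'static str> {
    if input.block_slot <= input.state_slot {
        return Err("block slot not after state slot");
    }
    input.block_slot.checked_add(input.deposit_count).ok_or("slot arithmetic overflow")
}

/// Stand-in "client B" with a planted divergence: it also accepts a block at the
/// same slot as the state. Everything else matches client A.
pub fn client_b(input: &FuzzInput) -> Result<u64, &'static str> {
    if input.block_slot < input.state_slot {
        return Err("block slot not after state slot");
    }
    input.block_slot.checked_add(input.deposit_count).ok_or("slot arithmetic overflow")
}

/// Differential target: Err when the bytes do not decode into a well-formed
/// input, Ok(None) when both clients agree, Ok(Some(report)) on a divergence.
pub fn fuzz_target(data: &[u8]) -> Result<Option<String>, &'static str> {
    let mut u = Unstructured::new(data);
    let input = FuzzInput::arbitrary(&mut u).ok_or("input too short for FuzzInput")?;
    let a = client_a(&input);
    let b = client_b(&input);
    if a == b {
        Ok(None)
    } else {
        Ok(Some(format!("divergence on {:?}: client_a={:?} client_b={:?}", input, a, b)))
    }
}

fn main() {
    // Constructed samples: one where the clients agree, one that exposes the divergence.
    for data in vec![encode(5, 6, 3), encode(5, 5, 3)] {
        match fuzz_target(&data) {
            Ok(None) => println!("agree"),
            Ok(Some(report)) => println!("{}", report),
            Err(e) => println!("skipped: {}", e),
        }
    }
}
```

The decoding step is what makes the fuzzing structure-aware: the engine still mutates raw bytes, but every buffer long enough to decode yields a syntactically valid input, so the clients' time is spent on transition logic rather than on rejecting malformed encodings. A real harness would replace `client_a`/`client_b` with FFI calls into the implementations under test and treat any panic on one side, or any `Ok`/`Err` mismatch, as a finding to triage.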

Implementations

Operational Fuzz Targets

This project currently focuses on core state transition functions. All fuzzing targets currently use the "mainnet" config.

Corpora

See corpora for examples and explanation of structure.

Usage

Please refer to each tool's README for detailed instructions.

Progress and Roadmap

  • Development of eth2fuzz
  • Development of eth2diff
  • Development of beaconfuzz_v2
    • Integration of Prysm
    • Integration of Lighthouse
    • Integration of Nimbus
    • Integration of Teku
  • Improved onboarding, ease of adding new targets and implementations
  • Improved coverage measurements and visibility
  • Structure-aware fuzzing mutations in beaconfuzz_v2
  • Deploy on dedicated production fuzzing infrastructure

The Beacon Fuzz team regularly posts updates on the Sigma Prime blog. The latest update is available here.

Contributing

Use pre-commit

$ pre-commit install

(see also .pre-commit-config.yaml)

Trophies

The fuzzing tools developed as part of this project (eth2fuzz, eth2diff and beaconfuzz_v2) helped identify the following bugs inside eth2 clients.

Nimbus

Trinity

Teku

Lighthouse

Lodestar

Prysm

BLS

1: NOTE: BeaconState objects are considered trusted inputs (for the moment), so client state transition functions are not currently expected to handle invalid BeaconState values.

License

MIT - see LICENSE
