
Automated Attack Synthesis for Constant Product Market Makers

arXiv (Cornell University) (2024)

Abstract
Decentralized Finance enables many novel applications that were impossible in traditional finance. However, it also introduces new types of vulnerabilities, such as composability bugs. Composability bugs refer to issues that lead to erroneous behaviors when multiple smart contracts operate together. One typical example of composability bugs is those between token contracts and Constant Product Market Makers (CPMM), the most widely used model for Decentralized Exchanges. Since 2022, 23 exploits of such kind have resulted in a total loss of 2.2M USD. BlockSec, a smart contract auditing company, once reported that 138 exploits of such kind occurred just in February 2023. We propose CPMM-Exploiter, which automatically detects and generates end-to-end exploits for CPMM composability bugs. Generating such end-to-end exploits is challenging due to the large search space of multiple contracts and the various fees involved with financial services. To tackle this, we investigated real-world exploits regarding these vulnerabilities and identified that they arise from violating two safety invariants. Based on this observation, we implemented CPMM-Exploiter, a new grammar-based fuzzer targeting the detection of these bugs. CPMM-Exploiter uses fuzzing to find transactions that break the invariants. It then refines these transactions to make them profitable for the attacker. We evaluated CPMM-Exploiter on two real-world exploit datasets. CPMM-Exploiter obtained recalls of 0.91 and 0.89, respectively, while five baselines achieved maximum recalls of 0.36 and 0.58, respectively. We further evaluated CPMM-Exploiter by running it on the latest blocks of the Ethereum and Binance networks. It successfully generated 18 new exploits, which can result in 12.9K USD profit in total.
Keywords
Attack Graphs, Dynamic Analysis, Security Analysis