-
Fuzz on the Beach: Fuzzing Solana Smart Contracts
Authors:
Sven Smolka,
Jens-Rene Giesen,
Pascal Winkler,
Oussama Draissi,
Lucas Davi,
Ghassan Karame,
Klaus Pohl
Abstract:
Solana has quickly emerged as a popular platform for building decentralized applications (DApps), such as marketplaces for non-fungible tokens (NFTs). A key reason for its success are Solana's low transaction fees and high performance, which is achieved in part due to its stateless programming model. Although the literature features extensive tooling support for smart contract security, current so…
▽ More
Solana has quickly emerged as a popular platform for building decentralized applications (DApps), such as marketplaces for non-fungible tokens (NFTs). A key reason for its success are Solana's low transaction fees and high performance, which is achieved in part due to its stateless programming model. Although the literature features extensive tooling support for smart contract security, current solutions are largely tailored for the Ethereum Virtual Machine. Unfortunately, the very stateless nature of Solana's execution environment introduces novel attack patterns specific to Solana requiring a rethinking for building vulnerability analysis methods.
In this paper, we address this gap and propose FuzzDelSol, the first binary-only coverage-guided fuzzing architecture for Solana smart contracts. FuzzDelSol faithfully models runtime specifics such as smart contract interactions. Moreover, since source code is not available for the large majority of Solana contracts, FuzzDelSol operates on the contract's binary code. Hence, due to the lack of semantic information, we carefully extracted low-level program and state information to develop a diverse set of bug oracles covering all major bug classes in Solana. Our extensive evaluation on 6049 smart contracts shows that FuzzDelSol's bug oracles find bugs with a high precision and recall. To the best of our knowledge, this is the largest evaluation of the security landscape on the Solana mainnet.
△ Less
Submitted 4 October, 2023; v1 submitted 6 September, 2023;
originally announced September 2023.
-
Mixing Time for Some Adjacent Transposition Markov Chains
Authors:
Shahrzad Haddadan,
Peter Winkler
Abstract:
We prove rapid mixing for certain Markov chains on the set $S_n$ of permutations on $1,2,\dots,n$ in which adjacent transpositions are made with probabilities that depend on the items being transposed. Typically, when in state $σ$, a position $i<n$ is chosen uniformly at random, and $σ(i)$ and $σ(i{+}1)$ are swapped with probability depending on $σ(i)$ and $σ(i{+}1)$. The stationary distributions…
▽ More
We prove rapid mixing for certain Markov chains on the set $S_n$ of permutations on $1,2,\dots,n$ in which adjacent transpositions are made with probabilities that depend on the items being transposed. Typically, when in state $σ$, a position $i<n$ is chosen uniformly at random, and $σ(i)$ and $σ(i{+}1)$ are swapped with probability depending on $σ(i)$ and $σ(i{+}1)$. The stationary distributions of such chains appear in various fields of theoretical computer science, and rapid mixing established in the uniform case.
Recently, there has been progress in cases with biased stationary distributions, but there are wide classes of such chains whose mixing time is unknown. One case of particular interest is what we call the "gladiator chain," in which each number $g$ is assigned a "strength" $s_g$ and when $g$ and $g'$ are adjacent and chosen for possible swap**, $g$ comes out on top with probability $s_g/(s_g + s_{g'})$. We obtain a polynomial-time upper bound on mixing time when the gladiators fall into only three strength classes.
A preliminary version of this paper appeared as "Mixing of Permutations by Biased Transposition" in STACS 2017.
△ Less
Submitted 11 January, 2018; v1 submitted 4 April, 2016;
originally announced April 2016.
-
Abelian logic gates
Authors:
Alexander E. Holroyd,
Lionel Levine,
Peter Winkler
Abstract:
An abelian processor is an automaton whose output is independent of the order of its inputs. Bond and Levine have proved that a network of abelian processors performs the same computation regardless of processing order (subject only to a halting condition). We prove that any finite abelian processor can be emulated by a network of certain very simple abelian processors, which we call gates. The mo…
▽ More
An abelian processor is an automaton whose output is independent of the order of its inputs. Bond and Levine have proved that a network of abelian processors performs the same computation regardless of processing order (subject only to a halting condition). We prove that any finite abelian processor can be emulated by a network of certain very simple abelian processors, which we call gates. The most fundamental gate is a "toppler", which absorbs input particles until their number exceeds some given threshold, at which point it topples, emitting one particle and returning to its initial state. With the exception of an adder gate, which simply combines two streams of particles, each of our gates has only one input wire. Our results can be reformulated in terms of the functions computed by processors, and one consequence is that any increasing function from N^k to N^l that is the sum of a linear function and a periodic function can be expressed in terms of (possibly nested) sums of floors of quotients by integers.
△ Less
Submitted 9 April, 2018; v1 submitted 2 November, 2015;
originally announced November 2015.
-
Cops vs. Gambler
Authors:
Natasha Komarov,
Peter Winkler
Abstract:
We consider a variation of cop vs.\ robber on graph in which the robber is not restricted by the graph edges; instead, he picks a time-independent probability distribution on $V(G)$ and moves according to this fixed distribution. The cop moves from vertex to adjacent vertex with the goal of minimizing expected capture time. Players move simultaneously. We show that when the gambler's distribution…
▽ More
We consider a variation of cop vs.\ robber on graph in which the robber is not restricted by the graph edges; instead, he picks a time-independent probability distribution on $V(G)$ and moves according to this fixed distribution. The cop moves from vertex to adjacent vertex with the goal of minimizing expected capture time. Players move simultaneously. We show that when the gambler's distribution is known, the expected capture time (with best play) on any connected $n$-vertex graph is exactly $n$. We also give bounds on the (generally greater) expected capture time when the gambler's distribution is unknown to the cop.
△ Less
Submitted 21 August, 2013;
originally announced August 2013.
-
Two-Color Babylon
Authors:
Agelos Georgakopoulos,
Peter Winkler
Abstract:
We solve the game of Babylon when played with chips of two colors, giving a winning strategy for the second player in all previously unsolved cases.
We solve the game of Babylon when played with chips of two colors, giving a winning strategy for the second player in all previously unsolved cases.
△ Less
Submitted 17 November, 2011;
originally announced November 2011.
-
New Bounds for Edge-Cover by Random Walk
Authors:
Agelos Georgakopoulos,
Peter Winkler
Abstract:
We show that the expected time for a random walk on a (multi-)graph $G$ to traverse all $m$ edges of $G$, and return to its starting point, is at most $2m^2$; if each edge must be traversed in both directions, the bound is $3m^2$. Both bounds are tight and may be applied to graphs with arbitrary edge lengths, with implications for Brownian motion on a finite or infinite network of total edge-lengt…
▽ More
We show that the expected time for a random walk on a (multi-)graph $G$ to traverse all $m$ edges of $G$, and return to its starting point, is at most $2m^2$; if each edge must be traversed in both directions, the bound is $3m^2$. Both bounds are tight and may be applied to graphs with arbitrary edge lengths, with implications for Brownian motion on a finite or infinite network of total edge-length $m$.
△ Less
Submitted 29 September, 2011;
originally announced September 2011.
-
Sorting by Placement and Shift
Authors:
Sergi Elizalde,
Peter Winkler
Abstract:
In sorting situations where the final destination of each item is known, it is natural to repeatedly choose items and place them where they belong, allowing the intervening items to shift by one to make room. (In fact, a special case of this algorithm is commonly used to hand-sort files.) However, it is not obvious that this algorithm necessarily terminates.
We show that in fact the algorithm…
▽ More
In sorting situations where the final destination of each item is known, it is natural to repeatedly choose items and place them where they belong, allowing the intervening items to shift by one to make room. (In fact, a special case of this algorithm is commonly used to hand-sort files.) However, it is not obvious that this algorithm necessarily terminates.
We show that in fact the algorithm terminates after at most $2^{n-1}-1$ steps in the worst case (confirming a conjecture of L. Larson), and that there are super-exponentially many permutations for which this exact bound can be achieved. The proof involves a curious symmetrical binary representation.
△ Less
Submitted 17 September, 2008;
originally announced September 2008.
-
Note on Counting Eulerian Circuits
Authors:
Graham R. Brightwell,
Peter Winkler
Abstract:
We show that the problem of counting the number of Eulerian circuits in an undirected graph is complete for the class #P.
We show that the problem of counting the number of Eulerian circuits in an undirected graph is complete for the class #P.
△ Less
Submitted 18 May, 2004;
originally announced May 2004.