WASAI: uncovering vulnerabilities in Wasm smart contracts

Weimin Chen, Zihan Sun, Haoyu Wang, Xiapu Luo, Haipeng Cai, Lei Wu

Research output: Chapter in book / Conference proceedingConference article published in proceeding or bookAcademic researchpeer-review


WebAssembly (Wasm) smart contracts have shown growing popularity across blockchains (e.g., EOSIO) recently. Similar to Ethereum smart contracts, Wasm smart contracts suffer from various attacks exploiting their vulnerabilities. Even worse, few developers released the source code of their Wasm smart contracts for security review, raising the bar for uncovering vulnerable contracts. Although a few approaches have been proposed to detect vulnerable Wasm smart contracts, they have several major limitations, e.g., low code coverage, low accuracy and lack of scalability, unable to produce exploit payloads, etc. To fill the gap, in this paper, we design and develop WASAI, a new concolic fuzzer for uncovering vulnerabilities in Wasm smart contract after tackling several challenging issues. We conduct extensive experiments to evaluate WASAI, and the results show that it outperforms the state-of-the-art methods. For example, it achieves 2x code coverage than the baselines and surpasses them in detection accuracy, with an F1-measure of 99.2%. Moreover, WASAI can handle complicated contracts (e.g., contracts with obfuscation and sophisticated verification). Applying WASAI to 991 deployed smart contracts in the wild, we find that over 70% of smart contracts are vulnerable. By the time of this study, over 300 vulnerable contracts have not been patched and are still operating on the EOSIO Mainnet. One fake EOS vulnerability reported to the EOSIO ecosystem was recently assigned a CVE identifier (CVE-2022-27134).
Original languageEnglish
Title of host publicationProceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA)
PublisherAssociation for Computing Machinery (ACM)
Number of pages808
ISBN (Electronic)10.1145/3533767
ISBN (Print)9781450393799
Publication statusPublished - 18 Jul 2022
Event31st ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA'22) - Virtual
Duration: 18 Jul 202222 Jul 2022


Competition31st ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA'22)
Abbreviated titleISSTA
Internet address


Dive into the research topics of 'WASAI: uncovering vulnerabilities in Wasm smart contracts'. Together they form a unique fingerprint.

Cite this