
In my previous bug report on parsing in the Steem blockchain, a user asked if custom JSON was also vulnerable which inspired me to take a closer look.

The JSON parsing code in the “FC” library used by Steem did have a check for nesting, but it was not adequate:

    /** the purpose of this check is to verify that we will not get a stack overflow in the recursive descent parser */
    void check_string_depth( const string& utf8_str )
    {
       int32_t open_object = 0;
       int32_t open_array = 0;
       for( auto c : utf8_str )…

I was interested in a first project for getting familiar with TLA+, “a high-level language for modelling programs and systems.” TLA+ has been used to find errors in the design of real-world distributed systems, so I was curious how it compared to model checkers I have previously used such as Alloy. A co-worker recently tracked down a concurrency bug that was causing some test failures. I was interested in seeing if I could model the system with TLA+, and reproduce the failure using its consistency checker, TLC.

The system where the failure occurs is a wrapper around memory allocation. It…

  • Two smart contract fragments were identified that cause panics in the NeoVM implementation in the Ontology blockchain code.


Ontology is a “distributed trust collaboration platform”, a blockchain that supports identity management and smart contracts. Ontology smart contracts can be written in a variety of languages using an online IDE. It currently supports two different virtual machine implementations — WASM (Web Assembly) and NeoVM, a virtual machine created for the NEO blockchain.

NeoVM is a stack-oriented virtual machine with single-byte opcodes. Unfortunately we could locate few details of its design, other than the opcode listing included in the source. The implementation…

  • Even quality code with good test coverage can benefit from fuzz testing!
  • The Ripple blockchain server (rippled) did not exhibit any security holes in its JSON implementation, or any invariant violations in its LedgerTrie class
  • However, the “stress” unit test of LedgerTrie omits a couple branches that were exercised by a fuzzed version of the same test.


Ripple, the blockchain underlying the XRP cryptocurrency, positions itself as a tool for banks and payment processors. The security requirements for such a use case are high, and we are pleased to see that Ripple’s open-source implementation follows many best practices and uses…

  • Using American Fuzzy Lop on the Snappy compression library found no new bugs, and reported only high memory usage related to preallocation of an output buffer.
  • Users of Snappy should be aware of this preallocation and check the uncompressed size before calling snappy::Uncompress
  • Non-C++ implementations of Snappy have had bugs reported by AFL-derived tools.


Snappy is a compression library that is optimized for speed rather than achieving the maximum compression. It’s used in several NoSQL databases, and in the Ripple blockchain implementation.

Compression algorithms, like parsing libraries, are usually a good target for fuzzing. By their very nature…

  • Using American Fuzzy Lop on a message parsing library contained in the Steem blockchain implementation found unexpectedly large memory usage.
  • The memory allocation point identified by AFL can be successfully turned into an exploitable denial-of-service attack, on Steem and other Graphene-based blockchains.


In a previous article, we introduced fuzz testing with American Fuzzy Lop and showed how it could be applied to the JSON parsing library included in Steem, a “social blockchain.” The Steem backend is written in C++ and uses a separate introspection-driven marshalling and unmarshalling library for messages between peers in the Steem network.

This article will explain…

  • Using American Fuzzy Lop on the JSON parsing library contained in the Steem blockchain implementation found a latent bug.
  • Fortunately, this bug is not exploitable in practice, though it may cause Steem to incorrectly report end-of-file on nonconforming JSON input, or crash on a malformed configuration file.

What is Fuzz Testing?

Fuzz testing applies many different inputs to a program or function in order to explore its behavior, potentially inducing crashes or memory access violations. Some fuzz testers are coverage-driven and seek to maximize the number of paths through the code that they explore by instrumenting the code, and taking this coverage information into…

