🤖 AI Summary
Blockchain mempools—responsible for transaction management prior to consensus—exhibit asymmetric denial-of-service (DoS) vulnerabilities that jeopardize network health and security, yet existing approaches struggle to automate their discovery. This paper introduces MPFUZZ, the first symbolic, state-aware fuzzing framework for mempools, which synergistically integrates symbolic execution with state-guided fuzzing. It incorporates state-space heuristic pruning and optimistic reachability estimation to systematically uncover stealthy eviction and mempool-locking vulnerabilities. Applied to six major Ethereum clients, MPFUZZ discovers multiple previously unreported vulnerabilities. It detects the known DETER attack over 100× faster than prior methods. Furthermore, it proposes deployable, rule-based mitigation strategies, thereby advancing both client-side hardening and protocol-level defense mechanisms.
📝 Abstract
In blockchains, the mempool controls transaction flow before consensus; denial of its service hurts the health and security of blockchain networks. This paper presents MPFUZZ, the first mempool fuzzer to find asymmetric DoS bugs by symbolically exploring the mempool state space and optimistically estimating how promising an intermediate state is for reaching bug oracles. Compared to the baseline blockchain fuzzers, MPFUZZ achieves a >100x speedup in finding known DETER exploits. Running MPFUZZ on six major Ethereum clients leads to the discovery of new mempool vulnerabilities, which exhibit a wide variety of sophisticated patterns including stealthy mempool eviction and mempool locking. Rule-based mitigation schemes are proposed against the newly discovered vulnerabilities.
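To make the abstract's ingredients concrete (a state space of mempool contents, a bug oracle for asymmetric DoS, an optimistic "promisingness" estimate that orders the search, heuristic pruning, and a rule-based mitigation), here is a toy state-guided mempool fuzzer. This is an added illustration written for this page, not MPFUZZ's code and not any Ethereum client's logic: the four-slot mempool, its lowest-fee eviction policy, the accounts and fee levels, the oracle ("honest transactions evicted while the attacker's admitted transactions are unexecutable and therefore cost nothing"), the promisingness heuristic and the nonce-gap mitigation rule are all constructed assumptions.

```python
"""Toy state-guided mempool fuzzer. Constructed illustration, not MPFUZZ's code:
the mempool model, the bug oracle, the promisingness heuristic and the
mitigation rule are assumptions made for this example."""
import heapq
from dataclasses import dataclass

CAPACITY = 4          # constructed: tiny pool so the search can be traced by hand
ATTACKER = "mallory"  # constructed account name


@dataclass(frozen=True)
class Tx:
    sender: str
    nonce: int
    fee: int


# Constructed seed: three honest transactions already in the pool (all accounts start at nonce 0).
HONEST_SEED = (Tx("alice", 0, 10), Tx("bob", 0, 12), Tx("carol", 0, 14))
# Constructed attacker action alphabet: nonce 0 (executable) or nonce 2 (leaves a gap), four fee levels.
ACTIONS = [Tx(ATTACKER, n, f) for n in (0, 2) for f in (5, 11, 13, 15)]


def executable_nonce(pool, sender):
    """Next nonce the sender could execute: length of the contiguous nonce run starting at 0."""
    nonces = {t.nonce for t in pool if t.sender == sender}
    n = 0
    while n in nonces:
        n += 1
    return n


def admit(pool, tx, max_nonce_gap=None):
    """Toy admission policy: reject duplicates, optionally reject nonce gaps,
    evict the lowest-fee tx when full. Returns the new pool tuple or None if rejected."""
    if tx in pool:
        return None
    if max_nonce_gap is not None and tx.nonce - executable_nonce(pool, tx.sender) > max_nonce_gap:
        return None  # rule-based mitigation (assumed): far-future nonces are not admitted
    if len(pool) < CAPACITY:
        return pool + (tx,)
    victim = min(pool, key=lambda t: t.fee)
    if tx.fee <= victim.fee:
        return None
    return tuple(t for t in pool if t != victim) + (tx,)


def attacker_cost(pool):
    """Fees the attacker would actually pay: only executable (contiguous-nonce) txs get mined."""
    nxt = executable_nonce(pool, ATTACKER)
    return sum(t.fee for t in pool if t.sender == ATTACKER and t.nonce < nxt)


def honest_evicted(pool):
    """Number of seeded honest transactions no longer in the pool."""
    return sum(1 for t in HONEST_SEED if t not in pool)


def is_asymmetric_dos(pool):
    """Bug oracle: honest txs were evicted while the attacker bears no executable cost."""
    return honest_evicted(pool) >= 1 and attacker_cost(pool) == 0


def promisingness(pool):
    """Optimistic estimate (assumed heuristic) of how close a state is to the oracle:
    unexecutable attacker txs occupy slots for free, and a full pool is one step from eviction."""
    nxt = executable_nonce(pool, ATTACKER)
    free_riders = sum(1 for t in pool if t.sender == ATTACKER and t.nonce >= nxt)
    return free_riders + (1 if len(pool) == CAPACITY else 0)


def fuzz(max_nonce_gap=None, max_states=500):
    """Best-first search over mempool states, ordered by promisingness.
    Returns the attacker tx sequence that reaches the oracle, or None if none is found."""
    start = tuple(HONEST_SEED)
    frontier = [(-promisingness(start), 0, start, [])]
    visited = {frozenset(start)}  # state dedup: pool contents, order-insensitive
    counter = 1                   # tie-breaker so heap entries never compare Tx objects
    explored = 0
    while frontier and explored < max_states:
        _, _, pool, trace = heapq.heappop(frontier)
        explored += 1
        if is_asymmetric_dos(pool):
            return trace
        if attacker_cost(pool) > 0:
            continue  # heuristic pruning (assumed): states where the attacker already pays are dropped
        for tx in ACTIONS:
            child = admit(pool, tx, max_nonce_gap)
            if child is None or frozenset(child) in visited:
                continue
            visited.add(frozenset(child))
            heapq.heappush(frontier, (-promisingness(child), counter, child, trace + [tx]))
            counter += 1
    return None


if __name__ == "__main__":
    print("weak policy   :", fuzz())                 # [Tx(mallory,2,11), Tx(mallory,2,13)]
    print("nonce-gap rule:", fuzz(max_nonce_gap=0))  # None
```

Under the weak policy the search reaches the oracle after two attacker transactions: both carry a nonce gap, so neither is ever executable, yet the second one evicts the lowest-fee honest transaction. The same search under the constructed mitigation rule (`max_nonce_gap=0`) exhausts its state space without hitting the oracle, which is the kind of before/after check a rule-based mitigation should be validated with. The promisingness ordering is what lets the search pop the bug state before the many equally reachable but uninteresting states; a plain breadth-first enumeration of the same action alphabet would still find it here, but only because the toy model is tiny.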