ItyFuzz: Snapshot-Based Fuzzer for Smart Contract
Chaofan Shou, Shangyin Tan, Koushik Sen

TL;DR
ItyFuzz is a snapshot-based smart contract fuzzer that efficiently explores blockchain states, quickly finds vulnerabilities, and enables on-chain testing, outperforming existing fuzzers in coverage and exploit generation.
Contribution
ItyFuzz introduces a novel snapshot-based approach with dataflow and comparison waypoints for effective smart contract fuzzing and on-chain vulnerability detection.
Findings
Outperforms existing fuzzers in coverage.
Rapidly finds and generates realistic exploits.
Effective on real-world and hacked DeFi contracts.
Abstract
Smart contracts are critical financial instruments, and their security is of utmost importance. However, smart contract programs are difficult to fuzz due to the persistent blockchain state behind all transactions. Mutating sequences of transactions is complex and often leads to a suboptimal exploration of both the input and program spaces. In this paper, we introduce a novel snapshot-based fuzzer, ItyFuzz, for testing smart contracts. In ItyFuzz, instead of storing sequences of transactions and mutating from them, we snapshot states and singleton transactions. To explore interesting states, ItyFuzz introduces a dataflow waypoint mechanism to identify states with more potential momentum. ItyFuzz also incorporates comparison waypoints to prune the space of states. By maintaining snapshots of the states, ItyFuzz can synthesize concrete exploits like reentrancy attacks quickly. Because ItyFuzz…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Security and Verification in Computing · Advanced Malware Detection Techniques
