Human Side of Smart Contract Fuzzing: An Empirical Study
Guanming Qiao, Partha Protim Paul

TL;DR
This paper investigates the challenges faced by practitioners in adopting smart contract fuzzing tools through an analysis of GitHub issues and a user study, revealing domain-specific usability issues and providing insights for tool improvement.
Contribution
It offers a systematic taxonomy of challenges in smart contract fuzzing adoption, based on empirical analysis of issues and user experiences, highlighting human and technical barriers.
Findings
Domain-specific usability challenges identified
Technical issues with blockchain emulation highlighted
Lack of documentation and automation as human barriers
Abstract
Smart contract (SC) fuzzing is a critical technique for detecting vulnerabilities in blockchain applications. However, its adoption remains challenging for practitioners due to fundamental differences between SCs and traditional software systems. In this study, we investigate the challenges practitioners face when adopting SC fuzzing tools by conducting an inductive content analysis of 381 GitHub issues from two widely used SC fuzzers: Echidna and Foundry. Furthermore, we conducted a user study to examine how these challenges affect different practitioner groups, SC developers, and traditional software security professionals, and identify strategies practitioners use to overcome them. We systematically categorize these challenges into a taxonomy based on their nature and occurrence within the SC fuzzing workflow. Our findings reveal domain-specific ease-of-use and usefulness challenges,…
Taxonomy
Topics: Software Engineering Techniques and Practices · Software Engineering Research · Software Testing and Debugging Techniques
