Smart Contract Fuzzing for Enterprises: The Language Agnostic Way

Pani, Siddhasagar; Nallagonda, Harshita Vani; Prakash, Saumya; Vigneswaran, Rahul; Medicherla, Raveendra Kumar; Rajan, M. A.

doi:10.1109/comsnets53615.2022.9668512

Cited by 7 publications

(8 citation statements)

References 14 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…• Transaction arguments generation. When generating transaction arguments, fuzzers [66,76,96] built on general fuzzers (e.g., AFL [1]) treat each argument as a byte stream and generate random bytes as inputs. Hence, they often require additional time to hit argument types (e.g., string).…”

Section: Seed Generationmentioning

confidence: 99%

“…• Fitness by Coverage. Code coverage has long been a cornerstone metric in traditional fuzzing, and many smart contract fuzzers [40,66,74,76,88,93,95,96,102] have adopted it to prioritize seeds that can potentially uncover new code paths. Typically, these fuzzers calculate code coverage based on executed instructions and covered basic blocks, while some [40,91] adopt a more fine-grained approach by calculating the covered branches.…”

Section: Seed Schedulingmentioning

confidence: 99%

“…Generation-based fuzzers [2, 48,55,65,85,89,109] have no seed mutation process as they do not use feedback to improve their seeds. Some fuzzers [22,74,76,93,95,108] utilize mutation operators found in general fuzzers (e.g., AFL), such as bit flips and additions, to generate new test inputs (For variable-length arguments, these fuzzers mutate them by pruning or padding bits). However, many fuzzers mutate all arguments in each mutation, which may lose previously satisfied conditions [68,81,101].…”

Section: Seed Mutationmentioning

confidence: 99%

“…Another optimization is the shift towards offline program analysis or vulnerability detection, e.g., sFuzz [74], which conducts vulnerability detection offline once every 500 test cases. Finally, some fuzzers employ more efficient programming languages like C/C++ to improve their execution speed [54,74,76,102].…”

Section: Engineering Optimizationmentioning

confidence: 99%

See 3 more Smart Citations

Are We There Yet? Unraveling the State-of-the-Art Smart Contract Fuzzers

Wu,

Li,

Yan

et al. 2024

Proceedings of the IEEE/ACM 46th International Conference on Software Engineering

View full text Add to dashboard Cite

Given the growing importance of smart contracts in various applications, ensuring their security and reliability is critical. Fuzzing, an effective vulnerability detection technique, has recently been widely applied to smart contracts. Despite numerous studies, a systematic investigation of smart contract fuzzing techniques remains lacking. In this paper, we fill this gap by: 1) providing a comprehensive review of current research in contract fuzzing, and 2) conducting an in-depth empirical study to evaluate state-of-the-art contract fuzzers' usability. To guarantee a fair evaluation, we employ a carefully-labeled benchmark and introduce a set of pragmatic performance metrics, evaluating fuzzers from five complementary perspectives. Based on our findings, we provide direction for the future research and development of contract fuzzers.

show abstract

Section: Seed Generationmentioning

confidence: 99%

Section: Seed Schedulingmentioning

confidence: 99%

Section: Seed Mutationmentioning

confidence: 99%

Section: Engineering Optimizationmentioning

confidence: 99%

See 2 more Smart Citations

Are We There Yet? Unraveling the State-of-the-Art Smart Contract Fuzzers

Wu,

Li,

Yan

et al. 2024

Proceedings of the IEEE/ACM 46th International Conference on Software Engineering

View full text Add to dashboard Cite

show abstract

“…Fuzzy testing is a technology that can automatically and quickly generate test inputs and run them against the target program to find security vulnerabilities. Because of its simplicity and practicality, fuzzy testing has become one of the main methods of software testing [17]. Fuzzy testing of smart contract is an automatic testing technology, which uses random, unexpected, or invalid data as the input of the contract [18].…”

Section: Introductionmentioning

confidence: 99%

EtherFuzz: Mutation Fuzzing Smart Contracts for TOD Vulnerability Detection

Wang

Sun

et al. 2022

Wireless Communications and Mobile Computing

View full text Add to dashboard Cite

With the development of Internet of Things technology, the use of Internet of Things is expanding, and its security risk will become an important factor restricting the development of Internet of Things technology. The application of blockchain technology in the security field of the Internet of Things can improve security problems, and the blockchain has immutable characteristics. Therefore, it is particularly important to ensure the security of blockchain smart contracts. However, the order of transaction in smart contracts is easy to be operated by miners, and there is a relative lack of tools to detect TOD (transaction-ordering dependent) vulnerabilities. The current smart contract vulnerability detection methods have the problems of low efficiency and low accuracy. Therefore, based on the study of TOD vulnerability principle, this paper creatively highlights a mutation fuzzy testing method EtherFuzz to specifically detect TOD vulnerability in smart contracts. Use the intelligent contract ABI (application binary interface) to generate test cases, test the byte code of the intelligent contract, use TOD to test oracle to detect TOD vulnerabilities, and then, mutate the tested data to generate new test cases. Finally, the behavior of smart contract operation is recorded, and the fuzzy test process is controlled until the vulnerability is detected. The experimental results show that when 987 token contracts are selected as Ethereum test objects, the false-positive rate, detection time overhead, and detection storage overhead of EtherFuzz are reduced by 74.4%, 30.1%, and 28.1%, respectively. Therefore, EtherFuzz has high speed, efficiency, and accuracy in detecting TOD vulnerabilities and has excellent application value.

show abstract

Analysis between different types of smart contract fuzzing

Guo

2022

2022 3rd International Conference on Computer Vision, Image and Deep Learning &Amp; International Conference on Computer Engine

View full text Add to dashboard Cite

Smart Contract Fuzzing for Enterprises: The Language Agnostic Way

Cited by 7 publications

References 14 publications

Are We There Yet? Unraveling the State-of-the-Art Smart Contract Fuzzers

Are We There Yet? Unraveling the State-of-the-Art Smart Contract Fuzzers

EtherFuzz: Mutation Fuzzing Smart Contracts for TOD Vulnerability Detection

Analysis between different types of smart contract fuzzing

Contact Info

Product

Resources

About