lzhou1110 / ityfuzz

Blazing Fast Bytecode-Level Hybrid Fuzzer for Smart Contracts

Home Page:https://docs.ityfuzz.rs

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

🍦 ItyFuzz

Demo

[Docs] / [Research Paper] / [Twitter] / [Discord] / [Telegram]

ItyFuzz is a blazing-fast EVM and MoveVM smart contract hybrid fuzzer that combines symbolic execution and fuzzing to find bugs in smart contracts offchain and onchain.

Example

Generating full exploit to steal funds from a contract with flashloan + read-only reentrancy vulnerability on Polygon.

# Install ItyFuzz
curl -L https://ity.fuzz.land/ | bash
ityfuzzup

# Fork Polygon at block 35718198 and fuzz the contract
ETH_RPC_URL=https://polygon-rpc.com ityfuzz evm\
    -t 0xbcf6e9d27bf95f3f5eddb93c38656d684317d5b4,0x5d6c48f05ad0fde3f64bab50628637d73b1eb0bb\
    -c polygon\
    --flashloan\
    --onchain-block-number 35718198\
    --onchain-etherscan-api-key TR24XDQF35QCNK9PZBV8XEH2XRSWTPWFWT # <-- Get your own API key at https://polygonscan.com/apis if this one is rate limited 

For other examples and usages, check out the docs.

Performance

On large real-world smart contract projects, ItyFuzz finds 126 vulnerabilities while Echidna finds 0 and Mythril finds 9. For details, refer to backtesting, research paper, and new bugs discovered.

On small real-world smart contracts (ERC20, lottery, etc.), ItyFuzz gains 10% more test coverage than academia state-of-the-art fuzzer SMARTIAN using 1/30 of the time.

On Consensys's Daedaluzz benchmark, ItyFuzz without symbolic execution finds 44% more bugs than Echidna and 31% more bugs than Foundry. ItyFuzz is also 2.5x faster than Echidna and 1.5x faster than Foundry.

Features

  • Chain forking to fuzz contracts on any chain at any block number.
  • Accurate exploit generation for precision loss, integer overflow, fund stealing, Uniswap pair misuse etc.
  • Reentrancy support to concretely leverage potential reentrancy opportunities for exploring more code paths.
  • Blazing fast power scheduling to prioritize fuzzing on code that is more likely to have bugs.
  • Symbolic execution to generate test cases that cover more code paths than fuzzing alone.
  • Flashloan support assuming attackers have infinite funds to exploit flashloan vulnerabilities.
  • Liquidation support to simulate buying and selling any token from liquidity pools during fuzzing.
  • Decompilation support for fuzzing contracts without source code.
  • Supports complex contracts initialization using Foundry setup script, forking Anvil RPC, or providing a JSON config file.
  • Backed by SOTA Web2 fuzzing engine LibAFL.

Bugs Found

Selected new vulnerabilities found:

Project Vulnerability Assets at Risks
BSC $rats NFT Integer overflow leading to unlimited minting $79k
9419 Token Incorrect logic leading to price manipulation $35k
BSC Mevbot Unguarded DPPFlashLoanCall $19k
FreeCash Incorrect logic leading to price manipulation $12k
0xnoob Token Incorrect logic leading to price manipulation $7k
Baby Wojak Token Incorrect logic leading to price manipulation $4k
Arrow Incorrect posiition logic leading to fund loss Found During Audit

ItyFuzz can automatically generate exploits for >80% of previous hacks without any knowledge of the hack. Refer to backtesting for running previously hacked protocols.

About

Blazing Fast Bytecode-Level Hybrid Fuzzer for Smart Contracts

https://docs.ityfuzz.rs

License:MIT License


Languages

Language:Rust 93.4%Language:Solidity 3.2%Language:Python 1.9%Language:Shell 0.8%Language:Handlebars 0.3%Language:Move 0.1%Language:JavaScript 0.1%Language:Dockerfile 0.1%Language:HTML 0.0%