MuFuzz: A Fuzz Testing Tool for Blockchain Smart Contracts

GoPlus Security
Dec 18, 2023

Recently, Goplus’ latest research on Ethereum smart contract vulnerability detection was officially accepted as a full paper at ICDE 2024!

Smart contracts, the self-executing programs that hold and move assets on a blockchain, have made new kinds of digital transactions possible, but they also ship with their share of vulnerabilities, and a bug in a deployed contract is hard to fix and expensive when exploited. This article introduces MuFuzz, a fuzz testing tool developed by GoPlus to find such vulnerabilities before they are exploited, outlines the challenges that make smart contracts hard to fuzz, and explains how MuFuzz addresses them. The work was recently accepted at IEEE ICDE 2024.

The IEEE ICDE is one of the top three conferences in the database field and is rated Class A by the China Computer Federation (CCF) for databases, data mining and content retrieval; it showcases the latest advances from research institutions and technology companies worldwide in these areas.

Profound impact of smart contract vulnerabilities

Smart contracts are programs that run on blockchain networks, and their adoption has exploded in recent years. According to data from Dune, over 60 million smart contracts have been deployed on Ethereum, and they process over a million transactions daily. As smart contracts hold more digital assets, attackers probe them for exploitable vulnerabilities, and the losses have already been massive: attacks on Ethereum contracts such as FoMo3D, Uniswap and Cream Finance have caused economic damage exceeding $1 billion. Worse, deployed contract bytecode is immutable. A vulnerable contract cannot be patched in place after deployment, and no amount of mining or staking power lets anyone rewrite it short of a network-wide hard fork, so vulnerabilities have to be found before a contract goes live or before an attacker finds them. Effective methods for detecting vulnerabilities in smart contracts are therefore crucial for blockchain security.

Challenges in fuzz testing of smart contracts

a) Unlike traditional software, smart contracts are stateful programs: the input is a sequence of transactions, and each transaction leaves persistent state behind that later transactions depend on. Current smart contract fuzzers still struggle to find transaction sequences that drive the contract into new persistent states.

b) Because the fuzzer now generates whole transaction sequences rather than single inputs, the input space becomes very large. Existing fuzzers nevertheless mutate input bytes arbitrarily, ignoring the critical parts of an input that must stay fixed (for example, an argument that a branch condition compares against a constant), which lowers the chance of hitting branches guarded by strict conditions.

c) The energy allocated to each branch is often imbalanced: fuzzers spend considerable resources on branches that are easy to reach while giving deeply nested branches too little energy, which makes deeper states hard to explore.

MuFuzz: A Sequence-Aware and Mask-Guided Fuzz Testing Tool for Smart Contracts

To address these challenges, we designed MuFuzz, a fuzz testing tool for smart contracts built on sequence-aware mutation and seed mask guidance.

MuFuzz works in four stages.

a) Preprocessing: the input contract's source code is compiled into bytecode, an AST and an ABI.

b) Sequence-aware mutation: from the read-write dependencies among the contract's state variables (which functions write a variable that other functions read), MuFuzz generates an initial transaction call sequence and then applies extended mutation to it.

c) Mask-guided seed mutation: branch distance feedback (how far a seed's execution is from satisfying an unmet branch condition) is used to select high-quality seeds, and a mask marks the input bytes that must stay fixed so that mutation only touches the remaining bytes, producing higher-quality seeds.

d) Dynamic energy adjustment: during fuzzing, the energy given to each branch is adjusted so that fuzzing resources are distributed more evenly across branches, including deeply nested ones.

Finally, MuFuzz reports the detected vulnerabilities together with the branch coverage achieved.
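As an added illustration of the mechanisms described above (not MuFuzz's own code; the contract summary, function names, placeholder selector and heuristics are constructed for this example), the following Python sketches them in miniature: a call sequence derived from state-variable read/write dependencies, a byte mask that freezes critical calldata bytes during mutation, a branch distance used to rank seeds, and an energy schedule that favours rarely hit branches.

```python
"""Toy model of the MuFuzz ideas: dependency-derived call sequences, mask-guided
byte mutation, branch distance and a rarity-weighted energy schedule.

Added illustration only: the contract summary, variable names and heuristics
are constructed for this example and are not MuFuzz's own code.
"""
import random
from collections import defaultdict, deque

# Constructed per-function read/write sets of state variables, as a static
# pass over the AST might summarise them for a hypothetical vault contract.
RW_SETS = {
    "initialize": {"reads": set(), "writes": {"owner", "paused"}},
    "deposit": {"reads": {"paused"}, "writes": {"balances"}},
    "setLimit": {"reads": {"owner"}, "writes": {"limit"}},
    "withdraw": {"reads": {"balances", "limit", "paused"}, "writes": {"balances"}},
}


def sequence_from_dependencies(rw_sets):
    """Order calls so that each writer of a state variable runs before the
    functions that read it (a topological sort of the write->read graph).
    A function's own writes are ignored; leftovers from genuine cycles are
    appended in name order so the result always covers every function."""
    deps = defaultdict(set)  # f -> functions that must run before f
    for f, rw in rw_sets.items():
        for g, rw_g in rw_sets.items():
            if g != f and rw_g["writes"] & rw["reads"]:
                deps[f].add(g)
    indeg = {f: len(deps[f]) for f in rw_sets}
    ready = deque(sorted(f for f in rw_sets if indeg[f] == 0))
    order = []
    while ready:
        f = ready.popleft()
        order.append(f)
        for h in sorted(rw_sets):
            if f in deps[h]:
                indeg[h] -= 1
                if indeg[h] == 0:
                    ready.append(h)
    order += sorted(f for f in rw_sets if f not in order)
    return order


def build_mask(calldata, fixed_ranges=()):
    """Return a per-byte mask (1 = mutable, 0 = frozen). The 4-byte function
    selector is always frozen; extra (start, end) ranges stand in for a
    hypothetical analysis of branch conditions, e.g. an argument that a
    `require` compares against a constant."""
    mask = bytearray([1] * len(calldata))
    for start, end in [(0, 4), *fixed_ranges]:
        for i in range(start, min(end, len(calldata))):
            mask[i] = 0
    return bytes(mask)


def mask_guided_mutate(calldata, mask, seed=0, n_flips=4):
    """Mutate up to n_flips bytes, choosing positions only where mask == 1."""
    rng = random.Random(seed)
    candidates = [i for i, m in enumerate(mask) if m]
    out = bytearray(calldata)
    for i in rng.sample(candidates, min(n_flips, len(candidates))):
        out[i] ^= rng.randrange(1, 256)  # non-zero xor guarantees a change
    return bytes(out)


def branch_distance(op, lhs, rhs):
    """Branch distance for an integer comparison: 0 when the condition already
    holds, otherwise how far lhs is from satisfying it (the signal used to
    rank seeds that get closer to an unmet branch)."""
    if op == "==":
        return abs(lhs - rhs)
    if op == "<":
        return 0 if lhs < rhs else lhs - rhs + 1
    if op == ">":
        return 0 if lhs > rhs else rhs - lhs + 1
    raise ValueError(f"unsupported operator {op!r}")


def assign_energy(branch_hits, total_energy=100):
    """Split the fuzzing budget so rarely hit branches get more: weight each
    branch by 1 / (1 + hits) and normalise to total_energy."""
    weights = {b: 1.0 / (1 + h) for b, h in branch_hits.items()}
    scale = total_energy / sum(weights.values())
    return {b: round(w * scale) for b, w in weights.items()}


if __name__ == "__main__":
    print(sequence_from_dependencies(RW_SETS))
    # Placeholder selector followed by one ABI-encoded uint256 argument.
    calldata = b"\xde\xad\xbe\xef" + (42).to_bytes(32, "big")
    frozen = build_mask(calldata, fixed_ranges=[(4, 36)])  # freeze the argument
    print(mask_guided_mutate(calldata, frozen) == calldata)
    print(branch_distance("==", 40, 42), assign_energy({"shallow": 99, "deep": 0}))
```

The ordering step is the part a practitioner most often gets wrong: a seed sequence that calls `withdraw` before any `deposit` can never reach the branches that depend on a non-zero balance, no matter how much the argument bytes are mutated. The mask keeps mutation away from the selector and from any argument a guard compares against a constant, and the energy schedule hands most of the budget to the branch that has barely been hit.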

MuFuzz is more than an innovative product; it is a critical component of our broader mission to revolutionize Web3 security. It reinforces our commitment to decentralizing protection, reducing reliance on single entities, and building a more resilient, user-focused security ecosystem. As we continue to innovate and collaborate, MuFuzz will play a pivotal role in shaping a more secure and trustworthy Web3 future.

About GoPlus:

GoPlus is building a Web3 User Security Network that prioritizes openness and user empowerment, providing permissionless security data and an end-user service center known as SecwareX.

GoPlus currently stands out as the leading Web3 user security data platform, having built a real-time, dynamic and automated security detection platform that covers token detection, NFT detection, malicious address identification, an Approval Security API and dApp contract security. GoPlus handles over 15 million data calls daily.

Moreover, GoPlus has introduced the groundbreaking security engine “Secscan” and the Secware Middleware. It plans to unveil the user-centric security personal center, SecwareX, in the beginning of 2024. The commitment to innovation and user-focused security solutions positions GoPlus as a leading force in the evolving landscape of Web3 security.
