Tool
Fuzzing
Last updated: May 7, 2022

Fuzzing is a code analysis technique that attempts to discover issues by creating random sequences of transactions. Security properties are defined using invariants, assertions or a general list of vulnerabilities.

Example tools

  • Echidna
  • Dapptools dapp "invariant testing"
  • Foundry fuzzer
  • Harvey, created by ConsenSys but not independently available

Trade-offs

Pros

  • Fuzzing tools are a useful way to discover issues that are triggered on long sequences of transactions or abnormal inputs, such as numerical errors, illegal pointer access, etc.
  • Fuzzing also works well on relatively complex contracts where formal verification may be too slow (for example contracts involving a lot of multiplications, divisions or array manipulation and loops)
  • Fuzz tests can be run in continuous integration once properties are identified
  • Fuzzers can be configured to run off of predefined states or to only consider certain actions

Cons

  • Fuzzers do not always find all possible state transitions. For example, something as simple as a statement require(x == 836984609) is very hard for a fuzzer to satisfy by randomly guessing values of x, so code behind such an equality check stays unexplored

Advanced features

Shrinking is an advanced feature that allows fuzzers to simplify their outputs for humans. The shrinking step runs after a fuzzer has found a series of transactions that violates a security property. It attempts to trim down that transaction sequence and find a shorter sequence that still violates the invariant, so the failing case a human has to read is as small as possible.

Some fuzzers (called greybox fuzzers) are able to inspect the code and select values more intelligently. For example, they can study branch conditions and select values that exercise both the if and the else path of each branch, maximizing line coverage during a fuzzing campaign.
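The random-sequence search, invariant check and shrinking step described above, as an added Python stand-in for what Echidna or the Foundry fuzzer do against a real contract (this is example code, not from the page or either tool): a constructed toy token model with a planted bug in burn(), the invariant "sum of balances equals total supply", a seeded fuzz loop, and a shrinker that drops calls one at a time while the sequence still fails. All names and values are constructed for the example.

```python
import random
from dataclasses import dataclass, field


@dataclass
class Token:
    """Constructed toy token model (not a real contract). burn() has a
    planted bug: it never decreases total_supply."""
    total_supply: int = 1000
    balances: dict = field(default_factory=lambda: {"alice": 1000, "bob": 0})

    def transfer(self, frm, to, amount):
        if self.balances[frm] < amount:
            return                      # models a revert: state unchanged
        self.balances[frm] -= amount
        self.balances[to] += amount

    def burn(self, who, amount):
        if self.balances[who] < amount:
            return                      # models a revert
        self.balances[who] -= amount    # BUG: total_supply is left as-is


def invariant_holds(t):
    """Security property: circulating balances always equal total supply."""
    return sum(t.balances.values()) == t.total_supply


def replay(seq):
    """Run a transaction sequence from a fresh state; False once the invariant breaks."""
    t = Token()
    for name, args in seq:
        getattr(t, name)(*args)
        if not invariant_holds(t):
            return False
    return True


def random_call(rng):
    """One random transaction; amounts deliberately exceed balances sometimes."""
    actors = ["alice", "bob"]
    who = rng.choice(actors)
    if rng.random() < 0.8:
        return ("transfer", (who, rng.choice(actors), rng.randint(0, 2000)))
    return ("burn", (who, rng.randint(0, 2000)))


def fuzz(seed=0, runs=200, seq_len=20):
    """Random search: returns the first failing sequence, or None if none found."""
    rng = random.Random(seed)
    for _ in range(runs):
        seq = [random_call(rng) for _ in range(seq_len)]
        if not replay(seq):
            return seq
    return None


def shrink(seq):
    """Shrinking: drop one call at a time while the sequence still fails."""
    i = 0
    while i < len(seq):
        cand = seq[:i] + seq[i + 1:]
        if not replay(cand):
            seq = cand          # removal kept the failure, retry same index
        else:
            i += 1              # this call is needed to reproduce, keep it
    return seq
```

Running shrink(fuzz()) reduces a 20-call failing sequence to the one or two calls that actually matter, ending in the burn that breaks the invariant; the same search would not get past a require(x == 836984609)-style check, which is the limitation noted under Cons.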

When to use fuzzers

Fuzzers are useful in several kinds of security reviews such as Access Control Review and Flow of Value Analysis where desired properties are easy to define. In general, where it's possible to define meaningful security properties and invariants, it's worth considering a fuzz campaign given the ease of setting up fuzzing.
