Install Docker from https://www.docker.com/ and run our Docker image (x86 only; running it on a non-x86 platform significantly degrades performance):

```
docker run -p 8000:8000 fuzzland/dev-ityfuzz-2
```

Then you can visit the interface at http://localhost:8000
Technical writeup and evaluation for the tool is available at https://scf.so/ityfuzz.pdf
- Campaign crashes due to HTTP timeout: Check whether you can reach Etherscan and SubGraph. If you see a CloudFlare warning, consider switching your IP. Otherwise, restarting the campaign will likely work.
- Campaign crashes due to "No code": If you used a flashloan, add the Uniswap V2 router address to the targets.
- Executions per second are low: The build is optimized for Intel Sapphire Rapids CPUs. At peak, it should reach 1M+ executions per second.
For offchain testing, you need a Solidity file and a deployment plan for the targets.

The fuzzer attempts to find all invariant violations. You can code the invariant directly in the Solidity file and call the `bug()` function when a violation occurs.

The `bug()` function code is:
```solidity
// Oracle hook: emits a log1 with topic 0x133337 carrying msg.sender, which
// ItyFuzz recognizes as an invariant violation. Declared internal so it
// compiles under Solidity >= 0.5, which requires an explicit visibility.
function bug() internal {
    bytes32 t2 = bytes32(uint256(uint160(msg.sender)));
    assembly {
        let p := add(msize(), 0x20) // scratch memory just past the current msize
        mstore(p, t2)
        log1(p, 0x20, 0x133337)
    }
}
```
An example (Verilog CTF):

```solidity
function getBounty() payable public returns (bool) {
    uint256 delta = WMATICV2.totalSupply() >= WMATICV2.balance()
        ? WMATICV2.totalSupply() - WMATICV2.balance()
        : WMATICV2.balance() - WMATICV2.totalSupply();
    uint256 tolerance = WMATICV2.balance() / 10;
    if (delta > tolerance) {
        bug(); // invariant violated!
        isHacked = true;
    }
}
```
ItyFuzz will attempt to deploy all artifacts in the directory to a blockchain with no other smart contracts. Specifically, the project directory should contain a few `[X].abi` and `[X].bin` files. For example, to fuzz a contract named `main.sol`, you should ensure `main.abi` and `main.bin` exist in the project directory. The fuzzer will automatically detect the contracts in the directory and the correlation between them, and fuzz them.

Optionally, if ItyFuzz fails to infer the correlation between contracts, you can add a `[X].address` file, where `[X]` is the contract name, to specify the address of the contract.
Caveats:

- Keep in mind that ItyFuzz fuzzes on a clean blockchain, so you should ensure all related contracts (e.g., ERC20 tokens, Uniswap, etc.) are deployed to the blockchain before fuzzing.
- You also need to rewrite every `constructor(...)` in the smart contract so that it takes no arguments. ItyFuzz assumes constructors have no arguments.