Abstract
Smart contracts are Turing-complete programs that are executed across a
blockchain. Unlike traditional programs, once deployed, they cannot be
modified. As smart contracts carry more value, they become more of an
exciting target for attackers. Over the last years, they suffered from
exploits costing millions of dollars due to simple programming mistakes.
As a result, a variety of tools for detecting bugs have been proposed.
Most of these tools rely on symbolic execution, which may yield false
positives due to over-approximation. Recently, many fuzzers have been
proposed to detect bugs in smart contracts. However, these tend to be
effective at finding shallow bugs but less effective at finding bugs
that lie deep in the execution, and therefore achieve low code coverage
and produce many false negatives. An alternative that has proven to
achieve good results in traditional programs is hybrid fuzzing, a
combination of symbolic execution and fuzzing. In this work, we study
hybrid fuzzing on smart contracts and present ConFuzzius, the first
hybrid fuzzer for smart contracts. ConFuzzius uses evolutionary fuzzing
to exercise shallow parts of a smart contract and constraint solving to
generate inputs that satisfy complex conditions that prevent
evolutionary fuzzing from exploring deeper parts. Moreover, ConFuzzius
leverages dynamic data dependency analysis to efficiently generate
sequences of transactions that are more likely to result in contract
states in which bugs may be hidden. We evaluate the effectiveness of
ConFuzzius by comparing it with state-of-the-art symbolic execution
tools and fuzzers for smart contracts. Our evaluation on a curated
dataset of 128 contracts and a dataset of 21K real-world contracts shows
that our hybrid approach detects more bugs than state-of-the-art tools
(up to 23%) and that it outperforms existing tools in terms of code
coverage (up to 69%). We also demonstrate that data dependency analysis
can boost bug detection up to 18%.
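The hybrid loop the abstract describes, as an added self-contained Python illustration (not ConFuzzius code): a constructed toy contract with a magic-value check, a state-dependent unlock and a bug that is reachable only through a particular three-transaction sequence. Evolutionary fuzzing keeps candidates that reach a new branch outcome; a stand-in solver flips argument-dependent branches directly from the recorded comparison instead of issuing an SMT query; and the reads and writes recorded at run time drive the insertion of transactions that set up the state a later call depends on. The contract, all names, and the simplified solver are assumptions made for this example.

```python
import random
from collections import defaultdict

# Constructed toy contract (added illustration, not ConFuzzius or a real contract).
# `cmp` records every branch, its outcome and, when one operand is a transaction
# argument, the operator and constant: the trace a hybrid fuzzer hands to a solver.
class ToyContract:
    def __init__(self):
        self.state = {"owner": 0, "locked": 1}
        self.reads, self.writes, self.trace = set(), set(), []
    def get(self, var):                        # instrumented state read
        self.reads.add(var)
        return self.state[var]
    def put(self, var, value):                 # instrumented state write
        self.writes.add(var)
        self.state[var] = value
    def cmp(self, branch, value, op, const, arg=None):
        taken = {"==": value == const, ">": value > const, "<": value < const}[op]
        self.trace.append((branch, taken, arg, op, const))
        return taken
    def setOwner(self, x):                     # only a "magic" value sets the owner
        if self.cmp("setOwner.magic", x, "==", 0x1337C0DE, arg=0):
            self.put("owner", x)
    def unlock(self, key):                     # needs an owner, then a small key
        if self.cmp("unlock.owner", self.get("owner"), ">", 0):
            if self.cmp("unlock.key", key, "<", 10, arg=0):
                self.put("locked", 0)
    def withdraw(self):                        # the bug sits three transactions deep
        if self.cmp("withdraw.unlocked", self.get("locked"), "==", 0):
            return "BUG"

FUNCS = {"setOwner": 1, "unlock": 1, "withdraw": 0}   # name -> argument count

def run(seq):
    # Replay a sequence on a fresh contract: (coverage, reads/writes per fn, bug, trace)
    c, deps, bug, trace = ToyContract(), {}, False, []
    for i, (name, args) in enumerate(seq):
        c.reads, c.writes, c.trace = set(), set(), []
        bug |= getattr(c, name)(*args) == "BUG"
        deps[name] = (set(c.reads), set(c.writes))
        trace += [(i,) + t for t in c.trace]
    return {(b, t) for _, b, t, *_ in trace}, deps, bug, trace

def solve(op, const, want):
    # Stand-in for an SMT query on `arg <op> const` (assumption: real tools solve the full path)
    sat = {"==": const, ">": const + 1, "<": const - 1}[op]
    unsat = {"==": const + 1, ">": const - 1, "<": const + 1}[op]
    return sat if want else unsat

class HybridFuzzer:
    def __init__(self, seed=1, solver=True):
        self.rng, self.use_solver = random.Random(seed), solver
        self.coverage, self.deps, self.population = set(), defaultdict(lambda: (set(), set())), []

    def evaluate(self, seq, depth=0):
        # Keep a candidate that reaches a new branch outcome, then try to flip any
        # argument-dependent branch whose other outcome has never been observed.
        cov, deps, bug, trace = run(seq)
        for name, (r, w) in deps.items():      # accumulate dynamic data dependencies
            self.deps[name][0].update(r)
            self.deps[name][1].update(w)
        if cov - self.coverage:                # evolutionary fitness: new coverage
            self.coverage |= cov
            self.population.append(seq)
        if bug or not self.use_solver or depth > 1:
            return seq if bug else None
        for i, branch, taken, arg, op, const in trace:
            if arg is not None and (branch, not taken) not in self.coverage:
                name, args = seq[i]
                args = args[:arg] + [solve(op, const, not taken)] + args[arg + 1:]
                found = self.evaluate(seq[:i] + [(name, args)] + seq[i + 1:], depth + 1)
                if found:
                    return found

    def mutate(self, seq):
        seq, choice = list(seq), self.rng.randrange(3)
        i = self.rng.randrange(len(seq))
        if choice == 0 and seq[i][1]:          # perturb one argument of tx i
            name, args = seq[i][0], list(seq[i][1])
            j = self.rng.randrange(len(args))
            args[j] = self.rng.choice([args[j] + 1, args[j] - 1, self.rng.randrange(2 ** 32)])
            seq[i] = (name, args)
        elif choice == 1:                      # append a transaction seen before
            seq.append(self.rng.choice([tx for s in self.population for tx in s]))
        elif choice == 2:                      # data-dependency guided: tx i reads a state
            written = set().union(*[self.deps[n][1] for n, _ in seq[:i]])   # variable no
            needed = self.deps[seq[i][0]][0] - written    # earlier tx wrote, so insert a
            writers = [s for s in self.population if any(self.deps[n][1] & needed for n, _ in s)]
            if writers:                        # known sequence that writes it before tx i
                seq[i:i] = self.rng.choice(writers)
        return seq

    def fuzz(self, rounds=2000):
        # Return a bug-triggering transaction sequence, or None if none was found.
        seeds = [[(n, [self.rng.randrange(2 ** 32) for _ in range(k)])] for n, k in FUNCS.items()]
        for step in range(rounds):             # seed corpus first, then mutants of survivors
            seq = seeds[step] if step < len(seeds) else self.mutate(self.rng.choice(self.population))
            found = self.evaluate(seq)
            if found:
                return found
```

Calling `HybridFuzzer().fuzz()` returns a sequence of the form setOwner(0x1337C0DE), unlock(key < 10), withdraw(): the solver step supplies the magic value and the small key, and the dependency step places the owner-setting and unlocking transactions in front of the call that reads the state they produce. With `solver=False` the same loop returns None, because random mutation of a 32-bit argument does not hit the magic value and the state behind it stays unreachable, which is the gap between shallow and deep bugs the abstract attributes to plain fuzzers.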