Smart contracts are critical financial instruments, and their security is of utmost importance. However, smart contract programs are difficult to fuzz due to the persistent blockchain state behind all transactions. Mutating sequences of transactions are complex and often lead to a suboptimal exploration for both input and program spaces. In this paper, we introduce a novel snapshot-based fuzzer ItyFuzz for testing smart contracts. In ItyFuzz, instead of storing sequences of transactions and mutating from them, we snapshot states and singleton transactions. To explore interesting states, ItyFuzz introduces a dataflow waypoint mechanism to identify states with more potential momentum. ItyFuzz also incorporates comparison waypoints to prune the space of states. By maintaining snapshots of the states, ItyFuzz can synthesize concrete exploits like reentrancy attacks quickly. Because ItyFuzz has second-level response time to test a smart contract, it can be used for on-chain testing, which has many benefits compared to local development testing. Finally, we evaluate ItyFuzz on real-world smart contracts and some hacked on-chain DeFi projects. ItyFuzz outperforms existing fuzzers in terms of instructional coverage and can find and generate realistic exploits for on-chain projects quickly.

翻译：智能合约是关键的金融工具，其安全性至关重要。然而，由于所有交易背后持续存在的区块链状态，智能合约程序难以进行模糊测试。交易序列的变异过程复杂且通常导致输入空间和程序空间探索不充分。本文提出了一种新颖的基于快照的模糊测试工具ItyFuzz，用于测试智能合约。在ItyFuzz中，我们不再存储交易序列并对其进行变异，而是对状态和单例交易进行快照。为了探索有意义的状态，ItyFuzz引入了数据流路径点机制，用于识别具有更大潜在动量的状态。同时，ItyFuzz还结合了比较路径点来剪枝状态空间。通过维护状态的快照，ItyFuzz能够快速合成具体的漏洞利用（如重入攻击）。由于ItyFuzz对智能合约测试具有秒级响应时间，因此可用于链上测试，这相比本地开发测试具有诸多优势。最后，我们在真实世界的智能合约以及一些遭受攻击的链上DeFi项目上评估了ItyFuzz。在指令覆盖率方面，ItyFuzz优于现有模糊测试工具，并能快速发现并生成针对链上项目的真实漏洞利用。