fuzzland / ityfuzz

Blazing Fast Bytecode-Level Hybrid Fuzzer for Smart Contracts
https://docs.ityfuzz.rs
MIT License

feat: add incrementing and decrementing mutator #476

Closed plotchy closed 1 month ago

plotchy commented 1 month ago

Ityfuzz uses these standard mutations from libafl

let mutations = tuple_list!(
    BitFlipMutator::new(),
    ByteInterestingMutator::new(),
    WordInterestingMutator::new(),
    DwordInterestingMutator::new(),
    ConstantHintedMutator::new(),
);

But using a more EVM-specific mutator for incrementing or decrementing inputs directly allows faster finding of control flow.

Take this contract

pragma solidity ^0.8.13;
contract debug {
    function foo(uint256 x) public {
        if (x > 2097151 && x < (uint(4194306) / uint(2)) ) {
            // 2097151     is b   111111111111111111111
            // 4194306     is b 10000000000000000000010
            // 4194306/2   is b  1000000000000000000001
            // solution    is b  1000000000000000000000

            // it's really hard to find the answer by
            // bitflipping the push values of 2097151 and 4194306 (since you need at least two precise bitflips)
            // but it's really easy if you just increment the 2097151 push value

            assert(false);
        }
    }
}

The values of 2097151 and 4194306 and 2 are push values that will be used by ConstantHintedMutator. However, copying inputs to these values directly will fail to get past < and > flows. Since < and > are such common operations on pushed values, I think adding mutators to help pass that is helpful.

The BitFlipMutator after the ConstantHint is the best chance it has to get past the < and >, but it isn't as good as just trying to add or subtract one since the bitflips can be anywhere in the bit space, not just at the end.

IncDecMutator just takes the input and does a wrapping addition or subtraction.

Results

I ran on this example with debug target mode. Without the PR it takes ~12s and 40k executions. With the PR it's basically instant.

WITHOUT

ERROR [Stats #0] run time: 0h-0m-12s, clients: 1, corpus: 3, objectives: 0, executions: 43264, exec/sec: 3.508k
ERROR ============= New Corpus Item =============
ERROR Reverted? true 
 Txn:
[Sender] 0xe1A425f1AC34A8a441566f93c82dD730639c8510
   ├─[1] 0xB2F0DF70137530d491303f09AeD849765e4e9f8C.foo(2097152)
   │  └─ ← 0x4e487b710000000000000000000000000000000000000000000000000000000000000001

WITH

ERROR test/debug2.sol:debug(0xb2f0df70137530d491303f09aed849765e4e9f8c): 60.53% Instruction Covered, 58.33% Branch Covered
ERROR [Stats #0] run time: 0h-0m-0s, clients: 1, corpus: 3, objectives: 0, executions: 5, exec/sec: 0.000
ERROR ============= New Corpus Item =============
ERROR Reverted? true 
 Txn:
[Sender] 0xe1A425f1AC34A8a441566f93c82dD730639c8510
   ├─[1] 0xB2F0DF70137530d491303f09AeD849765e4e9f8C.foo(2097152)
   │  └─ ← 0x4e487b710000000000000000000000000000000000000000000000000000000000000001
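Added example, not ityfuzz or libafl code: a dependency-free sketch of the wrapping +1/-1 mutation on an ABI-encoded uint256 word, compared with single bit flips against the `foo` condition from the contract above. All function names here are my own.

```rust
/// A uint256 as the EVM ABI encodes it: 32 big-endian bytes, so `<`/`>` on
/// the arrays give the same answer as the EVM's LT/GT on the values.
type Word = [u8; 32];

fn word_from_u64(v: u64) -> Word {
    let mut w = [0u8; 32];
    w[24..].copy_from_slice(&v.to_be_bytes());
    w
}

/// Wrapping `word + delta` mod 2^256; the carry walks up from the low byte.
fn wrapping_add_be(word: &Word, delta: u64) -> Word {
    let (mut out, mut carry) = (*word, delta as u128);
    for i in (0..32).rev() {
        if carry == 0 { break; }
        let sum = out[i] as u128 + (carry & 0xff);
        out[i] = sum as u8;
        carry = (carry >> 8) + (sum >> 8);
    }
    out
}

/// Wrapping `word - delta` mod 2^256; 0 - 1 borrows through to 2^256 - 1.
fn wrapping_sub_be(word: &Word, delta: u64) -> Word {
    let (mut out, mut borrow) = (*word, delta as u128);
    for i in (0..32).rev() {
        if borrow == 0 { break; }
        let (cur, sub) = (out[i] as u128, borrow & 0xff);
        if cur >= sub { out[i] = (cur - sub) as u8; borrow >>= 8; }
        else { out[i] = (cur + 256 - sub) as u8; borrow = (borrow >> 8) + 1; }
    }
    out
}

/// The `foo` condition from the PR's contract; only x == 2097152 satisfies it.
fn foo_branch_taken(x: &Word) -> bool {
    *x > word_from_u64(2097151) && *x < word_from_u64(4194306 / 2)
}
/// BitFlipMutator's best case from the hinted constant: every single-bit flip.
fn single_bitflip_reaches(seed: u64) -> bool {
    let w = word_from_u64(seed);
    (0..256usize).any(|bit| {
        let mut m = w;
        m[31 - bit / 8] ^= 1u8 << (bit % 8);
        foo_branch_taken(&m)
    })
}
/// IncDecMutator from the hinted constant: one wrapping +1 or -1 step.
fn incdec_reaches(seed: u64) -> bool {
    let w = word_from_u64(seed);
    foo_branch_taken(&wrapping_add_be(&w, 1)) || foo_branch_taken(&wrapping_sub_be(&w, 1))
}
```

Starting from either hinted constant (2097151 or 4194306/2), one IncDec step lands on 2097152, while no single bit flip of 2097151 does.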

fuzzland-bot commented 1 month ago

Found: 0

Project Name Vulnerability Found Time Taken Log
BIGFI_exp.txt ❌‼️ Crashed -1 Log File
Shadowfi_exp.txt ❌‼️ Crashed -1 Log File
SEAMAN_exp.txt ❌‼️ Crashed -1 Log File
BEGO_exp.txt ❌‼️ Crashed -1 Log File
cftoken_exp.txt ❌‼️ Crashed -1 Log File
Carrot_exp.txt ❌‼️ Crashed -1 Log File
MBC_ZZSH_exp.txt ❌‼️ Crashed -1 Log File
AUR_exp.txt ❌‼️ Crashed -1 Log File
SellToken_exp.txt ❌‼️ Crashed -1 Log File
ROI_exp.txt ❌‼️ Crashed -1 Log File
GPT_exp.txt ❌‼️ Crashed -1 Log File
OLIFE_exp.txt ❌‼️ Crashed -1 Log File
THB_exp.txt ❌‼️ Crashed -1 Log File
VerilogCTF.txt ❌‼️ Crashed -1 Log File
CS_exp.txt ❌‼️ Crashed -1 Log File
MintoFinance_exp.txt ❌‼️ Crashed -1 Log File
Novo_exp.txt ❌‼️ Crashed -1 Log File
SELLC03_exp.txt ❌‼️ Crashed -1 Log File
Yyds_exp.txt ❌‼️ Crashed -1 Log File
DYNA_exp.txt ❌‼️ Crashed -1 Log File
EAC_exp.txt ❌‼️ Crashed -1 Log File
Annex_exp.txt ❌‼️ Crashed -1 Log File
PLTD_exp.txt ❌‼️ Crashed -1 Log File
ApeDAO_exp.txt ❌‼️ Crashed -1 Log File
GSS_exp.txt ❌‼️ Crashed -1 Log File
Axioma_exp.txt ❌‼️ Crashed -1 Log File
RFB_exp.txt ❌‼️ Crashed -1 Log File
HEALTH_exp.txt ❌‼️ Crashed -1 Log File
fuzzland-bot commented 1 month ago

Found: 19

Project Name Vulnerability Found Time Taken Log
BIGFI_exp.txt ✅ Price Manipulation 0h-1m-26s Log File
Shadowfi_exp.txt ✅ Price Manipulation 0h-3m-5s Log File
SEAMAN_exp.txt ✅ Fund Loss 0h-2m-11s Log File
BEGO_exp.txt ✅ Fund Loss 0h-0m-22s Log File
cftoken_exp.txt ✅ Price Manipulation 0h-0m-25s Log File
Carrot_exp.txt -1 Log File
MBC_ZZSH_exp.txt ✅ Fund Loss 0h-2m-45s Log File
AUR_exp.txt -1 Log File
SellToken_exp.txt ✅ Fund Loss 0h-0m-30s Log File
ROI_exp.txt ✅ Fund Loss 0h-0m-33s Log File
GPT_exp.txt -1 Log File
OLIFE_exp.txt -1 Log File
THB_exp.txt -1 Log File
VerilogCTF.txt ❌‼️ Crashed -1 Log File
CS_exp.txt ✅ Price Manipulation 0h-0m-21s Log File
MintoFinance_exp.txt ✅ Fund Loss 0h-0m-56s Log File
Novo_exp.txt ✅ Price Manipulation 0h-2m-30s Log File
SELLC03_exp.txt ✅ Fund Loss 0h-1m-27s Log File
Yyds_exp.txt ✅ Fund Loss 0h-1m-15s Log File
DYNA_exp.txt -1 Log File
EAC_exp.txt -1 Log File
Annex_exp.txt -1 Log File
PLTD_exp.txt ✅ Price Manipulation 0h-0m-45s Log File
ApeDAO_exp.txt ✅ Price Manipulation 0h-0m-46s Log File
GSS_exp.txt ✅ Fund Loss 0h-1m-4s Log File
Axioma_exp.txt ✅ Fund Loss 0h-0m-52s Log File
RFB_exp.txt ✅ Fund Loss 0h-2m-18s Log File
HEALTH_exp.txt ✅ Price Manipulation 0h-0m-16s Log File