ityfuzz
feat: add incrementing and decrementing mutator
Ityfuzz uses these standard mutations from libafl:

```rust
let mutations = tuple_list!(
    BitFlipMutator::new(),          // flip a single bit anywhere in the input
    ByteInterestingMutator::new(),  // overwrite a byte with an "interesting" value
    WordInterestingMutator::new(),  // same for 16-bit words
    DwordInterestingMutator::new(), // same for 32-bit dwords
    ConstantHintedMutator::new(),   // copy constants PUSHed by the target into the input
);
```
But using a more EVM-specific mutator that increments or decrements inputs directly allows control flow to be found faster.

Take this contract:
```solidity
pragma solidity ^0.8.13;

contract debug {
    function foo(uint256 x) public {
        if (x > 2097151 && x < (uint(4194306) / uint(2))) {
            // 2097151 is 0b111111111111111111111
            // 4194306 is 0b10000000000000000000010
            // 4194306/2 is 0b1000000000000000000001
            // solution is 0b1000000000000000000000
            // it's really hard to find the answer by
            // bitflipping the push values of 2097151 and 4194306 (since you need at least two precise bitflips)
            // but it's really easy if you just increment the 2097151 push value
            assert(false);
        }
    }
}
```
The values 2097151, 4194306 and 2 are push values that will be used by ConstantHintedMutator. However, copying inputs to these values directly will fail to get past the `<` and `>` flows. Since `<` and `>` are such common operations on pushed values, I think adding mutators to help pass them is helpful.

The BitFlipMutator after the ConstantHint is the best chance it has to get past the `<` and `>`, but it isn't as good as just trying to add or subtract one, since the bitflips can be anywhere in the bit space, not just at the end.

IncDecMutator just takes the input and does a wrapping addition or subtraction.
Results

I ran this example in debug target mode. Without the PR it takes ~12s and 40k executions. With the PR it's basically instant.
WITHOUT

```text
ERROR [Stats #0] run time: 0h-0m-12s, clients: 1, corpus: 3, objectives: 0, executions: 43264, exec/sec: 3.508k
ERROR ============= New Corpus Item =============
ERROR Reverted? true
Txn:
[Sender] 0xe1A425f1AC34A8a441566f93c82dD730639c8510
├─[1] 0xB2F0DF70137530d491303f09AeD849765e4e9f8C.foo(2097152)
│ └─ ← 0x4e487b710000000000000000000000000000000000000000000000000000000000000001
```
WITH

```text
ERROR test/debug2.sol:debug(0xb2f0df70137530d491303f09aed849765e4e9f8c): 60.53% Instruction Covered, 58.33% Branch Covered
ERROR [Stats #0] run time: 0h-0m-0s, clients: 1, corpus: 3, objectives: 0, executions: 5, exec/sec: 0.000
ERROR ============= New Corpus Item =============
ERROR Reverted? true
Txn:
[Sender] 0xe1A425f1AC34A8a441566f93c82dD730639c8510
├─[1] 0xB2F0DF70137530d491303f09AeD849765e4e9f8C.foo(2097152)
│ └─ ← 0x4e487b710000000000000000000000000000000000000000000000000000000000000001
```
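The following is an added example, not code from ityfuzz or from this PR. It models the argument above in isolation: a calldata argument is treated as a 256-bit big-endian EVM word, `wrapping_inc`/`wrapping_dec` are a minimal stand-in for what the description says IncDecMutator does (a wrapping ±1 on the input), `flip_bit` is the single-bit move BitFlipMutator makes, and `foo_guard` is the comparison from `debug.foo`. The hinted constants, the `Word` type and the helper names are assumptions for the illustration; the real ityfuzz mutator, scheduler and input layout are not on this page. Running it shows that one increment of the hinted 2097151 satisfies the guard while no single bit flip of any hinted constant does, which is why the fuzzer needed tens of thousands of executions without the new mutator.

```rust
// Added example (not ityfuzz's code): wrapping +-1 on an EVM word versus single bit flips,
// checked against the `x > 2097151 && x < 4194306 / 2` guard of the example contract.

/// A 256-bit EVM word, big-endian, as it sits in ABI-encoded calldata (assumed layout).
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub struct Word(pub [u8; 32]);

impl Word {
    pub fn from_u64(v: u64) -> Self {
        let mut b = [0u8; 32];
        b[24..].copy_from_slice(&v.to_be_bytes());
        Word(b)
    }

    /// Low 64 bits; enough for the constants in the example contract.
    pub fn low_u64(&self) -> u64 {
        let mut b = [0u8; 8];
        b.copy_from_slice(&self.0[24..]);
        u64::from_be_bytes(b)
    }

    /// Wrapping add of one over all 256 bits: the carry ripples up from the
    /// least-significant byte, and 2^256 - 1 wraps to 0 like ADD in the EVM.
    pub fn wrapping_inc(&self) -> Self {
        let mut out = self.0;
        for byte in out.iter_mut().rev() {
            let (v, carry) = byte.overflowing_add(1);
            *byte = v;
            if !carry {
                break;
            }
        }
        Word(out)
    }

    /// Wrapping subtract of one: 0 wraps to 2^256 - 1.
    pub fn wrapping_dec(&self) -> Self {
        let mut out = self.0;
        for byte in out.iter_mut().rev() {
            let (v, borrow) = byte.overflowing_sub(1);
            *byte = v;
            if !borrow {
                break;
            }
        }
        Word(out)
    }

    /// Flip one bit (0 = least-significant), the kind of move BitFlipMutator makes.
    pub fn flip_bit(&self, bit: usize) -> Self {
        let mut out = self.0;
        out[31 - bit / 8] ^= 1 << (bit % 8);
        Word(out)
    }
}

/// The guard from `debug.foo`: x > 2097151 && x < 4194306 / 2.
pub fn foo_guard(x: &Word) -> bool {
    // Anything with a non-zero byte above the low 8 bytes is >= 2^64 and fails the upper bound.
    let high_zero = x.0[..24].iter().all(|&b| b == 0);
    let v = x.low_u64();
    high_zero && v > 2097151 && v < 4194306 / 2
}

/// Apply the IncDec strategy to each hinted constant (one +1 and one -1 step)
/// and return every value that reaches the guarded branch.
pub fn incdec_hits(hints: &[u64]) -> Vec<u64> {
    let mut hits = Vec::new();
    for &h in hints {
        let w = Word::from_u64(h);
        for cand in [w.wrapping_inc(), w.wrapping_dec()].iter() {
            if foo_guard(cand) {
                hits.push(cand.low_u64());
            }
        }
    }
    hits
}

/// Count how many single bit flips of any hinted constant reach the guarded branch.
pub fn single_bitflip_hits(hints: &[u64]) -> usize {
    hints
        .iter()
        .map(|&h| Word::from_u64(h))
        .flat_map(|w| (0..256).map(move |b| w.flip_bit(b)))
        .filter(foo_guard)
        .count()
}

fn main() {
    // Constructed input: the three PUSH constants ConstantHintedMutator would copy in.
    let hints = [2097151u64, 4194306, 2];
    println!("inc/dec hits: {:?}", incdec_hits(&hints));
    println!("single bit-flip hits: {}", single_bitflip_hits(&hints));
}
```

The two counts are the whole story of the PR's example: reaching 2097152 by bit flips alone needs two precise flips on 2097151 (clear bit 0, set bit 21), so every one-flip neighbour of every hint misses, while the ±1 step lands on it from the first hint.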
Found: 0
| Project Name | Vulnerability Found | Time Taken | Log |
|---|---|---|---|
| BIGFI_exp.txt | ❌‼️ Crashed | -1 | Log File |
| Shadowfi_exp.txt | ❌‼️ Crashed | -1 | Log File |
| SEAMAN_exp.txt | ❌‼️ Crashed | -1 | Log File |
| BEGO_exp.txt | ❌‼️ Crashed | -1 | Log File |
| cftoken_exp.txt | ❌‼️ Crashed | -1 | Log File |
| Carrot_exp.txt | ❌‼️ Crashed | -1 | Log File |
| MBC_ZZSH_exp.txt | ❌‼️ Crashed | -1 | Log File |
| AUR_exp.txt | ❌‼️ Crashed | -1 | Log File |
| SellToken_exp.txt | ❌‼️ Crashed | -1 | Log File |
| ROI_exp.txt | ❌‼️ Crashed | -1 | Log File |
| GPT_exp.txt | ❌‼️ Crashed | -1 | Log File |
| OLIFE_exp.txt | ❌‼️ Crashed | -1 | Log File |
| THB_exp.txt | ❌‼️ Crashed | -1 | Log File |
| VerilogCTF.txt | ❌‼️ Crashed | -1 | Log File |
| CS_exp.txt | ❌‼️ Crashed | -1 | Log File |
| MintoFinance_exp.txt | ❌‼️ Crashed | -1 | Log File |
| Novo_exp.txt | ❌‼️ Crashed | -1 | Log File |
| SELLC03_exp.txt | ❌‼️ Crashed | -1 | Log File |
| Yyds_exp.txt | ❌‼️ Crashed | -1 | Log File |
| DYNA_exp.txt | ❌‼️ Crashed | -1 | Log File |
| EAC_exp.txt | ❌‼️ Crashed | -1 | Log File |
| Annex_exp.txt | ❌‼️ Crashed | -1 | Log File |
| PLTD_exp.txt | ❌‼️ Crashed | -1 | Log File |
| ApeDAO_exp.txt | ❌‼️ Crashed | -1 | Log File |
| GSS_exp.txt | ❌‼️ Crashed | -1 | Log File |
| Axioma_exp.txt | ❌‼️ Crashed | -1 | Log File |
| RFB_exp.txt | ❌‼️ Crashed | -1 | Log File |
| HEALTH_exp.txt | ❌‼️ Crashed | -1 | Log File |
Found: 19
| Project Name | Vulnerability Found | Time Taken | Log |
|---|---|---|---|
| BIGFI_exp.txt | ✅ Price Manipulation | 0h-1m-26s | Log File |
| Shadowfi_exp.txt | ✅ Price Manipulation | 0h-3m-5s | Log File |
| SEAMAN_exp.txt | ✅ Fund Loss | 0h-2m-11s | Log File |
| BEGO_exp.txt | ✅ Fund Loss | 0h-0m-22s | Log File |
| cftoken_exp.txt | ✅ Price Manipulation | 0h-0m-25s | Log File |
| Carrot_exp.txt | ❌ | -1 | Log File |
| MBC_ZZSH_exp.txt | ✅ Fund Loss | 0h-2m-45s | Log File |
| AUR_exp.txt | ❌ | -1 | Log File |
| SellToken_exp.txt | ✅ Fund Loss | 0h-0m-30s | Log File |
| ROI_exp.txt | ✅ Fund Loss | 0h-0m-33s | Log File |
| GPT_exp.txt | ❌ | -1 | Log File |
| OLIFE_exp.txt | ❌ | -1 | Log File |
| THB_exp.txt | ❌ | -1 | Log File |
| VerilogCTF.txt | ❌‼️ Crashed | -1 | Log File |
| CS_exp.txt | ✅ Price Manipulation | 0h-0m-21s | Log File |
| MintoFinance_exp.txt | ✅ Fund Loss | 0h-0m-56s | Log File |
| Novo_exp.txt | ✅ Price Manipulation | 0h-2m-30s | Log File |
| SELLC03_exp.txt | ✅ Fund Loss | 0h-1m-27s | Log File |
| Yyds_exp.txt | ✅ Fund Loss | 0h-1m-15s | Log File |
| DYNA_exp.txt | ❌ | -1 | Log File |
| EAC_exp.txt | ❌ | -1 | Log File |
| Annex_exp.txt | ❌ | -1 | Log File |
| PLTD_exp.txt | ✅ Price Manipulation | 0h-0m-45s | Log File |
| ApeDAO_exp.txt | ✅ Price Manipulation | 0h-0m-46s | Log File |
| GSS_exp.txt | ✅ Fund Loss | 0h-1m-4s | Log File |
| Axioma_exp.txt | ✅ Fund Loss | 0h-0m-52s | Log File |
| RFB_exp.txt | ✅ Fund Loss | 0h-2m-18s | Log File |
| HEALTH_exp.txt | ✅ Price Manipulation | 0h-0m-16s | Log File |