<div>
<div>
<p>Smart contracts are Turing-complete programs that
are executed across a blockchain. Unlike traditional programs,
once deployed, they cannot be modified. As smart contracts carry
more value, they become a more attractive target for attackers.
Over the past few years, they have suffered exploits costing millions
of dollars due to simple programming mistakes. As a result, a
variety of tools for detecting bugs have been proposed. Most
of these tools rely on symbolic execution, which may yield false
positives due to over-approximation. Recently, many fuzzers have
been proposed to detect bugs in smart contracts. However, these
tend to be more effective at finding shallow bugs and less effective
at finding bugs that lie deep in the execution, which results in
low code coverage and many false negatives. An alternative that
has proven to achieve good results on traditional programs is
hybrid fuzzing, a combination of symbolic execution and fuzzing. In this work, we study hybrid fuzzing on smart contracts
and present ConFuzzius, the first hybrid fuzzer for smart
contracts. ConFuzzius uses evolutionary fuzzing to exercise
shallow parts of a smart contract and constraint solving to
generate inputs that satisfy complex conditions that prevent
evolutionary fuzzing from exploring deeper parts. Moreover, ConFuzzius leverages dynamic data dependency analysis to
efficiently generate sequences of transactions that are more likely
to result in contract states in which bugs may be hidden. We
evaluate the effectiveness of ConFuzzius by comparing it with
state-of-the-art symbolic execution tools and fuzzers for smart
contracts. Our evaluation on a curated dataset of 128 contracts
and a dataset of 21K real-world contracts shows that our hybrid
approach detects more bugs than state-of-the-art tools (up to
23%) and that it outperforms existing tools in terms of code
coverage (up to 69%). We also demonstrate that data dependency
analysis can boost bug detection by up to 18%.</p>
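<p>The following is an added toy illustration of the two ideas in the abstract, not code from the ConFuzzius project: a constructed two-function "contract" whose deep path sits behind an equality check on a state slot, random bit-flip mutation that fails to reach it, a solver step fed from the recorded comparison (standing in for the SMT solver a real hybrid fuzzer would call), and write-before-read ordering of transactions derived from each function's read/write sets, which is what the data dependency analysis provides. All names, the constant <code>MAGIC</code> and the access sets are assumptions made for the example.</p>

```python
import random

MAGIC = 0x1337BEEF  # constructed constant guarding the "deep" path

class ToyContract:
    """Constructed stand-in for a contract: set_code writes a state slot, withdraw reads it."""
    def __init__(self):
        self.code = 0
        self.trace = []           # comparisons observed while executing: (actual, expected)

    def set_code(self, x):        # writes slot "code"
        self.code = x & 0xFFFFFFFF

    def withdraw(self):           # reads slot "code"; "BUG" marks the constructed deep bug
        self.trace.append((self.code, MAGIC))
        return "BUG" if self.code == MAGIC else "OK"

# Read/write sets a dynamic data dependency analysis would record per function.
ACCESS = {"set_code": (set(), {"code"}), "withdraw": ({"code"}, set())}

def order_by_dependency(calls):
    """Greedy write-before-read ordering: emit a call once every slot it reads has a writer."""
    written, out, pending = set(), [], list(calls)
    while pending:
        ready = [c for c in pending if ACCESS[c][0] <= written] or [pending[0]]
        out.append(ready[0]); pending.remove(ready[0]); written |= ACCESS[ready[0]][1]
    return out

def run_sequence(seq, arg):
    """Execute one transaction sequence on a fresh contract; return last result and trace."""
    c, result = ToyContract(), None
    for name in seq:
        result = c.set_code(arg) if name == "set_code" else c.withdraw()
    return result, c.trace

def mutate(x):
    """Evolutionary step: flip one random bit of the 32-bit argument."""
    return x ^ (1 << random.randrange(32))

def solve(trace):
    """Constraint-solving step for an equality comparison that the last run failed."""
    return next((exp for act, exp in trace if act != exp), None)

def hybrid_fuzz(seed=0, budget=200):
    """Fuzz first; when the budget is spent without reaching the bug, solve the recorded constraint."""
    random.seed(seed)
    seq, arg, trace = order_by_dependency(["withdraw", "set_code"]), 1, []
    for i in range(budget):
        arg = mutate(arg)
        result, trace = run_sequence(seq, arg)
        if result == "BUG":
            return "fuzzing", i + 1
    result, _ = run_sequence(seq, solve(trace))  # random search stalled: hand it to the solver
    return ("solver" if result == "BUG" else "none"), budget + 1
```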
</div>
</div>