The Ethereum Smart Contract Fuzzer for Security Vulnerability Detection
released under GPL v3 license.
Any questions with the tool, please contact Dr. Bo Jiang. [email protected]
We have manually verified a benchmark of vulnerable smart contracts detected by ContractFuzzer. Their source and bins are located at https://github.com/gongbell/ContractFuzzer/blob/master/examples
Please tell us if there is any false postives.
A container with the dependencies set up can be found here.(password:l2ww)
To open the container, install docker and run:
docker load<contractfuzzer.tar
docker run -i -t contractfuzzer/contractfuzzer:latest
To evaluate the example contracts inside the container, run:
cd /ContractFuzzer && ./run.sh --contracts_dir ./examples/exception_disorder
and finally you will see results records file in directory /ContractFuzzer/examples/exception_dirorder/list/reporter/!
docker build -t ContractFuzzer .
docker run -it -e "ContractFuzzer=/contractFuzzer/ContractFuzzer" ContractFuzzer:latest
- The contract's abi definition file provided.
- The contract's bin file provided
- The contract has been deployed to the Private Chain
How to deploy a contract to Private Chain can be found here.
Note that the deployment of the contract can be within the docker or on your local machine,as long as you have prepared the config, bin, and abi files. Within your local machine, after starting the geth client, you can run the ./deployer_run.sh shell script to deploy your smart contract.
After deploying the smart contracts within the private chain, you also need to prepre the directory for the smart contracts.
The tested contract's directory tree (i.e., /yourTested_contract used in the command) would be like below, similiar to that of the example contracts we provided.
tested_contract
verified_contract_abis
verified_contract_bins
verified_contract_abi_sig (function signature from contract's abi)
verified_contract_bin_sig (function signature pairs from contract's bin)
fuzzer
config
IntSeeds.json
UintSeeds.json
....
contracts.list
addr_map.csv
reporter
bug
- The names of contracts to test must be written into contracts.list
- The mapping of contract's name and address on chain must be written into addr_map.csv
docker run -it -v /YourGethEthereumPrivateChain:/Ethereum -v /yourTested_contract:/ContractFuzzer/tested_contract -e "ContractFuzzer=/contractFuzzer/ContractFuzzer" ContractFuzzer:latest
Note the /YourGethEthereumPrivateChain is the path of your Ethereum private chain on which you have deployed the smart contracts to test.
Now step into the container,run
cd /ContractFuzzer && ./run.sh --contracts_dir ./tested_contract
And finally you could see results records file in directory '/YourTested_contract/list/reporter/' in host file systems rather than container!
The accompanying paper explaining the fuzzer can be found here or here.
A collection of the utilities that were developed for the paper are in tools. Which are useful in some extents. Use them for your convenience.
get_function_signature_pair_from_bin.py- Contains a number of functions to get signature pair from contracts' bin.get_function_signature_from_abi.py- Contains a number of functions to get signature pair from contracts' bin.download_verified_contract_from_etherscanContains a number of functions to retrieve verified contract source(abi,bin,constructor param) from EtherScan
Some details about the repository structure as following.
Ethereumis the base private chain that we deployed the public contracts and our agent contracts. Do not to crash it. And please deploy your contract upon it;contract_deployeris the tool to deploy contract easily for us.contract_fuzzeris one part of ContractFuzzer, which generates contract call messages based on contract's ABI definition;contract_testeris one part of ContractFuzzer, which sends the contract call messages to our instrumented Geth client.go-ethereum-cfis one part of ContractFuzzer, which instrumented the evm of Go-etheruem. And most codes added could be found under relative directorycore/vmexampleshere provides some cases for us to make sense of the tool quickly.basehere provides some fundamental dockerfiles.golang, nodejs and their integreted enviroment.
Checkout out our contribution guide