Smart contracts are critical financial instruments, and their security is of
utmost importance. However, smart contract programs are difficult to fuzz due
to the persistent blockchain state behind all transactions. Mutating sequences
of transactions are complex and often lead to a suboptimal exploration for both
input and program spaces. In this paper, we introduce a novel snapshot-based
fuzzer ItyFuzz for testing smart contracts. In ItyFuzz, instead of storing
sequences of transactions and mutating from them, we snapshot states and
singleton transactions. To explore interesting states, ItyFuzz introduces a
dataflow waypoint mechanism to identify states with more potential momentum.
ItyFuzz also incorporates comparison waypoints to prune the space of states. By
maintaining snapshots of the states, ItyFuzz can synthesize concrete exploits
like reentrancy attacks quickly. Because ItyFuzz has second-level response time
to test a smart contract, it can be used for on-chain testing, which has many
benefits compared to local development testing. Finally, we evaluate ItyFuzz on
real-world smart contracts and some hacked on-chain DeFi projects. ItyFuzz
outperforms existing fuzzers in terms of instructional coverage and can find
and generate realistic exploits for on-chain projects quickly.Comment: ISSTA 202