TY - JOUR
AU - Medeiros, Ismael
AU - Carvalho, Fausto
AU - Ferreira, Alexandre
AU - Bonifácio, Rodrigo
AU - Fernandes, Fabiano Cavalcanti
PY - 2024
TI - DogeFuzz: A Simple Yet Efficient Grey-box Fuzzer for Ethereum Smart Contracts
JF - Anais do Simpósio Brasileiro de Segurança da Informação e de Sistemas Computacionais (SBSeg); 2024: Anais do XXIV Simpósio Brasileiro de Segurança da Informação e de Sistemas Computacionais
DO - 10.5753/sbseg.2024.241431
N2 - Ethereum is a distributed, peer-to-peer blockchain infrastructure that has attracted billions of dollars. Perhaps due to its success, Ethereum has become a target for various kinds of attacks, motivating researchers to explore different techniques to identify vulnerabilities in EVM bytecode (the language of the Ethereum Virtual Machine)—including formal verification, symbolic execution, and fuzz testing. Although recent studies empirically compare smart contract fuzzers, there is a lack of literature investigating how simpler grey-box fuzzers compare to more advanced ones. To fill this gap, in this paper, we present DogeFuzz, an extensible infrastructure for fuzzing Ethereum smart contracts, currently supporting black-box fuzzing and two grey-box fuzzing strategies: coverage-guided grey-box fuzzing (DogeFuzz-G) and directed grey-box fuzzing (DogeFuzz-DG). We conduct a series of experiments using benchmarks already available in the literature and compare the DogeFuzz strategies with state-of-the-art fuzzers for smart contracts. Surprisingly, although DogeFuzz does not leverage advanced techniques for improving input generation (such as symbolic execution or machine learning), DogeFuzz outperforms sFuzz and ILF, two state-of-the-art fuzzers. Nonetheless, the Smartian fuzzer shows higher code coverage and bug-finding capabilities than DogeFuzz.
UR - https://sol.sbc.org.br/index.php/sbseg/article/view/30033