Rob Behnke
September 10th, 2021
Fuzzing, or fuzz testing, is a type of vulnerability testing designed to detect poor input validation within an application. By sending an application incorrect or malformed data, fuzzing helps to identify cases where an application makes incorrect assumptions about the data provided by users.
Many applications are designed to accept and process data from untrusted users. This could be as simple as asking for a name or email address to something more complex like performing a transaction on the blockchain.
Often, these applications make certain assumptions about the data that is provided to them. For example, names are typically assumed to be composed of letters (potentially across multiple languages) and to have a certain maximum length.
While legitimate users of an application may “follow the rules” when entering input, this is not necessarily true of potential attackers or users that make a mistake. If an application makes assumptions about user-provided data without checking that user-provided data meets these assumptions, then bad input could break the application or undermine its security.
User input could break an application in a variety of ways. An application may expect numeric input and break if a user provides letters or special characters. An application with a buffer overflow vulnerability could behave unexpectedly if the user’s input is longer than the length it was written to handle.
Fuzzing involves sending malformed user input to an application and monitoring its responses. The fuzzed input should cover the full range of ways in which user input could be malformed, such as unexpected character sets, excessive length, and so on.
When performing fuzzing, the fuzz tester monitors the application for anything unusual, such as crashes or the execution of unusual code paths. Such deviations are potential signs of a vulnerability within the application. Fuzzing provides a means of detecting these vulnerabilities with little or no prior information about an application; if one is detected, further analysis can then determine the exact nature of the potential vulnerability and its impact on the application’s performance and security.
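The loop described above, as an added illustration that is not part of the original post: a small mutation-based fuzzer in Python run against a constructed target that makes exactly the unchecked assumptions the post uses as its example (names are ASCII letters of bounded length). The target, the mutation strategies and all names are hypothetical.

```python
import random
import string

MAX_NAME_LEN = 32  # the target's unchecked assumption (constructed example)

def register_name(name: str) -> str:
    """Constructed target under test: copies a name into a fixed-size table,
    assuming it is ASCII letters only and at most MAX_NAME_LEN characters.
    Neither assumption is checked, so malformed input crashes it."""
    slots = [0] * MAX_NAME_LEN
    for i, byte in enumerate(name.encode("ascii")):  # non-ASCII -> UnicodeEncodeError
        slots[i] = byte                               # too long  -> IndexError
    return bytes(b for b in slots if b).decode("ascii")

def mutate(seed: str, rng: random.Random) -> str:
    """One random mutation: vary length, character set, or inject special characters."""
    strategy = rng.choice(["lengthen", "non_ascii", "special", "digits", "empty"])
    if strategy == "lengthen":
        return seed * rng.randint(2, 12)
    if strategy == "non_ascii":
        pos = rng.randrange(len(seed) + 1)
        return seed[:pos] + rng.choice("éßλ漢") + seed[pos:]
    if strategy == "special":
        return seed + "".join(rng.choice(string.punctuation) for _ in range(3))
    if strategy == "digits":
        return "".join(rng.choice(string.digits) for _ in range(len(seed)))
    return ""

def fuzz(target, seeds, iterations=500, rng_seed=1):
    """Send mutated inputs to `target` and record each distinct crash
    (exception type) with the first input that triggered it, the way a
    fuzzer's crash triage would. Returns {exception_name: example_input}."""
    rng = random.Random(rng_seed)  # fixed seed so a run is reproducible
    crashes = {}
    for _ in range(iterations):
        candidate = mutate(rng.choice(seeds), rng)
        try:
            target(candidate)
        except Exception as exc:  # any crash is a finding for later analysis
            crashes.setdefault(type(exc).__name__, candidate)
    return crashes

if __name__ == "__main__":
    for kind, example in fuzz(register_name, ["alice", "Bob"]).items():
        print(f"{kind}: {example!r}")
```

Each recorded crash is only a lead: the follow-up analysis the post describes is what turns the over-long and non-ASCII findings into a confirmed length or character-set validation bug.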
Fuzz testing can be applied to any application that accepts user input. In the blockchain ecosystem, this means the software that implements the blockchain (wallets, nodes, etc.) and the smart contracts that run on top of blockchain platforms.
The use of fuzzing is prevalent in the blockchain space, and tools exist specifically for fuzzing blockchain smart contracts. For example, Echidna is a fuzzer released by Trail of Bits for testing Ethereum smart contracts for vulnerabilities. FuzzyVM is a guided fuzzing framework for the Ethereum Virtual Machine (EVM) that has identified multiple consensus issues on the Ethereum mainnet.
Fuzzing is a faster and cheaper method for detecting some types of vulnerabilities than exhaustive, line-by-line analysis of application code. In the blockchain space – and especially in DeFi – many projects are relatively immature, and hacks exploiting unpatched vulnerabilities are common. Using fuzz testing during security audits to identify and correct these issues before an attacker exploits them helps to reduce the risk of blockchain hacks and their costs to DeFi users.