### ItyFuzz Offchain EVM Fuzzing Example (Single Contract) Source: https://docs.ityfuzz.rs/quickstart Simple example command for running an offchain fuzzing campaign on a compiled single EVM contract. It targets all build artifacts within the current directory's 'build' subdirectory, demonstrating the minimal setup required for local fuzzing. ItyFuzz automatically detects and deploys contracts found in the specified path. ```Shell ityfuzz evm -t './build/*' ``` -------------------------------- ### ItyFuzz Onchain EVM Fuzzing Example (WETH) Source: https://docs.ityfuzz.rs/quickstart Example command demonstrating an onchain fuzzing campaign targeting the WETH contract on the Ethereum mainnet (0xc02aaa39b223fe8d0a0e5c4f27ead9083c756cc2). It forks the chain at block 0, specifies the ETH chain type, and includes an optional flashloan flag (-f) to allow attack scenarios involving flashloans. This showcases a practical application of ItyFuzz's onchain capabilities. ```Shell # -t [TARGET_ADDR]: specify the target contract # --onchain-block-number [BLOCK]: fork the chain at block number [BLOCK] # -c [CHAIN_TYPE]: specify the chain # -f: (Optional) allow attack to get flashloan ityfuzz evm\ -t 0xc02aaa39b223fe8d0a0e5c4f27ead9083c756cc2\ --onchain-block-number 0\ -c ETH\ --onchain-etherscan-api-key [Etherscan API Key]\ -f ``` -------------------------------- ### Install ItyFuzz using ityfuzzup script Source: https://docs.ityfuzz.rs/installation-and-building The recommended method to install ItyFuzz and its dependencies automatically. This script streamlines the setup process and can be re-run to update ItyFuzz to the latest version. ```Shell curl -L https://ity.fuzz.land/ | bash ityfuzzup ``` -------------------------------- ### ItyFuzz Offchain MoveVM Fuzzing (Build and Run) Source: https://docs.ityfuzz.rs/quickstart Sequence of commands to first build a Move contract using `sui move build` and then run an offchain fuzzing campaign with ItyFuzz on the compiled MoveVM contract. This workflow demonstrates how to prepare Move projects for fuzzing and initiate the ItyFuzz process on the built artifacts. It highlights the integration of ItyFuzz with the Move development ecosystem. ```Shell # build example contract that contains a bug cd ./tests/move/share_object sui move build # get back to ItyFuzz and run fuzzing on the built contract cd ../../../ ityfuzz move -t "./tests/move/share_object/build" ``` -------------------------------- ### ItyFuzz Offchain EVM Fuzzing Command (Generic) Source: https://docs.ityfuzz.rs/quickstart Command line interface for running a local (offchain) fuzzing campaign with ItyFuzz for EVM smart contracts. It targets a build directory containing contract bytecode and ABIs, allowing ItyFuzz to deploy and fuzz artifacts locally without a live chain. Optional flags such as `--concolic` and `--concolic-caller` enable advanced concolic execution features for deeper vulnerability discovery. ```Shell # -t [BUILD DIRECTORY GLOB]: specify the targets directory # -f: (Optional) allow attack to get flashloan # --concolic: (Optional) enable concolic execution # --concolic-caller: (Optional) enable concolic execution to change caller to anyone ityfuzz evm\ -t "[BUILD DIRECTORY GLOB]"\ -f\ --concolic --concolic-caller ``` -------------------------------- ### ItyFuzz Onchain EVM Fuzzing Command (Generic) Source: https://docs.ityfuzz.rs/quickstart Command line interface for running an onchain fuzzing campaign with ItyFuzz for EVM smart contracts. It requires specifying the target contract address, the block number for forking the chain, and the chain type. An optional Etherscan API key can be provided for ABI and slot retrieval, enhancing the fuzzer's ability to interact with unknown contracts. ```Shell # -t [TARGET_ADDR]: specify the target contract # --onchain-block-number [BLOCK]: fork the chain at block number [BLOCK] # -c [CHAIN_TYPE]: specify the chain ityfuzz evm\ -t [TARGET_ADDR]\ --onchain-block-number [BLOCK]\ -c [CHAIN_TYPE]\ --onchain-etherscan-api-key [Etherscan API Key] # (Optional) specify your etherscan api key ``` -------------------------------- ### Install Server Dependencies for ItyFuzz Constructor Forwarding Source: https://docs.ityfuzz.rs/docs-evm-contract Instructions to navigate to the `/server` directory and install necessary Node.js packages using `npm`. ```bash cd /server npm install ``` -------------------------------- ### ItyFuzz Server: Install Dependencies Source: https://docs.ityfuzz.rs/docs-evm-contract/constructor-for-offchain-fuzzing Navigates to the `/server` directory and installs necessary Node.js packages using `npm` for the ItyFuzz server component. ```bash cd /server npm install ``` -------------------------------- ### Start ItyFuzz Constructor Forwarding Server (Default RPC) Source: https://docs.ityfuzz.rs/docs-evm-contract Command to start the ItyFuzz server, which by default forwards requests to `http://localhost:8545` (Ganache default). ```bash node app.js ``` -------------------------------- ### Install ItyFuzz system dependencies Source: https://docs.ityfuzz.rs/installation-and-building Install required system libraries such as OpenSSL, Z3, pkg-config, cmake, build-essential, and clang, which are necessary for compiling ItyFuzz from source. Specific commands are provided for both Ubuntu and macOS operating systems. ```Shell # Ubuntu: sudo apt install libssl-dev libz3-dev pkg-config cmake build-essential clang # macOS: brew install openssl z3 ``` -------------------------------- ### Start ItyFuzz Constructor Forwarding Server (Custom RPC) Source: https://docs.ityfuzz.rs/docs-evm-contract Command to start the ItyFuzz server, specifying a custom RPC address for forwarding requests. ```bash node app.js http://localhost:8546 ``` -------------------------------- ### Build ItyFuzz with debug features for development Source: https://docs.ityfuzz.rs/installation-and-building Create a debug build of ItyFuzz, which is slower but includes additional features like `flashloan_v2`, `debug`, and `flashloan_debug`. These features enable more detailed logs and assertions, useful for ItyFuzz development and debugging. ```Shell cargo build --features flashloan_v2,debug,flashloan_debug ``` -------------------------------- ### Build ItyFuzz from source for onchain fuzzing Source: https://docs.ityfuzz.rs/installation-and-building Compile ItyFuzz with the `flashloan_v2` feature enabled to support onchain fuzzing capabilities. This build allows ItyFuzz to interact with and fuzz smart contracts directly on a blockchain. ```Shell cargo build --release --features flashloan_v2 ``` -------------------------------- ### Deploy Contract via Foundry to ItyFuzz Forwarding Server Source: https://docs.ityfuzz.rs/docs-evm-contract Example of deploying a contract using Foundry to the ItyFuzz server's address (`http://127.0.0.1:5001`), including constructor arguments and a private key. ```bash forge create src/flashloan.sol:main2 --rpc-url http://127.0.0.1:5001 --private-key 0x0000000000000000000000000000000000000000000000000000000000000000 --constructor-args "1" "0x6100000000000000000000000000000000000000000000000000000000000000" ``` -------------------------------- ### ItyFuzz Server: Start with Default RPC Forwarding Source: https://docs.ityfuzz.rs/docs-evm-contract/constructor-for-offchain-fuzzing Starts the ItyFuzz server, which by default forwards requests to `http://localhost:8545` (Ganache's default RPC address). ```bash node app.js ``` -------------------------------- ### ItyFuzz CLI: Example Constructor Arguments for Multiple Contracts Source: https://docs.ityfuzz.rs/docs-evm-contract/constructor-for-offchain-fuzzing Provides a concrete example of passing constructor arguments for two contracts, `main` and `main2`, each with a `bytes32` and `uint256` argument, using the `--constructor-args` flag. ```bash ityfuzz evm -t 'build/*' --constructor-args "main:1,0x6100000000000000000000000000000000000000000000000000000000000000;main2:2,0x6200000000000000000000000000000000000000000000000000000000000000;" ``` -------------------------------- ### Build ItyFuzz from source for offchain fuzzing Source: https://docs.ityfuzz.rs/installation-and-building Clone the ItyFuzz repository, initialize and update its submodules, and then build the release version using Cargo. This process compiles the executable for offchain fuzzing, which does not require direct blockchain interaction. ```Shell git clone https://github.com/fuzzland/ityfuzz.git && cd ityfuzz git submodule update --recursive --init cargo build --release ``` -------------------------------- ### Example: Passing Multiple Constructor Arguments via ItyFuzz CLI Source: https://docs.ityfuzz.rs/docs-evm-contract Provides a concrete example of using the `--constructor-args` flag for two contracts, `main` and `main2`, each with `bytes32` and `uint256` arguments. ```bash ityfuzz evm -t 'build/*' --constructor-args "main:1,0x6100000000000000000000000000000000000000000000000000000000000000;main2:2,0x6200000000000000000000000000000000000000000000000000000000000000;" ``` -------------------------------- ### ItyFuzz Server: Start with Custom RPC Forwarding Source: https://docs.ityfuzz.rs/docs-evm-contract/constructor-for-offchain-fuzzing Starts the ItyFuzz server, specifying a custom RPC address (e.g., `http://localhost:8546`) for forwarding requests. ```bash node app.js http://localhost:8546 ``` -------------------------------- ### Define and Emit AAAA__fuzzland_move_bug Event in Move Source: https://docs.ityfuzz.rs/quickstart This snippet demonstrates how to define a custom event struct `AAAA__fuzzland_move_bug` with a `u64` info field and then emit an instance of this event from within a Move contract function to signal a bug condition. This mechanism is used for invariant reporting. ```Move // define the event struct use sui::event; struct AAAA__fuzzland_move_bug has drop, copy, store { info: u64 } ... // inside function event::emit(AAAA__fuzzland_move_bug { info: 1 }); ... ``` -------------------------------- ### Fuzzing EVM Contracts for Fund Loss with Ityfuzz (RFB) Source: https://docs.ityfuzz.rs/tutorials/exp-known-working-hacks Presents an example of using `ityfuzz` to find 'Fund Loss' vulnerabilities in EVM contracts on the BSC chain. This fuzzing run completed in 16 seconds, targeting specific contract addresses and an on-chain block number for its execution. ```bash ityfuzz evm -t 0x26f1457f067bF26881F311833391b52cA871a4b5,0x03184AAA6Ad4F7BE876423D9967d1467220a544e,0xbb4CdB9CBd36B01bD1cBaEBF2De08d9173bc095c,0x0fe261aeE0d1C4DFdDee4102E82Dd425999065F4 -c bsc --onchain-block-number 23649423 -f --onchain-etherscan-api-key $BSC_ETHERSCAN_API_KEY ``` -------------------------------- ### Echidna Invariant Function Example Source: https://docs.ityfuzz.rs/docs-evm-contract/writing-invariants Demonstrates a Solidity function `echidna_test` that ItyFuzz treats as an invariant. If this function returns `false`, ItyFuzz reports a bug. ```Solidity function echidna_test() public { assert(false); } ``` -------------------------------- ### Deploy Contract via ItyFuzz Server using Foundry Source: https://docs.ityfuzz.rs/docs-evm-contract/constructor-for-offchain-fuzzing Demonstrates how to deploy a Solidity contract (`flashloan.sol:main2`) using Foundry, routing the deployment through the ItyFuzz server running on `http://127.0.0.1:5001`. This command includes a private key and constructor arguments for the deployment. ```bash forge create src/flashloan.sol:main2 --rpc-url http://127.0.0.1:5001 --private-key 0x0000000000000000000000000000000000000000000000000000000000000000 --constructor-args "1" "0x6100000000000000000000000000000000000000000000000000000000000000" ``` -------------------------------- ### Compile Solidity Contracts with solc Source: https://docs.ityfuzz.rs/tutorials/ctf-verilog-ctf-offchain This command compiles all Solidity files (`.sol`) in the current directory using `solc`, generating binary (`.bin`) and ABI (`.abi`) outputs. The `--overwrite` flag ensures existing output files are replaced. ```Shell solc *.sol -o . --bin --abi --overwrite ``` -------------------------------- ### Solidity `bug()` Function Usage Source: https://docs.ityfuzz.rs/docs-evm-contract/writing-invariants Example demonstrating how to use the `bug()` function within a Solidity contract to explicitly report a condition as a bug. In this case, it's triggered if `msg.sender` is not the `owner`. ```Solidity function buy_token() public { if (msg.sender != owner) { bug(); } } ``` -------------------------------- ### Run ityfuzz EVM test for WGPT Source: https://docs.ityfuzz.rs/tutorials/exp-known-working-hacks Tests for Fund Loss vulnerability. The test took 0 hours, 0 minutes, and 40 seconds. This command executes ityfuzz on the BSC chain, targeting specific contract addresses with a given block number and Etherscan API key. ```bash ityfuzz evm -t 0x55d398326f99059fF775485246999027B3197955,0xe1272a840F574b68dE861eC5009784e3411cb96c,0xaa07222e4c3295C4E881ac8640Fbe5fB921D6840,0x81917eb96b397dFb1C6000d28A5bc08c0f05fC1d,0x5336a15f27b74f62cc182388c005df419ffb58b8,0x4f3126d5DE26413AbDCF6948943FB9D0847d9818,0x5a596eAE0010E16ed3B021FC09BbF0b7f1B2d3cD,0x1f415255f7E2a8546559a553E962dE7BC60d7942,0x1f415255f7e2a8546559a553e962de7bc60d7942 -c bsc --onchain-block-number 29891709 -f --onchain-etherscan-api-key $BSC_ETHERSCAN_API_KEY ``` -------------------------------- ### Run ityfuzz EVM test for MintoFinance Source: https://docs.ityfuzz.rs/tutorials/exp-known-working-hacks Tests for Fund Loss vulnerability. The test took 0 hours, 0 minutes, and 1 second. This command executes ityfuzz on the BSC chain, targeting specific contract addresses with a given block number and Etherscan API key. ```bash ityfuzz evm -t 0x55d398326f99059fF775485246999027B3197955,0x0d116ed40831fef8e21ece57c8455ae3b1e4041b,0xdbf1c56b2ad121fe705f9b68225378aa6784f3e5,0xDbF1C56b2aD121Fe705f9b68225378aa6784f3e5,0x13f4EA83D0bd40E75C8222255bc855a974568Dd4,0x410a56541bD912F9B60943fcB344f1E3D6F09567,0xba91db0b31d60c45e0b03e6d515e45fcabc7b1cd -c bsc --onchain-block-number 30214253 -f --onchain-etherscan-api-key $BSC_ETHERSCAN_API_KEY ``` -------------------------------- ### Run ityfuzz EVM test for Utopia Source: https://docs.ityfuzz.rs/tutorials/exp-known-working-hacks Tests for Price Manipulation vulnerability. The test took 0 hours, 11 minutes, and 26 seconds. This command executes ityfuzz on the BSC chain, targeting specific contract addresses with a given block number and Etherscan API key. ```bash ityfuzz evm -t 0xfeEf619a56fCE9D003E20BF61393D18f62B0b2D5,0xb1da08c472567eb0ec19639b1822f578d39f3333,0xbb4CdB9CBd36B01bD1cBaEBF2De08d9173bc095c,0x6191203510c2a6442faecdb6c7bb837a76f02d23,0xb1da08C472567eb0EC19639b1822F578d39F3333 -c bsc --onchain-block-number 30119396 -f --onchain-etherscan-api-key $BSC_ETHERSCAN_API_KEY ``` -------------------------------- ### Detect Arbitrary Selfdestruct Vulnerability in Solidity Source: https://docs.ityfuzz.rs/docs-evm-contract/detecting-common-vulns This code demonstrates a critical vulnerability where a contract can be self-destructed by any arbitrary caller. The example shows a 'selfdestruct' call to 'msg.sender' within a public function, allowing anyone to destroy the contract and its funds. ```Solidity function buggy() public { selfdestruct(msg.sender); } ``` -------------------------------- ### Run ityfuzz EVM test for ROI Source: https://docs.ityfuzz.rs/tutorials/exp-known-working-hacks Tests for Fund Loss vulnerability. The test took 0 hours, 0 minutes, and 1 second. This command executes ityfuzz on the BSC chain, targeting specific contract addresses with a given block number and Etherscan API key. ```bash ityfuzz evm -t 0xe9e7CEA3DedcA5984780Bafc599bD69ADd087D56,0xe48b75dc1b131fd3a8364b0580f76efd04cf6e9c,0xbb4CdB9CBd36B01bD1cBaEBF2De08d9173bc095c,0x745D6Dd206906dd32b3f35E00533AD0963805124,0x216FC1D66677c9A778C60E6825189508b9619908,0xE48b75dc1b131fd3A8364b0580f76eFD04cF6e9c,0x158af3d23d96e3104bcc65b76d1a6f53d0f74ed0 -c bsc --onchain-block-number 21143795 -f --onchain-etherscan-api-key $BSC_ETHERSCAN_API_KEY ``` -------------------------------- ### Identify Uniswap Pair Misuse in Solidity Source: https://docs.ityfuzz.rs/docs-evm-contract/detecting-common-vulns This snippet highlights a potential misuse of Uniswap pairs that could lead to price manipulation attacks. The example shows a 'burn' function being called on an IUniswapPair interface, which might be part of an exploit or an unintended interaction. ```Solidity function buggy() public { burn(IUniswapPair(pairAddr), 1000000); } ``` -------------------------------- ### Detect Balance Extraction Vulnerability in Solidity Source: https://docs.ityfuzz.rs/docs-evm-contract/detecting-common-vulns This snippet demonstrates a common vulnerability where an attacker can steal native tokens (ETH) from a contract. The example shows a public function that directly transfers 1 ether to the message sender, indicating a potential exploit. ```Solidity function buggy() public { payable(msg.sender).transfer(1 ether); } ``` -------------------------------- ### ItyFuzz CLI: Generic Constructor Arguments Format Source: https://docs.ityfuzz.rs/docs-evm-contract/constructor-for-offchain-fuzzing Demonstrates the general format for passing constructor arguments to multiple contracts using the `--constructor-args` flag with the `ityfuzz evm` command. Arguments for each contract are separated by semicolons, and individual arguments within a contract are comma-separated. ```bash ityfuzz evm -t 'build/*' --constructor-args "ContractName:arg1,arg2,...;AnotherContract:arg1,arg2,..;" ``` -------------------------------- ### Detect Token Extraction Vulnerability in Solidity Source: https://docs.ityfuzz.rs/docs-evm-contract/detecting-common-vulns This code illustrates a vulnerability allowing attackers to steal ERC20 or ERC721 tokens from a contract. The earning is calculated by liquidating tokens on related Uniswap V2 pairs. The example shows a function transferring tokens from and to the message sender, potentially exploiting price differences or logic flaws. ```Solidity function buggy() public { // the price of tokenAddr2 is higher than tokenAddr1 SomeToken(tokenAddr1).transferFrom(msg.sender, address(this), 1000); SomeToken(tokenAddr2).transfer(msg.sender, 1000); } ``` -------------------------------- ### Run ityfuzz EVM test for BabyDogeCoin02 Source: https://docs.ityfuzz.rs/tutorials/exp-known-working-hacks Tests for Fund Loss vulnerability. The test took 0 hours, 20 minutes, and 22 seconds. This command executes ityfuzz on the BSC chain, targeting specific contract addresses with a given block number and Etherscan API key. ```bash ityfuzz evm -t 0xc748673057861a797275CD8A068AbB95A902e8de,0x55d398326f99059fF775485246999027B3197955,0x4f3126d5DE26413AbDCF6948943FB9D0847d9818,0xA07c5b74C9B40447a954e1466938b865b6BBea36,0xe9e7CEA3DedcA5984780Bafc599bD69ADd087D56,0xC9a0F685F39d05D835c369036251ee3aEaaF3c47,0x9a6b926281b0c7bc4f775e81f42b13eda9c1c98e,0x95c78222B3D6e262426483D42CfA53685A67Ab9D,0x9869674E80D632F93c338bd398408273D20a6C8e,0xd8B6dA2bfEC71D684D3E2a2FC9492dDad5C3787F,0xc736cA3d9b1E90Af4230BD8F9626528B3D4e0Ee0,0x0536c8b0c3685b6e3C62A7b5c4E8b83f938f12D1,0xbb4CdB9CBd36B01bD1cBaEBF2De08d9173bc095c,0xfD36E2c2a6789Db23113685031d7F16329158384,0xfD5840Cd36d94D7229439859C0112a4185BC0255 -c bsc --onchain-block-number 29295010 -f --onchain-etherscan-api-key $BSC_ETHERSCAN_API_KEY ``` -------------------------------- ### Detect Integer Overflow/Underflow Vulnerability in Solidity Source: https://docs.ityfuzz.rs/docs-evm-contract/detecting-common-vulns This snippet illustrates a common vulnerability related to integer overflow or underflow in Solidity contracts. It identifies if arithmetic operations (addition, multiplication, subtraction) can lead to values exceeding the maximum or minimum limits of their data types. The example shows a multiplication that would result in an overflow for a 'uint256'. ```Solidity function buggy() public { return type(uint256).max * 2; } ``` -------------------------------- ### Run ityfuzz EVM test for cftoken Source: https://docs.ityfuzz.rs/tutorials/exp-known-working-hacks Tests for Price Manipulation vulnerability. The test took 0 hours, 0 minutes, and 54 seconds. This command executes ityfuzz on the BSC chain, targeting specific contract addresses with a given block number and Etherscan API key. ```bash ityfuzz evm -t 0x8B7218CF6Ac641382D7C723dE8aA173e98a80196,0x7FdC0D8857c6D90FD79E22511baf059c0c71BF8b -c bsc --onchain-block-number 16841980 -f --onchain-etherscan-api-key $BSC_ETHERSCAN_API_KEY ``` -------------------------------- ### Fuzzing LaunchZone for Arbitrary Call Vulnerability (ityfuzz EVM) Source: https://docs.ityfuzz.rs/tutorials/exp-known-working-hacks This `ityfuzz evm` command targets the LaunchZone contract and associated addresses on BSC to identify arbitrary call vulnerabilities. It uses a specific block number for on-chain data and requires an Etherscan API key. ```Shell ityfuzz evm -t 0x6D8981847Eb3cc2234179d0F0e72F6b6b2421a01,0xe9e7CEA3DedcA5984780Bafc599bD69ADd087D56,0xDb821BB482cfDae5D3B1A48EeaD8d2F74678D593,0x3a6d8cA21D1CF76F653A67577FA0D27453350dD8,0x0ccee62efec983f3ec4bad3247153009fb483551,0x3B78458981eB7260d1f781cb8be2CaAC7027DbE2 -c bsc --onchain-block-number 26024419 -f --onchain-etherscan-api-key $BSC_ETHERSCAN_API_KEY ``` -------------------------------- ### Fetch Constructor Arguments from RPC using ItyFuzz Source: https://docs.ityfuzz.rs/docs-evm-contract Command to instruct ItyFuzz to fetch constructor arguments from transactions forwarded to the RPC using the `--fetch-tx-data` flag. ```bash ityfuzz evm -t 'tests/evm/multi-contract/*' --fetch-tx-data ``` -------------------------------- ### Run ityfuzz EVM test for MBC_ZZSH Source: https://docs.ityfuzz.rs/tutorials/exp-known-working-hacks Tests for Fund Loss vulnerability. The test took 0 hours, 0 minutes, and 34 seconds. This command executes ityfuzz on the BSC chain, targeting specific contract addresses with a given block number and Etherscan API key. ```bash ityfuzz evm -t 0x55d398326f99059fF775485246999027B3197955,0x4E87880A72f6896E7e0a635A5838fFc89b13bd17,0x2170Ed0880ac9A755fd29B2688956BD959F933F8,0x5b1Bf836fba1836Ca7ffCE26f155c75dBFa4aDF1,0x33CCA0E0CFf617a2aef1397113E779E42a06a74A,0xeE04a3f9795897fd74b7F04Bb299Ba25521606e6 -c bsc --onchain-block-number 23474460 -f --onchain-etherscan-api-key $BSC_ETHERSCAN_API_KEY ``` -------------------------------- ### Fuzzing EVM Contracts for Fund Loss with Ityfuzz (MetaPoint) Source: https://docs.ityfuzz.rs/tutorials/exp-known-working-hacks Demonstrates using `ityfuzz` to detect 'Fund Loss' vulnerabilities in EVM smart contracts on the BSC chain. The fuzzing process took approximately 20 minutes and 18 seconds. It targets multiple contract addresses and uses a specific on-chain block number for context. ```bash ityfuzz evm -t 0x5923375f1a732FD919D320800eAeCC25910bEdA3,0x55d398326f99059fF775485246999027B3197955,0x807d99bfF0bad97e839df3529466BFF09c09E706,0x8acb88F90D1f1D67c03379e54d24045D4F6dfDdB,0x435444d086649B846E9C912D21E1Bc651033A623,0x724DbEA8A0ec7070de448ef4AF3b95210BDC8DF6,0xA56622BB16F18AF5B6D6e484a1C716893D0b36DF,0xe8d6502E9601D1a5fAa3855de4a25b5b92690623,0xbb4CdB9CBd36B01bD1cBaEBF2De08d9173bc095c,0x68531F3d3A20027ed3A428e90Ddf8e32a9F35DC8,0x9117df9aA33B23c0A9C2C913aD0739273c3930b3,0x52AeD741B5007B4fb66860b5B31dD4c542D65785,0xE5cBd18Db5C1930c0A07696eC908f20626a55E3C,0x3B5E381130673F794a5CF67FBbA48688386BEa86,0xC254741776A13f0C3eFF755a740A4B2aAe14a136 -c bsc --onchain-block-number 27264383 -f --onchain-etherscan-api-key $BSC_ETHERSCAN_API_KEY ``` -------------------------------- ### Fuzzing EVM Contracts for Arbitrary Call Vulnerabilities with Ityfuzz (Carrot) Source: https://docs.ityfuzz.rs/tutorials/exp-known-working-hacks Illustrates the use of `ityfuzz` to identify 'Arbitrary Call' vulnerabilities in EVM contracts on the BSC chain. This specific fuzzing run completed in 1 second, targeting a set of contract addresses and using a defined on-chain block number for analysis. ```bash ityfuzz evm -t 0x55d398326f99059fF775485246999027B3197955,0x6863b549bf730863157318df4496eD111aDFA64f,0xcFF086EaD392CcB39C49eCda8C974ad5238452aC,0x5575406ef6b15eec1986c412b9fbe144522c45ae,0x6863b549bf730863157318df4496ed111adfa64f -c bsc --onchain-block-number 22055611 -f --onchain-etherscan-api-key $BSC_ETHERSCAN_API_KEY ``` -------------------------------- ### Run ityfuzz EVM test for AES Source: https://docs.ityfuzz.rs/tutorials/exp-known-working-hacks Tests for Price Manipulation vulnerability. The test took 0 hours, 0 minutes, and 1 second. This command executes ityfuzz on the BSC chain, targeting specific contract addresses with a given block number and Etherscan API key. ```bash ityfuzz evm -t 0x55d398326f99059fF775485246999027B3197955,0x40eD17221b3B2D8455F4F1a05CAc6b77c5f707e3,0xdDc0CFF76bcC0ee14c3e73aF630C029fe020F907 -c bsc --onchain-block-number 23695904 -f --onchain-etherscan-api-key $BSC_ETHERSCAN_API_KEY ``` -------------------------------- ### Specify Constructor Arguments via ItyFuzz CLI Source: https://docs.ityfuzz.rs/docs-evm-contract Demonstrates the general format for passing constructor arguments to ItyFuzz using the `--constructor-args` flag. Arguments are specified as a string with `ContractName:arg1,arg2,...;` syntax. ```bash ityfuzz evm -t 'build/*' --constructor-args "ContractName:arg1,arg2,...;AnotherContract:arg1,arg2,..;" ``` -------------------------------- ### Intended Solution for WMATICv2 Reentrancy Exploit Source: https://docs.ityfuzz.rs/tutorials/ctf-verilog-ctf-onchain Outlines the step-by-step process to exploit the WMATICv2 reentrancy vulnerability and claim the bounty using flash loans and strategic contract interactions. ```Pseudocode 0. Borrow k MATIC such that k > balance() / 10 1. depositMATIC() with k MATIC 2. redeem(k * 1e18) -- reentrancy contract --> getBounty() 3. Return k MATIC ``` -------------------------------- ### ItyFuzz CLI: Fetch Constructor Arguments from Transactions Source: https://docs.ityfuzz.rs/docs-evm-contract/constructor-for-offchain-fuzzing Uses the `ityfuzz evm` command with the `--fetch-tx-data` flag to instruct ItyFuzz to retrieve constructor arguments from transactions forwarded through the running server. ```bash ityfuzz evm -t 'tests/evm/multi-contract/*' --fetch-tx-data ``` -------------------------------- ### Flash Loan and Reentrancy Attack Strategy Source: https://docs.ityfuzz.rs/tutorials/ctf-verilog-ctf-offchain This outlines the intended solution for the Verilog CTF challenge, combining a flash loan with a reentrancy attack to exploit the WMATICv2 contract and trigger the `getBounty` function. ```APIDOC 0. Borrow k MATIC such that k > balance() / 10 1. depositMATIC() with k MATIC 2. redeem(k * 1e18) -- reentrancy contract --> getBounty() 3. Return k MATIC ``` -------------------------------- ### Run ityfuzz EVM test for HEALTH Source: https://docs.ityfuzz.rs/tutorials/exp-known-working-hacks Tests for Price Manipulation vulnerability. The test took 0 hours, 0 minutes, and 3 seconds. This command executes ityfuzz on the BSC chain, targeting specific contract addresses with a given block number and Etherscan API key. ```bash ityfuzz evm - ``` -------------------------------- ### Compile and Run ItyFuzz with Scribble Output Source: https://docs.ityfuzz.rs/docs-evm-contract/writing-invariants Sequence of commands to compile the Scribble-processed Solidity contract with `solc` and then run ItyFuzz against the compiled artifacts. This demonstrates the full workflow for using Scribble annotations with ItyFuzz. ```Shell solc compiled.sol --bin --abi --overwrite -o build ityfuzz evm -t "build/*" [More Arguments] ``` -------------------------------- ### Fuzzing CS for Price Manipulation Vulnerability (ityfuzz EVM) Source: https://docs.ityfuzz.rs/tutorials/exp-known-working-hacks This `ityfuzz evm` command is used to fuzz the CS contract and its dependencies on BSC, aiming to find price manipulation vulnerabilities. It includes a specific block number for on-chain data and requires an Etherscan API key. ```Shell ityfuzz evm -t 0x382e9652AC6854B56FD41DaBcFd7A9E633f1Edd5,0x55d398326f99059fF775485246999027B3197955,0x7EFaEf62fDdCCa950418312c6C91Aef321375A00,0x8BC6Ce23E5e2c4f0A96429E3C9d482d74171215e -c bsc --onchain-block-number 28466976 -f --onchain-etherscan-api-key $BSC_ETHERSCAN_API_KEY ``` -------------------------------- ### ItyFuzz BSC Scan for BEGO Fund Loss Vulnerability Source: https://docs.ityfuzz.rs/tutorials/exp-known-working-hacks Detects a 'Fund Loss' vulnerability in the BEGO contract on the Binance Smart Chain (BSC). This scan typically completes in 18 seconds. To run, ensure your `BSC_ETHERSCAN_API_KEY` environment variable is set, and for optimal performance, consider setting `ETH_RPC_URL` to a local archive node RPC or private RPC. ```Shell ityfuzz evm -t 0xbb4CdB9CBd36B01bD1cBaEBF2De08d9173bc095c,0x88503F48e437a377f1aC2892cBB3a5b09949faDd,0xc342774492b54ce5F8ac662113ED702Fc1b34972 -c bsc --onchain-block-number 22315679 -f --onchain-etherscan-api-key $BSC_ETHERSCAN_API_KEY ``` -------------------------------- ### Run ItyFuzz Campaign for BEGO Exploit Source: https://docs.ityfuzz.rs/tutorials This command initiates an ItyFuzz campaign to find an exploit in the BEGO contract. It targets the specified contract address on the Binance Smart Chain, forks the chain at a particular block number, and optionally uses an Etherscan API key for on-chain data. ```Shell ityfuzz evm\ -t 0xc342774492b54ce5F8ac662113ED702Fc1b34972\ -f -c BSC\ --onchain-block-number 22315678\ --onchain-etherscan-api-key # (Optional) specify your BSC etherscan api key ``` -------------------------------- ### Fuzzing EVM Contracts for Price Manipulation with Ityfuzz (RES) Source: https://docs.ityfuzz.rs/tutorials/exp-known-working-hacks Shows how `ityfuzz` can be employed to detect 'Price Manipulation' vulnerabilities in EVM contracts on the BSC chain. The fuzzing operation took 3 seconds, focusing on specific contract addresses and an on-chain block number for its execution context. ```bash ityfuzz evm -t 0x55d398326f99059fF775485246999027B3197955,0x05ba2c512788bd95cd6D61D3109c53a14b01c82A,0x1B214e38C5e861c56e12a69b6BAA0B45eFe5C8Eb,0xff333de02129af88aae101ab777d3f5d709fec6f,0xeccd8b08ac3b587b7175d40fb9c60a20990f8d21,0x04C0f31C0f59496cf195d2d7F1dA908152722DE7,0x16b9a82891338f9bA80E2D6970FddA79D1eb0daE,0xecCD8B08Ac3B587B7175D40Fb9C60a20990F8D21 -c bsc --onchain-block-number 21948016 -f --onchain-etherscan-api-key $BSC_ETHERSCAN_API_KEY ``` -------------------------------- ### Run ItyFuzz Campaign for AES Exploit Source: https://docs.ityfuzz.rs/tutorials/exp-hacking-aes This command initiates an ItyFuzz campaign to find an exploit for the vulnerable AES LP contract on Binance Smart Chain. It specifies the target contract address, forks the chain at a particular block number, and optionally uses an Etherscan API key for on-chain data. ```Shell ityfuzz evm\ -t 0x40eD17221b3B2D8455F4F1a05CAc6b77c5f707e3\ -f -c BSC\ --onchain-block-number 23695904\ --onchain-etherscan-api-key # (Optional) specify your BSC etherscan api key ``` -------------------------------- ### Fuzzing Melo for Fund Loss Vulnerability (ityfuzz EVM) Source: https://docs.ityfuzz.rs/tutorials/exp-known-working-hacks This `ityfuzz evm` command targets the Melo contract and associated addresses on BSC to identify fund loss vulnerabilities. It uses a specific block number for on-chain data and requires an Etherscan API key. ```Shell ityfuzz evm -t 0x55d398326f99059fF775485246999027B3197955,0x9A1aEF8C9ADA4224aD774aFdaC07C24955C92a54,0x6a8C4448763C08aDEb80ADEbF7A29b9477Fa0628 -c bsc --onchain-block-number 27960445 -f --onchain-etherscan-api-key $BSC_ETHERSCAN_API_KEY ``` -------------------------------- ### ItyFuzz BSC Scan for EGD-Finance Fund Loss Vulnerability Source: https://docs.ityfuzz.rs/tutorials/exp-known-working-hacks Detects a 'Fund Loss' vulnerability in the EGD-Finance contract on the Binance Smart Chain (BSC). This scan typically completes in 2 seconds. To run, ensure your `BSC_ETHERSCAN_API_KEY` environment variable is set, and for optimal performance, consider setting `ETH_RPC_URL` to a local archive node RPC or private RPC. ```Shell ityfuzz evm -t 0x55d398326f99059fF775485246999027B3197955,0x202b233735bF743FA31abb8f71e641970161bF98,0xa361433E409Adac1f87CDF133127585F8a93c67d,0x16b9a82891338f9bA80E2D6970FddA79D1eb0daE,0x34Bd6Dba456Bc31c2b3393e499fa10bED32a9370,0xc30808d9373093fbfcec9e026457c6a9dab706a7,0x34bd6dba456bc31c2b3393e499fa10bed32a9370,0x93c175439726797dcee24d08e4ac9164e88e7aee -c bsc --onchain-block-number 20245522 -f --onchain-etherscan-api-key $BSC_ETHERSCAN_API_KEY ``` -------------------------------- ### ItyFuzz BSC Scan for RES02 Price Manipulation Vulnerability Source: https://docs.ityfuzz.rs/tutorials/exp-known-working-hacks Detects a 'Price Manipulation' vulnerability in the RES02 contract on the Binance Smart Chain (BSC). This scan typically completes in 2 seconds. To run, ensure your `BSC_ETHERSCAN_API_KEY` environment variable is set, and for optimal performance, consider setting `ETH_RPC_URL` to a local archive node RPC or private RPC. ```Shell ityfuzz evm -t 0x55d398326f99059fF775485246999027B3197955,0xD7B7218D778338Ea05f5Ecce82f86D365E25dBCE,0x05ba2c512788bd95cd6D61D3109c53a14b01c82A,0x1B214e38C5e861c56e12a69b6BAA0B45eFe5C8Eb,0xecCD8B08Ac3B587B7175D40Fb9C60a20990F8D21,0xeccd8b08ac3b587b7175d40fb9c60a20990f8d21,0x04C0f31C0f59496cf195d2d7F1dA908152722DE7,0xbb4CdB9CBd36B01bD1cBaEBF2De08d9173bc095c -c bsc --onchain-block-number 21948016 -f --onchain-etherscan-api-key $BSC_ETHERSCAN_API_KEY ```