Blockchain smart contracts have given rise to a variety of interesting and compelling applications and emerged as a revolutionary force for the Internet. Smart contracts from various fields now hold over one trillion dollars worth of virtual coins, attracting numerous attacks. Quite a few practitioners have devoted themselves to developing tools for detecting bugs in smart contracts. One line of efforts revolve around static analysis techniques, which heavily suffer from high false positive rates. Another line of works concentrate on fuzzing techniques. Unfortunately, current fuzzing approaches for smart contracts tend to conduct fuzzing starting from the initial state of the contract, which expends too much energy revolving around the initial state of the contract and thus is usually unable to unearth bugs triggered by other states. Moreover, most existing methods treat each branch equally, failing to take care of the branches that are rare or more likely to possess bugs. This might lead to resources wasted on normal branches. In this paper, we try to tackle these challenges from three aspects: 1) generating function invocation sequences, we explicitly consider data dependencies between functions to facilitate exploring richer states. We further prolong a function invocation sequence $\mathcal {S}_{1}$ by appending a new sequence $\mathcal {S}_{2}$ , so that the appended sequence $\mathcal {S}_{2}$ can start fuzzing from states that are different from the initial state; 2) we incorporate a branch distance-based measure to evolve test cases iteratively towards a target branch; 3) we engage a branch search algorithm to discover rare and vulnerable branches, and design an energy allocation mechanism to take care of exercising these crucial branches. We implement IR-Fuzz and extensively evaluate it over 12K real-world contracts. Empirical results show that: (i) IR-Fuzz achieves 28% higher branch coverage than state-of-the-art fuzzing approaches, (ii) IR-Fuzz detects more vulnerabilities and increases the average accuracy of vulnerability detection by 7% over current methods, and (iii) IR-Fuzz is fast, generating an average of 350 test cases per second. Our implementation and dataset are released at https://github.com/Messi-Q/IR-Fuzz, hoping to facilitate future research.

中文翻译：

---

重新思考智能合约模糊测试：通过调用顺序和重要分支重新访问进行模糊测试


区块链智能合约催生了各种有趣且引人注目的应用，并成为互联网的革命力量。目前，各领域的智能合约持有价值超过万亿美元的虚拟币，吸引了大量的攻击。不少从业者致力于开发检测智能合约缺陷的工具。其中一项工作围绕静态分析技术，但该技术严重受到高误报率的影响。另一系列工作集中于模糊测试技术。不幸的是，目前的智能合约模糊测试方法往往从合约的初始状态开始进行模糊测试，围绕合约的初始状态花费了太多的精力，因此通常无法发现其他状态触发的错误。此外，大多数现有方法平等地对待每个分支，未能照顾罕见或更有可能存在错误的分支。这可能会导致普通分支上的资源浪费。在本文中，我们尝试从三个方面解决这些挑战：1）生成函数调用序列，我们明确考虑函数之间的数据依赖关系，以方便探索更丰富的状态。我们通过附加一个新序列 $\mathcal {S}_{2}$ 来进一步延长函数调用序列 $\mathcal {S}_{1}$ ，使得附加序列 $\mathcal {S}_{2} $ 可以从与初始状态不同的状态开始模糊测试； 2）我们采用基于分支距离的度量来迭代地向目标分支发展测试用例； 3）我们采用分支搜索算法来发现稀有和脆弱的分支，并设计一种能量分配机制来照顾这些关键分支的行使。 我们实施 IR-Fuzz 并在 12K 个现实世界合约中对其进行广泛评估。实证结果表明：(i) IR-Fuzz 的分支覆盖率比最先进的模糊测试方法高 28%，(ii) IR-Fuzz 检测到更多漏洞，并将漏洞检测的平均准确度比当前方法提高 7% (iii) IR-Fuzz 速度很快，平均每秒生成 350 个测试用例。我们的实现和数据集发布在 https://github.com/Messi-Q/IR-Fuzz，希望能够促进未来的研究。