< NULLCON 2025 - GOA />

About the Speaker

GO BACK
img
Kevin Valerio
Security Engineer Security Research Labs
img
Daniel Schmidt
Security Consultant Security Research Labs

< Talk Title />

Fuzzing Rust Smart Contracts: Writing A Bug Printer Engine From Scratch

< Talk Category />

Technical Speakers

< Talk Abstract />

Smart contracts written in Rust offer a promising balance of performance and safety due to Rust's strong memory safety guarantees. However, smart contracts in Rust are not immune to logic errors, concurrency issues, and other complex vulnerabilities, which can undermine their security. Therefore, ensuring their correctness and security remains a critical challenge. In this presentation, we dive deep into the world of fuzzing WebAssembly based smart contracts and unveil our tool, Phink — an open-source property-based and coverage guided fuzzing engine built on top of AFL++ to fuzz Rust smart contracts built with ink!.

Fuzzing smart contracts is distinct from traditional fuzzing due to the specific requirements and constraints of blockchain environments. We'll start by demystifying this fuzzing process, highlighting why traditional fuzzing methods require adaptation to address the unique characteristics of smart contract execution.

Our journey will cover the essential steps in creating a proper fuzzer engine — from effective bug detection to capturing coverage, smart-contract edges instrumentation and the generation of valid corpus inputs. 

We will conclude with a live demonstration of Phink, showcasing its capabilities in action and providing a real-world example of how our approach can be used to identify and exploit vulnerabilities in smart contracts.

< Speaker Bio />

Kevin's Bio

Kevin Valerio is a security researcher focusing on Web3 technologies, specifically blockchains built on the Polkadot SDK. With a background in pentesting, he has developed a keen interest in fuzzing. 

Daniel's Bio

Daniel Schmidt works as a Security Consultant for SRLabs in Berlin, where he focuses primarily on researching, auditing and fuzzing distributed protocols and virtual machines. In addition to hacking for fun in his free time, he also enjoys bouldering and windsurfing