< NULLCON 2025 - GOA />

About the Speaker

Kevin Valerio
Daniel Schmidt

< Talk Title />

Fuzzing Rust Smart Contracts: Writing A Bug Printer Engine From Scratch

< Talk Category />

Technical Speakers

< Talk Abstract />

Smart contracts written in Rust offer a promising balance of performance and safety due to Rust's strong memory safety guarantees. However, smart contracts in Rust are not immune to logic errors, concurrency issues, and other complex vulnerabilities, which can undermine their security. Therefore, ensuring their correctness and security remains a critical challenge. In this presentation, we dive deep into the world of fuzzing WebAssembly-based smart contracts and unveil our tool, Phink — an open-source property-based and coverage-guided fuzzing engine built on top of AFL++ to fuzz Rust smart contracts built with ink!.

Fuzzing smart contracts is distinct from traditional fuzzing due to the specific requirements and constraints of blockchain environments. We'll start by demystifying this fuzzing process, highlighting why traditional fuzzing methods require adaptation to address the unique characteristics of smart contract execution.

Our journey will cover the essential steps in creating a proper fuzzer engine — from effective bug detection to capturing coverage, smart-contract edge instrumentation and the generation of valid corpus inputs.

We will conclude with a live demonstration of Phink, showcasing its capabilities in action and providing a real-world example of how our approach can be used to identify and exploit vulnerabilities in smart contracts.
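To make the property-based side of the abstract concrete, here is an added example (not Phink's code, not ink!, and not part of the original talk page): a toy token ledger in plain Rust with no external crates, a `burn` message that carries a constructed defect, and a small fuzz loop that sends random message sequences and checks an invariant after every call. The message shapes, account space, amount range and the "coverage" set (message label paired with success/failure) are all assumptions made for this example; a real engine such as the one described above would get edge coverage from instrumentation and feed inputs through a WebAssembly runtime instead.

```rust
// Added example: minimal property-based fuzzing of a toy ledger.
// Constructed for illustration; not the tool's own code.
use std::collections::{BTreeSet, HashMap};

/// Messages the fuzzer can send, shaped like ink! messages (selector + args).
#[derive(Debug, Clone, Copy, PartialEq)]
pub enum Message {
    Transfer { from: u8, to: u8, amount: u64 },
    Burn { who: u8, amount: u64 },
}

#[derive(Debug, Clone)]
pub struct Ledger {
    total_supply: u64,
    balances: HashMap<u8, u64>,
}

impl Ledger {
    pub fn new(owner: u8, supply: u64) -> Self {
        let mut balances = HashMap::new();
        balances.insert(owner, supply);
        Ledger { total_supply: supply, balances }
    }

    fn balance(&self, who: u8) -> u64 {
        *self.balances.get(&who).unwrap_or(&0)
    }

    pub fn transfer(&mut self, from: u8, to: u8, amount: u64) -> Result<(), &'static str> {
        let from_bal = self.balance(from);
        if from_bal < amount {
            return Err("insufficient balance");
        }
        self.balances.insert(from, from_bal - amount);
        let to_bal = self.balance(to);
        self.balances.insert(to, to_bal + amount);
        Ok(())
    }

    /// Constructed defect: the balance is clamped with saturating_sub, but
    /// total_supply is reduced by the full amount, so an over-burn desyncs them.
    pub fn burn(&mut self, who: u8, amount: u64) -> Result<(), &'static str> {
        let bal = self.balance(who);
        self.balances.insert(who, bal.saturating_sub(amount));
        self.total_supply = self.total_supply.saturating_sub(amount);
        Ok(())
    }

    pub fn apply(&mut self, msg: Message) -> Result<(), &'static str> {
        match msg {
            Message::Transfer { from, to, amount } => self.transfer(from, to, amount),
            Message::Burn { who, amount } => self.burn(who, amount),
        }
    }

    /// Property checked after every message: balances must sum to total supply.
    pub fn supply_invariant_holds(&self) -> bool {
        self.balances.values().sum::<u64>() == self.total_supply
    }
}

/// Tiny deterministic PRNG (xorshift64) so campaigns are reproducible by seed.
pub struct XorShift(u64);

impl XorShift {
    pub fn new(seed: u64) -> Self {
        XorShift(seed.max(1))
    }
    pub fn next_u64(&mut self) -> u64 {
        let mut x = self.0;
        x ^= x << 13;
        x ^= x >> 7;
        x ^= x << 17;
        self.0 = x;
        x
    }
}

/// Draw a message from a small account space and amount range (assumed
/// generator settings) so empty accounts and over-spends are reached quickly.
pub fn random_message(rng: &mut XorShift) -> Message {
    let from = (rng.next_u64() % 4) as u8;
    let to = (rng.next_u64() % 4) as u8;
    let amount = rng.next_u64() % 150;
    if rng.next_u64() % 2 == 0 {
        Message::Transfer { from, to, amount }
    } else {
        Message::Burn { who: from, amount }
    }
}

/// Outcome of a campaign: the first message sequence that broke the
/// invariant (if any) plus a toy coverage set of (message label, succeeded).
pub struct Campaign {
    pub counterexample: Option<Vec<Message>>,
    pub coverage: BTreeSet<(&'static str, bool)>,
}

pub fn fuzz(seed: u64, iterations: usize, max_len: usize) -> Campaign {
    let mut rng = XorShift::new(seed);
    let mut coverage = BTreeSet::new();
    for _ in 0..iterations {
        // Fresh contract state per sequence, like redeploying before each run.
        let mut ledger = Ledger::new(0, 100);
        let mut trace = Vec::new();
        let len = 1 + (rng.next_u64() as usize % max_len);
        for _ in 0..len {
            let msg = random_message(&mut rng);
            trace.push(msg);
            let ok = ledger.apply(msg).is_ok();
            let label = match msg {
                Message::Transfer { .. } => "transfer",
                Message::Burn { .. } => "burn",
            };
            coverage.insert((label, ok));
            if !ledger.supply_invariant_holds() {
                return Campaign { counterexample: Some(trace), coverage };
            }
        }
    }
    Campaign { counterexample: None, coverage }
}

fn main() {
    let c = fuzz(42, 1000, 20);
    match &c.counterexample {
        Some(trace) => println!("invariant violated after {} messages: {:?}", trace.len(), trace),
        None => println!("no violation found"),
    }
    println!("coverage: {:?}", c.coverage);
}
```

The violating trace always ends in a `Burn` whose amount exceeds the account's balance, which is exactly the kind of logic error the abstract has in mind: nothing panics, no memory is corrupted, and only the invariant check exposes it. In a real engine the invariant would be a property function compiled into the contract, the generator would produce SCALE-encoded calls from a seed corpus, and coverage would drive which sequences get mutated further.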

< Speaker Bio />

Kevin is a security researcher focusing on Web3 technologies, specifically blockchains built on the Polkadot SDK. With a background in pentesting, he has developed a keen interest in fuzzing.