A Guided Mutation Strategy for Smart Contract Fuzzing

2023 IEEE INTERNATIONAL CONFERENCE ON SOFTWARE MAINTENANCE AND EVOLUTION, ICSME(2023)

Abstract
Smart contracts manage large amounts of digital assets, which makes them attractive to attackers, and many attacks have already caused huge financial losses. Detecting vulnerabilities in smart contracts is therefore of great importance. Fuzzing is considered a promising approach to testing smart contracts. However, the complexity of changing state variables and the handling of external parameters during mutation pose critical technical challenges for current smart contract fuzzers, hindering their ability to cover branches guarded by complex constraints and leaving potential vulnerabilities for attackers to exploit. To tackle these problems, we design a guided mutation strategy built on two novel techniques: Dynamic Dependency Learning (DDL) and Dynamic Variables Analysis (DVA). DDL learns the dependencies between the transactions of a sequence to guide transaction sequence generation, handling the state variables that appear in complex constraints, while DVA leverages variable-level dynamic taint analysis to process the external parameters and guide the mutation. We implement the proposed strategy in a fuzzer called SeqFuzz. The experimental results show that SeqFuzz covers more branches and detects more bugs in real-world smart contracts than state-of-the-art tools.
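The two mechanisms the abstract sketches can be shown on a toy: learn from execution traces which functions write the state variables another function reads, and use that to build the transaction prefix a target needs; track taint from parameters and state variables into branch conditions, and mutate only the parameters that actually decide a branch still seen in one direction. The Python below is an added illustration written for this page, not SeqFuzz's code and not the paper's algorithm; the `Vault` contract, its hook-based instrumentation (standing in for an instrumented EVM), the branch labels and the `POOL` of mutation values are all constructed.

```python
from collections import defaultdict

POOL = [0, 1, -1, 255, 256, 65535]   # constructed "interesting" integers tried when mutating a tainted parameter


class T:
    """Tainted value: a concrete value plus the labels (parameters / state vars) that flowed into it."""
    def __init__(self, v, labels=()):
        self.v, self.labels = v, frozenset(labels)

    def _op(self, o, f):
        ov, ol = (o.v, o.labels) if isinstance(o, T) else (o, frozenset())
        return T(f(self.v, ov), self.labels | ol)

    def __add__(self, o): return self._op(o, lambda a, b: a + b)
    def __sub__(self, o): return self._op(o, lambda a, b: a - b)
    def __mod__(self, o): return self._op(o, lambda a, b: a % b)
    def __gt__(self, o): return self._op(o, lambda a, b: a > b)
    def __le__(self, o): return self._op(o, lambda a, b: a <= b)
    def __eq__(self, o): return self._op(o, lambda a, b: a == b)
    def __and__(self, o): return self._op(o, lambda a, b: bool(a and b))


class Vault:
    """Constructed stand-in for a contract. State access and branching go through hooks that record
    reads, writes, the labels deciding each branch and the direction taken (an instrumented EVM would
    supply the same facts). withdraw's inner branch is reachable only after unlock and deposit wrote state."""
    FUNCS = {"deposit": ["amount"], "unlock": ["code"], "withdraw": ["amount"]}

    def __init__(self):
        self.state = {"deposited": 0, "unlocked": 0}
        self.reads, self.writes, self.branches, self.taken = set(), set(), {}, set()

    def _get(self, name):
        self.reads.add(name)
        return T(self.state[name], {"state:" + name})

    def _set(self, name, t):
        self.writes.add(name)
        self.state[name] = t.v

    def _branch(self, bid, cond):
        self.branches[bid] = cond.labels          # which inputs decide this branch (taint)
        self.taken.add((bid, bool(cond.v)))       # which direction this execution took
        return cond.v

    def deposit(self, amount):
        if self._branch("deposit:amount>0", amount > 0):
            self._set("deposited", self._get("deposited") + amount)

    def unlock(self, code):
        if self._branch("unlock:code>255&even", (code > 255) & (code % 2 == 0)):
            self._set("unlocked", T(1))

    def withdraw(self, amount):
        if self._branch("withdraw:unlocked", self._get("unlocked") == 1):
            if self._branch("withdraw:0<amount<=deposited", (amount > 0) & (amount <= self._get("deposited"))):
                self._set("deposited", self._get("deposited") - amount)


def run(seq, readers, writers, influence):
    """Execute a transaction sequence on a fresh contract; learn readers[fn] / writers[var] (dependencies)
    and influence[(fn, branch)] (taint) from the trace. Returns the (branch, outcome) pairs exercised."""
    c = Vault()
    for fn, kwargs in seq:
        c.reads, c.writes, c.branches = set(), set(), {}
        getattr(c, fn)(**{k: T(v, {"param:" + k}) for k, v in kwargs.items()})
        readers[fn] |= c.reads
        for var in c.writes:
            writers[var].add(fn)
        for bid, labels in c.branches.items():
            influence[(fn, bid)] = influence.get((fn, bid), frozenset()) | labels
    return set(c.taken)


def prefix_for(target, readers, writers):
    """Dependency-guided prefix: every function learned to write a state variable the target reads."""
    return sorted({f for var in readers[target] for f in writers[var] if f != target})


def fuzz(max_rounds=20):
    readers, writers, influence = defaultdict(set), defaultdict(set), {}
    args = {fn: {p: 0 for p in ps} for fn, ps in Vault.FUNCS.items()}   # current arguments per function
    covered = set()
    for _ in range(max_rounds):
        before = len(covered)
        for target in Vault.FUNCS:
            seq = [(f, args[f]) for f in prefix_for(target, readers, writers)]
            covered |= run(seq + [(target, args[target])], readers, writers, influence)
            # Taint-guided mutation: a branch of the target seen in only one direction gets its
            # parameter-tainted inputs mutated; a branch decided by state alone is left to the prefix.
            for (fn, bid), labels in list(influence.items()):
                if fn != target or {(bid, True), (bid, False)} <= covered:
                    continue
                for p in [l[len("param:"):] for l in labels if l.startswith("param:")]:
                    for v in POOL:
                        trial = dict(args[target], **{p: v})
                        new = run(seq + [(target, trial)], readers, writers, influence) - covered
                        if new:
                            covered |= new
                            args[target] = trial
                            break
        if len(covered) == before:
            break
    return covered, readers, writers, influence


if __name__ == "__main__":
    cov, rd, wr, _ = fuzz()
    print(f"{len(cov)} branch outcomes covered; withdraw needs prefix {prefix_for('withdraw', rd, wr)}")
```

Running `fuzz()` on this toy covers all eight branch outcomes in three rounds. The order of discovery is the point: `withdraw`'s read of `deposited` is only observed once `unlocked` is set, so the prefix grows from `[unlock]` to `[deposit, unlock]` as traces accumulate, and the `withdraw:unlocked` branch carries only a state label, so the fuzzer never wastes mutations on `amount` to flip it.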
Keywords
technological, blockchain, smart contract, fuzzing, dynamic data flow, dynamic taint analysis