This crate implements a structure-aware fuzzing framework that we will be reusing in our fuzzers.
- blockchain - Implements the consensus and execution spec types and constants.
- builders - Handles the logic of creating VALID instances of to-be-fuzzed types.
- circuits - Implements the Noir IR as well as stuff to create random circuits.
- mutations - Implements the Mutable trait for various types.
- rpc - Implements a blazingly fast RpcClient to send batched JSON-RPC requests.
- transactions - Implements the Transaction and SignedTransaction types.
This crate implements the Mutable derive macro, which implements Mutable automatically for arbitrary structs.
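
    use rand::{rngs::SmallRng, SeedableRng};
    // The Mutable trait and its derive macro must also be in scope (from this project's crates).

    #[derive(Mutable)]
    struct Payload {
        a: u64,
        b: u64,
    }

    fn main() {
        // Starting value that is mutated in place on every iteration.
        let mut base = Payload {
            a: 3,
            b: 5,
        };
        // Fixed seed so that a run can be reproduced.
        let mut random = SmallRng::seed_from_u64(0);
        loop {
            base.mutate(&mut random);
            // Check your target condition or send the payload.
            // checked_add avoids an overflow panic in debug builds when the mutated values are large.
            if base.a.checked_add(base.b) == Some(5) {
                panic!("POC");
            }
        }
    }

Metamorphic fuzzer for the Noir compiler. It creates an AST representing a circuit, applies equivalence operations on top (which by definition do not change the program's output), and checks whether the compiler returns a different result or an unexpected error. It was inspired by circuzz, so kudos to the team :)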
For anyone interested in the bugs it has found, you can check my submissions to the Noir repo.
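The metamorphic check described above, as an added example that is not code from this repository: a toy expression language stands in for the Noir AST, and the names `Expr`, `target`, `rewrite` and `find_divergence` are hypothetical. The `planted_bug` flag switches on a deliberately wrong folding of `x * 1` so that the oracle has something to find.

```rust
// Added illustration: a toy expression language, not the Noir IR.
#[derive(Clone, Debug)]
enum Expr { Const(u64), Input(usize), Add(Box<Expr>, Box<Expr>), Mul(Box<Expr>, Box<Expr>) }
use Expr::*;

// Stand-in for "compile and run". With planted_bug set, `x * 1` folds to 1 instead of x.
fn target(e: &Expr, inp: &[u64], planted_bug: bool) -> u64 {
    match e {
        Mul(_, b) if planted_bug && matches!(**b, Const(1)) => 1,
        Const(c) => *c,
        Input(i) => inp[*i],
        Add(a, b) => target(a, inp, planted_bug).wrapping_add(target(b, inp, planted_bug)),
        Mul(a, b) => target(a, inp, planted_bug).wrapping_mul(target(b, inp, planted_bug)),
    }
}

// xorshift64 keeps the example dependency-free; the seed must be non-zero.
fn next(s: &mut u64) -> u64 { *s ^= *s << 13; *s ^= *s >> 7; *s ^= *s << 17; *s }

// Rewrite the children first, then apply one randomly chosen equivalence at this node.
fn rewrite(e: Expr, rng: &mut u64) -> Expr {
    let e = match e {
        Add(a, b) => Add(Box::new(rewrite(*a, rng)), Box::new(rewrite(*b, rng))),
        Mul(a, b) => Mul(Box::new(rewrite(*a, rng)), Box::new(rewrite(*b, rng))),
        leaf => leaf,
    };
    match (next(rng) % 4, e) {
        (0, e) => Add(Box::new(e), Box::new(Const(0))), // x -> x + 0
        (1, e) => Mul(Box::new(e), Box::new(Const(1))), // x -> x * 1
        (2, Add(a, b)) => Add(b, a),                    // a + b -> b + a
        (2, Mul(a, b)) => Mul(b, a),                    // a * b -> b * a
        (_, e) => e,                                    // leave the node unchanged
    }
}

// Metamorphic oracle: no known-good output is needed, only agreement between the
// base program and 64 equivalent variants run through the same target.
fn find_divergence(base: &Expr, inp: &[u64], seed: u64, planted_bug: bool) -> Option<Expr> {
    let (mut rng, expected) = (seed, target(base, inp, planted_bug));
    (0..64).map(|_| rewrite(base.clone(), &mut rng)).find(|v| target(v, inp, planted_bug) != expected)
}

fn main() {
    let base = Add(Box::new(Input(0)), Box::new(Input(1)));
    println!("{:?}", find_divergence(&base, &[7, 9], 1, true));
}
```

Re-running the returned variant with `planted_bug` off confirms the rewrite itself was sound, which separates a target bug from a faulty equivalence rule.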
A transaction fuzzer for the Ethereum Protocol. Huge thanks to Marius van der Wijden for building tx-fuzz, which I used as a reference in many parts of this project, as well as to the alloy team, as I relied heavily on their work to build this.