Create inkscope-fuzzer.md #2155
Conversation
|
CLA Assistant Lite bot All contributors have signed the CLA ✍️ ✅ |
|
I have read and hereby sign the Contributor License Agreement. |
semuelle
added
the
admin-review
There was a problem hiding this comment.
Thanks @feliam for your application, I have a couple of initial questions:
- Our payment options have recently changed, would you be willing receive USDC on Asset Hub instead? If so can you please update the address?
- How will you plan to maintain the project after the grant is finished? Would you go for alternative funding such as the treasury or the futures fund?
- I noticed that you have already done some work in the Octopus repo. Is this a separate project? Can you specify in the application what has already been built, and what would be built as part of the grant? Since we only fund software that doesn't exist yet.
keeganquigley
added
the
changes requested
|
Hello @keeganquigley:
Sure. No issues there. Here you have our address for USDC on Asset Hub: 13mMCgidf4fdevVBCENS4U3pdQKLzcFQiZEMjuGTVrTJg1tE
We envision the project to be useful in itself immediately after this grant is finished. We are happy to push it further with alternative fundings like the treasury or the futures funds.
The octopus fork was a simple showcase of our work. We plan to start the fuzzer from scratch as a fresh new repo, written in rust (it is already in the works). We plan though to seek inspiration from all the good sources like polkadot-sdk and ink. o/ |
There was a problem hiding this comment.
Thanks for the changes @feliam this proposal looks really good. To answer your question, yes could you please update the Polkadot address into the application as well? Thanks!
keeganquigley
added
ready for review
There was a problem hiding this comment.
Thanks for the updates! I'm happy to go forward with it and will also share it with the rest of the committee to take a look.
In the meantime, we also just started requiring KYC/KYB checks for all potential grantees. Could you please provide the information outlined under this link? Let me know if you have any questions or issues!
Hey @keeganquigley! We are happy to complete the KYC checks as required. When trying to complete the form, we realized there were questions asking for specifics about our company, legal structure, registration number, etc. As we are currently just a group of developers without an official business entity, we do not have this information to provide. Please let us know if we need to formally create a legal business entity before moving forward with the grant process. If so, we can certainly do that and provide the requested details. We just had not taken that step before applying as we were focused on the development work itself. |
|
Hi @0xLucca. You don't have to have a legal entity. However, that means that every beneficiary of the grant needs to perform KYC and the name and address of whoever issues the invoices in the end should be listed under "registered address" (feel free to email that to us if you prefer not to disclose it). |
|
@semuelle We have both completed the KYC. |
|
@feliam, just send an email with the project name, PR number, your name and address to [email protected]. Thanks! |
semuelle
removed
the
admin-review
|
@semuelle Mail sent! |
|
If there's anything else needed from our end or if you have any further questions, please don't hesitate to let us know. |
|
Thanks @0xLucca I will make sure to bring this application up with committee members during our grants sync next week. |
There was a problem hiding this comment.
Hi @feliam & @0xLucca, since I'm not too familiar with fuzzers, could you explain how testing a fuzzer works? Do write unit tests for specific issues that should be caught? In this case, would you create a library of known ink! issues that you would test against? Or how do you measure its effectiveness?
|
Fuzzing is a bug-finding technique where randomly generated or mutated input is provided to a program while it is monitored for unexpected behavior. When applied to normal binary computer programs, finding a bug is somewhat similar to finding inputs that make the process crash, like a memory safety error, etc. In the context of smart contracts the goal is to discover sequences of transactions that violate predefined properties rather than causing crashes. You do not write unittests for it but you need to write properties (or invariants) for it. We aim to build a functional fuzzer framework that could run most of the ink-examples contracts. An initial measurement of its effectiveness can be done via code coverage, like reaching >85% of code coverage automatically. We will provide some example contracts with injected errors and prepared properties that can be broken with the fuzzer. E.g. a psp22 with an integer overflow that could make the amount of tokens held by owners bigger than the defined total supply. |
There was a problem hiding this comment.
Hi @feliam, my question was more pointed towards how you test your project, not how an inkscope user would test their project. We usually ask for unit or integration tests for any software project, depending on what makes most sense, and I was curious whether your unit tests cover specific contract vulnerabilities or if it's something more general. If it's the latter, it would be great to have a collection of contracts (not just an example or two) to test against. Could you add that to the test spec or as a separate deliverable?
Also, is the goal to have these changes merged into FuzzingLabs/octopus? Or are you planning to maintain your own fork?
|
@semuelle Thank you for the clarification. To test this project, we are taking a phased approach focused first on ensuring the core functionality is working properly first before expanding to additional integration and vulnerability testing. For this initial phase, our testing methodology includes both unit tests and coverage analysis: In a follow-on phase, not included in the scope of this project, we intend to expand testing to: We believe this incremental approach strikes the right balance between delivering core functionality quickly while prioritizing more advanced integration over time. Please let me know if you would like any additional details or have suggestions on the test plan. Regarding your second question, I want to clarify there is no direct relationship between this project and Octopus. We previously demonstrated modifications to Octopus to enable WASM contract analysis, but that was simply a proof of concept to try some ideas. This current project is entirely separate and it is started from scratch. It does not involve any forking or changes to the Octopus codebase itself. Apologies if that was unclear earlier - to confirm, we are developing a standalone fuzzer for wasm smart contracts without any dependence on Octopus. |
|
Thanks for the explanations @feliam, in addition to the Parity example contracts, you might want to check out ink! Dev Hub, they have a few examples of complex contracts such as cross-contract calls, an NFT marketplace, and a DEX. They also house the aWASoMe repo which has a ton more examples/tools/resources. ink!athon has some as well. If it is helpful, the CoinFabrik team has also published a number of ink! contract examples with known vulnerabilities, categorized by vulnerability class. |
There was a problem hiding this comment.
Hi @feliam sorry for the delay. I spoke with one of Parity's security experts and have the following additional questions:
- Will the tool depend on the concrete version of pallet-contracts? Who will maintain the fuzzer in the future?
- Does the fuzzer need the source code of a contract to define properties, or can it extract them from wasm blobs? Since typically ink! contracts are distributed without source code.
- What will be the methodologies behind handling the state of the fuzzer? For example, the snapshot-based fuzzing proposed by ityfuzz.
- What are some of the challenges/limitations you might see? For example, what do you mean by saying that the fuzzer will work with most of the ink-examples contracts?
Thanks for any insights you can provide!
|
Hello @keeganquigley,
We plan to create a fuzzer execution engine that is back compatible with all previous versions of pallet-contract up until 9e6298e7f773c61d384677e6eebfa8d7eee9d2ac The fuzzer will implement all different host function versions(seals) that can coexist across pallet-contract versions. Note that, for example, there are currently 3 different versions of the call() host function (call, call_v1, call_v2). The fuzzer will implement all versions and link calls to the appropriate underlying host function implementation based on the contract being tested. As the primary developers, we take responsibility for maintaining the fuzzer going forward. This will involve keeping it up-to-date, fixing issues, and adding new features. We hope to fund this maintenance through Polkadot treasury proposals that benefit the community. An actively maintained, open source fuzzer can improve smart contract security for multiple chains built on Substrate. We welcome collaboration from other developers as well. Over time, we envision this becoming a community-driven project supported by multiple contributors.
TL;DR Contract authors can encode properties during development for more targeted testing. Also users can still fuzz opaque WASM to a limited degree for due diligence. While we do not like the idea of trusting an opaque wasm blob without the associated and verified source code, the fuzzer will not strictly need the target contract source code to run. The fuzzer can operate directly on WASM contract blobs without needing access to source code. However, encoding meaningful properties to check would be challenging without an understanding of the contract's intended behavior and almost impossible without an ABI. If you are compelled to fuzz a third party contract where source is unavailable you will need to either reverse engineer it or otherwise obtain the ABI that the contract implements. Then write a shell contract that uses it and test the inner opaque contract.
For the first iteration, we will try to focus on correctness and keep it as simple as possible.
In this phase, we will focus on core host functionality required for general contract operation. Precise gas tracking and more exotic interfaces like chain extensions and call runtime will be deferred. This scoped approach allows faster initial development, but limits compatibility with contracts that expect full-fidelity emulation. Code paths depending on precise gas usage or runtime APIs will likely behave differently than on a live chain. We recognize this prevents fuzzing certain targets effectively. But it is a reasonable compromise for an initial working release. Let us know if you need further clarifications |
|
Congratulations and welcome to the Web3 Foundation Grants Program! Please refer to our Milestone Delivery repository for instructions on how to submit milestones and invoices, our FAQ for frequently asked questions and the support section of our README for more ways to find answers to your questions. |
Project Abstract
Even though smart contracts in Polkadot are not currently securing substantial value relative to other chains, it is prudent to establish robust security frameworks proactively before significant funds are put at risk.
To address these challenges, we propose developing a custom WebAssembly fuzzer for smart contracts. Fuzzing is an effective way to find security bugs in software, it finds vulnerabilities often missed by static program analysis and manual code inspection. By testing bytecode builds at the pre-deployment stage, contract vulnerabilities can be discovered and patched earlier in the cycle. Language-agnostic fuzzing will cover all smart contract languages compilable to WASM, including ink!, with extensibility for any languages added in future.
Grant level
Application Checklist
project_name.md).@_______:matrix.org(change the homeserver if you use a different one)