Fuzzland is a stealth-mode startup that combines AI with fuzz testing and formal verification to help builders, auditors, and traders analyze smart contracts automatically and instantly.
Chaofan Shou, one of Fuzzland's co-founders, earned a bachelor's degree in computer science from the University of California, Santa Barbara in just two years. Between 2020 and 2021, when contract and blockchain security were still immature, he took part in bug bounty programs and earned $1.7 million in bounties, some of it in locked tokens. In 2022 he entered the Ph.D. program at the University of California, Berkeley, joining the Sky Computing Lab under Professor Koushik Sen and focusing on program analysis, distributed systems, and blockchain security. Before starting his Ph.D., he worked briefly as a software engineer at Veridise, a blockchain security startup, where he led the development of several smart contract and blockchain automated testing tools. Before that, he was a security engineer at Salesforce, contributing to SAST solutions, internal network scanning services, and data pipelines.
The amount of Web3 assets targeted by hackers grows year by year, and the security of DeFi is drawing close attention from the industry, which has led to a wave of security auditing products. On February 9th, Fuzzland announced the completion of a $3 million seed round led by 1kx, with participation from HashKey Capital, SNZ, and Panga Capital.
What makes Fuzzland different from other security auditing offerings? How will contract security auditing evolve? With these questions in mind, BlockBeats interviewed co-founder Chaofan Shou. Here is the transcript of the interview:
"Audit is not the goal; providing on-chain real-time analysis is the focus."
Chaofan Shou co-founded Fuzzland with his friend Jeff and his Ph.D. advisor Koushik. A third of Fuzzland's technical team are friends he met at university through CTF competitions; together they reached the DEFCON finals, placed highly in several global competitions, and discovered significant vulnerabilities in Chromium, Linux, Windows, and other software.
Fuzzland's security auditing process uses AI as an auxiliary tool. Its main product, Blaz, exposes three APIs: fund flow, static analysis, and dynamic analysis. Built on top of Blaz, Blaz+ provides real-time, continuous formal verification of smart contracts. Besides watching on-chain activity in real time, it also monitors social media for mentions of vulnerabilities and attacks; at the end of 2023 it picked up a vulnerability mentioned by Twitter user @rabbit_2333.
After in-depth research, Fuzzland turned this into a high-risk vulnerability: a single click on a crafted link gives the attacker full access to the victim's account. The attacker can tweet, retweet, like, block, and so on, but cannot change the user's password.
Combining fuzz testing and formal verification
BlockBeats: Crypto already has many security auditing products, teams, and companies. Why create Fuzzland?
Chaofan Shou: Fuzzland's focus is not on auditing but on providing automated software and services for on-chain real-time analysis. We empower traders and auditors through automation, formal verification, and fuzz testing to predict potential attacks after a transaction and defend against them.
BlockBeats: It seems we can tell from the company's name that the team values fuzz testing technology. What's the significance behind naming it "Fuzzland"?
Chaofan Shou: Fuzzland's initial product was a fuzz testing tool for smart contracts. Now the product range has expanded to include a comprehensive system of formal verification and static analysis, creating a unique suite of hybrid fuzz testing products in the market. Our ultimate vision is to develop Fuzzland into an infrastructure company where fuzz testing for all software can be done on our Fuzz+Land platform.
BlockBeats: In the current crypto field, fuzz testing and formal verification are also common auditing methods for most security companies. Is the main difference between Fuzzland's team and other auditing teams in the integration and application of AI?
Chaofan Shou: Fuzzland is a technology company that seamlessly combines fuzz testing and formal verification systems into hybrid fuzz testing. We provide this system to existing auditing companies to help them complete audits. We continuously innovate on fuzz testing and formal verification algorithms, integrating the latest achievements from academia, making it the fastest tool with the highest test coverage on the market. We also use large language models (LLMs) to lower the barriers to fuzz testing and formal verification, replacing tedious manual steps, making it easier to use.
BlockBeats: Can you briefly explain how the team uses AI to assist Fuzzland's security auditing process?
Chaofan Shou: The main barriers to fuzz testing and formal verification are configuring projects and developing invariants. We use LLMs to help users configure projects and define invariants through natural language interaction and documentation. At the same time, we have trained multiple machine learning models to accelerate and optimize the fuzz testing and formal verification process.
Fund flow + static analysis + dynamic analysis
BlockBeats: Blaz, currently launched by Fuzzland, includes three APIs: fund flow, static analysis, and dynamic analysis. What is the core logic behind the team's design, and can users separately use these three APIs?
Chaofan Shou: These three APIs, or their combinations, can be used in different scenarios. For example, for traders, analyzing fund flows from token creators and statically analyzing token contracts can help traders quickly determine whether a newly created token is worth buying. For MEV bots, dynamic analysis can help them find uncommon arbitrage opportunities and provide specific transactions to exploit these opportunities.
BlockBeats: An interesting point is that we can see from the introduction that the dynamic analysis API also has the function of discovering profitable transactions. Additionally, in the introductions of the fund flow and static analysis APIs, many functions are aimed at traders and investors. Does this mean that Blaz is more of a To C product rather than To B?
Chaofan Shou: Yes, Blaz will be more of a To C product, serving auditors, traders, investors, and others.
BlockBeats: Compared to Blaz, Blaz+ can provide real-time and continuous formal verification for smart contracts. Did Blaz+ play a helpful role in the Fuzzland team's successful detection of Twitter's security vulnerabilities?
Chaofan Shou: Blaz+ not only performs real-time formal verification and fuzz testing on-chain but also analyzes sentiment information in real-time on social media such as Twitter. Blaz+ helped us detect a high-risk vulnerability mentioned by Twitter user @rabbit_2333 in their tweet, which Twitter did not address. Subsequently, through our research, we turned this discovery into a high-risk vulnerability.
BlockBeats: Readers are very curious about how the Fuzzland team discovered the X vulnerability. Can you describe the process of the event?
Chaofan Shou: At the end of last year, after seeing the vulnerability mentioned by @rabbit_2333 in their tweet, we found that it could only pop up on a subdomain of Twitter and, besides phishing, did not have a significant impact. Later, after work, some colleagues who originally worked on web2 security and I dug deeper and found several other low-risk vulnerabilities in Twitter. However, by exploiting these vulnerabilities in combination, we could construct an attack. If the victim clicked on the link in a browser logged into Twitter, or visited a website with this link inserted, we could fully control the victim's account, including reading their email and phone number, or tweeting, liking, following, and authorizing other websites.
AI-based contract auditing remains a "blue ocean"
Auditing companies still rely heavily on human auditors, and that is becoming harder to sustain. As software systems grow more complex and the volume of data to analyze increases, manual auditing becomes slower and more error-prone, and the cost of recruiting and training qualified personnel keeps rising.
Automated auditing tools can make the analysis more complete and systematic, but many traditional ones demand so much compute and runtime that they give up much of the automation benefit in order to respond faster. Chaofan Shou believes automated contract security services and on-chain attack firewalls are still in their early stages. Fuzzland is trying some new approaches here, such as introducing distributed computing and combining formal verification, static analysis, and fuzz testing to address both compute cost and automation, and using natural-language interaction with AI to set parameters so that the technical barrier for users is lower.
Ethereum co-founder Vitalik Buterin has also expressed excitement on social media about one application of artificial intelligence, namely AI-assisted formal verification of code and vulnerability discovery. He stated, "The biggest technical risk for Ethereum at the moment is probably code bugs, and anything that significantly changes that is a big deal."
BlockBeats: Apart from Blaz, what other products and features does Fuzzland consider launching in the future? Are there plans to enter recently popular areas such as MEV protection or privacy RPC?
Chaofan Shou: We will soon launch an AI-based Web2 fuzz testing platform to help projects find vulnerabilities in frontend and backend code. We currently do not consider entering MEV protection or privacy RPC.
BlockBeats: Nowadays, there are increasingly more security auditing tools in the crypto industry, covering a wider range of technologies and security scopes. In your and Fuzzland's view, has contract security become a "red ocean" race? What blanks are left for entrepreneurs in this field?
Chaofan Shou: Human-based contract auditing has indeed become a red ocean race, but human auditing usually cannot find all vulnerabilities and requires the project to wait for a long time. Currently, automated contract security services and on-chain attack firewalls are still in their early stages, leaving gaps for entrepreneurs. Fuzzland is making some new attempts in this field and has launched two products, Blaz and Blaz+, which have shown very good results so far.
BlockBeats: The cryptocurrency market has recently entered a new bull market, bringing many newcomers into the industry. If you could give three pieces of security advice to users who have just entered Crypto, what would they be?
Chaofan Shou: If you are completely unfamiliar with Web3, you can take a look at Cosine's blockchain Dark Forest Self-help Manual.
Do not blindly trust audits from a single company. If you plan to invest a large amount of funds in a DeFi project, make sure the contract has been audited by multiple well-known audit companies and has deployed real-time on-chain defense measures.
Try to use hardware wallets and install wallet security tools such as Webacy, Wallet Guard, Fire, etc.