Differential Fuzzer for Ethereum 2.0
beacon-fuzz

Open-source differential fuzzing of Ethereum 2.0 Phase 0 implementations. Maintained by Sigma Prime for the Ethereum Foundation.

Code style: black

Overview

A differential fuzzer of Eth2.0 implementations built on libFuzzer. By default, fuzzing runs indefinitely and stops only when an implementation panics or when two implementations produce differing output for the same input.

This is a continuation of Guido Vranken's eth2.0-fuzzing.

This project and its inner workings are subject to change.
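The stop conditions described above, as an added Python example that is not part of beacon-fuzz: two constructed stand-ins for implementations of one spec function (a slot-advance rule invented for this illustration, not the real Eth2 spec) are fed the same input, and the harness reports a finding only on a panic or on differing output. The 16-byte input format, the `impl_*` functions and `differential_step` are all assumptions of this example.

```python
import struct
from typing import Callable, Dict, Optional

# An implementation returns the serialized post-state, or None when it rejects
# the input as invalid. Rejection is a legitimate result that all
# implementations must agree on; an uncaught exception models a panic.
Impl = Callable[[bytes], Optional[bytes]]
UINT64_MASK = 2**64 - 1

def parse_input(data: bytes):
    # Constructed input format: two SSZ-style little-endian uint64s (slot, delta).
    return struct.unpack("<QQ", data) if len(data) == 16 else None

def impl_unbounded(data: bytes) -> Optional[bytes]:
    """Stand-in for a pyspec-like implementation using arbitrary-precision ints."""
    parsed = parse_input(data)
    if parsed is None:
        return None
    slot, delta = parsed
    if delta == 0:                      # constructed spec rule: must advance
        return None
    new_slot = slot + delta
    if new_slot > UINT64_MASK:          # not representable as uint64: reject
        return None
    return struct.pack("<Q", new_slot)

def impl_wrapping(data: bytes) -> Optional[bytes]:
    """Stand-in for a native implementation whose uint64 addition wraps silently."""
    parsed = parse_input(data)
    if parsed is None:
        return None
    slot, delta = parsed
    if delta == 0:
        return None
    return struct.pack("<Q", (slot + delta) & UINT64_MASK)   # the divergence

def differential_step(data: bytes, impls: Dict[str, Impl]) -> str:
    """Run one input through every implementation and classify the outcome:
    'agree', 'mismatch', or 'crash:<name>' for the first implementation that panics."""
    outputs = {}
    for name, fn in impls.items():
        try:
            outputs[name] = fn(data)
        except Exception:               # a panic in any implementation is a finding
            return f"crash:{name}"
    return "agree" if len(set(outputs.values())) == 1 else "mismatch"

IMPLS: Dict[str, Impl] = {"unbounded": impl_unbounded, "wrapping": impl_wrapping}
```

A real libFuzzer loop would feed `differential_step` mutated corpus entries and keep going on "agree", which is exactly the indefinite run the overview describes.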

Current Status

Currently fuzzes against the Eth2 v0.8.3 executable specs: the Python spec (pyspec) or the Go spec (zrnt).

Implementations

Operational fuzz targets (and their relevant spec function):

All currently use the "mainnet" config: https://github.com/ethereum/eth2.0-specs/blob/v0.8.3/configs/mainnet.yaml

See the corpora repository for an explanation of the input structure.

Corpora

See corpora for examples and an explanation of their structure.

Usage

Quickstart:

$ git clone --depth 1 https://github.com/sigp/beacon-fuzz.git
$ git clone --depth 1 https://github.com/sigp/beacon-fuzz-corpora.git
$ cd beacon-fuzz
$ ./runfuzzer.sh block_header ../beacon-fuzz-corpora/0-8-3/mainnet/block_header/ ../beacon-fuzz-corpora/0-8-3/mainnet/beaconstate

Interactive usage:

$ git clone --depth 1 https://github.com/sigp/beacon-fuzz.git
$ cd beacon-fuzz
$ sudo docker build . -t beacon_fuzz
$ sudo docker run -it beacon_fuzz bash
$ git clone --depth 1 https://github.com/sigp/beacon-fuzz-corpora.git
$ export ETH2_FUZZER_STATE_CORPUS_PATH="/eth2/beacon-fuzz-corpora/0-8-3/mainnet/beaconstate"
$ /eth2/fuzzers/attestation/fuzzer /eth2/beacon-fuzz-corpora/0-8-3/mainnet/attestation

Run a fuzzer binary with -help=1 to list all available arguments (see also the libFuzzer docs).

Contributing

Use pre-commit:

$ pre-commit install

If the build fails, comment out the RUN /eth2/build.sh line in the Dockerfile and run the script manually from within the container, adjusting the Makefiles as needed.

Adding new implementations for a target

The following implementations will be added to the various fuzzing targets:

Roadmap

  • Add more implementations
  • Add more fuzz targets
  • Improved onboarding, ease of adding new targets and implementations
  • Improved coverage measurements and visibility
  • Deploy on dedicated production fuzzing infrastructure

License

MIT - see LICENSE
