Interview: Jack, BlockBeats
Edited & collated by: Lucy, BlockBeats
Fuzzland is a stealth-mode startup that combines AI with fuzz testing and formal verification to help builders, auditors, and traders analyze smart contracts automatically and in real time.
Chaofan Shou, one of Fuzzland's co-founders, took only two years to complete a bachelor's degree in computer science at UC Santa Barbara. Between 2020 and 2021, when contract and blockchain security were still immature, he took part in several bug bounty programs and earned $1.7 million in bounties, part of it in locked tokens. In 2022 he entered UC Berkeley as a doctoral student and joined the Sky Computing Lab under Professor Koushik Sen; his research covers program analysis, distributed systems, and blockchain security. Before his doctoral studies he worked briefly as a software engineer at Veridise, a blockchain security startup, where he led the development of several automated testing tools for smart contracts and blockchains. Before that he was a security engineer at Salesforce, contributing to SAST solutions, internal network scanning services, and data pipelines.
The value of assets stolen in Web3 has risen year over year, and the security of DeFi has drawn close attention from the industry, giving rise to many security audit products. On February 9, Fuzzland announced a $3 million seed round led by 1kx, with participation from HashKey Capital, SNZ, and Panga Capital.
What is special about Fuzzland in security auditing? How will the future of contract security auditing develop? With these questions, BlockBeats interviewed one of the co-founders, Chaofan Shou. The following is the original interview:
Chaofan Shou founded Fuzzland with his friend Jeff and his doctoral advisor Koushik. One-third of Fuzzland's technical team are friends Chaofan Shou met playing CTF together in college. They have reached the finals of competitions such as DEF CON and placed near the top in many global contests, and each of them has found high-severity vulnerabilities in projects such as Chromium, Linux, and Windows.
Fuzzland's security audit process uses AI as an auxiliary tool. Blaz, Fuzzland's main product, exposes three APIs: capital flow, static analysis, and dynamic analysis. Built on Blaz, Blaz+ provides real-time, continuous formal verification for smart contracts. Beyond on-chain activity, it also monitors social media for vulnerability reports and attack chatter; at the end of 2023 it flagged an issue mentioned by Twitter user @rabbit_2333.
After further research, Fuzzland escalated it to a high-risk vulnerability: an attacker could gain full access to a user's account if the victim merely clicked a link. With that access an attacker could tweet, retweet, like, block, and so on, but could not change the user's password.
BlockBeats: Crypto already has many security audit products, teams and companies, why create Fuzzland?
Chaofan Shou: Fuzzland's focus is not on auditing, but on providing automated software and services for real-time analysis on the chain. We empower traders and auditors through automation, formal verification and fuzz testing, as well as predict whether an attack may occur after a transaction and defend against it.
BlockBeats: We seem to be able to see from the company's name that the team attaches great importance to fuzz testing technology. What is the meaning of the name "Fuzzland"?
Chaofan Shou: Fuzzland's initial product was a fuzz testing tool for smart contracts, which is where the name comes from. The product range has since expanded to include a comprehensive system of formal verification and static analysis, creating a unique hybrid fuzz testing product suite on the market. Our ultimate vision is to build Fuzzland into an infrastructure company so that all software fuzz testing can be performed on our platform, Fuzz+Land.
BlockBeats: In the crypto field today, fuzz testing and formal verification are already common audit methods at most security companies. When applying these two techniques, is the main difference between Fuzzland and other audit teams the way AI is combined with them?
Chaofan Shou: Fuzzland is a hybrid fuzz testing technology company that seamlessly combines fuzz testing and formal verification systems. We have provided this system to existing audit companies to help them complete their audits. We continue to innovate in fuzz testing and formal verification algorithms, integrating the latest achievements in academia to provide the tools with the highest test coverage and fastest speed on the market. We also use the large language model LLM to lower the threshold of fuzz testing and formal verification, replacing cumbersome manual steps and making it easier to use.
BlockBeats: Can you briefly explain to us how the team uses AI to assist Fuzzland's security audit process?
Chaofan Shou: The threshold of fuzz testing and formal verification lies mainly in configuring projects and developing invariants. We use an LLM to help users configure projects and define invariants through natural language interaction and documents. At the same time, we have also trained multiple machine learning models to accelerate and optimize the fuzz testing and formal verification processes.
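To make concrete what "developing invariants" for a fuzzer means, here is an added example (written for this article; it is not Fuzzland's or Blaz's code). It models a toy token ledger with a planted self-transfer bug, states the single invariant a fuzzer checks after every call (the sum of all balances must equal the total supply), drives the ledger with seeded random call sequences, and shrinks the first failing sequence to a small counterexample. The `Token` class, the actor names and the call generator are all constructed for this illustration.

```python
import random
from dataclasses import dataclass, field

ACTORS = ["alice", "bob", "carol"]  # constructed set of accounts for the fuzzer


@dataclass
class Token:
    """Toy ERC20-style ledger (constructed for this example, not a real contract).

    With buggy=True, transfer() reads both balances before writing either one,
    so a transfer from an account to itself credits the amount twice.
    """
    balances: dict = field(default_factory=dict)
    total_supply: int = 0
    buggy: bool = True

    def mint(self, to, amount):
        self.balances[to] = self.balances.get(to, 0) + amount
        self.total_supply += amount

    def burn(self, frm, amount):
        if self.balances.get(frm, 0) < amount:
            raise ValueError("insufficient balance")  # revert, state untouched
        self.balances[frm] -= amount
        self.total_supply -= amount

    def transfer(self, frm, to, amount):
        if self.balances.get(frm, 0) < amount:
            raise ValueError("insufficient balance")  # revert, state untouched
        if self.buggy:
            from_bal = self.balances.get(frm, 0)
            to_bal = self.balances.get(to, 0)
            self.balances[frm] = from_bal - amount
            self.balances[to] = to_bal + amount      # overwrites the debit when frm == to
        else:
            self.balances[frm] -= amount
            self.balances[to] = self.balances.get(to, 0) + amount


def invariant_holds(token):
    """The invariant the fuzzer checks after every call: supply is conserved."""
    return sum(token.balances.values()) == token.total_supply


def gen_call(rng):
    """Random call tuple: (method name, *args). Transfers are weighted higher."""
    op = rng.choice(["mint", "burn", "transfer", "transfer"])
    amount = rng.randint(1, 100)
    if op in ("mint", "burn"):
        return (op, rng.choice(ACTORS), amount)
    return ("transfer", rng.choice(ACTORS), rng.choice(ACTORS), amount)


def replay(calls, buggy):
    """Re-run a call sequence on a fresh ledger; False if the invariant ever breaks."""
    token = Token(buggy=buggy)
    for op, *args in calls:
        try:
            getattr(token, op)(*args)
        except ValueError:
            pass  # a reverted call leaves state unchanged, like a reverted tx
        if not invariant_holds(token):
            return False
    return True


def shrink(calls, buggy):
    """Greedy 1-minimal shrinking: drop any call whose removal keeps the failure."""
    calls = list(calls)
    i = 0
    while i < len(calls):
        candidate = calls[:i] + calls[i + 1:]
        if not replay(candidate, buggy):
            calls = candidate          # still fails without call i: keep it removed
        else:
            i += 1                     # call i is needed to reproduce the failure
    return calls


def fuzz(buggy, seed=1, max_calls=500):
    """Drive the ledger with random calls; return a shrunk counterexample or None."""
    rng = random.Random(seed)
    token = Token(buggy=buggy)
    calls = []
    for _ in range(max_calls):
        call = gen_call(rng)
        calls.append(call)
        try:
            getattr(token, call[0])(*call[1:])
        except ValueError:
            pass
        if not invariant_holds(token):
            return shrink(calls, buggy)
    return None


if __name__ == "__main__":
    print("buggy ledger  :", fuzz(buggy=True))    # e.g. [('mint', 'bob', 40), ('transfer', 'bob', 'bob', 17)]
    print("fixed ledger  :", fuzz(buggy=False))   # None: no violation found
```

The invariant is one line; nearly all the effort is in the harness around it, which is the "threshold" the answer above refers to. Note that a reverted call is treated as a no-op rather than a failure, since reverting on bad input is correct contract behaviour, and that shrinking replays candidates from a fresh ledger so the counterexample reported is reproducible on its own.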
BlockBeats: Blaz is the main product currently launched by Fuzzland, which includes three APIs: fund flow, static analysis, and dynamic analysis. What is the core logic behind the team's design? And can users split the three APIs and use them separately?
Chaofan Shou: These three APIs, or their combination, can be applied to different scenarios. For example, for traders, the fund flow of token creators and the static analysis of token contracts can help traders quickly determine whether a newly created token is worth buying. For MEV bots, dynamic analysis can help them find uncommon arbitrage opportunities and provide specific transactions to exploit the opportunities.
BlockBeats: An interesting point is that, according to the introduction, the dynamic analysis API can also discover profitable transactions, and the fund flow and static analysis APIs carry many functions aimed at traders and investors. Does this mean Blaz is more of a To C product than a To B one?
Chaofan Shou: Yes, Blaz will be a product that is more oriented towards To C, serving auditors, traders, investors, etc.
BlockBeats: Compared with Blaz, Blaz+ can provide real-time and continuous formal verification for smart contracts. When the Fuzzland team successfully detected the Twitter security vulnerability, did the functions or techniques of Blaz+ play a role?
Chaofan Shou: Blaz+ not only performs real-time formal verification and fuzz testing on the chain, but also analyzes public opinion information in social media such as Twitter in real time. Blaz+ helped us monitor the vulnerability that Twitter user @rabbit_2333 mentioned in a tweet and that Twitter had not fixed. After our research, we turned this discovery into a high-risk vulnerability.
BlockBeats: Readers are very curious about how the Fuzzland team discovered vulnerability X. Can you describe the incident to us?
Chaofan Shou: At the end of last year, after we saw the vulnerability mentioned in @rabbit_2333's tweet, we found that it could only pop up a window on a subdomain of Twitter and could not cause much impact beyond phishing. Later, several colleagues who used to work on web2 security and I dug deeper after work and found several other low-risk vulnerabilities in Twitter. However, when these vulnerabilities were chained together, an attack could be constructed. As long as the victim clicks a link in a browser logged in to Twitter, or visits a website with this link embedded, we can completely control the victim's account, read the email address and mobile phone number, post tweets, like, follow, and authorize other websites.
Relying on manual auditors remains a challenge for audit companies. As software systems grow more complex and the volume of data to analyze keeps increasing, manual audits become more time-consuming and error-prone, and the cost of recruiting and training qualified staff keeps rising.
Automated analysis can in principle offer completeness and soundness, but many traditional automated tools carry high compute and runtime overhead, so in practice their automation is scaled back in exchange for faster response. Chaofan Shou believes that automated contract security services and on-chain attack firewalls are still at an early stage. Fuzzland is making new attempts to address the compute and automation problems by combining formal verification, static analysis, and fuzz testing tools over distributed computing, and by using AI-driven natural-language interaction to set parameters, which lowers the technical threshold for users.
Ethereum co-founder Vitalik Buterin has also written on social media: "I am excited about a technology that applies artificial intelligence, that is, AI-assisted formal code verification and vulnerability discovery. At present, the biggest technical risk of Ethereum may be vulnerabilities in the code. Any technology that can significantly change this situation will be amazing."
BlockBeats: In addition to Blaz, what other products and features does Fuzzland consider launching in the future? Are you considering getting involved in MEV protection or privacy RPC and other areas that have attracted much attention recently?
Chaofan Shou: We will launch an AI-based Web2 fuzz testing platform in the near future to help projects find vulnerabilities in front-end and back-end code. We are not considering getting involved in MEV protection or privacy RPC for the time being.
BlockBeats: There are more and more security audit tools in the crypto industry, covering an ever wider range of technologies and security concerns. In your view and that of the Fuzzland team, has contract security become a crowded "red ocean" track? What gaps are left for entrepreneurs in this field?
Chaofan Shou: Manual contract audits have indeed become a red ocean track, but manual audits usually cannot find all vulnerabilities and require project teams to wait a long time. At present, automated contract security services and on-chain attack firewalls are still in the early stages, which are gaps left for entrepreneurs. Fuzzland is making some new attempts in this field and has launched two products, Blaz and Blaz+. Judging from the current results, they are very good.
BlockBeats: The crypto market has recently ushered in a new round of bull market, and there are many newcomers in the industry. If you can only give three security suggestions to users who have just joined Crypto, which three would they be?
Chaofan Shou: If you are not familiar with Web3 at all, take a look at the Blockchain Dark Forest Selfguard Handbook by Yu Xian.
Don't blindly trust the audit of a single company. If you want to put a large amount of funds into a DeFi protocol, first make sure that the contract has been audited by multiple well-known audit companies and that real-time on-chain defense measures are deployed.
Try to use hardware wallets. It is recommended to install wallet security tools such as Webacy, Wallet Guard, Fire, etc.