// the find
fuzzland/ityfuzz
Blazing Fast Bytecode-Level Hybrid Fuzzer for Smart Contracts
ItyFuzz is a hybrid smart contract fuzzer that combines coverage-guided fuzzing with concolic execution, built on top of LibAFL. It targets EVM (Ethereum, Polygon, BSC) and MoveVM (Sui, Aptos) contracts and can fork live chains to fuzz deployed contracts in their real state. It's for security researchers and auditors who want automated vulnerability discovery that goes beyond what Echidna or Foundry's built-in fuzzer can find.
The chain-forking capability is the killer feature — you point it at a block number and a contract address and it fuzz-tests the deployed bytecode with real on-chain state, which catches vulnerabilities that local test setups miss. The hybrid concolic+fuzzing approach measurably outperforms pure fuzzing on hash checks and complex conditionals where random inputs almost never reach the branch. Automatic exploit generation is genuinely useful: it doesn't just report 'found a bug', it produces a Foundry test that reproduces the exact attack path including flashloans. LibAFL as the fuzzing backbone means the power scheduling and corpus management are not hand-rolled — they're built on a serious fuzzing framework.
The install story is a curl-pipe-to-bash that pulls from fuzz.land — no verification, no reproducible build, just trust the server. The concolic execution is Z3-based and will time out or miss paths on contracts with complex numeric constraints; this is an inherent limitation, but the docs never say when to expect it to fail. MoveVM support looks like it received less attention than EVM — the Move test suite is thin and the feature set mirrors EVM's without the same depth. The research paper benchmarks are cherry-picked comparisons against Echidna and Mythril, both of which are slower tools by design; the comparison against Foundry's fuzzer is more honest, but it shows ItyFuzz winning on coverage, not specifically on finding bugs.