[thorchain] Add project #6828

Open
wants to merge 5 commits into
base: master


guidovranken
Contributor

Initial integration for Thorchain, which is a (currently) top 60 cryptocurrency and has 3.8 billion USD market cap. This first PR builds a simple fuzzer for a parser; later this will include cryptography fuzzers and a Solidity smart contract fuzzer (the first on OSS-Fuzz).

@oliverchang
Collaborator

Thanks @guidovranken. The fuzzing itself looks cool!

We're not fully sold on the importance of thorchains though. Would the kind of fuzzing you're doing here apply to other bigger blockchains like ethereum (or is that already being done)?

@guidovranken
Contributor Author

I will provide more information tomorrow.

@guidovranken
Contributor Author

@oliverchang

  • Threshold signatures library, developed by Binance (https://github.com/binance-chain/tss-lib). This is a general purpose cryptographic library that is not intrinsically tied to blockchain projects. Technically we will be fuzzing Thorchain's fork (https://gitlab.com/thorchain/tss/tss-lib) but there's a lot of overlap with upstream.
  • The smart contract fuzzer. Thorchain's smart contracts were hacked a few times this year with millions of USD stolen. This project includes a modified version of the Ethereum EVM which extracts the code coverage inside the smart contract and passes it to libFuzzer, and hooks VM instructions to discover "special" values (like 4 byte hashes, which serve as function IDs/entry points -- it is critical to know these for code coverage) which it passes to an internal dictionary/mutator, along with a harness that checks all kinds of contract invariants. If this OSS-Fuzz project is accepted, everything will be released under LGPL3 and it can be used by other smart contracts (after making modifications suiting their needs). This may be the first libFuzzer-based Ethereum smart contract fuzzer and first smart contract fuzzer on OSS-Fuzz. If it is not accepted, it may or may not be released (I have to speak with Thorchain about that).

I'm personally not interested in receiving an integration reward for this, I don't think Thorchain is either, but I can ask if they want to formally decline the reward if this impacts your decision.
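
The comment above describes feeding 4-byte function IDs found inside the EVM to the fuzzer's dictionary. The following is an added example, not code from this PR or from the Thorchain fuzzer: it swaps the runtime instruction hook for a simpler static scan of contract bytecode, collecting PUSH4 immediates and printing them as libFuzzer dictionary entries. The function names and the sample bytecode are constructed for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"sort"
)

const push1, push4, push32 = 0x60, 0x63, 0x7f // EVM opcodes PUSH1, PUSH4, PUSH32

// ExtractSelectors decodes bytecode one instruction at a time, so bytes that
// sit inside a PUSH immediate are never mistaken for opcodes. It returns the
// distinct PUSH4 immediates as sorted hex strings.
func ExtractSelectors(code []byte) []string {
	seen := map[string]bool{}
	for pc := 0; pc < len(code); pc++ {
		op := code[pc]
		if op < push1 || op > push32 {
			continue // not a PUSH: no immediate bytes to skip
		}
		n := int(op-push1) + 1 // number of immediate bytes
		if pc+n >= len(code) {
			break // truncated immediate at end of code (e.g. trailing metadata)
		}
		if op == push4 {
			seen[fmt.Sprintf("%x", code[pc+1:pc+5])] = true
		}
		pc += n
	}
	out := make([]string, 0, len(seen))
	for s := range seen {
		out = append(out, s)
	}
	sort.Strings(out)
	return out
}

// DictionaryLines renders each selector in libFuzzer/AFL dictionary syntax.
func DictionaryLines(code []byte) []string {
	var lines []string
	for _, s := range ExtractSelectors(code) {
		line := "\""
		for i := 0; i < len(s); i += 2 {
			line += "\\x" + s[i:i+2]
		}
		lines = append(lines, line+"\"")
	}
	return lines
}

// sampleCode is constructed bytecode, not taken from any real contract.
var sampleCode = func() []byte {
	c := []byte{0x60, 0x80, 0x60, 0x40, 0x52, 0x7f}         // PUSH1 PUSH1 MSTORE PUSH32
	c = append(c, bytes.Repeat([]byte{0x63}, 32)...)        // immediate full of 0x63
	c = append(c, 0x80, 0x63, 0xa9, 0x05, 0x9c, 0xbb, 0x14) // DUP1 PUSH4 a9059cbb EQ
	c = append(c, 0x80, 0x63, 0x70, 0xa0, 0x82, 0x31, 0x14) // DUP1 PUSH4 70a08231 EQ
	c = append(c, 0x63, 0xa9, 0x05, 0x9c, 0xbb)             // duplicate selector
	return append(c, 0x63, 0x01, 0x02)                      // truncated PUSH4
}()

func main() {
	for _, l := range DictionaryLines(sampleCode) {
		fmt.Println(l)
	}
}
```

A static scan over-approximates: any PUSH4 constant is reported, not only dispatcher selectors, which is acceptable for a mutation dictionary.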
