Phink, the ink! fuzzer
Phink is an innovative, open-source fuzzing tool specifically designed for ink! smart contracts within the Polkadot ecosystem. Fuzzing is an essential tool in the developer toolbox and will increase the security and reliability of ink! smart contracts.
Developed by Security Research Labs (SRLabs), Phink aims to enhance the hacking resilience and robustness of smart contracts by utilizing advanced coverage-guided fuzzing techniques and smart mutations.
Goals of Phink
Enhanced Security Testing: Phink leverages cutting-edge fuzzers like AFL++ and Honggfuzz to provide comprehensive code coverage and systematic exploration of smart contract code paths, effectively identifying potential vulnerabilities.
Comprehensive Invariant Testing: By supporting both developer-specific and common smart contract invariants, Phink allows for rigorous verification of native code conditions and critical inputs, helping developers prevent bugs and ensuring long-term robustness.
Broad Compatibility: Designed to be free from ink! version dependencies, Phink enables developers to use their own runtime, storage, and state, making it highly flexible and applicable across various environments.
Open-Source and Easily Accessible: As an open-source tool, Phink encourages community contributions and continuous improvement. We create all resources necessary for developers to start fuzzing without the need for prior experience, including how-to tutorials and comprehensive documentation.
User-Friendly Interface: Phink includes an intuitive interface that visualizes code coverage, state transitions, and invariant testing results, making it accessible and easy to use for developers, auditors, and researchers.
Proposal Objective
SRLabs seeks funding to develop Phink, addressing the limitations of current smart contract fuzzing tools by incorporating advanced fuzzing techniques for more systematic and adaptive security testing. The project will involve the development of a fuzzing harness, custom instrumentation, a user-friendly interface, and thorough documentation to support community use and contribution.
Full Proposal: For a detailed understanding of the Phink project, including the context, identified problems, and proposed solutions, read our full proposal here.
SRLabs: Learn more about Security Research Labs and our commitment to enhancing cybersecurity on our website. Find our previous work on open-source fuzzers for the Polkadot community here and here.
We Value Your Feedback
We invite the Polkadot community to provide feedback on our proposal. Your insights on the critical features and improvements for Phink will help us better serve the ecosystem. Please share your thoughts and suggestions to refine our approach and enhance the security of ink! smart contracts.
How much of the codebase will be extendible for future non-Ink! smart contract development plans, i.e. PolkaVM, Plaza and so on?
Will those require a new repository for significantly different fuzzing tools, or is there any chance to bootstrap those in the future from this repo? We have voted AYE already because fuzzing remains an important element in smart contract development pipelines.