Coverage-guided, structure-aware, and stateful fuzzer that systematically explores program state space to discover edge cases and vulnerabilities through bytecode-level instrumentation.
Off-the-shelf fuzzing tools cannot effectively test Solana smart contracts. We have engineered a complete instrumentation and fuzzing stack specifically for sBPF bytecode, enabling capabilities that distinguish our audits from traditional security firms.
We model protocol state machines and construct decision trees that guide our fuzzing tools toward critical state transitions. Schema-driven input generation tracks instruction sequences, so the fuzzer systematically explores execution paths and discovers vulnerabilities in complex protocol logic.
Traditional audits cannot quantify code coverage. Our custom sBPF runtime instrumentation tracks execution at the bytecode level, providing empirical metrics on audit thoroughness.
Random fuzzing generates invalid inputs rejected early in execution or during deserialization. Our schema-aware mutation engine respects protocol data structures and instruction formats, ensuring test cases penetrate deep into program logic.
Our automated framework tests invariants across millions of execution paths, systematically validating critical security properties and guarantees.
A systematic approach to fuzzing Solana programs
Model program instructions and their parameters using structured schemas
Implement a fuzzing harness that translates structured inputs into program instructions
Execute the fuzzer with coverage-guided mutations to explore program states
Review discovered bugs, crashes, and invariant violations with reproducing test cases
Export visual code coverage reports to validate fuzzing campaign efficacy and demonstrate testing thoroughness
Maintain and evolve test case corpus to maximize coverage and minimize redundancy
Reproduce bugs with a single test case for easy debugging and analysis
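The steps above, as an added example that is not Solaris code or any real Solana program: a constructed toy vault with a planted stateful bug, a harness that encodes schema-typed instructions as tag-plus-little-endian bytes so nothing is rejected at deserialization, AFL-style edge coverage over instruction sequences, and an invariant check whose first violation is returned as a single reproducing test case (dependency-free Rust; the program, bug, amounts and PRNG seed are all assumptions).

```rust
use std::collections::HashSet;
#[derive(Clone, Copy, Debug)] enum Ix { Deposit(u64), Withdraw(u64) } // instruction schema
#[derive(Default, Debug)] struct Vault { balance: u64, total_deposited: u64 } // program state
// Harness: serialize a structured instruction the way the program expects it
// (1-byte tag + little-endian u64), so every generated input passes deserialization.
fn encode(ix: Ix) -> Vec<u8> {
    let (tag, amt) = match ix { Ix::Deposit(a) => (0u8, a), Ix::Withdraw(a) => (1u8, a) };
    let mut v = vec![tag]; v.extend_from_slice(&amt.to_le_bytes()); v
}
// Constructed program under test; each executed branch is appended to `trace` (stands in for
// bytecode instrumentation). Planted bug: Withdraw checks the wrong field and wraps on underflow.
fn process(st: &mut Vault, data: &[u8], trace: &mut Vec<u8>) -> Result<(), &'static str> {
    let amt = u64::from_le_bytes(data[1..9].try_into().unwrap());
    match data[0] {
        0 => match (st.balance.checked_add(amt), st.total_deposited.checked_add(amt)) {
            (Some(b), Some(t)) => { trace.push(1); st.balance = b; st.total_deposited = t; }
            _ => { trace.push(2); return Err("overflow"); } },
        1 if amt <= st.total_deposited => { trace.push(3); st.balance = st.balance.wrapping_sub(amt); }
        1 => { trace.push(4); return Err("insufficient funds"); }
        _ => { trace.push(5); return Err("unknown instruction"); }
    }
    Ok(())
}
struct Rng(u64); // xorshift64: deterministic, so every finding replays exactly
impl Rng { fn next(&mut self) -> u64 { self.0 ^= self.0 << 13; self.0 ^= self.0 >> 7; self.0 ^= self.0 << 17; self.0 } }
// Schema-driven generation: valid tags and boundary amounts rather than random bytes.
fn gen_ix(r: &mut Rng) -> Ix {
    let amt = [0, 1, 5, 10, 100, u64::MAX][(r.next() % 6) as usize];
    if r.next() % 2 == 0 { Ix::Deposit(amt) } else { Ix::Withdraw(amt) }
}
// Replay a sequence from a fresh state; returns the end state and the branch-to-branch edges hit.
// This is also the single-test-case reproducer for any sequence the fuzzer reports.
fn run(seq: &[Ix]) -> (Vault, HashSet<(u8, u8)>) {
    let (mut st, mut trace) = (Vault::default(), vec![0u8]);
    for &ix in seq { let _ = process(&mut st, &encode(ix), &mut trace); }
    (st, trace.windows(2).map(|w| (w[0], w[1])).collect())
}
fn invariant_holds(st: &Vault) -> bool { st.balance <= st.total_deposited }
// Coverage-guided loop over instruction sequences: mutate a corpus entry, keep it if it reaches a
// new edge, and stop at the first invariant violation, returning that sequence as the test case.
fn fuzz(seed: u64, max_iters: usize) -> Option<Vec<Ix>> {
    let (mut r, mut corpus, mut seen) = (Rng(seed), vec![vec![gen_ix(&mut Rng(seed))]], HashSet::new());
    for _ in 0..max_iters {
        let mut seq = corpus[(r.next() as usize) % corpus.len()].clone();
        let i = (r.next() as usize) % (seq.len() + 1); // overwrite one slot or append one
        if i == seq.len() { seq.push(gen_ix(&mut r)) } else { seq[i] = gen_ix(&mut r) }
        let (st, cov) = run(&seq);
        if !invariant_holds(&st) { return Some(seq); }
        if !cov.is_subset(&seen) { seen.extend(cov); corpus.push(seq); }
    }
    None
}
```

The planted bug needs a deposit followed by two withdrawals, so no single instruction and no random byte string triggers it; edge coverage is what keeps the deposit-then-withdraw prefix in the corpus long enough for the third instruction to be appended.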
Get early access to Solaris for Solana