ItyFuzz: When Echidna Found 0 Bugs, This Tool Found 126
Sometimes you hear a stat that just stops you. "ItyFuzz finds 126 vulnerabilities where Echidna finds 0." That's not a typo. That's not a cherry-picked example. It's a real result from fuzzing real smart contracts, and it says something big about where fuzzing is headed.
If you've ever written a Solidity contract and wondered if you're missing something, you know the feeling. You run Echidna or Foundry's fuzz tests, they pass, and you breathe a sigh of relief. But what if they're passing because they're not looking hard enough? That's exactly the problem ItyFuzz solves.
What It Does
ItyFuzz is a hybrid fuzzer for smart contracts that combines multiple strategies to find bugs traditional fuzzers miss. It's built for EVM-based chains (anything running the Ethereum Virtual Machine) and uses a combination of:
- Concolic execution (symbolic + concrete) to explore hard-to-reach paths
- Snapshot fuzzing to reset state quickly between test runs
- Multi-chain support — works on Ethereum, Polygon, BSC, and more
It's not just an optimizer. It's a fundamentally different approach to finding vulnerabilities. Instead of treating each transaction as independent, it tracks state across sequences and uses constraint solving to find inputs that trigger edge cases.
Why It's Cool
The "126 vs 0" claim comes from real benchmarks on real contracts. The repository doesn't just throw that number out — it backs it up with reproducible tests. That alone makes it worth a look.
But the cooler part is the architecture. Most fuzzers work like a brute force search. They generate random inputs, run them, and hope something breaks. That works for shallow bugs, but it fails for deep logic errors that require a specific sequence of 5+ transactions.
ItyFuzz uses symbolic execution to reason about what inputs would actually trigger a bug, then generates those inputs directly. It's like having a debugger that can "see around corners" and tell you exactly what sequence of calls would drain a contract.
Another neat trick: snapshot fuzzing. It saves the state after each sequence, so it can rewind and try different paths without replaying the entire history from scratch. That makes it orders of magnitude faster for complex contracts.
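To make the "deep multi-transaction bug" and snapshot points concrete, here is an added Python sketch (my own illustration, not ItyFuzz's code, which is written in Rust). It models a constructed toy contract whose drain path needs four exact 32-bit arguments in a fixed order followed by an over-withdrawal, and runs two searches over it: a random fuzzer that restarts from a fresh contract every iteration, and a snapshot-based search that resumes from saved states and, as a stand-in for a constraint solver, reuses the operand each guard compared its input against. The contract, its function names and the MAGIC constants are all made up for the example.

```python
"""Added illustration (not ItyFuzz code): why a 5-call bug defeats random fuzzing
and how state snapshots plus branch-constraint feedback reach it."""
import copy
import random

# Constructed toy "contract": the drain path needs four calls in order, each with
# an exact 32-bit argument, then an over-withdrawal. Random guessing has ~1/2^32
# odds per guard, so a stateless random fuzzer essentially never gets there.
MAGIC = [0x5EED1234, 0x00C0FFEE, 0x0BADF00D, 0xDEADBEEF]
FUNCTIONS = ["step0", "step1", "step2", "step3", "withdraw"]
ARG_BITS = 32


class ToyVault:
    def __init__(self):
        self.stage = 0
        self.balance = 1_000
        self.drained = False
        self.observed = []  # (concrete arg, value it was compared against)

    def key(self):
        # Snapshot identity: the observable state, ignoring the comparison log.
        return (self.stage, self.balance, self.drained)

    def _guard(self, arg, want):
        # Record the comparison so a concolic-style search can learn `want`.
        self.observed.append((arg, want))
        return arg == want

    def call(self, fn, arg):
        """Execute one transaction; returns True once the vault is drained."""
        self.observed.clear()
        if fn.startswith("step"):
            idx = int(fn[4:])
            # step_k only advances when called at stage k with the exact argument.
            if idx == self.stage and self._guard(arg, MAGIC[idx]):
                self.stage += 1
        elif fn == "withdraw":
            # Planted bug: after all four stages pass, the balance check is skipped.
            if self.stage == 4 or arg <= self.balance:
                self.balance -= arg
                if self.balance < 0:
                    self.drained = True
        return self.drained


def random_fuzz(budget, seed=0):
    """Stateless-style fuzzing: fresh contract, random 5-call sequence each iteration."""
    rng = random.Random(seed)
    for _ in range(budget):
        vault = ToyVault()
        for _ in range(5):
            if vault.call(rng.choice(FUNCTIONS), rng.getrandbits(ARG_BITS)):
                return True
    return False


def snapshot_fuzz(max_depth=5, seed=0):
    """Snapshot + constraint-feedback search in the spirit of concolic fuzzing.

    Every explored state is snapshotted (deepcopy) so the search resumes from it
    instead of replaying the call prefix. After a random probe, the operand each
    guard compared against is fed back as a "solved" input for the same function
    (a toy stand-in for an SMT solver). Returns the draining call sequence or None.
    """
    rng = random.Random(seed)
    start = ToyVault()
    frontier = [(start, [])]
    visited = {start.key()}
    while frontier:
        state, trace = frontier.pop()
        if len(trace) >= max_depth:
            continue
        for fn in FUNCTIONS:
            probe = copy.deepcopy(state)  # snapshot: no replay of `trace`
            arg = rng.getrandbits(ARG_BITS)
            if probe.call(fn, arg):
                return trace + [(fn, arg)]
            # Solved candidates: guard operands seen on the probe, plus one value
            # just over the balance to exercise the withdraw check.
            candidates = [want for _, want in probe.observed] + [state.balance + 1]
            for solved in candidates:
                child = copy.deepcopy(state)
                if child.call(fn, solved):
                    return trace + [(fn, solved)]
                if child.key() not in visited:  # only keep genuinely new states
                    visited.add(child.key())
                    frontier.append((child, trace + [(fn, solved)]))
    return None


def replay(trace):
    """Re-run a call sequence on a fresh vault; True if it ends drained."""
    vault = ToyVault()
    drained = False
    for fn, arg in trace:
        drained = vault.call(fn, arg)
    return drained


if __name__ == "__main__":
    print("random fuzzing found the drain:", random_fuzz(20_000))
    found = snapshot_fuzz()
    print("snapshot search found:", found, "replays to drained =", replay(found))
```

The random search burns its whole budget without reaching stage 1, because nothing it observes tells it which 32-bit value the guard wanted; the snapshot search reads that value off the comparison, resumes from the saved state rather than re-executing the prefix, and reaches the five-call drain in a handful of executions. Real concolic engines derive those inputs from path constraints rather than from a recorded operand, but the shape of the advantage is the same.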
How to Try It
Getting started is straightforward. You need Rust installed (nightly toolchain recommended).
Clone the repo:
git clone https://github.com/fuzzland/ityfuzz.git
cd ityfuzz
Build it:
cargo build --release
Then run it against a contract:
./target/release/ityfuzz fuzz --target <contract_address> --chain-id <chain_id>
For a quick demo, you can also use the existing benchmark contracts in the tests/ directory. The README has examples for running against Uniswap V2 and other common protocols.
If you want to see the 126 vs 0 claim yourself, check the benchmarks/ folder for the specific test cases. They include instructions to reproduce the comparison with Echidna.
Final Thoughts
ItyFuzz isn't going to replace every fuzzer you use. Foundry's built-in fuzzing is still great for quick checks. But if you're auditing a complex DeFi protocol or writing contracts where a single missed bug means millions lost, this tool earns its place in your toolkit.
The developer community has been sleeping on concolic execution for a while. Tools like this show it's not just academic — it's practical, it works, and it finds real bugs that other tools literally cannot find.
Give it a spin. You might be surprised what's hiding in your contracts.
Brought to you by @githubprojects
Repository: https://github.com/fuzzland/ityfuzz