Security firm Fuzzland finds a way to reverse exploits

Web3 security and smart contract auditing firm Fuzzland has prevented the loss of over $15 million in stolen crypto from about a dozen different exploits, co-founder Chaofan Shou said on stage at the Science of Blockchain conference in New York City.

The firm, founded in early 2023, has developed two main strategies to recover funds: what Shou calls “hijacking” and “backrunning.” With attack hijacking, as the name implies, Fuzzland runs bots that can identify when a blockchain contract is being exploited and then will “hijack” the malicious actor’s efforts. Meanwhile, backrunning is the process of identifying potential victims and then preemptively draining their funds so that bad actors cannot.

To date, the largest exploit Fuzzland was able to disrupt was on DeFi protocol Sonne Finance, which was attacked on both the Base and Optimism Layer 2 networks. That saved the protocol about $10 million in crypto. It also stopped multi-million dollar hacks targeting AllianceBlock, Dough Finance and Nexera (though it was attacked again on Wednesday).

According to the firm’s analysis shared on stage, 57% of funds can be rescued by backruns, while 26% can be rescued by hijacking.

Shou estimates Fuzzland’s efforts have brought in $1.5 million in bug bounties. Earlier this year, the firm closed a $3 million seed funding round led by 1kx with participation from HashKey Capital, SNZ and Panga Capital. The security firm has about 30 employees, many of whom have PhDs or are candidates, Shou said.

Fuzzland gets its name from the process of “fuzzing” or fuzz testing, an automated technique for investigating smart contracts to discover vulnerabilities or bugs. Shou open-sourced the “ItyFuzz” fuzzing bot on GitHub, which he first proposed with fellow Ph.D. student Shangyin Tan at Berkley.