I am a Ph.D. student at UC Berkeley in the Sky Computing Lab, advised by Prof. Koushik Sen. My research interests lie in program analysis, security, and distributed systems. I am also co-founder and CTO of Fuzzland. Prior to that, I was a founding engineer at Veridise, a blockchain security startup, where I led the development of several automated testing tools for smart contracts and blockchains. Before that, I was a security engineer at Salesforce, contributing to SAST solutions, an internal network scanning service, and data pipelines.
[CCS '24] - Unveiling Collusion-Based Ad Attribution Laundering Fraud: Detection, Analysis, and Security Implications Tong Zhu, Chaofan Shou, Zhen Huang, Guoxing Chen, Xiaokuan Zhang, Yan Meng, Shuang Hao, Haojin Zhu
[CoNext '24] - Query Planning for Robust and Scalable Hybrid Network Telemetry Systems Chaofan Shou, Rohan Bhatia, Arpit Gupta, Rob Harrison, Daniel Lokshtanov [PDF]
[ISSTA '23] - ItyFuzz: Snapshot-Based Fuzzer for On-Chain Smart Contract Auditing Chaofan Shou, Shangyin Tan, Koushik Sen [PDF][Code][Slides]
[SBC '22] - Chainsaw: Breaking Blockchains With Coverage-Guided Fuzzing Representing Veridise Inc. [Slides][Event]
Things I Broke
I worked on a few bug bounty programs in 2020-2022. The total bounty I earned reaches $1.9M (including locked tokens). Selected bugs I've reported:
Security Issues
2024 - RisingWave: RCE on any compute node from read-only/low-privilege accounts.
2024 - Devin.ai: SSRF leading to user info leaks and complete system takeover.
2024 - Kaito: API issues leading to user info leaks and complete system takeover.
2024 - Etherscan: XSS + Cloudflare bypass that can take over all accounts / facilitate phishing.
2023 - Twitter: XSS + CSRF + CSP bypass leading to takeover of all Twitter accounts.
2023 - Gate.io Exchange: CSRFs leading to manipulation of user positions.
2023 - FreedomFi: Authorization bypass leading to command execution (RCE) on 7000+ miners.
2022 - Polygon Edge: Multiple validator DoS leading to an easy 51% (2/3 technically) attack.
2022 - DogeChain: Multiple validator DoS & critical logic flaws in genesis contracts => fixed with a fork.
2022 - FTX OTC: Reflected XSS requiring certain user interaction.
2022 - IBAX Network: Multiple validator DoS leading to an easy 51% attack.
2022 - FastRLP: Index out of range during parsing of block data.
2022 - Ethgo: Memory vulnerabilities during decoding of transactions & logs.
2022 - Deeper Network: Memory vulnerabilities in packet parsing leading to RCE on 30k+ miners.
2021 - React Native / Hermes: Memory vulnerability due to recursive JS proxy.
2021 - FTX US: Request smuggling leading to potential leakage of users' trade information.
2021 - CVS Pharmacy: SSRF + TLS poisoning leading to public access to all internal systems.
2021 - Helium: Incorrect logic leading to easy manipulation of the mining mechanism.
2020 - NetEase Email: XSS + CSP bypass, can lead to takeover of all business customer accounts.
2020 - Baidu: Multiple stored XSS, can lead to 218M account takeover.
2019 - Gogs: Race conditions leading to policy bypass.
2019 - NetEase: XSS + CSRF, can lead to 1 billion+ account takeover.
2016 - Shanghai Government: 100+ SQL injection / LFI / etc.
Privacy Issues
2021 - Comcast: Malicious user can hijack network traffic.
2021 - Google Nest: Side-channel leading to leakage of user actions.
2021 - MyQ: Side-channel leading to leakage of user actions.
2021 - Samsung Home: Side-channel leading to leakage of user actions.
2020 - iQIYI: User PII leakage in APIs.
2020 - Mail.ru: User PII leakage in APIs.
2017 - Baidu: User PII leakage in APIs.
Portfolio
I am sometimes an irresponsible early token investor. I am broadly interested in anything other than ZK and games (because I really know nothing about them). Here are some projects in which I held equity or >0.5% of the tradeable (LP + CEX) circulating supply:
Exited (2024)
Exited (2024)
Exited (2024)
Exited (2023)
Exited (2022)
Exited (2022)
I used to do quant trading on leveraged ETFs, contracts, and options based on reinforcement learning and a fine-tuned LLM, with a surprising PnL of -92% :).