Chaofan Shou

I am a Ph.D. student at UC Berkeley in the Sky Computing Lab advised by Prof. Koushik Sen. My research interest lies in program analysis, security, and distributed system. Prior to Ph.D. study, I was a software engineer at Veridise, a blockchain security startup, where I led development of several automated testing tools for smart contracts and blockchains. Before that, I was a security engineer at Salesforce, contributing to SAST solutions, internal network scanning service, and data pipelines.

I received my CS bachelor degree from UC Santa Barbara, where I worked with Prof. Arpit Gupta on inband network telemetry (INT) and software-defined network. I was advised by Prof. Tevfik Bultan and conducted research on side-channel analysis and probablistic symbolic execution. I also interned at SJTU and worked with Prof. Haojin Zhu on ads and mobile security.

Interested in blockchain security and open to work? => We are hiring @ FuzzLand

Publications

[CCS '24] - Unveiling Collusion-Based Ad Attribution Laundering Fraud: Detection, Analysis, and Security Implications
Tong Zhu, Chaofan Shou, Zhen Huang, Guoxing Chen, Xiaokuan Zhang, Yan Meng, Shuang Hao, Haojin Zhu
[CoNext '24] - Query Planning for Robust and Scalable Hybrid Network Telemetry Systems
Chaofan Shou, Rohan Bhatia, Arpit Gupta, Rob Harrison, Daniel Lokshtanov [PDF]
[ISSTA '23] - ItyFuzz: Snapshot-Based Fuzzer for On-Chain Smart Contract Auditing
Chaofan Shou, Shangyin Tan, Koushik Sen [PDF] [Code] [Slides]
[ISSTA '23] - Rare-Seed Generation for Fuzzing
Seemanta Saha, Laboni Sarker, Md Shafiuzzaman, Chaofan Shou, Albert Li, Ganesh Sankaran, Tevfik Bultan [PDF]
[IOT '22] - Targeted Black-Box Side-Channel Mitigation for IoT
İsmet Burak Kadron, Chaofan Shou, Emily O'Mahony, Yılmaz Vural, Tevfik Bultan [PDF] [Code]
[ASE '21] - CorbFuzz: Checking Browser Security Policies with Fuzzing
Chaofan Shou, İsmet Burak Kadron, Qi Su, Tevfik Bultan [PDF] [Code] [Slides]

Talks

[BuildETH '23] - MEV + Fuzzing = DeFi Firewall
Representing FuzzLand Inc. [Slides] [Event]
[SBC '22] - Chainsaw: Breaking Blockchains With Coverage-Guided Fuzzing
Representing Veridise Inc. [Slides] [Event]

Things I Broke

I worked on a few bug bounty programs in 2020-2021. The total amount of bounty I earned reaches $1.7M (including tokens locked). Selected bugs I've reported:

Security Issues

2023 - Twitter XSS + CSRF + CSP bypass leading to all Twitter accounts take over.
2023 - Gate.io Exchange CSRFs leading to manipulation of user positions.
2023 - FreedomFi Authorization bypass leading to command execution (RCE) on 7000+ miners.
2022 - Polygon Edge Multiple validator DoS leading to easy 51% (2/3 technically) attack.
2022 - DogeChain Multiple validator DoS & genesis contracts critical logic flaws => fixed with a fork.
2022 - FTX OTC Reflected XSS requiring certain user interaction.
2022 - IBAX Network Multiple validator DoS leading to easy 51% attack.
2022 - FastRLP Index out of range during parsing block data.
2022 - Ethgo Memory vulnerabilities during decoding transaction & log.
2022 - Deeper Network Memory vulnerabilities in pkt parsing leading to RCE on 30k+ miners.
2021 - React Native / Hermes Memory vulnerability due to recursive JS proxy.
2021 - FTX US Request smuggling leading to potential users trade information leakage.
2021 - CVS Pharmacy SSRF + TLS Poisoning leading to public access of all internal systems.
2021 - Helium Incorrect logic leading to easy manipulation of mining mechanism.
2020 - NetEase Email XSS + CSP bypass, can lead to all business customer account takeover.
2020 - Baidu Multiple stored XSS, can lead to 218M account takeover.
2019 - Gogs Race conditions leading to policy bypass.
2019 - NetEase XSS + CSRF, can lead to 1 billion+ account takeover.
2016 - Shanghai Government 100+ SQL injection / LFI / etc.

Privacy Issues

2021 - Comcast Malicious user can hijack network traffic.
2021 - Google Nest Side-channel leading to leakage of user actions.
2021 - MyQ Side-channel leading to leakage of user actions.
2021 - Samsung Home Side-channel leading to leakage of user actions.
2020 - iQIYI User PII leakage in APIs.
2020 - Mail.ru User PII leakage in APIs.
2017 - Baidu User PII leakage in APIs.

Portfolio

I am sometimes an irresponsible early token investor. I am broadly interested in anything other than ZK and games (because I really know nothing about them). Here are some projects I held >.5% tradeable (LP + CEX) circulating supply:


Exited (2023)	Exited (2022)	Exited (2022)

I used to do quant trading on leveraged ETFs, contracts, and options based on reinforcement learning and fine-tuned LLM with a surprising PnL of -92% :).

Contacts

shou [at] berkeley.edu
shou [at] ucsb.edu
chaos [at] fuzz.land
which all likely go to scf [at] acm.org
Telegram: https://t.me/imcfs

Links

GitHub
Twitter
Google Scholar
Blog
Not that formal ver of me
Resume for job