Chaofan Shou

I am a Ph.D. student at UC Berkeley in the Sky Computing Lab advised by Prof. Koushik Sen. My research interest lies in program analysis, security, and distributed system. I am also cofounder and CTO of Fuzzland. Prior to these, I was a founding engineer at Veridise, a blockchain security startup, where I led development of several automated testing tools for smart contracts and blockchains. Before that, I was a security engineer at Salesforce, contributing to SAST solutions, internal network scanning service, and data pipelines.

Publications

• [CCS '24] - Unveiling Collusion-Based Ad Attribution Laundering Fraud: Detection, Analysis, and Security Implications
  Tong Zhu, Chaofan Shou, Zhen Huang, Guoxing Chen, Xiaokuan Zhang, Yan Meng, Shuang Hao, Haojin Zhu
• [CoNext '24] - Query Planning for Robust and Scalable Hybrid Network Telemetry Systems
  Chaofan Shou, Rohan Bhatia, Arpit Gupta, Rob Harrison, Daniel Lokshtanov [PDF]
• [ISSTA '23] - ItyFuzz: Snapshot-Based Fuzzer for On-Chain Smart Contract Auditing
  Chaofan Shou, Shangyin Tan, Koushik Sen [PDF] [Code] [Slides]
• [ISSTA '23] - Rare-Seed Generation for Fuzzing
  Seemanta Saha, Laboni Sarker, Md Shafiuzzaman, Chaofan Shou, Albert Li, Ganesh Sankaran, Tevfik Bultan [PDF]
• [IOT '22] - Targeted Black-Box Side-Channel Mitigation for IoT
  İsmet Burak Kadron, Chaofan Shou, Emily O'Mahony, Yılmaz Vural, Tevfik Bultan [PDF] [Code]
• [ASE '21] - CorbFuzz: Checking Browser Security Policies with Fuzzing
  Chaofan Shou, İsmet Burak Kadron, Qi Su, Tevfik Bultan [PDF] [Code] [Slides]

Talks

• [BuildETH '23] - MEV + Fuzzing = DeFi Firewall
  Representing FuzzLand Inc. [Slides] [Event]
• [SBC '22] - Chainsaw: Breaking Blockchains With Coverage-Guided Fuzzing
  Representing Veridise Inc. [Slides] [Event]

Things I Broke

• 2024 - Etherscan XSS + Cloudflare bypass that can take over all accounts / facilitate phishing.
• 2023 - Twitter XSS + CSRF + CSP bypass leading to all Twitter accounts take over.
• 2023 - Gate.io Exchange CSRFs leading to manipulation of user positions.
• 2023 - FreedomFi Authorization bypass leading to command execution (RCE) on 7000+ miners.
• 2022 - Polygon Edge Multiple validator DoS leading to easy 51% (2/3 technically) attack.
• 2022 - DogeChain Multiple validator DoS & genesis contracts critical logic flaws => fixed with a fork.
• 2022 - FTX OTC Reflected XSS requiring certain user interaction.
• 2022 - IBAX Network Multiple validator DoS leading to easy 51% attack.
• 2022 - FastRLP Index out of range during parsing block data.
• 2022 - Ethgo Memory vulnerabilities during decoding transaction & log.
• 2022 - Deeper Network Memory vulnerabilities in pkt parsing leading to RCE on 30k+ miners.
• 2021 - React Native / Hermes Memory vulnerability due to recursive JS proxy.
• 2021 - FTX US Request smuggling leading to potential users trade information leakage.
• 2021 - CVS Pharmacy SSRF + TLS Poisoning leading to public access of all internal systems.
• 2021 - Helium Incorrect logic leading to easy manipulation of mining mechanism.
• 2020 - NetEase Email XSS + CSP bypass, can lead to all business customer account takeover.
• 2020 - Baidu Multiple stored XSS, can lead to 218M account takeover.
• 2019 - Gogs Race conditions leading to policy bypass.
• 2019 - NetEase XSS + CSRF, can lead to 1 billion+ account takeover.
• 2016 - Shanghai Government 100+ SQL injection / LFI / etc.

• 2021 - Comcast Malicious user can hijack network traffic.
• 2021 - Google Nest Side-channel leading to leakage of user actions.
• 2021 - MyQ Side-channel leading to leakage of user actions.
• 2021 - Samsung Home Side-channel leading to leakage of user actions.
• 2020 - iQIYI User PII leakage in APIs.
• 2020 - Mail.ru User PII leakage in APIs.
• 2017 - Baidu User PII leakage in APIs.

Portfolio

Exited (2024)	Exited (2024)	Exited (2024)

Exited (2023)	Exited (2022)	Exited (2022)

Contacts

Links