Coverage-Guided Fuzzing
Coverage-guided fuzzing is a technique in which the fuzzer observes which code paths each input executes and prioritizes inputs that reach new, previously unexplored paths.
In Depth
Coverage-guided fuzzing uses code coverage feedback to make fuzzing more effective. The target is instrumented (at compile time, or by the virtual machine that runs it, such as the EVM), and for every input the fuzzer records which branches, edges between basic blocks, or, for bytecode targets, opcodes were executed. An input that exercises coverage not seen before is saved to the corpus and used as a parent for further mutation; an input that only retraces known paths is discarded. This feedback loop is dramatically more efficient than purely random fuzzing: a check that random inputs almost never satisfy, such as a multi-byte magic value or a chain of format checks, is solved one branch at a time, and the fuzzer is systematically driven toward unexplored code regions where bugs are more likely to hide. Coverage feedback only says where the fuzzer has been, not whether the program behaved correctly, so it is always paired with an oracle (a crash, a failed assertion, a sanitizer report, or a violated property) that turns a newly reached path into a reported bug.
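The loop described above, as an added example in Python that is not code from the original page or from any fuzzer it mentions. The target (toy_parser), the seed input, and the crash condition are constructed for illustration; line-edge coverage collected with sys.settrace stands in for compile-time or VM-level instrumentation, and the "favour the newest corpus entry" scheduling is a simplification of the power scheduling real fuzzers use. Running it with guided=False gives the blind baseline, which can never assemble the four-byte magic value from a single parent; with guided=True each matched byte opens a new edge, the child is kept, and the fault behind the magic check is reached.

```python
import random
import sys
from typing import Callable, FrozenSet, List, Tuple

Target = Callable[[bytes], None]


def toy_parser(data: bytes) -> None:
    """Constructed target: a header parser with a fault hidden behind a
    4-byte magic value. Each byte of the magic is checked on its own line,
    so line-edge coverage improves one byte at a time."""
    if len(data) < 5:
        return
    if data[0] == ord("F"):
        if data[1] == ord("U"):
            if data[2] == ord("Z"):
                if data[3] == ord("Z"):
                    if data[4] > 8:  # declared length larger than an (imaginary) 8-byte buffer
                        raise ValueError("simulated buffer overflow")


def run_with_coverage(target: Target, data: bytes) -> Tuple[FrozenSet[Tuple[int, int]], bool]:
    """Run target(data) under sys.settrace. Returns the set of
    (previous_line, current_line) edges executed inside target's own code
    object, plus whether the run raised (the crash oracle)."""
    edges = set()
    prev = 0

    def local_tracer(frame, event, arg):
        nonlocal prev
        if event == "line":
            edges.add((prev, frame.f_lineno))
            prev = frame.f_lineno
        return local_tracer

    def global_tracer(frame, event, arg):
        # Only trace the frame executing the target itself (plain function assumed).
        return local_tracer if frame.f_code is target.__code__ else None

    old = sys.gettrace()
    sys.settrace(global_tracer)
    try:
        target(data)
        crashed = False
    except Exception:
        crashed = True
    finally:
        sys.settrace(old)
    return frozenset(edges), crashed


def mutate(parent: bytes, rng: random.Random) -> bytes:
    """Apply one or two random byte-level mutations (havoc in miniature)."""
    buf = bytearray(parent)
    for _ in range(rng.randint(1, 2)):
        op = rng.randrange(4)
        if op == 0 and buf:                       # overwrite a byte
            buf[rng.randrange(len(buf))] = rng.randrange(256)
        elif op == 1 and buf:                     # flip a single bit
            buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
        elif op == 2:                             # insert a byte
            buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
        elif op == 3 and buf:                     # delete a byte
            del buf[rng.randrange(len(buf))]
    return bytes(buf)


def fuzz(target: Target, seed_input: bytes, max_iters: int, guided: bool, rng_seed: int = 0) -> dict:
    """Mutation-based fuzz loop. With guided=True an input that produces a
    never-seen edge joins the corpus and becomes a parent; with guided=False
    the corpus never grows, which is blind random fuzzing."""
    rng = random.Random(rng_seed)
    corpus: List[bytes] = [seed_input]
    seen = set(run_with_coverage(target, seed_input)[0])
    for i in range(1, max_iters + 1):
        # Favour the most recently added input: it usually sits deepest in the program.
        parent = corpus[-1] if rng.random() < 0.5 else rng.choice(corpus)
        child = mutate(parent, rng)
        edges, crashed = run_with_coverage(target, child)
        if crashed:
            return {"crash": child, "iterations": i, "corpus": corpus, "edges": len(seen | edges)}
        if guided and not edges <= seen:      # new coverage: keep the child
            seen |= edges
            corpus.append(child)
        # otherwise the child only retraced known edges and is discarded
    return {"crash": None, "iterations": max_iters, "corpus": corpus, "edges": len(seen)}


if __name__ == "__main__":
    SEED = b"GOOD\x20abc"  # constructed seed: right shape, wrong magic
    blind = fuzz(toy_parser, SEED, max_iters=50_000, guided=False)
    guided = fuzz(toy_parser, SEED, max_iters=300_000, guided=True)
    print("blind  :", blind["crash"], "after", blind["iterations"], "runs")
    print("guided :", guided["crash"], "after", guided["iterations"], "runs; corpus:",
          [c[:5] for c in guided["corpus"]])
```

The corpus printed at the end shows the staged discovery: each saved entry matches one more byte of the magic than its parent, which is exactly the intermediate state a blind fuzzer throws away.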
Frequently Asked Questions
What is coverage-guided fuzzing?
Coverage-guided fuzzing is a feedback-driven fuzzing technique that tracks which code paths each input explores. The fuzzer keeps and mutates inputs that reach new code paths and discards those that do not, making it far more efficient at finding bugs than blind random input generation.
Which smart contract fuzzers use coverage guidance?
Both Echidna and Medusa use coverage-guided fuzzing. They record which EVM program counters (opcodes) each transaction sequence executes, keep sequences that reach new contract code in a corpus, and mutate those sequences further. Both can persist that corpus to disk (Echidna's corpusDir setting and Medusa's corpusDirectory setting), so later campaigns resume from coverage already discovered instead of rediscovering it from scratch.