Chaofan Shou is the cofounder and CTO of Fuzzland, a blockchain security company specializing in automated testing tools for smart contracts, and a software engineer at Solayer. He is also known for discovering and publicizing a major source code leak from Anthropic's AI coding assistant, Claude Code. ^{[1] [2] [6] [4]}​

Overview

Chaofan Shou has established himself as a notable figure in blockchain security and program analysis. His work spans academic research, entrepreneurship, and security engineering, with significant contributions to smart contract security and automated testing methodologies. Shou's expertise in identifying and addressing security vulnerabilities has led to the discovery of numerous critical issues across various platforms, with reported bounties reaching approximately $1.9 million. His research has been published in prestigious academic conferences, and he has delivered talks at industry events focused on blockchain security and fuzzing techniques. ^{[1] [2] [6] [4]}

Education

From August 2022 to 2025, Shou pursued a Ph.D. in Computer Science at the University of California, Berkeley, before dropping out. While there, he worked in the Sky Computing Lab under the supervision of Professor Koushik Sen, and his research concentrated on program analysis, security, and distributed systems. Before his doctoral studies, he earned a Bachelor of Science in Computer Science from the University of California, Santa Barbara, attending from October 2019 to December 2021. ^{[1] [4]}​

Career

Shou's professional career includes a position as a security engineer at Salesforce, where he contributed to Static Application Security Testing (SAST) solutions, internal network scanning services, and data pipelines. During this period, he developed expertise in identifying security vulnerabilities across various platforms, which served as a basis for later work with blockchain technologies.

Following his time at Salesforce, Shou became a founding engineer at Veridise, a blockchain security startup. At Veridise, he led the development of several automated testing tools specifically designed for smart contracts and blockchains. His work at Veridise included the development of Chainsaw, a tool for breaking blockchains with coverage-guided fuzzing, which he presented at the Smart Contract Summit (SBC) in 2022.

Shou co-founded Fuzzland, where he served as the Chief Technology Officer (CTO). Fuzzland focuses on blockchain security, particularly developing automated testing tools for smart contracts. In February 2024, Fuzzland announced the closing of a $3 million seed funding round. Following Fuzzland's acquisition by Solayer, Shou joined Solayer as a software engineer, contributing to the development of a high-performance SVM blockchain. ^{[2] [6] [7] [8]}​

Research and Publications

Shou has authored and co-authored several academic papers in the fields of smart contract security, program analysis, and distributed systems. His notable publications include:

• "ItyFuzz: Snapshot-Based Fuzzer for On-Chain Smart Contract Auditing" (ISSTA '23), co-authored with Shangyin Tan and Koushik Sen;
• "Rare-Seed Generation for Fuzzing" (ISSTA '23);
• "Query Planning for Robust and Scalable Hybrid Network Telemetry Systems" (CoNext '24), with multiple co-authors;
• "Unveiling Collusion-Based Ad Attribution Laundering Fraud: Detection, Analysis, and Security Implications" (CCS '24);
• "CorbFuzz: Checking Browser Security Policies with Fuzzing" (ASE '21). ^[1]

Shou maintains an active presence on GitHub, where he has contributed to numerous repositories. His pinned projects include ItyFuzz, a bytecode-level hybrid fuzzer for smart contracts, and digfuzz, an implementation of probabilistic path prioritization for hybrid fuzzing. He has also contributed to major open-source projects such as LibAFL and Facebook's Hermes JavaScript engine. ^{[1] [6] [5] [5]}​

Notable Bug Bounties and Vulnerability Disclosures

Between 2020 and 2022, Chaofan Shou actively participated in bug bounty programs, earning approximately $1.9 million in rewards (including locked tokens). His discoveries include a wide array of critical security and privacy vulnerabilities. ^[1]​

Security Issues

• 2024 - RisingWave: RCE on any compute node with read-only/low-privilege accounts.
• 2024 - Devin.ai: SSRF leading to user info leaks and complete system takeover.
• 2024 - Kaito: API issues leading to user info leaks and complete system takeover.
• 2024 - Etherscan: XSS + Cloudflare bypass that can take over all accounts / facilitate phishing.
• 2023 - Twitter: XSS + CSRF + CSP bypass leading to all Twitter accounts take over.
• 2023 - Gate.io Exchange: CSRFs leading to manipulation of user positions.
• 2023 - FreedomFi: Authorization bypass leading to command execution (RCE) on 7000+ miners.
• 2022 - Polygon Edge: Multiple validator DoS leading to easy 51% (2/3 technically) attack.
• 2022 - DogeChain: Multiple validator DoS & genesis contracts critical logic flaws => fixed with a fork.
• 2022 - FTX OTC: Reflected XSS requiring certain user interaction.
• 2022 - IBAX Network: Multiple validator DoS leading to easy 51% attack.
• 2022 - FastRLP: Index out of range during parsing block data.
• 2022 - Ethgo: Memory vulnerabilities during decoding transaction & log.
• 2022 - Deeper Network: Memory vulnerabilities in pkt parsing leading to RCE on 30k+ miners.
• 2021 - React Native / Hermes: Memory vulnerability due to recursive JS proxy.
• 2021 - FTX US: Request smuggling leading to potential users trade information leakage.
• 2021 - CVS Pharmacy: SSRF + TLS Poisoning leading to public access of all internal systems.
• 2021 - Helium: Incorrect logic leading to easy manipulation of mining mechanism.
• 2020 - NetEase Email: XSS + CSP bypass, can lead to all business customer account takeover.
• 2020 - Baidu: Multiple stored XSS, can lead to 218M account takeover.
• 2019 - Gogs: Race conditions leading to policy bypass.
• 2019 - NetEase: XSS + CSRF, can lead to 1 billion+ account takeover.
• 2016 - Shanghai Government: 100+ SQL injection / LFI / etc.

Privacy Issues

• 2021 - Comcast: Malicious user can hijack network traffic.
• 2021 - Google Nest: Side-channel leading to leakage of user actions.
• 2021 - MyQ: Side-channel leading to leakage of user actions.
• 2021 - Samsung Home: Side-channel leading to leakage of user actions.
• 2020 - iQIYI: User PII leakage in APIs.
• 2020 - Mail.ru: User PII leakage in APIs.
• 2017 - Baidu: User PII leakage in APIs.

Interviews

Mitigating Smart Contract Attacks #01

On August 16, 2024, Chaofan Shou appeared in an interview on the IC3 Initiative for Cryptocurrencies and Contracts YouTube channel, presenting his views on the challenges and defense strategies against smart contract attacks. According to Shou, losses in 2024 have already exceeded US $100 million, with notable incidents such as the Ronin Bridge exploit and repeated hacks of protocols that underwent multiple audits without addressing critical flaws. $$widget0

$$ Shou points out that many attacks occur via private RPCs, preventing front‑running bots from detecting and blocking malicious transactions before they are mined. The fierce competition among defender and attacker bots, combined with skyrocketing gas fees, drastically reduces the effectiveness of on‑chain rescue attempts, he notes that no fund recoveries were successful in 2024 using front‑running alone.

According to the researcher, there is a recurring pattern in the preparatory phase of attacks: attackers often deploy exploit contracts moments before executing the malicious transaction. This detail, Shou argues, opens a window for proactive interventions. By monitoring and analyzing newly deployed contracts, defense teams could repurpose those same exploits to hijack the original attack, significantly increasing the chances of fund recovery.

To operationalize this concept, Chaofan Shou proposes the creation of a “mysterious Oracle” capable of predicting attack parameters or reconstructing exploit transactions in real time. In experiments conducted since January 2023, his team demonstrates that, with optimized parameters and exploit‑hijacking techniques, it would be possible to recover up to US $120 million in compromised funds.

Finally, Shou emphasizes the importance of combining on‑chain analysis, collaboration among research teams, and new approaches, such as programmatic repair of contracts, to create dynamic defense mechanisms. In his view, leveraging historical attack data and predictive models is essential to prevent future losses and more effectively protect the blockchain ecosystem. ^[9]

Anthropic Claude Code Leak

In March 2026, Shou discovered and publicized a major source code leak of Anthropic's AI coding assistant, Claude Code. On March 31, he revealed that the complete source code for the tool was accidentally exposed to the public due to human error in the product's release packaging. A JavaScript source map file (.map) included in a public npm package (version 2.1.88) contained a reference that allowed for the download of the full codebase, totaling over 512,000 lines of TypeScript. The leak, which Shou brought to light on X (formerly Twitter), exposed internal architecture, unreleased features, and internal model codenames. ^{[10] [11] [12]}