Real-time pen-testing technology for crypto projects with Jeff Liu, co-founder of Fuzzland

    Raphael Rocher

    Raphael Rocher contributes to VaaSBlock’s research and RMA™ assessments, specialising in operational risk, governance maturity, and cross-market analysis in Asian Web3 ecosystems. His background in product operations and compliance informs his work evaluating early-stage blockchain teams. He also hosts the NCNG podcast.

    TL;DR: In this episode, NCNG host Raphael Rocher speaks with Jeff Liu, Co-founder of Fuzzland, a Web3 security company building “always-on” smart-contract security using snapshot-based real-time fuzzing. Jeff explains Fuzzland’s core innovation: a hybrid approach that combines fuzzing and formal techniques to continuously test deployed protocols in real time—addressing the industry gap where most security checks happen only pre-deploy. He breaks down fuzzing in simple terms, then shares how Fuzzland uses large language models to generate fuzzing test cases and protocol-specific invariants (with ~60% of test cases generated by LLMs today). Finally, he gives three practical security recommendations for builders—open-source testing, multiple independent audits, and 24/7 monitoring—before previewing upcoming appearances (including Thailand events), a real-world detection story (UniBTC), and public-facing security partnership work.

    Context

    Raphael Rocher welcomes Jeff Liu, Co-founder of Fuzzland, to discuss why Web3 security needs to evolve beyond one-time, pre-deploy audits—especially as smart contracts become dynamic once deployed and exposed to real-world state changes.

    Jeff introduces Fuzzland’s snapshot-based real-time fuzzing approach (built around ItyFuzz), explains fuzzing in simple terms, and details how the team uses large language models to automate and scale 24/7 penetration testing. The conversation closes with practical advice for first-time builders and updates on where to meet the Fuzzland team next.

     

    Conversation Transcript

    Introduction & What Fuzzland Does

    Raphael Rocher (Host, NCNG): You can start by introducing yourself and describe a bit what Fuzzland does and what is the heart of the business.

    Jeff Liu (Co-founder, Fuzzland): The co-founder and CEO of Fuzzland. Fuzzland is a technology innovation company. We specialize in security, smart contract and digital asset through a very unique technology.

    We call it snapshot based real time fuzzing, which is our primary innovation. With this advanced technology combined fuzzing and formal verifications, we’ll be able to secure Web3 projects. Its solution is highly combined with AI and with the help of AI large language models, we will be able to offer this continuous 24/7 penetration test in real time to figure out vulnerabilities for DeFi protocols and blockchain applications on-chain.

    So the goal is for us to deliver enterprise solutions with unique technology innovations to transform the cybersecurity landscape for Web3.

     

    What Makes Fuzzland Unique

    Raphael Rocher (Host, NCNG): Can you get back in more detail regarding what makes Fuzzland so unique versus the competitors, and why this aspect is needed for the market?

    Jeff Liu (Co-founder, Fuzzland): When we actually started Fuzzland, we asked the question: what is exactly the key issue with Web3 security? We believe we identified the key problem which hasn’t been addressed: smart contracts after they deploy.

    Smart contracts are dynamic once deployed. Even if you did a thorough audit before deploy—because it was on an empty smart contract state—once deployed, all the complexity is introduced. As well as new vulnerabilities.

    That’s why we spent a lot of effort doing PoCs and creative technology innovations. Last year we introduced a technology codename called ItyFuzz, which is snapshot-based real time fuzzing. It combines fuzzing and formal methods in one—academically, people call it hybrid fuzzing.

    This is the only fuzzing technology on the market that can do real-time analysis to figure out real-world vulnerabilities on-chain, 24/7. And it can do this analysis across multiple contracts at the same time.

     

    What “Fuzzing” Means in Simple Words

    Raphael Rocher (Host, NCNG): Before we move forward, can you explain in 30 seconds and in very simplistic terms what exactly fuzzing means?

    Jeff Liu (Co-founder, Fuzzland): Fuzzing is one method in program analysis. Academically, it executes a program with all the possible values or invariants to find if the program has potential vulnerabilities.

    There’s another method called formal verification which mathematically proves a program might have vulnerabilities. But fuzzing is unique because we actually execute the program—so you know what value triggers the vulnerability, and you can be 100% sure it’s real and exists.

     

    How Fuzzland Uses AI

    Raphael Rocher (Host, NCNG): You mentioned earlier that you were planning on integrating some AI in your process. What is specifically the way you are thinking or already using any AI models?

    Jeff Liu (Co-founder, Fuzzland): At day one, we are heavily utilizing AI large language models. One objective of this solution is automation—because it’s on-chain, so if you need a human involved, it’s not going to work.

    We train our large language model on previous hacking data and smart contract audit reports to understand historical vulnerabilities and exploit patterns. It helps us dynamically generate fuzzing test cases when we execute real-time penetration tests.

    As of today, around 60% of test cases are generated by the large language model. Furthermore, the model helps generate customized invariants on the fly for customer contracts based on historical data understanding.

     

    Three Security Tips for First-Time Builders

    Raphael Rocher (Host, NCNG): What are the three key pieces of advice that you would give from a security standpoint for beginners who are about to make their first smart contracts?

    Jeff Liu (Co-founder, Fuzzland): First, I would highly recommend using the product we created—ItyFuzz—to test your smart contract before you deploy it. It’s open source, free, and easy to use.

    Second, I recommend having more than one well-known auditor in the industry audit your contract.

    Third, always have a real-time penetration testing solution to monitor the contract for new vulnerabilities introduced in the future.

     

    What’s Next (Events & Recent Updates)

    Raphael Rocher (Host, NCNG): Is there anything else you want to add? Any updates coming for Fuzzland?

    Jeff Liu (Co-founder, Fuzzland): We will be in Thailand for DefCon and the DeFi Security Summit. We’re also a sponsor for DeFi Security Summit and DeFi World, which happens in between.

    Just last week we detected the UniBTC issue. That hack was a perfect example for our technology because it was introduced by a smart contract upgrade. If UniBTC is our client, we would be able to figure out the issue after two seconds once they deploy.

    UniBTC is talking with us and doing a trial with our product. More and more people are realizing the benefits of deploying a 24/7 penetration test on their smart contracts.

    Another thing: we are honored and happy to become a solution provider for President Trump’s crypto project World Liberty Financial. We’re going to continue to support the project and make sure it’s secure, with real-time solutions there to counterattack hackers.

    Raphael Rocher (Host, NCNG): Much. Thank you for your time.

     

    About Fuzzland

    Fuzzland is a Web3 security company focused on “always-on” smart contract security, including snapshot-based hybrid fuzzing designed to uncover real-world vulnerabilities both off-chain and on-chain. Its open-source tool ItyFuzz combines fuzzing with symbolic/formal techniques to discover bugs efficiently and can be used for continuous security workflows.

    Fuzzland is also part of broader ecosystem security efforts through partnerships and integrations (including Immunefi’s Magnus partner program), aligning automated analysis with live onchain threat monitoring.

    Raphael Rocher Contributor

    Raphael Rocher is Contributor at VaaSBlock and host of the NCNG podcast, specialising in operational oversight, risk management practices, and cross-market research across emerging Web3 ecosystems. With a background bridging blockchain, compliance workflows, and product operations, he focuses on improving the structure, transparency, and maturity of early-stage crypto organisations.

    Based between Seoul and Southeast Asia, Raphael works closely with founders navigating complex market conditions, helping evaluate organisational processes, governance readiness, and long-term operational resilience. His work contributes to VaaSBlock’s independent scoring methodology and research outputs, particularly for projects expanding into Asian markets.

    Prior to VaaSBlock, Raphael held roles across product operations and systems implementation, giving him a practical understanding of how teams execute under pressure, scale infrastructure, and manage operational risk. This experience allows him to analyse Web3 teams not only from a technical or marketing lens, but from an organisational and cross-functional standpoint.

    Today, Raphael contributes to ecosystem research publications, RMA™ assessment reviews, and due-diligence guidance for projects aiming to demonstrate higher operational credibility. He frequently examines trends across Korean blockchain ecosystems, cross-chain infrastructure, and the evolving requirements placed on Web3 companies by investors, regulators, and institutional partners.