Ethereum smart contract fuzzer
Full Changelog: https://github.com/crytic/echidna/compare/v2.2.2...v2.2.3
Full Changelog: https://github.com/crytic/echidna/compare/v2.2.1...v2.2.2
Full Changelog: https://github.com/crytic/echidna/compare/v2.2.0...v2.2.1
Echidna 2.2.0 contains significant improvements to the fuzzing speed and UX:
workers config option or --workers CLI switch. Echidna runs only one worker by default, but this might change in future releases.
--timeout <seconds> CLI switch.
RPC URL and block number can now be also specified in the config file for on-chain fuzzing.
Note, we changed the way reverts are shown in coverage reports. Now, only the line where a revert happened is marked, instead of the whole path.
The full changelog:
This is a release focused on fixes and minor features. User facing changes include:
This release also includes a number of refactoring changes to make the code easier to improve in the future.
Echidna 2.1.0 introduces on-chain fuzzing. Echidna can now run starting with an existing state provided by an external RPC service (Infura, Alchemy, local node, etc). This enables users to speed up the fuzzing setup when using already deployed contracts. For instance:
contract TestCompoundEthMint {
  constructor() {
    hevm.roll(16771449); // sets the correct block number
    hevm.warp(1678131671); // sets the expected timestamp for the block number
  }
  …
  Compound comp = Compound(0x4Ddc2D193948926D02f9B1fE9e1daa0718270ED5);
  function assertNoBalance() public payable {
    require(comp.balanceOf(address(this)) == 0);
    comp.mint{value: msg.value}();
    assert(comp.balanceOf(address(this)) == 0);
  }
}
We can specify the RPC endpoint for Echidna to use before running the fuzzing campaign with the following environment variables:
export ECHIDNA_RPC_URL=http://.. ECHIDNA_RPC_BLOCK=16771449
And then Echidna can be executed as usual. At the end of the execution, if the source code mapping of any executed on-chain contract is available on Etherscan, it will be automatically fetched for the coverage report. Optionally, an Etherscan key can be provided using the ETHERSCAN_API_KEY environment variable.
This release also provides experimental support for Windows binaries.
This release also includes fixes and a large refactor of several parts of the code that will facilitate tool development and performance improvements. Other important changes are:
echidna-test executable was renamed as echidna
multi-abi config keyword was renamed to allContracts. multi-abi still works but will be removed in future.
This release migrates Echidna to the new hevm implementation. Echidna can now use the prank cheat code that we recently added to hevm. It lets you override the msg.sender value for the next external call:
interface Hevm {
  ...
  function prank(address) external;
}
contract Test {
  Hevm hevm = Hevm(0x7109709ECfa91a80626fF3989D68f67F5b1DD12D);
  function echidna_test() {
    hevm.prank(0x123..);
    contract.f(); // msg.sender will be 0x123..
    contract.g(); // msg.sender will be address(this)
    ..
  }
}
Prank should be used carefully since it can introduce false positives if used to simulate calls from contracts. Please refer to this documentation for the complete list of cheat codes.
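As an added example (not code from the Echidna release notes), the following harness uses prank to check an access-control rule in Echidna's assertion test mode. The Vault contract and the names TestVaultAccess and withdrawAsStranger are hypothetical and constructed for this illustration; only the Hevm address and the prank signature come from the text above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Cheat-code interface, reduced to the one function used here.
interface Hevm {
    function prank(address) external;
}

// Hypothetical target, constructed for this example: only the owner may withdraw.
contract Vault {
    address public owner;

    constructor() {
        owner = msg.sender;
    }

    function withdraw(uint256 amount) external {
        require(msg.sender == owner, "not owner");
        payable(msg.sender).transfer(amount);
    }
}

contract TestVaultAccess {
    Hevm hevm = Hevm(0x7109709ECfa91a80626fF3989D68f67F5b1DD12D);
    Vault vault;

    constructor() {
        vault = new Vault(); // the harness, address(this), becomes the owner
    }

    // Assertion-mode test: no caller other than the owner may withdraw.
    // The stranger address is fuzzed; if a failure is reported for an address
    // that belongs to a contract, review it by hand (the caveat noted above).
    function withdrawAsStranger(address stranger, uint256 amount) public {
        require(stranger != address(this)); // discard the legitimate owner
        hevm.prank(stranger); // overrides msg.sender for the next external call only
        try vault.withdraw(amount) {
            assert(false); // reached only if the access check was bypassed
        } catch {}
    }
}
```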
The release also refactors several parts of the code to facilitate further Echidna development.
This release introduces coverage reports as HTML files. This will ease the detection of uncovered code during fuzzing campaigns. It also includes bug fixes as well as a large refactor of several parts of the code. This means that new features and optimizations are easier to implement.
Echidna 2.0.4 will automatically generate a coverage report in HTML in the corpus directory following the same approach as the text file report (e.g. covered.X.html). The report will show colors to signal which lines are covered either without errors (green), with a revert (yellow) or not covered at all (red).
Additionally, lines with no color are not included in the bytecode.
Watch our live streaming series to learn how to use Echidna like a pro (see our recent blogpost: "We're streamers now")
This release focuses on getting enhanced coverage during a fuzzing campaign when handling non-UTF-8 strings, extreme signed integers and the fallback function. It also improves the scripts to build Docker containers.
This release eases the custom deployment of contracts at fixed addresses, improves the fuzzing's shrinking and fixes a crash in the EVM emulation:
deployContracts: [["0x42", "ContractA"], ["0x43", "ContractB"]]
deployBytecodes: [["0x44", "60806.."]]
All the contracts are deployed using the deployer address and will produce an error if they fail.