What's Changed

• Bump actions/cache from 3 to 4 by @dependabot in https://github.com/crytic/echidna/pull/1173
• Refactor BuildOutput by @arcz in https://github.com/crytic/echidna/pull/1174
• Validate corpus while replaying by @arcz in https://github.com/crytic/echidna/pull/1177
• Refactor by @arcz in https://github.com/crytic/echidna/pull/1178
• Save traces for every transaction in reproducer by @arcz in https://github.com/crytic/echidna/pull/1180
• Display contract names in UI by @arcz in https://github.com/crytic/echidna/pull/1181
• Fix faulty corpus transaction detection by @arcz in https://github.com/crytic/echidna/pull/1184
• Bump DeterminateSystems/magic-nix-cache-action from 2 to 3 by @dependabot in https://github.com/crytic/echidna/pull/1186
• nix: enhance TERMINFO for Linux builds by @elopez in https://github.com/crytic/echidna/pull/1187
• Update hevm to 0.53.0 by @arcz in https://github.com/crytic/echidna/pull/1189
• Update README.md by @0xicingdeath in https://github.com/crytic/echidna/pull/1190
• Speed up shrinking in some cases by @samalws-tob in https://github.com/crytic/echidna/pull/1192
• feat: add CLI commands for RPC URL and block number by @penandlim in https://github.com/crytic/echidna/pull/1194
• Echidna 2.2.3 by @arcz in https://github.com/crytic/echidna/pull/1195

New Contributors

• @penandlim made their first contribution in https://github.com/crytic/echidna/pull/1194

Full Changelog: https://github.com/crytic/echidna/compare/v2.2.2...v2.2.3

What's Changed

• Save corpus and reproducers continuously (#1167)
• Deliver status information using server-sent events (#1131)
• Performance improvements for coverage collection (#1160)
• Make slither optional (#1159)
• Rich trace printing (#1157)
• Static builds and release workflow (#1133)
• Re-enables using slither for vyper files (#1108)
• Dependency updates (#1153, #1096, #1154)

Full Changelog: https://github.com/crytic/echidna/compare/v2.2.1...v2.2.2

What's Changed

• Shanghai fork support with hevm 0.51.3 (#1090)
• Fixed coverage collection for delegatecalls (#1083)
• Added events to JSON output (#1069)
• Changed event sequence to be displayed on new lines (#1079)
• Improved "No tests found in ABI" error message (#1077)
• Refactored code (#1070, #1074)

Full Changelog: https://github.com/crytic/echidna/compare/v2.2.0...v2.2.1

Echidna 2.2.0 contains significant improvements to the fuzzing speed and UX:

• Multicore fuzzing & optimized coverage collection. Those combined delivered up to 20x fuzzing speed improvement on a real-world internal benchmark. The number of workers can be configured with workers config option or --workers CLI switch. Echidna runs only one worker by default, but this might change in future releases.
• Lcov support. It is output by default and can be controlled with the coverageFormats config option. This enables external coverage tools such as genhtml or VSCode plugins.
• More configuration options. Added --timeout <seconds> CLI switch. RPC URL and block number can now be also specified in the config file for on-chain fuzzing.
• UI improvements. Echidna now outputs an event log for any fuzzing breakthrough, such as new coverage. The interactive UI was significantly reworked to accommodate all the changes from this release (see the screenshot below).

Note, we changed the way reverts are shown in coverage reports. Now, only the line where a revert happened is marked, instead of the whole path.

The full changelog:

Added

• Multicore fuzzing (#963, #1033, #1026, #1035)
• Lcov format support (#1029)
• Experimental power number generator for uints (#892)

Changed

• Coverage collection optimization (#1003, #1041)
• On-chain fuzzing improvements (#1017)
• Refactored code (#1020, #1021)
• Updated dependencies (#1022, #1023)
• UI improvements (#1031, #1032, #1034, #1040)
• Readme improvements (#1019)

This is a release focused on fixes and minor features. User facing changes include:

• Optimized the memory usage during the fuzzing campaign.
• Added initial compatibility with invariant mode from Foundry.
• Added additional information on how Echidna spend time during startup.
• Fixed several small rare crashes.

This release also include a number of refactoring changes to make the code easier to improve in future.

Added

• Added missing space in ProcessorNotFound message (#977)
• Added measurement and log of external actions (#988)
• Avoid using cheat code address to form fuzzing call sequences (#993)
• Implemented invariant testing from foundry (#989)

Changed

• hevm upgraded to 0.50.4 (#986)
• Cleaned and improved codebase (#990, #994, #995, #997)
• Make frequently modified fields strict (#1000)
• Force corpus evaluation (#1002)
• Improved text/headless UI (#991, #1006, #1007, #1009)

Echidna 2.1.0 introduces on-chain fuzzing. Echidna can now run starting with an existing state provided by an external RPC service (Infura, Alchemy, local node, etc). This enables users to speed up the fuzzing setup when using already deployed contracts. For instance:

contract TestCompoundEthMint {
 constructor() {
    hevm.roll(16771449);  // sets the correct block number
    hevm.warp(1678131671); // sets the expected timestamp for the block number
  }
  …
  Compound comp = Compound(0x4Ddc2D193948926D02f9B1fE9e1daa0718270ED5);
  function assertNoBalance() public payable {
    require(comp.balanceOf(address(this)) == 0);
    comp.mint{value: msg.value}();
    assert(comp.balanceOf(address(this)) == 0);
  }
}

We can specify the RPC endpoint for Echidna to use before running the fuzzing campaign with the following environment variables:

export ECHIDNA_RPC_URL=http://.. ECHIDNA_RPC_BLOCK=16771449

And then Echidna can be executed as usual. At the end of the execution, if the source code mapping of any executed on-chain contract is available on Etherscan, it will be automatically fetched for the coverage report. Optionally, an Etherscan key can be provided using the ETHERSCAN_API_KEY environment variable.

This release also provides experimental support for Windows binaries.

Additionally, this release also includes fixes and a large refactor of several parts of the code that will facilitate the tool development and performance improvements. Other important changes are:

• echidna-test executable was renamed as echidna
• multi-abi config keyword was renamed to allContracts. multi-abi still works but will be removed in future.
• FFI cheat code to allow execute execution from Solidity
• Special UI screen to show when there is a crash in Echidna

Added

• On-chain fuzzing (#927, #971) [EXPERIMENTAL]
• Added Windows support (#943) [EXPERIMENTAL]
• Added scrollbar to the UI (#915)
• Added crash display to the UI (#944)
• Added human-friendly errors for panic codes (#965)
• Added support for the FFI cheatcode (#750)

Changed

• Refactored code (#903, #906, #908, #924, #925, #928, #946, #956, #966, #968)
• Updated dependencies (#942, #948)
• Build and CI improvements (#912, #914, #917, #952, #967)
• Renamed echidna-test binary to echidna (#826)
• Renamed multi-abi mode to allContracts, multi-abi still works but will be removed in future (#934)

Removed

• Removed generation of negative seeds (#933) [BREAKING CHANGE]

Fixed

• Fixed method filtering in multi-abi mode (#950, #954)
• Fixed config parsing for too large values (#935)
• Fixed parsing string constants that start with 0x (#958)

This release migrates Echidna to the new hevm implementation. Echidna can now use the prank cheat code that we recently added to hevm. It lets you override the msg.sender value for the next external call:

interface Hevm {
    ...
    function prank(address) external;
}

contract Test {
    Hevm hevm = Hevm(0x7109709ECfa91a80626fF3989D68f67F5b1DD12D);
    function echidna_test() {
       hevm.prank(0x123..); 
       contract.f(); // msg.sender will be 0x123..
       contract.g(); // msg.sender will be address(this)
       ..
    }
} 

Prank should be used carefully since it can introduce false positives if used to simulate calls from contracts. Please refer to this documentation for the complete list of cheat codes.

The release also refactors several parts of the code to facilitate further Echidna development.

Added

• Added saving and loading of reproducers for every test (#858)
• Added events and revert reasons for any failure in the constructor (#871)

Fixed

• Optimized constant generation (#898, #900)
• Fixed how address are displayed in events (#891)
• Update hevm to 0.50 (#884, #894, #896, #897, #901)
• Fixed uninitialized sender addresses from etheno transactions (#823)
• Fixed crash when minimizing inputs during optimization tests (#837)
• Refactored code and removed useless dependencies (#856, #857, #874, #878, #895, #903)

This release introduces coverage reports as HTML files. This will ease the detection of uncovered code during fuzzing campaigns. It also includes bug fixes as well as a large refactor of several parts of the code. This means that new features and optimizations are easier to implement.

Echidna 2.0.4 will automatically generate a coverage report in HTML in the corpus directory following the same approach as the text file report (e.g. covered.X.html). The report will show colors to signal which lines are covered either without errors (green), with a revert (yellow) or not covered at all (red).

Additionally, lines with no color are not included in the bytecode.

Added

• Added colored html for coverage output code (#816)
• Added Homebrew installation instructions (#848)

Fixed

• Fixed crash when parsing solc versions (#835)
• Fixed long transactions and event lines in UI (#832)
• Moved all nix stuff to flake and use nix-bundle-exe for macOS release (#851)
• Updated codebase to GHC 9.0.2 (#846)
• Refactored code and removed useless dependencies (#854, #853, #829, #827, #828)

Watch our live streaming series to learn how to use Echidna like a pro (see our recent blogpost: "We're streamers now")

This release focuses on getting enhanced coverage during a fuzzing campaign when handling non-utf8 strings, extreme signed integers and the fallback function. It also improved the scripts to build Docker containers.

Fixed

• Avoid resetting accounts if there is a deployed contract (#795)
• Fixed decoding non-utf8 strings from slither printer (#799)
• Fixed generation and mutation of extreme signed integers (#791)
• Removed fallback from signature map when it is not defined (#772)
• Refactored Docker scripts and tests (#706)

This release eases the custom deployment of contracts at fixed addresses, improves the fuzzing's shrinking and fixes a crash the EVM emulation:

deployContracts: [["0x42", "ContractA"], ["0x43", "ContractB"]]
deployBytecodes: [["0x44", "60806.."]]

All the contracts are deployed using the deployer address and will produce an error if they fail.

Added

• Added support for deployment of certain contracts or bytecode in specific addresses (#758)
• Added support for detection and handling of ancient solc versions (#675)
• Added explicit static flag and removed pthread one from ghc options (#768)

Fixed

• Improved shrinking of dynamic arrays (#775)
• Fixed git attribute to support building docker containers in Windows (#773)
• Fixed crash when the EVM execution triggers more than one query (#760)