crytic / echidna

Ethereum smart contract fuzzer
https://secure-contracts.com/program-analysis/echidna/index.html
GNU Affero General Public License v3.0

Questions regarding functional capabilities of the tool #255

Closed unboxedtype closed 2 years ago

unboxedtype commented 5 years ago

Hi! I have two questions.

  1. The quote from the intro text of the tool:

    It supports relatively sophisticated grammar-based fuzzing campaigns to falsify a variety of predicates.

Can you please elaborate on what kind of sophisticated campaigns can be used in Echidna to falsify what predicates?

  2. In the source code, besides generating random inputs, you also rely on some entity called a dictionary (GenDict, mkGenDict, ...). What exactly is it used for?

Thanks!

japesinator commented 5 years ago

  1. As an example, you can modify the generators in Echidna.ABI to generate inputs based on anything you can calculate in MonadRandom, and the predicate system supports any logic in Solidity. With the API, you can also test complex multi-contract systems, or even smart contracts not created with Solidity.

  2. GenDict is for dictionary-based generation of function parameters. We do constant extraction on the Solidity source, then try calling functions with those constants as arguments, since that's remarkably more effective than purely random generation on real contracts.
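
A minimal Python model of the dictionary-based generation described in the comment above, added here as an illustration and not Echidna's own code (Echidna is written in Haskell). The regex-based constant extraction, the `p_dict` mixing probability, the sample contract and all function names are assumptions made for the example.

```python
import random
import re

# Constructed Solidity source (not taken from the Echidna repository).
SOURCE = """
contract Vault {
    bool broken;
    function poke(uint256 x) public {
        require(x > 1000);
        if (x == 0xdeadbeefcafe) { broken = true; }
    }
    function echidna_not_broken() public view returns (bool) { return !broken; }
}
"""

def extract_constants(src):
    """Collect integer literals from the source to seed the dictionary."""
    literals = re.findall(r"\b0x[0-9a-fA-F]+\b|\b\d+\b", src)
    return sorted({int(l, 16) if l.startswith("0x") else int(l) for l in literals})

def gen_uint256(rng, dictionary, p_dict):
    """With probability p_dict (assumed knob) reuse a constant, else go random."""
    if dictionary and rng.random() < p_dict:
        return rng.choice(dictionary)
    return rng.getrandbits(256)

def poke_breaks_property(x):
    """Python stand-in for Vault.poke: True when echidna_not_broken would fail."""
    return x > 1000 and x == 0xDEADBEEFCAFE

def campaign(dictionary, p_dict, trials=2000, seed=1):
    """Return the 1-based trial that falsifies the property, or None."""
    rng = random.Random(seed)
    for trial in range(1, trials + 1):
        if poke_breaks_property(gen_uint256(rng, dictionary, p_dict)):
            return trial
    return None

if __name__ == "__main__":
    consts = extract_constants(SOURCE)
    print("dictionary:", [hex(c) for c in consts])
    print("pure random:", campaign([], 0.0))
    print("with dictionary:", campaign(consts, 0.5))
```

Pure random generation over a 256-bit space does not reach the guarded branch within the trial budget, while seeding the generator with the extracted literals reaches it within a handful of calls.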

unboxedtype commented 5 years ago

  1. So, using the API of Echidna I can program complex testing scenarios. What is the "grammar-based" bit related to?
  2. Constants found in a function/contract body may be used as an input argument during fuzzing with some probability, correct?

ggrieco-tob commented 2 years ago

We no longer have an API for Echidna :disappointed: