Looking for guidance with setting up a testing environment for larger smart contract projects

[rappie]

Hello,

I'm an aspiring bug bounty hunter, looking to get into smart contract hacking. I'm especially interested in automated fuzzing/testing, this is what led me to your awesome tools :)

So far i've been looking at:

• Reading the "Mastering Ethereum" book
• CTF's like Ethernaut and Damn Vulnerable DeFi
• The slither/echidna/manticore exercises on the "Building Secure Smart Contracts" github page

While looking at real life smart contract bug bounty programs I noticed things tend to get big pretty quickly, into dozens or even more than a hundred smart contracts working together.

This led me to Etheno and here I ran into some roadblocks. While trying to get the examples working in the docker images i got adviced to explain my expectations here.

So, my plan:

I'm trying to set up a testing environment where I can run tools like Echidna/Manticore 24/7. My plan of attack would be to search for a couple of essential/sensitive parts of code in the contracts. First by looking at what at the main idea of the project, looking for ways to game the system etc. Second by looking at all the contracts manually one by one, looking for interesting pieces of code.

After this I can write tests for Echidna/Manticore and run them indefinetly, until i have another project figured out and ready to test.

The main hurdle i'm currently facing is trying to figure out how to set up all the smart contracts in such a way that i'm able to test/fuzz them as a whole. The examples I found are with 1 or 2 contracts, i'm looking for at least 10-20 (for a start).

I know there is a "multi abi" option in Echidna, but I have not been able to find any examples or further documentation about this. Etheno seems to be the most promising solution to me. It seems to have support for the Truffle migrations system, so I imagine I could set up all my smart contracts using Truffle scripts and have Etheno prepare them for testing.

Anyway, without making my post even longer than it already is, please let me know if i'm on the right track and where to go from here.

Some questions:

• Is Etheno indeed the way to go here? I'm not stuck on Etheno at all, so let me know if there are better alternatives
• Is my whole plan realistic? Are project of such a scale possible to fuzz/test using current technology?
• I'm also very interested in references to more documentation about using Echidna/Manticore on non-trivial smart contracts

Thanks.

[ggrieco-tob]

Hi,

The team will take a good look to this over the week, but in the meantime, if you want to try Echidna on large contracts with a complicate setup, please check these tutorials:

• https://github.com/crytic/building-secure-contracts/blob/master/program-analysis/echidna/smart-contract-fuzzing-at-scale.md
• https://github.com/crytic/building-secure-contracts/blob/master/program-analysis/echidna/end-to-end-testing.md

[rappie]

I have learned a lot since I wrote this. This can be closed now.