crytic / medusa

Parallelized, coverage-guided, mutational Solidity smart contract fuzzing, powered by go-ethereum
https://secure-contracts.com/program-analysis/medusa/docs/src/
GNU Affero General Public License v3.0

panic: runtime error: index out of range #487

Open bohendo opened 1 month ago

bohendo commented 1 month ago

I'm running medusa at commit 95f69b4c7224851cc200631f728965b7e2ac5ebb.

Issue #231 is closely related, although the PR fixing that one doesn't seem to do the job here.

Issue #299 is also related, the error message is the same at least, but this bug also occurs if coverageEnabled is false.

cd ./pkg/vault && medusa fuzz
⇾ Reading the configuration file at: /Users/bohendo/audits/audit-balancer-v3-aug-2024/pkg/vault/medusa.json
warn Disabling coverage may limit efficacy of fuzzing. Consider enabling coverage for better results.
⇾ Compiling targets with crytic-compile
⇾ Running command:
crytic-compile . --export-format solc --foundry-out-directory=forge-artifacts --foundry-compile-all
⇾ Finished compiling targets in 1m21s
⇾ Initializing corpus
⇾ Setting up test chain
⇾ Finished setting up test chain
⇾ Running call sequences in the corpus
⇾ Finished running call sequences in the corpus in 35s
⇾ corpus: health: 60%, sequences: 734 (442 valid, 292 invalid)
⇾ Fuzzing with 10 workers
⇾ [NOT STARTED] Assertion Test: FuzzHarness.computeRemoveLiquiditySingleTokenExactIn(uint256,uint256,uint256,bool)
⇾ [NOT STARTED] Assertion Test: FuzzHarness.computeAddLiquidityUnbalanced(uint256[],uint256,bool)
⇾ [NOT STARTED] Assertion Test: FuzzHarness.computeProportionalAmountsOut(uint256,bool)
⇾ [NOT STARTED] Assertion Test: FuzzHarness.computeRemoveLiquiditySingleTokenExactOut(uint256,uint256,uint256,bool)
⇾ [NOT STARTED] Assertion Test: FuzzHarness.createNewStablePool(uint256,uint256[])
⇾ [NOT STARTED] Assertion Test: FuzzHarness.computeAddLiquiditySingleTokenExactOut(uint256,uint256,uint256,bool)
⇾ [NOT STARTED] Assertion Test: FuzzHarness.computeProportionalAmountsIn(uint256,bool)
⇾ [NOT STARTED] Assertion Test: FuzzHarness.computeRemoveAndAddLiquidityMultiToken(uint256,uint256,bool)
⇾ [NOT STARTED] Assertion Test: FuzzHarness.computeAddAndRemoveAddLiquidityMultiToken(uint256,uint256,bool)
⇾ [NOT STARTED] Assertion Test: FuzzHarness.computeAddAndRemoveLiquiditySingleToken(uint256,uint256,uint256,bool)
⇾ [NOT STARTED] Assertion Test: FuzzHarness.computeRemoveAndAddLiquiditySingleToken(uint256,uint256,uint256,bool)
⇾ [NOT STARTED] Assertion Test: FuzzHarness.createNewWeightedPool(uint256,uint256,uint256[])
⇾ [NOT STARTED] Optimization Test: FuzzHarness.optimize_bptProfit()

⇾ [NOT STARTED] Optimization Test: FuzzHarness.optimize_rateDecrease()

panic: runtime error: index out of range [16083] with length 16083

goroutine 30658 [running]:
github.com/crytic/medusa/fuzzing/coverage.(*CoverageMaps).UniquePCs(...)
    github.com/crytic/medusa/fuzzing/coverage/coverage_maps.go:269
github.com/crytic/medusa/fuzzing.(*Fuzzer).printMetricsLoop(0x14000255888)
    github.com/crytic/medusa/fuzzing/fuzzer.go:898 +0x15e8
created by github.com/crytic/medusa/fuzzing.(*Fuzzer).Start in goroutine 1
    github.com/crytic/medusa/fuzzing/fuzzer.go:791 +0xb30

bohendo commented 1 week ago

Hint: the fuzz harness in question has a helper function that deploys a contract; it's called from the constructor to set up part of the fuzz target. The panic occurs if this function is made public so the fuzzer can call it and replace this contract with one that has new params. No panic occurs if this function is private and only run in the constructor.

anishnaik commented 1 week ago

Thanks @bohendo, will take a look