echidna icon indicating copy to clipboard operation
echidna copied to clipboard
verified publisher icon crytic

[Bug-Candidate]: some .yaml configurations are ignored

Open NonameDevil opened this issue 8 months ago • 5 comments

Describe the issue:

  1. sender and deployer args in yaml are ignored in 2.2.6 v
  2. coverage: false is also ignored if corpusDir exists

Code example to reproduce the issue:

any

Version:

2.2.6

Relevant log output:

NonameDevil avatar Apr 10 '25 09:04 NonameDevil

Hi, thanks for the report! Can you provide a way/example to reproduce these issues?

Also regarding the first point, note that if the existing corpus contains entries with certain e.g. sender addresses and you then change them on your config, those corpus entries won't get updated when they are replayed. You may want to clear your corpus folder if you need all transactions to use the new configuration.

elopez avatar Apr 10 '25 10:04 elopez

solution.txt

Input data: https://github.com/crytic/echidna-streaming-series/tree/main/part1/exercise1

1. Issue (coverage)

testMode: property coverage: false It creates covered.1744280926.html, on opening it: "Coverage map is empty"

testMode: assertion coverage: false It creates covered.1744281063, on opening it: "Coverage map is empty"

Expected: Not create anything when coverage: false

2. Issue (sender, deployer)

yaml: corpusDir: "corpus-examp" prefix: "echidna_" contractAddr: "0x1234" seqLen: 100 coverage: false testMode: property testLimit: 100000 shrinkLimit: 5000 deployer: "0x20000" sender: ["0x50000"] maxValue: 1000000000000000000000

What I do: echidna2.2.6 ./exercise1/solution.sol --config config.yaml

Result:

[2025-04-10 13:34:52.94] Compiling ./exercise1/solution.sol... Done! (0.488044406s) Multiple contracts found, only analyzing the first Analyzing contract:./exercise1/solution.sol:TestToken [2025-04-10 13:34:53.45] Running slither on ./exercise1/solution.sol... Done! (0.84413261s) Loaded 2 transaction sequences from corpus-examp/reproducers Loaded 0 transaction sequences from corpus-examp/coverage echidna_sender: passing echidna_test_balance: failed!💥 Call sequence: TestToken.transfer(0x20000,49154663709194675381553871194911)

Traces: emit Notice(«echidna_caller!», 0x0000000000000000000000000000000000020000, 49154663709194675381553871204911) (./exercise1/solution.sol:15) emit Notice(«MSG.SENDER!», 0x0000000000000000000000000000000000010000, 0) (./exercise1/solution.sol:16) emit Notice(«ADDRESS.THIS!», TestToken, 0x0000000000000000000000000000000000001234) (./exercise1/solution.sol:17)

Expected: echidna_sender NOT PASS Second event in TestToken.transfer «MSG.SENDER!» = 0x0000000000000000000000000000000000050000

NonameDevil avatar Apr 10 '25 10:04 NonameDevil

For the second point, can you make sure "corpus-examp" is empty before you try it? I see it was not, according to your log:

Loaded 2 transaction sequences from corpus-examp/reproducers

Also, note that for echidna_* functions in property mode, you need to adjust the psender setting: https://secure-contracts.com/program-analysis/echidna/configuration.html#psender (psender is used for evaluating properties, sender is used for the rest of the transactions during fuzzing, deployer is used for deployment)

elopez avatar Apr 10 '25 11:04 elopez

1. Issue (coverage) testMode: property

  • I empty corpusDir covered.1744292161.html created with "Coverage map is empty"

Expected: not to be created as coverage: false

testMode: assertion

  • I empty corpusDir covered.1744292286.html created with "Coverage map is empty"

Expected: not to be created as coverage: false

2. Issue (sender, deployer)

adding psender to yaml solved the problem ?Expected: Maybe to make psender equals sender on default if sender exists?

NonameDevil avatar Apr 10 '25 14:04 NonameDevil

NEW ISSUE AROSE! Wrong naming

Input data: https://github.com/crytic/echidna-streaming-series/tree/main/part1/exercise1

In the example above I added a WETH entity:

IERC20 weth;

and in the constructor: weth = IERC20(payable(0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2));

Now the result:

echidna2.2.6 ./exercise1/solution_weth.sol --contract TestToken --config config.yaml

[2025-04-10 18:30:21.75] Compiling ./exercise1/solution_weth.sol... Done! (0.4348333s) Analyzing contract: ./exercise1/solution_weth.sol:TestToken [2025-04-10 18:30:22.22] Running slither on ./exercise1/solution_weth.sol... Done! (0.876882399s) Loaded 0 transaction sequences from corpus-examp/reproducers Loaded 0 transaction sequences from corpus-examp/coverage echidna_sender: passing echidna_test_balance: failed!💥 Call sequence: TestToken.transfer(0x30000,1137906282994853005185990194939181166259)

Traces: emit Notice(«echidna_caller!», IERC20, 0x0000000000000000000000000000000000030000) (./exercise1/solution_weth.sol:19) emit Notice(«MSG.SENDER!», 0x0000000000000000000000000000000000060000, 0) (./exercise1/solution_weth.sol:20) emit Notice(«ADDRESS.THIS!», TestToken, 0x0000000000000000000000000000000000001234) (./exercise1/solution_weth.sol:21)

Problem:

In the first event echidna_caller which is equal DEPLOYER according yaml config is named as IERC20. Same happens if I omit declaration: address constant DEPLOYER = address(0x30000);

Expected:

Just address in the case there is no declaration for address or name of the address (DEPLOYER here)

solution_weth.txt

config.yaml.txt

NonameDevil avatar Apr 10 '25 15:04 NonameDevil

The discussion is unrelated to the issue reported in the first message, let's close this one.

gustavo-grieco avatar Oct 20 '25 17:10 gustavo-grieco