
Coverage Guided / Mutation Based Fuzzing

Open d-xo opened this issue 4 years ago • 1 comment

Still very much WIP (and currently based off a pretty outdated commit).

This PR introduces a coverage guided / mutation based approach to fuzzing. All fuzz tests are now run with coverage enabled. We store each path seen, along with the input that we used to get there. When generating calldata for a fuzz run, we sometimes use the existing strategy (random), and sometimes choose instead to mutate one of the examples from the corpus of visited paths.

This should hopefully help us get even deeper inside complex contracts.

Still TODO:

  • [ ] rebase on master
  • [ ] general tidy-up
  • [ ] generate coverage reports
  • [ ] use the symbolic execution engine to prefill the corpus with interesting calldata
  • [ ] apply a weighting to some examples (e.g. paths where the symbolic execution engine timed out can be targeted for fuzzing)

d-xo · Jul 02 '21 14:07
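The loop described in the PR text (run every fuzz input under coverage, keep a corpus keyed by the path each input reached, and on each iteration either draw a fresh random input or mutate a corpus entry) is shown below as an added, self-contained Python model. This is illustration code written for this page, not hevm's or dapptools' own implementation: `target` is a constructed stand-in for a contract that records the branches it takes instead of running EVM bytecode, and the `Fuzzer` class, its mutation operators and the `mutate_prob` parameter are all assumptions chosen for the example.

```python
import random
from dataclasses import dataclass, field


def target(calldata: bytes, trace: list) -> bool:
    """Constructed toy target standing in for a contract under test.

    Appends one label per branch taken to `trace` (our coverage signal)
    and returns True only on the deeply nested 'bug' path.
    """
    trace.append("entry")
    if len(calldata) < 8:
        trace.append("short")
        return False
    if calldata[:4] != b"\xde\xad\xbe\xef":      # 4-byte selector check
        trace.append("bad_selector")
        return False
    trace.append("selector_ok")
    arg = int.from_bytes(calldata[4:8], "big")   # first 32-bit argument
    if arg % 7 == 0:
        trace.append("mod7")
        if arg > 1_000_000:
            trace.append("big")
            if calldata[8:9] == b"\x01":
                trace.append("bug")
                return True
    return False


@dataclass
class Fuzzer:
    rng: random.Random
    mutate_prob: float = 0.5     # assumed: chance of mutating a corpus entry vs. pure random
    max_len: int = 64
    corpus: dict = field(default_factory=dict)   # path tuple -> calldata that reached it

    def random_input(self) -> bytes:
        """The existing strategy: uniformly random calldata of random length."""
        n = self.rng.randint(0, self.max_len)
        return bytes(self.rng.getrandbits(8) for _ in range(n))

    def mutate(self, data: bytes) -> bytes:
        """Apply one small mutation to an input that already reached a known path."""
        buf = bytearray(data)
        op = self.rng.choice(["flip", "insert", "delete", "splice", "arith"])
        if op == "flip" and buf:                              # flip one bit
            i = self.rng.randrange(len(buf))
            buf[i] ^= 1 << self.rng.randrange(8)
        elif op == "insert" and len(buf) < self.max_len:      # insert a random byte
            buf.insert(self.rng.randint(0, len(buf)), self.rng.getrandbits(8))
        elif op == "delete" and buf:                          # drop one byte
            del buf[self.rng.randrange(len(buf))]
        elif op == "splice" and self.corpus:                  # prefix of this + suffix of another
            other = self.rng.choice(list(self.corpus.values()))
            cut = self.rng.randint(0, min(len(buf), len(other)))
            buf = bytearray(buf[:cut] + other[cut:])
        elif op == "arith" and len(buf) >= 4:                 # nudge a 32-bit word
            i = self.rng.randrange(len(buf) - 3)
            word = int.from_bytes(buf[i:i + 4], "big")
            word = (word + self.rng.choice([-1, 1, 7, -7, 0x10000])) % 2**32
            buf[i:i + 4] = word.to_bytes(4, "big")
        return bytes(buf[: self.max_len])

    def next_input(self) -> bytes:
        """Sometimes random, sometimes a mutation of a stored corpus example."""
        if self.corpus and self.rng.random() < self.mutate_prob:
            return self.mutate(self.rng.choice(list(self.corpus.values())))
        return self.random_input()

    def run(self, fn, iterations: int):
        """Fuzz `fn`; returns the first input that hits the bug path, else None."""
        for _ in range(iterations):
            data = self.next_input()
            trace = []
            hit = fn(data, trace)
            path = tuple(trace)
            if path not in self.corpus:      # new path: remember the input that got there
                self.corpus[path] = data
            if hit:
                return data
        return None


def run_demo(seed: int = 1, iterations: int = 3000) -> Fuzzer:
    fz = Fuzzer(random.Random(seed))
    fz.run(target, iterations)
    return fz


def corpus_is_consistent(fz: Fuzzer, fn) -> bool:
    """Every stored input must still reproduce the path it is filed under."""
    for path, data in fz.corpus.items():
        trace = []
        fn(data, trace)
        if tuple(trace) != path:
            return False
    return True


if __name__ == "__main__":
    fz = run_demo()
    print(f"{len(fz.corpus)} distinct paths in corpus")
    for path in fz.corpus:
        print(" -> ".join(path))
```

Whether the `bug` path is reached within a given budget depends on the seed and the mutation operators, so the thing worth checking is the invariant the corpus is built on: each stored input still reproduces the path it was filed under. The weighting item in the TODO list would replace the uniform `rng.choice` over corpus entries with a weighted draw.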

does this include constant mining? https://github.com/crytic/echidna/pull/262

transmissions11 · Sep 04 '21 05:09