ityfuzz
Wrong example in doc
In the example given in quickstart:

```
# -t [TARGET_ADDR]: specify the target contract
# --onchain-block-number [BLOCK]: fork the chain at block number [BLOCK]
# -c [CHAIN_TYPE]: specify the chain
# -f: (Optional) allow attack to get flashloan
ityfuzz evm \
  -o \
  -t 0xc02aaa39b223fe8d0a0e5c4f27ead9083c756cc2 \
  --onchain-block-number 0 \
  -c ETH \
  --onchain-etherscan-api-key [Etherscan API Key] \
  -f
```
After I added my Etherscan API Key and ran the command above, I got the following error message:
```
thread 'main' panicked at src/evm/mod.rs:600:13:
Please specify --deployment-script (The contract that deploys the project) or --offchain-config-file (JSON for deploying the project)
```
Since ityfuzz should run in onchain mode with that command (with the `--onchain-etherscan-api-key` and `--onchain-block-number` arguments), I think it behaved weirdly.
However, when I removed the `-o` argument, the program runs fine:

```
ityfuzz evm \
  -t 0xc02aaa39b223fe8d0a0e5c4f27ead9083c756cc2 \
  --onchain-block-number 0 \
  -c ETH \
  --onchain-etherscan-api-key [Etherscan API Key] \
  -f
```
I printed the `EvmArgs` parsed from the CLI args in `evm_main`, and there's an interesting phenomenon.

With the `-o` arg (the current version in the doc):
```
EvmArgs {
    target: "none",
    fetch_tx_data: false,
    proxy_address: "http://localhost:5001/data",
    constructor_args: "",
    target_type: None,
    chain_type: None,
    onchain_block_number: None,
    onchain_url: None,
    onchain_chain_id: None,
    onchain_explorer_url: None,
    onchain_chain_name: None,
    onchain_etherscan_api_key: None,
    onchain_storage_fetching: "onebyone",
    concolic: false,
    concolic_caller: false,
    concolic_timeout: 1000,
    concolic_num_threads: 0,
    flashloan: false,
    panic_on_bug: false,
    detectors: "high_confidence",
    replay_file: None,
    work_dir: "work_dir",
    write_relationship: false,
    run_forever: false,
    seed: 1667840158231589000,
    sha3_bypass: false,
    only_fuzz: "",
    base_path: "",
    spec_id: "Latest",
    onchain_builder: "",
    onchain_replacements_file: "",
    builder_artifacts_url: "",
    builder_artifacts_file: "",
    offchain_config_url: "",
    offchain_config_file: "",
    load_corpus: "",
    setup_file: "",
    deployment_script: "",
    force_abi: "",
    base_directory: "",
    build_command: [
        "-o",
        "-t",
        "0xc02aaa39b223fe8d0a0e5c4f27ead9083c756cc2",
        "--onchain-block-number",
        "0",
        "-c",
        "ETH",
        "--onchain-etherscan-api-key",
        <Etherscan API Key>,
        "-f",
    ],
}
```
Without the `-o` arg (the version I fixed):
```
EvmArgs {
    target: "0xc02aaa39b223fe8d0a0e5c4f27ead9083c756cc2",
    fetch_tx_data: false,
    proxy_address: "http://localhost:5001/data",
    constructor_args: "",
    target_type: None,
    chain_type: Some(
        "ETH",
    ),
    onchain_block_number: Some(
        0,
    ),
    onchain_url: None,
    onchain_chain_id: None,
    onchain_explorer_url: None,
    onchain_chain_name: None,
    onchain_etherscan_api_key: Some(
        <Etherscan API Key>,
    ),
    onchain_storage_fetching: "onebyone",
    concolic: false,
    concolic_caller: false,
    concolic_timeout: 1000,
    concolic_num_threads: 0,
    flashloan: true,
    panic_on_bug: false,
    detectors: "high_confidence",
    replay_file: None,
    work_dir: "work_dir",
    write_relationship: false,
    run_forever: false,
    seed: 1667840158231589000,
    sha3_bypass: false,
    only_fuzz: "",
    base_path: "",
    spec_id: "Latest",
    onchain_builder: "",
    onchain_replacements_file: "",
    builder_artifacts_url: "",
    builder_artifacts_file: "",
    offchain_config_url: "",
    offchain_config_file: "",
    load_corpus: "",
    setup_file: "",
    deployment_script: "",
    force_abi: "",
    base_directory: "",
    build_command: [],
}
```
It seems that all the args go into the last `build_command` array.

Then I looked up the definition of `EvmArgs` and found that `build_command` has the type `Vec<String>`. So I guess the `-o` arg is not recognized by the `EvmArgs` struct and somehow falls back into the `build_command` vector, which makes all the other args get placed in `build_command` as well.
I also found that `backtesting.md`, which stores several examples of how to launch ityfuzz, has the same problem. I looked at the commit (20c10b3815398a49c0518fd292536f7883677167) that introduced those examples, and saw a member of `EvmArgs` called `onchain`:

I guess maybe the `-o` arg was short for `onchain`, and that arg is now deprecated. When I tried those commands in `backtesting.md`, I encountered the same problem I mentioned above, so I removed all the `-o` args in `backtesting.md` to fix the problem. But I don't know if there is any further impact on the document due to the deprecation of the `onchain` arg.