Echidna is a weird creature that eats bugs and is highly electrosensitive (with apologies to Jacob Stanley).
More seriously, Echidna is a Haskell library designed for fuzzing/property-based testing of EVM code. It supports relatively sophisticated grammar-based fuzzing campaigns to falsify a variety of predicates.
The core Echidna functionality is an executable called echidna-test. echidna-test takes a contract and a list of invariants (properties that should always remain true) as input. For each invariant, it generates random sequences of calls to the contract and checks if the invariant holds. If it can find some way to falsify the invariant, it prints the call sequence that does so. If it can’t, you have some assurance the contract is safe.
Invariants are expressed as Solidity functions with names that begin with echidna_, have no arguments, and return a boolean. For example, if you have some balance variable that should never go below 20, you can write an extra function in your contract like this one:
function echidna_check_balance() public returns (bool) {
    return(balance >= 20);
}
To check these invariants, run:
$ echidna-test myContract.sol
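A complete contract built around the balance invariant described above, as an added example that is not from the original page or the Echidna repository. The contract name Vault, its functions, the second invariant and the compiler pragma are assumptions made for illustration. The first invariant can only be falsified by a sequence of two calls, which is the case that sequence generation exists to cover.

```solidity
// Added example: every name here is hypothetical, not taken from the Echidna repository.
pragma solidity >=0.4.24; // assumed compiler range

contract Vault {
    uint256 balance = 100;   // the state the invariants talk about
    bool unlocked = false;

    // No access control: any call in a generated sequence can flip this flag.
    function unlock() public {
        unlocked = true;
    }

    // Intended rule: balance never drops below 20.
    // Defect: the floor check is skipped once unlocked is set.
    function withdraw(uint256 amount) public {
        require(amount <= balance);
        if (!unlocked) {
            require(balance - amount >= 20);
        }
        balance -= amount;
    }

    // Falsifiable: unlock() followed by withdraw(81) leaves balance at 19.
    // No single call breaks it, because withdraw() alone keeps the floor.
    function echidna_check_balance() public view returns (bool) {
        return balance >= 20;
    }

    // Holds for every sequence: nothing increases balance, and
    // require(amount <= balance) rules out underflow.
    function echidna_balance_never_grows() public view returns (bool) {
        return balance <= 100;
    }
}
```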
An example contract with tests can be found at examples/solidity/basic/flags.sol. To run it, execute:
$ echidna-test examples/solidity/basic/flags.sol
Echidna should find a call sequence that falsifies echidna_sometimesfalse and should be unable to find a falsifying input for echidna_alwaystrue.
Echidna’s CLI can be used to choose the contract to test and load a configuration file.
$ echidna-test contract.sol TEST --config="config.yaml"
The configuration file allows users to choose EVM and test generation parameters. An example of a complete config file with the default options can be found at examples/solidity/basic/default.yaml. More detailed documentation on the configuration options is available in our wiki.
Echidna exports an API to build powerful fuzzing systems, and has a multitude of configuration options. Unfortunately, these parts of the codebase change quickly and are thus poorly documented. The examples/api directory or Trail of Bits blog are excellent references, or use the references below to get in touch with us directly.
If you want to quickly test Echidna in Linux, we offer a statically linked binary release of v1.0.0.0 to download here.
Otherwise, to install the latest revision of Echidna, we recommend using Docker:
$ docker build -t echidna .
Then run it in a container, for example:
$ docker run -t -v `pwd`:/src echidna echidna-test /src/examples/solidity/basic/flags.sol
If you’d prefer to build from source, use Stack. stack install should build and compile echidna-test in ~/.local/bin. You will need to link against libreadline and libsecp256k1 (built with recovery enabled), which should be installed with the package manager of your choosing. Additionally, you need to install the latest release of libff (you can take a look at this script used in our CI tests).
If you’re getting errors building related to linking, try tinkering with --extra-include-dirs and --extra-lib-dirs.