Fuzzing 1-2-3

There are going to be three main steps to set up fuzzing: 
1. Write properties using Scribble​
2. Deploy annotated contracts to Ganache
 3. Start Fuzzing!
Writing Properties
The first step is where you’ll be using Scribble to write properties that the fuzzer should check. Without this, fuzzing can only find generic vulnerabilities and assertion violations.
Interested in vulnerability detection? Check out our other product, MythX. It uses fuzzing, symbolic execution and static analysis to detect tons of different vulnerabilities out of the box.
There are tons of ways that you can write properties and property checks. We recommend Scribble! A tool was tailored for property based testing and fuzzing!
You can find the Scribble documentation here.
You can learn everything you need about writing properties here:
✍️ Writing Properties
Seed Deployments
In the second step, you’ll deploy Scribble instrumented smart contracts to a Ganache node. Why? We will copy over this deployment into our fuzzer and use it as a seed to initialize our fuzzing campaign. This way, fuzzing starts on an actual deployment of the components in your system, and we’re able to test how the system components interact.
💡 You can often use existing test fixtures or deployment scripts for your fuzzing seeds!
Browse over to the following page for more information about seed deployments:
🌱
Seed Deployment
Fuzzing
The last step is where the fun is at! We’ll start fuzzing!
We first build a simple configuration that tells our CLI (how to install the cli?) utils where to find all the artifacts needed for fuzzing.
# .fuzz_token.yml
​
analyze:
    # We need to know where the dependencies live
    remappings:
      - "@openzeppelin=./node_modules/@openzeppelin"
fuzz:
    # Tell the CLI where to find the compiled contracts and compilation artifacts
    build_directory: artifacts
    
    # The following address is going to be the main target for the fuzzing campaign
    deployed_contract_address: "0x48b8050b4174f7871ce53AaF76BEAcA765037BFf"
    
    # We'll do fuzzing with 4 cores 🚀
    number_of_cores: 4
    
    # When the campaign is created it'll get a name <prefix>_<random_characters>
    campaign_name_prefix: "my-first-campaign"
    
    # Enable this option if you're fuzzing Scribble annotated code
    # It'll visualise all the results for the original source code, 
    # instead of the instrumentation code.
    map_to_original_source: true   
    
    # Point to your ganache node which holds the seed 🌱
    rpc_url: "http://localhost:8545"
    
    # This is the contract that the campaign will show coverage for, map issues to, etc.
    # It's a list of all the relevant contracts (don't worry about dependencies, we'll get those automatically 🙌)
    targets:
        - "contracts/Token.sol"
You only need to setup your configuration once! Then you're all set to fuzz in seconds!
Want to learn more about the configuration options? 
💻
Configuring the CLI
You can now start a fuzzing campaign!
$ fuzz -c .fuzz_token.yml run
​
You can find your report at: <report_url>
🤞 Let's hope we don't find any bugs in your contracts! 
For more information on the fuzzing campaign reports check out this page:
📊
Report

Welcome!

Next - Getting Started

✍️ Writing Properties

Last modified 2mo ago

Copy link

Outline

Writing Properties

Seed Deployments

Fuzzing