medusa
medusa
is a cross-platform go-ethereum-based smart contract fuzzer inspired by Echidna.
It provides parallelized fuzz testing of smart contracts through CLI, or its Go API that allows custom user-extended testing methodology.
Disclaimer: Please note that medusa
is an experimental smart contract fuzzer. Currently, it should not be adopted into production systems. We intend for medusa
to reach the same capabilities and maturity that Echidna has. Until then, be careful using medusa
as your primary smart contract fuzz testing solution. Additionally, please be aware that the Go-level testing API is still under development and is subject to breaking changes.
Features
medusa
provides support for:
- ✔️Parallel fuzzing and testing methodologies across multiple workers (threads)
- ✔️Assertion and property testing: built-in support for writing basic Solidity property tests and assertion tests
✔️ Mutational value generation: fed by compilation and runtime values.✔️ Coverage collecting: Coverage increasing call sequences are stored in the corpus✔️ Coverage guided fuzzing: Coverage increasing call sequences from the corpus are mutated to further guide the fuzzing campaign- ✔️Extensible low-level testing API through events and hooks provided throughout the fuzzer, workers, and test chains.
❌ Extensible high-level testing API allowing for the addition of per-contract or global post call/event property tests with minimal effort.
Installation
Precompiled binaries
To use medusa
, first ensure you have crytic-compile and a suitable compilation framework (e.g. solc
, hardhat
) installed on your machine.
You can then fetch the latest binaries for your platform from our GitHub Releases page.
Building from source
Requirements
- You must have at least go 1.18 installed.
- [Windows only] The
go-ethereum
dependency may require TDM-GCC to build.
Steps
- Clone the repository, then execute
go build
in the repository root. - Go will automatically fetch all dependencies and build a binary for you in the same folder when completed.
Usage
Although we recommend users run medusa
in a configuration file driven format for more customizability, you can also run medusa
through the CLI directly.
We provide instructions for both below.
We recommend you familiarize yourself with writing assertion and property tests for Echidna. medusa
supports Echidna-like property testing with config-defined function prefixes (default: fuzz_
) and assertion testing using Solidity assert(...)
statements.
Command-line only
You can use the following command to run medusa
against a contract:
medusa fuzz --target contract.sol --deployment-order ContractName
Where:
--target
specifies the pathcrytic-compile
should use to compile contracts--deployment-order
specifies comma-separated names of contracts to be deployed for testing.
Note: Check out the command-line interface wiki page, or run medusa --help
for more information.
Configuration file driven
The preferred method to use medusa is to enter your project directory (hardhat directory, or directory with your contracts), then execute the following command:
medusa init
This will create a medusa.json
in your current folder. There are two required fields that should be set correctly:
- Set your
"target"
under"compilation"
to point to the file/directory whichcrytic-compile
should use to build your contracts. - Put the names of any contracts you wish to deploy and run tests against in the
"deploymentOrder"
field. This must be non-empty.
After you have a configuration in place, you can execute:
medusa fuzz
This will use the medusa.json
configuration in the current directory and begin the fuzzing campaign.
Note: Check out the project configuration wiki page, or run medusa --help
for more information.
Running Unit Tests
First, install crytic-compile, solc-select, and ensure you have solc
(version >=0.8.7), and hardhat
available on your system.
- From the root of the repository, invoke
go test -v ./...
on through command-line to run tests from all packages at or below the root.- Or enter each package directory to run
go test -v .
to test the immediate package. - Note: the
-v
parameter provides verbose output.
- Or enter each package directory to run
- Otherwise, use an IDE like GoLand to visualize the tests and logically separate output.
FAQs
Why create medusa
if Echidna is already working just fine?
With medusa
, we are exploring a different EVM implementation and language for our smart contract fuzzer. We believe that
experimenting with a new fuzzer provides us with the following benefits:
- Since
medusa
is written in Go, we believe that this will lower the barrier of entry for external contributions. We have taken great care in thoroughly commenting our code so that it is easy for new contributors to get up-to-speed and start contributing! - The use of Go allows us to build an API to hook into the various parts of the fuzzer to build custom testing methodologies. See the API Overview (WIP) section in the Wiki for more details.
- Our forked version of go-ethereum,
medusa-geth
, exhibits behavior that is closer to that of the EVM in production environments. - We can take the lessons we learned while developing Echidna to create a fuzzer that is just as feature-rich but with additional capabilities to create powerful and unique testing methodologies.
Contributing
For information about how to contribute to this project, check out the CONTRIBUTING guidelines.
License
medusa
is licensed and distributed under the AGPLv3.