Comments (7)
There is a regression bug making targetContract not picked up. Shall be fixed by EOD.
from ityfuzz.
@shouc well, these lines were on the original implementation from @tuturu-tech, but I guess they are not necessary after all.
Thanks for the fix in any case!
from ityfuzz.
Onchain flashloan can be enabled by adding the `--flashloan` flag. ItyFuzz would then automatically flashloan and liquidate related tokens from Uniswap, etc.
If the token has no LPs, you can use a Foundry fork test to set up (e.g., overwriting slots): https://github.com/fuzzland/ityfuzz/blob/master/tests/evm_manual/foundry1/test/Onchain.t.sol
runs with `ityfuzz evm -m OnchainTest -- forge test`
from ityfuzz.
@shouc Not sure but it is not working.
I am using the following setup: https://github.com/aviggiano/ityfuzz/pull/1/files
```
ityfuzz/tests/evm_manual
[I] ➜ ityfuzz evm -m StaxExploitTest -- forge test
Nothing to compile
thread 'main' panicked at src/evm/mod.rs:612:54:
Failed to build the project: "no json file found"
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
```
from ityfuzz.
@aviggiano The issue has been fixed, with a few points to note:
- The test execution path is incorrect, it should be in `tests/evm_manual/foundry1`.
- The command `ityfuzz evm -m StaxExploitTest -- forge test` indicates the use of `forge test` to compile solidity files, but some tests under this path can only be tested via ityfuzz. Running `forge test` directly will fail. So `forge build` should be used instead.
- An etherscan_api_key is required to fetch code and ABI from Etherscan. The key can be obtained from Etherscan.
The complete steps are as follows:
```
git pull
cd tests/evm_manual/foundry1
cargo run evm -k <YOUR-SCAN-API-KEY> -m StaxExploitTest -- forge build
```
from ityfuzz.
Thank you @jacob-chia @shouc, this worked.
However, ityfuzz was not able to reproduce the bug that Echidna found in 10min.
Maybe something's wrong with my invariant test?
It would be nice to have some benchmarks for ityfuzz vs Echidna, which I believe are currently the only 2 fuzzers capable of fuzzing mainnet contracts. Please let me know if you want to work on this together.
from ityfuzz.
Is there a reason that these lines are added?
```solidity
vm.prank(tokenHolder);
StaxLP.transfer(address(this), initialAmount);
StaxLP.approve(address(StaxLPStaking), type(uint256).max);
```
With them you just simply need to transfer to somewhere to break the invariant.
Removing these lines shall yield the intended exploit with PR #469:
```solidity
// SPDX-License-Identifier: UNLICENSED
pragma solidity ^0.8.13;

import {Test} from "forge-std/Test.sol";

interface IStaxLP {
    function balanceOf(address) external returns (uint256);
    function transfer(address, uint256) external returns (bool);
    function approve(address, uint256) external returns (bool);
}

contract StaxExploitTest is Test {
    uint256 private initialAmount;
    IStaxLP private StaxLP =
        IStaxLP(0xBcB8b7FC9197fEDa75C101fA69d3211b5a30dCD9);
    address private StaxLPStaking = 0xd2869042E12a3506100af1D192b5b04D65137941;
    address private tokenHolder =
        address(0xeCb456EA5365865EbAb8a2661B0c503410e9B347);

    function setUp() public {
        // Fork mainnet at the block just before the incident and register both targets.
        vm.createSelectFork("http://64.71.166.16:28545/", 15725066);
        targetContract(address(StaxLP));
        targetContract(address(StaxLPStaking));
        // The test contract starts with no LP; any balance it ends up with is a gain.
        initialAmount = StaxLP.balanceOf(address(this));
    }

    function invariant_1() public {
        assertEq(StaxLP.balanceOf(address(this)), initialAmount);
    }
}
```
[Screenshot: Screen Shot 2024-04-18 at 12 25 35 PM]
from ityfuzz.
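The comment above shows why a pre-funded test contract makes an equality invariant on its own balance trivially falsifiable: any transfer out breaks it. When a harness genuinely needs a balance (for example to exercise stake/unstake paths), the invariant can instead be phrased as "no net gain", so only ending up with more LP than the harness was given counts as a violation. The following is an added example, not code from the thread or the ityfuzz project; the addresses, fork URL and block number are the ones quoted above, while the contract name and the funding amount `FUND` are assumptions.

```solidity
// SPDX-License-Identifier: UNLICENSED
pragma solidity ^0.8.13;

import {Test} from "forge-std/Test.sol";

interface IStaxLP {
    function balanceOf(address) external view returns (uint256);
    function transfer(address, uint256) external returns (bool);
    function approve(address, uint256) external returns (bool);
}

// Added example: pre-funded variant whose invariant only fails on a net gain.
contract StaxNoGainTest is Test {
    IStaxLP private StaxLP =
        IStaxLP(0xBcB8b7FC9197fEDa75C101fA69d3211b5a30dCD9);
    address private constant StaxLPStaking = 0xd2869042E12a3506100af1D192b5b04D65137941;
    address private constant tokenHolder = 0xeCb456EA5365865EbAb8a2661B0c503410e9B347;
    uint256 private constant FUND = 1 ether; // assumed stake size, not from the thread

    uint256 private initialAmount;

    function setUp() public {
        vm.createSelectFork("http://64.71.166.16:28545/", 15725066);
        targetContract(address(StaxLP));
        targetContract(StaxLPStaking);

        // Fund the harness so the fuzzer can actually stake/unstake through it.
        vm.prank(tokenHolder);
        StaxLP.transfer(address(this), FUND);
        StaxLP.approve(StaxLPStaking, type(uint256).max);

        initialAmount = StaxLP.balanceOf(address(this));
    }

    // Spending or staking LP lowers the balance and is not a bug; only
    // holding more than we started with is reported as a violation.
    function invariant_noNetGain() public {
        assertLe(StaxLP.balanceOf(address(this)), initialAmount);
    }
}
```

Run it the same way as the thread's test, selecting this contract by name: `cargo run evm -k <YOUR-SCAN-API-KEY> -m StaxNoGainTest -- forge build`. Note this invariant only detects exploits that leave the harness with more StaxLP; value extracted as a different token needs its own balance check.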