Effective, Usable and Fast: Echidna, a Smart Contract Fuzzing Tool

Sensible contracts are absolutely nothing new anymore. They’ve been close to for a extensive time and we all know how they work. However, it is to be observed that hackers can not feel to get enough of them! The variety of hacks encompassing sensible contracts has only risen in modern years and we have all witnessed the outcomes. 

In case you’re not aware, clever contracts are almost nothing but computer programs that, after brought on, do your task for you and make lifetime a lot easier! But for a computer system program to not have any bugs and faults seems downright fictitious. 

So, what do you do to decrease the odds of your intelligent deal remaining struck by an asteroid-sized hack? You fuzz it!

Not certain what we mean? We’ve obtained you included.

Fuzz tests or Fuzzing is the artwork of automatic bug detection. It is a Black Box computer software screening technique, which is composed of locating implementation bugs using malformed/ semi-malformed details injection in an automated vogue. The purpose powering applying fuzzing is to tension the application and bring about unexpected habits, source leaks, or crashes. 

We have talked in depth about Clever Contract Fuzzing in the earlier. Examine out this blog in advance of looking at further more!

In today’s weblog, we’re speaking about a clever agreement fuzzing tool that is commonly applied by testers and auditors. The tool we’re chatting about is Echidna! Let us get started.

An Introduction to Echidna

Echidna is a Haskell application made for fuzzing/residence-based tests of Ethereum intelligent contracts. It uses refined grammar-centered fuzzing campaigns primarily based on a agreement ABI to falsify consumer-described predicates or Solidity assertions

It is a device created for testing extra intricate Ethereum good contracts. It has functions this kind of as:

  • Optional corpus selection, mutation, and coverage assistance to locate further bugs.
  • Computerized check circumstance minimization for brief triage.
  • Maximum gas usage reporting of the fuzzing campaign.

Characteristics of Echidna

  • Generates inputs tailor-made to your genuine code.
  • Optional corpus selection, mutation, and protection steering to locate further bugs.
  • Driven by Slither to extract useful details right before the fuzzing marketing campaign.
  • Resource code integration to discover which strains are included following the fuzzing campaign.
  • Curses-centered retro UI, textual content-only, or JSON output.
  • Computerized exam scenario minimization for quick triage.
  • Seamless integration into the advancement workflow.
  • Greatest gasoline usage reporting of the fuzzing marketing campaign.

Fuzzing with Echidna

Echidna belongs to a certain spouse and children of fuzzer: residence-dependent fuzzing heavily motivated by QuickCheck. In distinction to a classic fuzzer that will consider to come across crashes, Echidna will try to split consumer-described invariants.

In good contracts, invariants are Solidity features, that can characterize any incorrect or invalid state that the deal can achieve, like:

  • Incorrect accessibility command: the attacker became the proprietor of the contract.
  • Incorrect state device: the tokens can be transferred whilst the agreement is paused.
  • Incorrect arithmetic: the user can underflow its harmony and get unlimited cost-free tokens.

Testing a House with Echidna

We will now see how to exam a sensible agreement with Echidna. The target is the pursuing smart agreement: 

contract Token

  mapping(tackle => uint) public balances

  function airdrop() public

      balances[msg.sender] = 1000


  function consume() public


      balances[msg.sender] -= 1


  function backdoor() public

      balances[msg.sender] += 1


In the unique agreement, we have assumed that:

  • Any person can have a greatest of 1000 tokens
  • The token are unable to be transferred (it is not an ERC20 token)

Write a property

Echidna properties are Solidity functions. A property have to:

  • Have no argument
  • Return genuine if it is productive
  • Have its name starting with echidna

Echidna will:

  • Mechanically make arbitrary transactions to exam the home.
  • Report any transactions top residence to return fake or throw an error.
  • Discard aspect-consequences when contacting a home (i.e. if the residence variations a point out variable, it is discarded soon after the take a look at).

The next residence checks that the caller has no far more than 1000 tokens.

operate echidna_harmony_less than_1000() community look at returns(bool)

      return balances[msg.sender] <= 1000

Initiate a contract

Echidna needs a constructor without argument. If your contract needs a specific initialization, you need to do it in the constructor.

There are some specific addresses in Echidna:

  • 0x00a329c0648769A73afAc7F9381E08FB43dBEA72 which calls the constructor.
  • 0x10000, 0x20000, and 0x00a329C0648769a73afAC7F9381e08fb43DBEA70 which randomly calls the other functions

Run Echidna

The core Echidna functionality is an executable called echidna-test. echidna-test takes a contract and a list of invariants (properties that should always remain true) as input. 

For each invariant, it generates random sequences of calls to the contract and checks if the invariant holds. If it can find some way to falsify the invariant, it prints the call sequence that does so. If it can’t, you have some assurance the contract is safe.

Echidna is launched with:

$ echidna-test contract.sol

If contract.sol contains multiple contracts, you can specify the target:

$ echidna-test contract.sol –contract MyContract

Upon running Echidna, the output would be as follows:

$ echidna-test testtoken.sol –contract TestToken

echidna_balance_under_1000: failed!💥

 Call sequence, shrinking (1205/5000):



Echidna found that the property is violated if backdoor is called.

Collecting and visualizing coverage

After finishing a campaign, Echidna can save a coverage maximizing corpus in a special directory specified with the corpusDir config option. 

This directory will contain two entries: 

  • a directory named coverage with JSON files that can be replayed by Echidna  
  • a plain-text file named covered.txt, a copy of the source code with coverage annotations.

The tool signals each execution trace in the corpus with the following “line marker”:

  • * if an execution ended with a STOP
  • r if an execution ended with a REVERT
  • o if an execution ended with an out-of-gas error
  • e if an execution ended with any other error (zero division, assertion failure, etc)

And that’s how it is done!

Echidna for Smart Contract Build Systems

Echidna can test contracts compiled with different smart contract build systems, including Truffle, Embark, and even Vyper, using crytic-compile

Echidna supports two modes of testing complex contracts. Firstly, one can describe an initialization procedure with Truffle and Etheno and use that as the base state for Echidna. Secondly, echidna can call into any contract with a known ABI by passing in the corresponding solidity source in the CLI.

Echidna supports three different output drivers. There is the default text driver, a json driver, and a none driver, which should suppress all stdout output. 

Limitations and Known Issues

Echidna has quite a few limitations in the latest release. Some of these are inherited from hevm while some are results from design/performance decisions or simply bugs in the code. 

The issues are listed as follows:

  • Debug information can be insufficient.
  • Vyper support is limited.
  • Limited library support for testing.
  • If the contract is not properly linked, Echidna will crash.
  • Assertions are not detected in internal transactions.
  • Value generation can fail in multi-abi mode since the function hash is not precise enough.

With that being said, it is also to be noted that no testing/fuzzing tool out there is perfect as EVM emulation and testing is a hard nut to crack. However, Echidna is a great tool when dealing with complex smart contracts.

About Us 

ImmuneBytes is a Blockchain security firm that employs the industry’s best tools and practices to provide a comprehensive smart contract audit. We have a team of robust and experienced security professionals who are adept at their niches and provide you with a quality service. We have worked on 105+ projects spread across the world on different Blockchain frameworks with some of the industry’s top firms and we continue to unfold the decentralized movement.

We are also providing consultancy, coming up with a bug bounty platform, and also an insurance product to provide our clients with a hassle-free security product catalog. Stay tuned.

Source link