The testing configuration can be broken down into a few subcomponents:
- High-level configuration: Configures global testing parameters, regardless of the type of testing.
- Assertion testing configuration: Configures what kind of EVM panics should be treated as a failing fuzz test.
- Property testing configuration: Configures what kind of function signatures should be treated as property tests.
- Optimization testing configuration: Configures what kind of function signatures should be treated as optimization tests.
We will go over each subcomponent one-by-one:
- Type: Boolean
- Description: Determines whether the fuzzer should stop execution after the first failed test. If
false
,medusa
will continue fuzzing until either thetestLimit
is hit, thetimeout
is hit, or the user manually stops execution. - Default:
true
- Type: Boolean
- Description: Determines whether the fuzzer should stop execution if it is unable to match the bytecode of a dynamically
deployed contract. A dynamically deployed contract is one that is created during the fuzzing campaign
(versus one that is specified in the
fuzzing.targetContracts
). Here is an example of a dynamically deployed contract:
contract MyContract {
OtherContract otherContract;
constructor() {
// This is a dynamically deployed contract
otherContract = new otherContract();
}
}
- Default:
false
- Type: Boolean
- Description: Determines whether the fuzzer should stop execution if no tests are found
(property tests, assertion tests, optimization tests, or custom API-level tests). If
false
and no tests are found,medusa
will continue fuzzing until either thetestLimit
is hit, thetimeout
is hit, or the user manually stops execution. - Default:
true
- Type: Boolean
- Description: Determines whether all contracts should be tested (including dynamically deployed ones), rather than
just the contracts specified in the project configuration's
fuzzing.targetContracts
. - Default:
false
- Type: Boolean
- Description: Determines whether an
execution trace
should be attached to each element of a call sequence that triggered a test failure. - Default:
false
- Type: [String]
- Description: A list of function signatures that the fuzzer should exclusively target by omitting calls to other signatures. The signatures should specify the contract name and signature in the ABI format like
Contract.func(uint256,bytes32)
.Note: Property and optimization tests will always be called even if they are not explicitly specified in this list.
- Default:
[]
- Type: [String]
- Description: A list of function signatures that the fuzzer should exclude from the fuzzing campaign. The signatures should specify the contract name and signature in the ABI format like
Contract.func(uint256,bytes32)
.Note: Property and optimization tests will always be called and cannot be excluded.
- Default:
[]
- Type: Boolean
- Description: Enable or disable assertion testing
- Default:
true
- Type: Boolean
- Description: Whether
pure
/view
functions should be tested for assertion failures. - Default:
false
- Type: Struct
- Description: This struct describes the various types of EVM-level panics that should be considered a "failing case".
By default, only an
assert(false)
is considered a failing case. However, these configuration options would allow a user to treat arithmetic overflows or division by zero as failing cases as well.
- Type: Boolean
- Description: Triggering an assertion failure (e.g.
assert(false)
) should be treated as a failing case. - Default:
true
- Type: Boolean
- Description: Triggering a compiler-inserted panic should be treated as a failing case.
- Default:
false
- Type: Boolean
- Description: Arithmetic underflow or overflow should be treated as a failing case
- Default:
false
- Type: Boolean
- Description: Dividing by zero should be treated as a failing case
- Default:
false
- Type: Boolean
- Description: An out-of-bounds enum access should be treated as a failing case
- Default:
false
- Type: Boolean
- Description: An out-of-bounds storage access should be treated as a failing case
- Default:
false
- Type: Boolean
- Description: A
pop()
operation on an empty array should be treated as a failing case - Default:
false
- Type: Boolean
- Description: An out-of-bounds array access should be treated as a failing case
- Default:
false
- Type: Boolean
- Description: Overallocation/excessive memory usage should be treated as a failing case
- Default:
false
- Type: Boolean
- Description: Calling an uninitialized variable should be treated as a failing case
- Default:
false
- Type: Boolean
- Description: Enable or disable property testing.
- Default:
true
- Type: [String]
- Description: The list of prefixes that the fuzzer will use to determine whether a given function is a property test or not.
For example, if
property_
is a test prefix, then any function name in the formproperty_*
may be a property test.Note: If you are moving over from Echidna, you can add
echidna_
as a test prefix to quickly port over the property tests from it. - Default:
[property_]
- Type: Boolean
- Description: Enable or disable optimization testing.
- Default:
true
- Type: [String]
- Description: The list of prefixes that the fuzzer will use to determine whether a given function is an optimization
test or not. For example, if
optimize_
is a test prefix, then any function name in the formoptimize_*
may be a property test. - Default:
[optimize_]