Added the completed invariant fuzzing suite (#106)

Author: ljz3

.gitignore

@@ -35,3 +35,9 @@ bootstrap.out
 
 # MacOS
 .DS_Store
+
+# Fuzz
+crytic-export
+echidna-corpus
+medusa-corpus
+med-logs

echidna-config.yaml

@@ -0,0 +1,54 @@
+workers: 1
+
+testMode: assertion
+
+prefix: echidna_
+corpusDir: echidna-corpus
+
+testLimit: 100000000000
+# testLimit: 1000000
+codeSize: 100000
+
+shrinkLimit: 1000
+
+seqLen: 100
+
+deployer: "0xfffff"
+sender: ["0x10000", "0x20000", "0x30000"]
+
+filterBlacklist: true
+filterFunctions:
+  [
+    "Fuzz.handler_activateWithdrawalQueue()",
+    "Fuzz.handler_deactivateWithdrawalQueue()",
+    "Fuzz.handler_deposit(uint8,uint256,uint256)",
+    "Fuzz.handler_depositETH(uint256,uint256)",
+    "Fuzz.handler_depositTo(uint8,uint8,uint256,uint256)",
+    "Fuzz.handler_depositToETH(uint8,uint256,uint256)",
+    "Fuzz.handler_finaliseQueuedWithdrawal(uint8,uint256)",
+    "Fuzz.handler_finaliseQueuedWithdrawalsAggregated(uint8,uint8,uint256,uint256)",
+    "Fuzz.handler_onMessageReceiveChild(bool,uint8,uint8,uint8,uint256)",
+    "Fuzz.handler_onMessageReceiveRoot(bool,uint8,uint8,uint8,uint256)",
+    "Fuzz.handler_pauseChild()",
+    "Fuzz.handler_pauseRoot()",
+    "Fuzz.handler_setRateControlThreshold(uint8,uint256,uint256,uint256)",
+    "Fuzz.handler_setWithdrawalDelay(uint256)",
+    "Fuzz.handler_unpauseChild()",
+    "Fuzz.handler_unpauseRoot()",
+    "Fuzz.handler_updateImxCumulativeDepositLimit(uint256)",
+    "Fuzz.handler_withdraw(uint8,uint256,uint256)",
+    "Fuzz.handler_withdrawETH(uint256,uint256)",
+    "Fuzz.handler_withdrawETHTo(uint8,uint256,uint256)",
+    "Fuzz.handler_withdrawIMX(uint256,uint256)",
+    "Fuzz.handler_withdrawIMXTo(uint8,uint256,uint256)",
+    "Fuzz.handler_withdrawTo(uint8,uint8,uint256,uint256)",
+    "Fuzz.handler_withdrawWIMX(uint256,uint256)",
+    "Fuzz.handler_withdrawWIMXTo(uint8,uint256,uint256)",
+  ]
+
+cryticArgs: ["--foundry-compile-all"]
+
+# Initial Ether balance of contractAddr
+balanceContract: 0xffffffffffffffffffffffffffffffffffffffffffffffff
+# maximum value to send to payable functions
+maxValue: 100000000000000000000000000000 # 100000000000 eth

medusa.json

@@ -0,0 +1,116 @@
+{
+	"fuzzing": {
+		"workers": 1,
+		"workerResetLimit": 50,
+		"timeout": 0,
+		"testLimit": 1000000,
+		"callSequenceLength": 100,
+		"corpusDirectory": "medusa-corpus",
+		"coverageEnabled": true,
+		"deploymentOrder": [
+			"Fuzz"
+		],
+		"targetContracts": [
+			"Fuzz"
+		],
+		"targetContractsBalances": [
+			"0xffffffffffffffffffffffffffffffffffffffffffffffff"
+		],
+		"constructorArgs": {},
+		"deployerAddress": "0xfffff",
+		"senderAddresses": [
+			"0x10000",
+			"0x20000",
+			"0x30000"
+		],
+		"blockNumberDelayMax": 60480,
+		"blockTimestampDelayMax": 604800,
+		"blockGasLimit": 125000000,
+		"transactionGasLimit": 12500000,
+		"testing": {
+			"stopOnFailedTest": false,
+			"stopOnFailedContractMatching": true,
+			"stopOnNoTests": true,
+			"testAllContracts": false,
+			"traceAll": false,
+			"excludeFunctionSignatures": [
+				"Fuzz.handler_activateWithdrawalQueue()",
+				"Fuzz.handler_deactivateWithdrawalQueue()",
+				"Fuzz.handler_deposit(uint8,uint256,uint256)",
+				"Fuzz.handler_depositETH(uint256,uint256)",
+				"Fuzz.handler_depositTo(uint8,uint8,uint256,uint256)",
+				"Fuzz.handler_depositToETH(uint8,uint256,uint256)",
+				"Fuzz.handler_finaliseQueuedWithdrawal(uint8,uint256)",
+				"Fuzz.handler_finaliseQueuedWithdrawalsAggregated(uint8,uint8,uint256,uint256)",
+				"Fuzz.handler_onMessageReceiveChild(bool,uint8,uint8,uint8,uint256)",
+				"Fuzz.handler_onMessageReceiveRoot(bool,uint8,uint8,uint8,uint256)",
+				"Fuzz.handler_pauseChild()",
+				"Fuzz.handler_pauseRoot()",
+				"Fuzz.handler_setRateControlThreshold(uint8,uint256,uint256,uint256)",
+				"Fuzz.handler_setWithdrawalDelay(uint256)",
+				"Fuzz.handler_unpauseChild()",
+				"Fuzz.handler_unpauseRoot()",
+				"Fuzz.handler_updateImxCumulativeDepositLimit(uint256)",
+				"Fuzz.handler_withdraw(uint8,uint256,uint256)",
+				"Fuzz.handler_withdrawETH(uint256,uint256)",
+				"Fuzz.handler_withdrawETHTo(uint8,uint256,uint256)",
+				"Fuzz.handler_withdrawIMX(uint256,uint256)",
+				"Fuzz.handler_withdrawIMXTo(uint8,uint256,uint256)",
+				"Fuzz.handler_withdrawTo(uint8,uint8,uint256,uint256)",
+				"Fuzz.handler_withdrawWIMX(uint256,uint256)",
+				"Fuzz.handler_withdrawWIMXTo(uint8,uint256,uint256)"
+			],
+			"assertionTesting": {
+				"enabled": true,
+				"testViewMethods": true,
+				"panicCodeConfig": {
+					"failOnCompilerInsertedPanic": false,
+					"failOnAssertion": true,
+					"failOnArithmeticUnderflow": false,
+					"failOnDivideByZero": false,
+					"failOnEnumTypeConversionOutOfBounds": false,
+					"failOnIncorrectStorageAccess": false,
+					"failOnPopEmptyArray": false,
+					"failOnOutOfBoundsArrayAccess": false,
+					"failOnAllocateTooMuchMemory": false,
+					"failOnCallUninitializedVariable": false
+				}
+			},
+			"propertyTesting": {
+				"enabled": false,
+				"testPrefixes": [
+					"property_"
+				]
+			},
+			"optimizationTesting": {
+				"enabled": false,
+				"testPrefixes": [
+					"optimize_"
+				]
+			}
+		},
+		"chainConfig": {
+			"codeSizeCheckDisabled": true,
+			"cheatCodes": {
+				"cheatCodesEnabled": true,
+				"enableFFI": false
+			}
+		}
+	},
+	"compilation": {
+		"platform": "crytic-compile",
+		"platformConfig": {
+			"target": ".",
+			"solcVersion": "",
+			"exportDirectory": "",
+			"args": [
+				"--foundry-compile-all"
+			]
+		}
+	},
+	"logging": {
+		"level": "info",
+		"logDirectory": "med-logs",
+		"noColor": true
+	}
+}

package.json

@@ -48,6 +48,7 @@
         "@nomicfoundation/hardhat-toolbox": "^4.0.0",
         "@nomicfoundation/hardhat-verify": "^2.0.0",
         "@nomiclabs/hardhat-ethers": "npm:hardhat-deploy-ethers",
+        "@perimetersec/fuzzlib": "0.3.0",
         "@typechain/ethers-v6": "^0.5.0",
         "@typechain/hardhat": "^9.0.0",
         "@types/chai": "^4.2.0",

remappings.txt

@@ -2,4 +2,5 @@
 @openzeppelin/contracts-upgradeable=lib/openzeppelin-contracts-upgradeable/contracts
 @axelar-cgp-solidity=lib/axelar-cgp-solidity
 @axelar-gmp-sdk-solidity=lib/axelar-gmp-sdk-solidity
-@axelar-network/axelar-gmp-sdk-solidity/=lib/axelar-gmp-sdk-solidity/
+@axelar-network/axelar-gmp-sdk-solidity/=lib/axelar-gmp-sdk-solidity/
+@perimetersec/fuzzlib/src/=node_modules/@perimetersec/fuzzlib/src/

test/fuzzing/Fuzz.sol

@@ -0,0 +1,17 @@
+// SPDX-License-Identifier: GPL-3.0
+pragma solidity ^0.8.0;
+
+import "./FuzzIntegrityChildERC20Bridge.sol";
+import "./FuzzIntegrityRootERC20BridgeFlowRate.sol";
+
+/**
+ * @title Fuzz
+ * @author 0xScourgedev
+ * @notice Composite contract for all of the handlers
+ */
+contract Fuzz is FuzzChildERC20BridgeIntegrity, FuzzRootERC20BridgeFlowRateIntegrity {
+    constructor() payable {
+        setup();
+        setupActors();
+    }
+}

test/fuzzing/FuzzIntegrityBase.sol

@@ -0,0 +1,21 @@
+// SPDX-License-Identifier: GPL-3.0
+pragma solidity ^0.8.0;
+
+/**
+ * @title FuzzIntegrityBase
+ * @author 0xScourgedev
+ * @notice Contains the base for all fuzz integrity contracts
+ */
+abstract contract FuzzIntegrityBase {
+    /**
+     * @notice Executes a delegatecall to the this contract with the given callData
+     * @dev This function is used to call the handlers in order to test the integrity of the handlers
+     * @param callData The data to be used in the delegatecall
+     * @return the success of the delegatecall and the return data
+     */
+    function _testSelf(bytes memory callData) internal returns (bool, bytes4) {
+        (bool success, bytes memory returnData) = address(this).delegatecall(callData);
+
+        return (success, bytes4(returnData));
+    }
+}