The ONE test that can check for (almost) every exploit
Heyo,
Jules here, from Cyfrin.
This week we launched the initial batch of early access codes for Cyfrin Updraft 👩🏻💻 the ultimate web3 learning platform for smart contract security and development.
One of the key topics we cover in Updraft courses is smart contract testing.
What if I told you that you could write ONE TEST that would check for almost every possible exploit scenario?
Hello Fuzzing 😸
Fuzz Testing or Fuzzing is when you automagically supply random data to your system in an attempt to break it.
Ok, sounds cool. But how does it work?
1. ✍🏼 Write a smart contract, define invariants
Invariants are statements that must always remain true.
For example, our variable shouldAlwaysBeZero MUST always return 0.
2. 👩🏻💻 Write fuzz tests
In order to prove our invariant holds true, we traditionally would write unit tests with function assertions.
Unit tests are great to prove a statement is true, but they often miss edge cases we didn’t think of.
That’s where fuzz tests come in. Fuzzers input semi-random values automatically to test a wider variety of scenarios.
These values are “semi-random” in that a fuzzer (in this case Foundry’s) is smart enough to pick out values based on its pre-defined data type, uint256, and other conditions you can configure.
For example, we may want to establish the amount of runs the fuzzer should do. The more times it runs, the closer we should be to bug-less code, but the longer the tests will take to run.
3. 🏃🏻♀️ Run the fuzz test
Depending on the fuzzer you’re using, running the fuzz test could require a different command.
In our case, we’re using the Foundry fuzzer so simply running forge test within our Foundry project will do.
Foundry fuzzer is great because of how easy it is to write tests. Alternatively, if you’d like to go deeper - you may want to try out Trail of Bit’s Echidna fuzzer which is arguably better, but a bit more complex - due to its intelligent random number selection process.
— To dive deeper into stateless and stateful fuzz testing, check out this article!
Make sure to check out Updraft’s smart contract security auditing course to learn more about:
Stateful and stateless fuzzing
formal verification
Mutation testing
Differentiated testing
Unit testing
and so much more!
⚡️ Apply and get access earlier here: https://x.com/CyfrinUpdraft/status/1727691247777685693?s=20
Keeping up with Web3 security
Korea is piloting digital currency for 100,000 citizens next year - an exciting experiment for the future of monetary systems.
KyberSwap DEX was hacked for $48 million cross-chain (a bit more than half their treasury size).
A comprehensive report on crypto fundraising was released - sharing that in 2023 alone, there were ~640 funding rounds funded by 1957 unique investors with cumulative financing amount totaling at $5.58 billion.
Spanish government tightens crypto regulation, requesting citizens to declare crypto holdings by March 2024.
Always feel free to reach out if there’s anything we can support or collaborate on.
Sending lots of cyber love,
Jules 🤸🏻
