phink 0.1.5

🐙 Phink, a ink! smart-contract property-based and coverage-guided fuzzer
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152

#![allow(unused_imports, unused_variables)]
use crate::{
    cli::config::Configuration,
    contract::{
        remote::{
            ContractSetup,
            FullContractResponse,
        },
        selectors::{
            database::SelectorDatabase,
            selector::Selector,
        },
    },
    cover::coverage::InputCoverage,
    fuzzer::parser::{
        Message,
        OneInput,
        Origin,
    },
    ResultOf,
};
use anyhow::{
    bail,
    Context,
};
use contract_transcode::ContractMessageTranscoder;
use sp_runtime::{
    DispatchError,
    ModuleError,
};
use std::{
    panic,
    path::Path,
    sync::{
        Arc,
        Mutex,
    },
};

#[derive(Clone)]
pub struct CampaignManager {
    setup: ContractSetup,
    database: SelectorDatabase,
    configuration: Configuration,
    transcoder: Arc<Mutex<ContractMessageTranscoder>>,
}

impl CampaignManager {
    pub fn new(
        database: SelectorDatabase,
        setup: ContractSetup,
        configuration: Configuration,
    ) -> ResultOf<Self> {
        let transcoder = Arc::new(Mutex::new(
            ContractMessageTranscoder::load(Path::new(&setup.path_to_specs))
                .context("Cannot instantiante the `ContractMessageTranscoder`")?,
        ));

        Ok(Self {
            setup,
            database,
            configuration,
            transcoder,
        })
    }

    pub fn config(&self) -> Configuration {
        self.configuration.clone()
    }

    pub fn database(&self) -> &SelectorDatabase {
        &self.database
    }

    pub fn transcoder(&self) -> Arc<Mutex<ContractMessageTranscoder>> {
        Arc::clone(&self.transcoder)
    }

    pub fn check_invariants(
        &self,
        responses: &[FullContractResponse],
        decoded_msgs: &OneInput,
        catch_trapped_contract: bool,
    ) {
        let trapped = responses.iter().filter(|response| response.is_trapped());

        // If we are running the seeds or that we want the fuzzer to catch the trapped contract AND
        // that we have a trapped contract, we panic artificially trigger a bug for AFL
        if catch_trapped_contract && trapped.clone().next().is_some() {
            trapped.for_each(|response| {
                self.display_trap(decoded_msgs, response);
            });
            // Artificially trigger a bug for AFL
            panic!("\n🫡  Job is done! Please, don't mind the backtrace below/above.\n\n");
        }

        // TODO: We only try to run the invariants as the first message's origin here
        if let Ok(invariant_tested) = self.are_invariants_failing(decoded_msgs.messages[0].origin) {
            self.display_invariant(responses.to_vec(), decoded_msgs, invariant_tested);
            panic!("\n🫡   Job is done! Please, don't mind the backtrace below/above.\n\n"); // Artificially trigger a bug for AFL
        }
    }

    pub fn display_trap(&self, message: &OneInput, response: &FullContractResponse) {
        #[cfg(not(fuzzing))]
        {
            println!("\n🤯 A trapped contract got caught! Let's dive into it");
            println!("\n🐛 IMPORTANT STACKTRACE : {response}\n");
            println!("🎉 Find below the trace that caused that trapped contract");
            message.pretty_print(vec![response.clone()]);
        }
    }

    #[allow(unused_mut)]
    pub fn display_invariant(
        &self,
        responses: Vec<FullContractResponse>,
        decoded_msg: &OneInput,
        mut invariant_tested: Selector,
    ) {
        #[cfg(not(fuzzing))]
        {
            let hex = self
                .transcoder()
                .lock()
                .unwrap()
                .decode_contract_message(&mut &*invariant_tested.as_mut())
                .unwrap();

            println!("\n🤯 An invariant got caught! Let's dive into it");
            println!("\n🫵  This was caused by `{hex}`\n");
            println!("🎉 Find below the trace that caused that invariant");
            decoded_msg.pretty_print(responses);
        }
    }

    /// This function aims to call every invariants via `invariant_selectors`.
    pub fn are_invariants_failing(&self, origin: Origin) -> ResultOf<Selector> {
        for invariant in &self.database.to_owned().invariants()? {
            let invariant_call: FullContractResponse = self.to_owned().setup.call(
                invariant.as_ref(),
                origin.into(),
                0,
                self.configuration.clone(),
            );
            if invariant_call.failed() {
                return Ok(*invariant);
            }
        }
        bail!("All invariants passed")
    }
}