This repo is based around a fuzzing harness built with Recon, located in the test/recon directory to allow testing properties of the Renzo system.
Learn more about the standard Recon harness here
This suite integrates a full local deployment of the EigenLayer system (provided by this repo) with a fuzzing scaffolding of the Renzo system to test Renzo invariants.
The EigenLayer system is added as a dependency in the eigenlayer-fuzzing submodule.
To deploy the EigenLayer system in RenzoSetup it inherits from the EigenLayerSystem contract and calls the deployEigenLayerLocal function, allowing access to all EigenLayer contracts for setting up Renzo without any mocks, subsequently the EigenLayer system state can be directly manipulated for testing edge cases, as is described in the Externalities section.
Clamping has been applied for certain target functions to limit the fuzzer search space to values actually used within system, this is primarily done via _getRandomDepositableToken and _getRandomOperatorDelegator, which prevent reverts for uninteresting reasons, such as an address input for a token which is not set as a collateral token in RestakeManager.
The following externalities that may have side-effects within the Renzo system have been implemented to facilitate more realistic fuzzing of these types of events:
These have all been implemented as target functions in the RestakManagerTargetFunctions contract, and therefore will automatically be called in the default fuzz testing setup.
For more detail on the implementation and design decisions behind each, see the externalities.md file.
git clone --recurse-submodules https://github.com/Recon-Fuzz/renzo-fuzzing
npm install
forge installBecause this repo has been scaffolded with Recon, it automatically works for running jobs using Recon's cloud runner.
For an example 12hr job run with Medusa, see here
echidna . --contract CryticTester --config echidna.yamlmedusa fuzz