Developers need to test the reliability and security of their programs before deployment. Traditional unit tests often fail to reveal the edge-case vulnerabilities. Trdelnik addresses this by introducing fuzz testing for Solana programs, which generates a large set of random inputs and call orders to probe for unexpected weaknesses.
Why we created Trdelnik
Programs for the Solana blockchain are mostly written in Rust programming language. There is a good reason to use Rust because it guarantees memory safety without compromising performance as it is the case with other programming languages that use garbage collection. Rust on the other hand uses a new unique concept of ownership. The downside is that Rust might become very complex and the learning curve is steep.
But wait, have you also heard that “only the best programmers can write in Rust and the best make fewer mistakes”? Well even if it was partially true, there are better ways to prevent bugs and one of them is testing. Extensive and systematic testing is an integral part of any software development and is a great way to discover bugs early during development.
How is it possible that most projects have only basic tests or no tests at all? Believe it or not, writing good tests is not as easy as it might seem and in some cases can take even longer than the development of the product alone. In the fast-paced world of crypto, the timelines are often very short and the pressure to launch new projects is extremely high.
That is why we have developed Trdelnik, our Rust-based testing framework providing several convenient developer tools for testing Solana programs written in Anchor. The main goal of Trdelnik is to simplify the setup of the testing environment, provide an automatically generated API to send instructions to custom programs and accelerate the testing process.
Fuzz Testing Solana Programs
A new feature recently introduced to Trdelnik is fuzz testing. It is an automated software testing technique that provides generated random, invalid, or unexpected input data to your program. This helps to discover unknown bugs and vulnerabilities and may prevent zero-day exploits of your program.
There are several fuzzers used for Rust programs, however, googling for Solana fuzz tests does not show any results and that is why we decided to integrate this feature into our framework. Under the hood, Trdelnik uses a well known fuzzer honggfuzz developed by Google.
In the following text we will describe step by step how to use Trdelnik for fuzz testing.
TL;DR Solana Fuzzing
# In the root of your Anchor project, execute these commands:
cargo install trdelnik-cli
cargo install honggfuzz
trdelnik init
# now to go ./trdelnik-tests/src/bin/fuzz_target.rs and edit the fuzz test template
# to run the fuzz test replace <TARGET_NAME> with fuzz_target
trdelnik fuzz run <TARGET_NAME>
# to debug a crash pass in a crash *.fuzz file with following path trdelnik-tests/hfuzz_workspace/<TARGET_NAME>/<CRASH_FILE>.fuzz
trdelnik fuzz run-debug <TARGET_NAME> <CRASH_FILE_PATH>
Fuzzing with Trdelnik Step by Step
In this tutorial we will go through the complete setup involving these steps:
- Setting up a new Anchor project
- Creating a program that contains bugs to detect
- Initializing Trdelnik test framework
- Writing a simple fuzz test
- Running the fuzz test
- Debugging our program using fuzz test crash files
- Setting up a new Anchor project
For the purpose of this tutorial we will create a new Anchor project. If you do not have Anchor framework yet, then install the version 0.28.0.
Open a terminal and go to your project folder where we will create the new project and verify if the project can be built:
anchor init my-trdelnik-fuzz-test
cd my-trdelnik-fuzz-test
anchor build
Verify that the Anchor project is initialized and built successfully.
Creating a program that contains bugs to detect
Next we will create a simple program where we will intentionally introduce bugs that we will try to find with our fuzzer. Open the source file of your program programs /my-trdelnik-fuzz-test/src/lib.rs
and replace everything after the declare_id!()
macro with the following code:
const MAGIC_NUMBER: u8 = 254;
#[program]
pub mod my_trdelnik_fuzz_test {
use super::*;
pub fn initialize(ctx: Context<Initialize>) -> Result<()> {
let counter = &mut ctx.accounts.counter;
counter.count = 0;
counter.authority = ctx.accounts.user.key();
Ok(())
}
pub fn update(ctx: Context<Update>, input1: u8, input2: u8) -> Result<()> {
let counter = &mut ctx.accounts.counter;
msg!("input1 = {}, input2 = {}", input1, input2);
// comment this to fix the black magic panic
if input1 == MAGIC_NUMBER {
panic!("Black magic not supported!");
}
counter.count = buggy_math_function(input1, input2).into();
Ok(())
}
}
pub fn buggy_math_function(input1: u8, input2: u8) -> u8 {
// comment the if statement to cause div-by-zero or subtract with overflow panic
if input2 >= MAGIC_NUMBER {
return 0;
}
let divisor = MAGIC_NUMBER - input2;
input1 / divisor
}
#[derive(Accounts)]
pub struct Initialize<'info> {
#[account(init, payer = user, space = 8 + 40)]
pub counter: Account<'info, Counter>,
#[account(mut)]
pub user: Signer<'info>,
pub system_program: Program<'info, System>,
}
#[derive(Accounts)]
pub struct Update<'info> {
#[account(mut, has_one = authority)]
pub counter: Account<'info, Counter>,
pub authority: Signer<'info>,
}
#[account]
pub struct Counter {
pub authority: Pubkey,
pub count: u64,
}
It is a simple program with two instructions: initialize
and update
. The initialize
instruction will create the necessary data account and the update
instruction will update the on-chain data. It also contains an intentional panic!
macro that will immediately terminate the program simulating a crash if the first input to the program equals the constant MAGIC_NUMBER
.
Now you can again verify if your program builds successfully using anchor build
.
Initialize Trdelnik test framework
In order to use Trdelnik and the fuzzer, we have to install them:
cargo install trdelnik-cli
cargo install honggfuzz
If you had Trdelnik already installed then you need to upgrade to version 0.5.0.
After that, we must initialize Trdelnik framework in our project using the command:
trdelnik init
This command will automatically generate the .program_client folder with an API to our program, add necessary dependencies to the configuration files and generate trdelnik tests templates.
Write a simple fuzz test
The fuzz test target template is located in the trdelnik-tests/src/bin/fuzz_target.rs
file. This file can be modified according to your needs.
Now, you can only replace its content with the following code:
use my_trdelnik_fuzz_test::entry;
use program_client::my_trdelnik_fuzz_test_instruction::*;
const PROGRAM_NAME: &str = "my_trdelnik_fuzz_test";
use assert_matches::*;
use trdelnik_client::fuzzing::*;
#[derive(Arbitrary)]
pub struct FuzzData {
param1: u8,
param2: u8,
}
fn main() {
loop {
fuzz!(|fuzz_data: FuzzData| {
Runtime::new().unwrap().block_on(async {
let program_test = ProgramTest::new(PROGRAM_NAME, PROGRAM_ID, processor!(entry));
let mut ctx = program_test.start_with_context().await;
let counter = Keypair::new();
let init_ix =
initialize_ix(counter.pubkey(), ctx.payer.pubkey(), SYSTEM_PROGRAM_ID);
let mut transaction =
Transaction::new_with_payer(&[init_ix], Some(&ctx.payer.pubkey().clone()));
transaction.sign(&[&ctx.payer, &counter], ctx.last_blockhash);
let res = ctx.banks_client.process_transaction(transaction).await;
assert_matches!(res, Ok(()));
let res = fuzz_update_ix(
&fuzz_data,
&mut ctx.banks_client,
&ctx.payer,
&counter,
ctx.last_blockhash,
)
.await;
assert_matches!(res, Ok(()));
});
});
}
}
async fn fuzz_update_ix(
fuzz_data: &FuzzData,
banks_client: &mut BanksClient,
payer: &Keypair,
counter: &Keypair,
blockhash: Hash,
) -> core::result::Result<(), BanksClientError> {
let update_ix = update_ix(
fuzz_data.param1,
fuzz_data.param2,
counter.pubkey(),
payer.pubkey(),
);
let mut transaction = Transaction::new_with_payer(&[update_ix], Some(&payer.pubkey()));
transaction.sign(&[payer], blockhash);
banks_client.process_transaction(transaction).await
For the purpose of this tutorial and for simplicity we are fuzzing only the instruction parameters. Namely the two parameters input1
and input2
of the update
instruction.
If you look at the fuzz target code, you can see that the main
function contains an infinite loop with the fuzz!
macro that takes a closure where we pass the FuzzData
structure.
Let’s dissect the code a little. The entry point of the fuzz target is the main
function, where we call the fuzz!
macro over and over again. This macro executes the code in the closure, and in each loop, the passed fuzz_data
are different.
We are using the arbitrary
crate that enables us to easily transform unstructured random data to structured data as we defined it in the FuzzData
structure. The closure code gets executed, and if the program does not crash, the fuzz test continues with a new loop iteration, and the fuzz_data
passed to the closure is modified. If the fuzz_data
variable contains data that produces a crash in our program, the fuzzer automatically stores the data in a separate fuzz crash file ./trdelnik-tests/hfuzz_workspace/<TARGET_NAME>/<CRASH_FILE_NAME>.fuzz
. This is useful especially for subsequent debugging.
The code executed in the closure in our fuzz target first creates a new TestProgram
and adds our program to the test environment. Then the test client is started that enables us to send transactions to our program. Having that, we have to first initialize our program. We create the initialize instruction with the help of Trdelnik that automatically generated the initialize_ix
function for us. Finally we create a new transaction, that we sign and send via the client to the test environment. Great, our program is initialized!
Now we call the fuzz_update_ix
function in order to supply random data to the update instruction that we want to fuzz and where we want to find bugs. Again, we construct the update instruction using the automatically generated update_ix
function and we supply the randomly generated parameters from the FuzzData
structure. Finally, we create the transaction, sign and send it. And that’s it, our fuzz target is ready to go!
Run the fuzz test
Trdelnik provides a convenient way to run the fuzz tests. Anywhere in your Anchor project, you can execute the command:
trdelnik fuzz run <TARGET_NAME>
So in our case if we replace the <TARGET_NAME>
with the actual name it gets the following:
trdelnik fuzz run fuzz_target
Once you execute this command, the whole project has to be built with instrumentation for fuzzing so it takes some time. After the build is finished, the fuzzer starts automatically and looks like this:
At the top, you can see fuzzing statistics. Especially how many times your program crashed, how many of these crashes were unique, how many iterations were done and so on.
To stop fuzzing, you can simply hit CTRL+C. As Trdelnik uses Honggfuzz under the hood, you can also pass parameters directly to the fuzzer using environment variables.
For example:
# Time-out: 10 secs
# Number of concurrent fuzzing threads: 1
# Number of fuzzing iterations: 10000
# Display Solana logs in the terminal
# Exit upon crash
HFUZZ_RUN_ARGS="-t 10 -n 1 -N 10000 -Q --exit_upon_crash" trdelnik fuzz run fuzz_target
If you run the command above, the fuzzer will stop after the first encountered crash and passing the -Q
flag allows us to see the Solana logs. In our Solana example program, we use the msg!
macro to display the value of the update instruction parameters input1
and input2
that you can see from the log that have values 254 and 255 respectively.
Debug our program using fuzz test crash files
As you can see from the log above, the data that caused the crash of our program was stored in the fuzz crash file in ./trdelnik-tests/hfuzz_workspace/fuzz_target
folder.
Now it is possible to use this crash file and “replay” the crash in the debugger to inspect the bug. The corresponding command is:
trdelnik fuzz run-debug <TARGET_NAME> <CRASH_FILE_PATH>
So in our case if we replace the <TARGET_NAME>
and <CRASH_FILE_PATH>
with the actual values. The name of the crash file might differ so you will have to modify it accordingly.
In our case the resulting command is as follows:
trdelnik fuzz run-debug fuzz_target ./trdelnik-tests/hfuzz_workspace/fuzz_target/SIGABRT.PC.7ffff7c8e83c.STACK.1b3a7a7882.CODE.-6.ADDR.0.INSTR.mov____\%eax,\%ebx.fuzz
Once you execute this command, the whole project has to be built for debugging. After that, the fuzzer runs your program with supplied parameters from the crash file and simulates the crash again for inspection.
Now you can see in the debugger, that the thread panicked at ‘Black magic not supported!’, programs/my-trdelnik-fuzz-test/src/lib.rs:27:13
This is the expected output because we have intentionally introduced a panic in our program if the input1
variable is equal to our MAGIC_NUMBER
which is 254.
if input1 == MAGIC_NUMBER {
panic!("Black magic not supported!");
}
While in the debugger, you can either execute a help
command for further actions or quit by executing the q
command.
If you want to try to find another bug in the program, you can uncomment the if statement
if input2 >= MAGIC_NUMBER {
return 0;
}
in the buggy_math_function
function in the Solana program in programs/my-trdelnik-fuzz-test/src/lib.rs
and run the fuzzer again. After some time, a new unique crash should be found that you can again analyze using the debugger as shown before.
Conclusion
We have shown how to use the Trdelnik framework to write fuzz tests for Solana programs written in Anchor. You can find the whole example project in Trdelnik’s GitHub repository.
The goal of Trdelnik is not to implement a new fuzzer but rather to provide a convenient way to use the existing honggfuzz fuzzer without the hassle of setting up the testing environment.
It is as simple as initializing Trdelnik in your project and you are ready to fuzz!
The next steps will be the accounts and instructions flow fuzzing.
Stay tuned for more tutorials in the future!