This directory contains fuzz testing targets for the token factory contract using libfuzzer and the arbitrary crate. The fuzz targets are designed to test critical contract logic with randomly generated inputs to uncover edge cases and potential panics.
Fuzz testing generates random inputs to discover edge cases and potential crashes in arithmetic and validation logic. The fuzz targets focus on three critical areas:
- create_token: UTF-8 string validation, name/symbol/decimals parsing, fee arithmetic with random inputs
- fee_arithmetic: Integer overflow checking in fee calculations, saturation arithmetic, boundary conditions
- burn: Burn amount arithmetic, balance invariants, total supply calculations with random amounts
- Rust toolchain (latest stable)
- cargo-fuzz (optional, for full libfuzzer integration): cargo install cargo-fuzz
Build:
cd contracts/token-factory/fuzz
cargo build --release
Run with cargo-fuzz:
cd contracts/token-factory/fuzz
cargo fuzz run fuzz_create_token
Run directly with a nightly toolchain (libfuzzer options go after --):
cd contracts/token-factory/fuzz
cargo +nightly run --release --bin fuzz_create_token
cargo +nightly run --release --bin fuzz_create_token -- -max_len=10000 -timeout=60
Focus: Input validation and string creation with random data
Tests:
- UTF-8 validation of random byte sequences
- String creation with various name/symbol values
- Decimals clamping (0-255)
- Saturation arithmetic on supply and fee values
- No panics on any valid input combination
Success Criteria: No panics on valid inputs; all assertions pass
File: fuzz_targets/fuzz_create_token.rs
Focus: Fee calculation logic and overflow checking
Tests:
- Saturation arithmetic properties
- Base fee and metadata fee combinations
- Fee multiplication with operation counts
- Monotonic increase property (fees never decrease)
- No signed integer overflow
Success Criteria:
- No integer overflow panics
- All saturation operations complete safely
- Arithmetic properties maintained
File: fuzz_targets/fuzz_fee_arithmetic.rs
Focus: Burn amount validation and balance calculations
Tests:
- Burn amount clamping and validation
- Sequential balance updates
- Full balance burns
- Negative amount handling
- Unsigned vs signed arithmetic edge cases
Success Criteria:
- No panics on any input value
- Balance invariants maintained (never negative)
- Saturation arithmetic works correctly
File: fuzz_targets/fuzz_burn.rs
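The property checks the three targets above assert, collected into one added example that is not code from this repository: the `FuzzInput` struct, the fee model `(base + metadata) * ops`, and every function name are assumptions, and the real targets obtain their input through `#[derive(Arbitrary)]` rather than constructing it by hand.

```rust
// Added example, not the project's own code: the properties a fuzz target
// here asserts on every input. Real targets get `FuzzInput` through
// `#[derive(Arbitrary)]`; this is plain Rust so it builds without libfuzzer-sys.
pub struct FuzzInput {
    pub name: Vec<u8>,
    pub symbol: Vec<u8>,
    pub decimals: u32,
    pub base_fee: u64,
    pub metadata_fee: u64,
    pub ops: u64,
    pub balance: u64,
    pub burn_amount: u64,
}

/// UTF-8 check plus decimals clamp: bad bytes are rejected, never a panic.
pub fn validate(inp: &FuzzInput) -> Option<(String, String, u8)> {
    let name = std::str::from_utf8(&inp.name).ok()?.to_owned();
    let symbol = std::str::from_utf8(&inp.symbol).ok()?.to_owned();
    Some((name, symbol, inp.decimals.min(255) as u8))
}

/// Assumed fee model: (base + metadata) * ops, saturating at u64::MAX.
pub fn total_fee(base: u64, metadata: u64, ops: u64) -> u64 {
    base.saturating_add(metadata).saturating_mul(ops)
}

/// Burn rejects amounts above the balance, so the result can never underflow.
pub fn burn(balance: u64, amount: u64) -> Option<u64> {
    balance.checked_sub(amount)
}

/// Fuzz-target body: returns true only if every property holds for `inp`.
pub fn check_properties(inp: &FuzzInput) -> bool {
    let utf8_ok = std::str::from_utf8(&inp.name).is_ok() && std::str::from_utf8(&inp.symbol).is_ok();
    let create_ok = match validate(inp) {
        Some((_, _, d)) => utf8_ok && u32::from(d) == inp.decimals.min(255),
        None => !utf8_ok,
    };
    // Monotonic property: fees never decrease when ops or base fee grow.
    let fee = total_fee(inp.base_fee, inp.metadata_fee, inp.ops);
    let fee_ok = fee >= total_fee(inp.base_fee, inp.metadata_fee, inp.ops.saturating_sub(1))
        && fee >= total_fee(inp.base_fee.saturating_sub(1), inp.metadata_fee, inp.ops);
    // Balance invariant: a burn either subtracts exactly `amount` or is rejected.
    let burn_ok = match burn(inp.balance, inp.burn_amount) {
        Some(b) => b + inp.burn_amount == inp.balance,
        None => inp.burn_amount > inp.balance,
    };
    create_ok && fee_ok && burn_ok
}
```

In a real target the `fuzz_target!` closure would call `check_properties` and `assert!` on its result, so libfuzzer records any input for which a property fails.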
Fuzz tests are automatically run by GitHub Actions:
- Trigger: Pull requests modifying contract code
- Schedule: Daily at 2 AM UTC
- Duration: 60 seconds per target
- Artifacts: Crash artifacts uploaded on failure
See .github/workflows/fuzz-testing.yml for the workflow configuration.
...
artifact summary: 0 new, 0 unique
No artifacts = no crashes found ✓
A crash will be saved to the work directory. The file contains the input that triggered the crash.
Next Steps:
- Note the failing input sequence
- Add regression test to contract test suite with the failing case
- Fix the underlying bug
- Verify crash is resolved in next fuzz run
- Simplified Targets: Fuzz targets focus on pure Rust logic, not full contract interaction
- No WASM Execution: Contract WASM execution is tested separately via integration tests
- Mock Environment: Contract setup uses mocked Soroban environment
- Integration with continuous fuzzing service (OSS-Fuzz)
- More comprehensive contract interaction fuzzing
- Generational corpus for improved coverage
- Cross-contract fuzz testing
- Memory safety checking with sanitizers