fuzz

The fuzz command will initiate a fuzzing campaign:

medusa fuzz [flags]

Supported Flags

--config

The --config flag allows you to specify the path for your project configuration file. If the --config flag is not used, medusa will look for a medusa.json file in the current working directory.

# Set config file path
medusa fuzz --out myConfig.json

--compilation-target

The --compilation-target flag allows you to specify the compilation target. If you are using crytic-compile, please review the warning here about changing the compilation target.

# Set compilation target
medusa fuzz --target TestMyContract.sol

--workers

The --workers flag allows you to update the number of threads that will perform parallelized fuzzing (equivalent to fuzzing.workers)

# Set workers
medusa fuzz --workers 20

--timeout

The --timeout flag allows you to update the duration of the fuzzing campaign (equivalent to fuzzing.timeout)

# Set timeout
medusa fuzz --timeout 100

--test-limit

The --test-limit flag allows you to update the number of transactions to run before stopping the fuzzing campaign (equivalent to fuzzing.testLimit)

# Set test limit
medusa fuzz --test-limit 100000

--seq-len

The --seq-len flag allows you to update the length of a call sequence (equivalent to fuzzing.callSequenceLength)

# Set sequence length
medusa fuzz --seq-len 50

--target-contracts

The --target-contracts flag allows you to update the target contracts for fuzzing (equivalent to fuzzing.targetContracts)

# Set target contracts
medusa fuzz --target-contracts "TestMyContract, TestMyOtherContract"

--corpus-dir

The --corpus-dir flag allows you to set the path for the corpus directory (equivalent to fuzzing.corpusDirectory)

# Set corpus directory
medusa fuzz --corpus-dir corpus

--senders

The --senders flag allows you to update medusa's senders (equivalent to fuzzing.senderAddresses)

# Set sender addresses
medusa fuzz --senders "0x50000,0x60000,0x70000"

--deployer

The --deployer flag allows you to update medusa's contract deployer (equivalent to fuzzing.deployerAddress)

# Set deployer address
medusa fuzz --deployer "0x40000"

--use-slither

The --use-slither flag allows you to run Slither on the codebase to extract valuable constants for mutation testing. Equivalent to slither.useSlither. Note that if there are cached results (via slither.CachePath) then the cache will be used.

# Run slither and attempt to use cache, if available
medusa fuzz --use-slither

--use-slither-force

The --use-slither-force flag is similar to --use-slither except the cache at slither.CachePath will be overwritten.

# Run slither and overwrite the cache
medusa fuzz --use-slither-force

--fail-fast

The --fail-fast flag enables fast failure (equivalent to testing.StopOnFailedTest)

# Enable fast failure
medusa fuzz --fail-fast

--trace-all

The --trace-all flag allows you to retrieve an execution trace for each element of a call sequence that triggered a test failure (equivalent to testing.traceAll

# Trace each call
medusa fuzz --trace-all

--no-color

The --no-color flag disables colored console output (equivalent to logging.NoColor)

# Disable colored output
medusa fuzz --no-color

--explore

The --explore flag enables exploration mode. This sets the StopOnFailedTest and StopOnNoTests fields to false and turns off assertion, property, and optimization testing.

# Enable exploration mode
medusa fuzz --explore