Solana Fuzz Tester
This is a beta version of the Solana Toolkit, and is still a WIP. Please post all feedback as a GitHub issue here.
The Trident fuzz tester is still a WIP and currently only Anchor compatible may require some manual work to complete tests.
Initialize Fuzz Tests
Navigate to an Anchor based workspace and run:
trident init
This command does the following:
- Builds the Anchor-based project.
- Reads the generated IDL.
- Based on the IDL creates the fuzzing template.
Write Fuzz Tests
For projects without custom PDA seeds, Trident automatically generates a complete working fuzz test. Remove functions containing todo!
macros from the generated fuzz test and you can proceed directly to the Execute Fuzz Tests section.
Instruction Accounts
Define account properties using intuitive macro constraints:
pub struct InitializeFnInstructionAccounts {#[account(mut,signer,storage = author)]pub author: TridentAccount,#[account(mut,storage = hello_world_account,seeds = [b"hello_world_seed"],)]pub hello_world_account: TridentAccount,#[account(address = "11111111111111111111111111111111", skip_snapshot)]pub system_program: TridentAccount,}
For programs with complex seed structures, you'll need to configure accounts manually through the set_accounts
function.
Refer to detailed documentation for advanced configurations.
Instruction Data
Trident automatically handles data generation for primitive types (u64
, bool
, etc.). For custom data types or manual data specification, utilize the set_data
function.
Learn more in instruction data guide.
Customize Fuzz Tests
Enhance your fuzzing strategy with Trident's advanced features:
-
Fuzzing flows: Control the order of transaction execution. This feature lets you test specific sequences of instructions, ensuring your program handles state transitions correctly.
-
Invariant checks: Add validation functions that run after each successful transaction. Use these to verify your program maintains correct state throughout the test execution.
-
Transaction hooks: Insert custom logic before and after each transaction. This enables setup of preconditions and verification of post-conditions for each test case.
See advanced documentation for additional features and examples.
Execute Fuzz Tests
From your trident-tests
directory, launch the fuzzer:
# Replace <TARGET_NAME> with the name of the# fuzz test (for example: "fuzz_0")trident fuzz run-afl <TARGET_NAME>
Debug Fuzz Tests
When issues are detected, analyze them with the debugging tool:
# fuzzer will run the <TARGET_NAME> with the specified <CRASH_FILE_PATH>trident fuzz debug-afl <TARGET_NAME> <CRASH_FILE_PATH>
For comprehensive guidance, consult documentation or use the --help
flag.
Additional Resources
Is this page helpful?