How to fuzz test for Solana programs

This is a beta version of the Solana Toolkit, and is still a WIP. Please post all feedback as a GitHub issue here.

The Trident fuzz tester is still a WIP and currently only Anchor compatible may require some manual work to complete tests.

Initialize Fuzz Tests

Navigate to an Anchor based workspace and run:

trident init

This command does the following:

Builds the Anchor-based project.
Reads the generated IDL.
Based on the IDL creates the fuzzing template.

For projects without custom PDA seeds, Trident automatically generates a complete working fuzz test. Remove functions containing todo! macros from the generated fuzz test and you can proceed directly to the Execute Fuzz Tests section.

Instruction Accounts

Define account properties using intuitive macro constraints:

pub struct InitializeFnInstructionAccounts {
    #[account(mut,signer,storage = author)]
    pub author: TridentAccount,
    #[account(
        mut,
        storage = hello_world_account,
        seeds = [b"hello_world_seed"],
    )]
    pub hello_world_account: TridentAccount,
    #[account(address = "11111111111111111111111111111111", skip_snapshot)]
    pub system_program: TridentAccount,
}

For programs with complex seed structures, you'll need to configure accounts manually through the set_accounts function.

Refer to detailed documentation for advanced configurations.

Instruction Data

Trident automatically handles data generation for primitive types (u64, bool, etc.). For custom data types or manual data specification, utilize the set_data function.

Learn more in instruction data guide.

Customize Fuzz Tests

Enhance your fuzzing strategy with Trident's advanced features:

Fuzzing flows: Control the order of transaction execution. This feature lets you test specific sequences of instructions, ensuring your program handles state transitions correctly.
Invariant checks: Add validation functions that run after each successful transaction. Use these to verify your program maintains correct state throughout the test execution.
Transaction hooks: Insert custom logic before and after each transaction. This enables setup of preconditions and verification of post-conditions for each test case.

See advanced documentation for additional features and examples.

Execute Fuzz Tests

From your trident-tests directory, launch the fuzzer:

# Replace <TARGET_NAME> with the name of the
# fuzz test (for example: "fuzz_0")
trident fuzz run-afl <TARGET_NAME>

Debug Fuzz Tests

When issues are detected, analyze them with the debugging tool:

# fuzzer will run the <TARGET_NAME> with the specified <CRASH_FILE_PATH>
trident fuzz debug-afl <TARGET_NAME> <CRASH_FILE_PATH>

For comprehensive guidance, consult documentation or use the --help flag.

Additional Resources

Fuzz Tester Source Code.

Solana Fuzz Tester