This directory contains fuzz testing targets for the token factory contract using libfuzzer and the arbitrary crate. The fuzz targets are designed to test critical contract logic with randomly generated inputs to uncover edge cases and potential panics.
Fuzz testing generates random inputs to discover edge cases and potential crashes in arithmetic and validation logic. The fuzz targets focus on five critical areas:
- create_token: UTF-8 string validation, name/symbol/decimals parsing, fee arithmetic with random inputs
- fee_arithmetic: Integer overflow checking in fee calculations, saturation arithmetic, boundary conditions
- burn: Burn amount arithmetic, balance invariants, total supply calculations with random amounts
- set_metadata: Metadata URI string handling, fee comparison arithmetic, duplicate-set guard
- mint_tokens: Amount validation, max-supply cap overflow (
checked_add), fee distribution arithmetic
- Rust toolchain (latest stable)
cargo-fuzz(optional, for full libfuzzer integration):cargo install cargo-fuzz
cd contracts/token-factory/fuzz
cargo build --releasecd contracts/token-factory/fuzz
cargo fuzz run fuzz_create_tokencd contracts/token-factory/fuzz
cargo +nightly run --release --bin fuzz_create_tokencargo +nightly run --release --bin fuzz_create_token -- -max_len=10000 -timeout=60Focus: Input validation and string creation with random data
Tests:
- UTF-8 validation of random byte sequences
- String creation with various name/symbol values
- Decimals clamping (0-255)
- Saturation arithmetic on supply and fee values
- No panics on any valid input combination
Success Criteria: No panics on valid inputs; all assertions pass
File: fuzz_targets/fuzz_create_token.rs
Focus: Fee calculation logic and overflow checking
Tests:
- Saturation arithmetic properties
- Base fee and metadata fee combinations
- Fee multiplication with operation counts
- Monotonic increase property (fees never decrease)
- No signed integer overflow
Success Criteria:
- No integer overflow panics
- All saturation operations complete safely
- Arithmetic properties maintained
File: fuzz_targets/fuzz_fee_arithmetic.rs
Focus: Burn amount validation and balance calculations
Tests:
- Burn amount clamping and validation
- Sequential balance updates
- Full balance burns
- Negative amount handling
- Unsigned vs signed arithmetic edge cases
Success Criteria:
- No panics on any input value
- Balance invariants maintained (never negative)
- Saturation arithmetic works correctly
File: fuzz_targets/fuzz_burn.rs
Focus: Metadata URI string handling and fee arithmetic for set_metadata
Tests:
- Arbitrary byte sequences converted to UTF-8 metadata URIs (no length limit in contract)
- Fee sufficiency guard:
fee_payment >= metadata_fee - Fee remainder arithmetic after payment
- Duplicate-set guard simulation (idempotency path skips arithmetic)
- Saturating fee-accumulation operations matching
distribute_fee
Success Criteria:
- No panics on any valid UTF-8 URI or fee combination
- Non-UTF-8 inputs handled without panic
- All arithmetic invariants maintained
File: fuzz_targets/fuzz_set_metadata.rs
Focus: Amount validation, max-supply cap enforcement, and fee distribution for mint_tokens
Tests:
- Non-positive amount rejection (
amount <= 0) - Fee sufficiency guard:
fee_payment >= base_fee checked_addoverflow oncurrent_supply + amount(maps toArithmeticOverflowerror)- Max-supply cap enforcement:
new_total > cap(maps toMaxSupplyExceedederror) - Supply monotonicity: minting always increases total supply
- Fee split distribution arithmetic (two-recipient model)
Success Criteria:
- No panics on any
i128amount or supply combination - Overflow paths detected via
checked_add, not via panic - Supply invariants (
new_total <= cap) maintained on success path
File: fuzz_targets/fuzz_mint_tokens.rs
Fuzz tests are automatically run by GitHub Actions:
- Trigger: Pull requests modifying contract code
- Schedule: Daily at 2 AM UTC
- Duration: 60 seconds per target
- Artifacts: Crash artifacts uploaded on failure
See .github/workflows/fuzz-testing.yml for the workflow configuration.
...
artifact summary: 0 new, 0 unique
No artifacts = no crashes found ✓
A crash will be saved to the work directory. The file contains the input that triggered the crash.
Next Steps:
- Note the failing input sequence
- Add regression test to contract test suite with the failing case
- Fix the underlying bug
- Verify crash is resolved in next fuzz run
- Simplified Targets: Fuzz targets focus on pure Rust logic, not full contract interaction
- No WASM Execution: Contract WASM execution is tested separately via integration tests
- Mock Environment: Contract setup uses mocked Soroban environment
- Integration with continuous fuzzing service (OSS-Fuzz)
- More comprehensive contract interaction fuzzing
- Generational corpus for improved coverage
- Cross-contract fuzz testing
- Memory safety checking with sanitizers