panic: runtime error: invalid memory address or nil pointer dereference #650
Description
I guess this is a bug, please help check.
the function I'm fuzzing is attached, same for the relevant code.
`// SPDX-License-Identifier: GPL-2.0
pragma solidity ^0.8.0;
import {Setup} from "./Setup.sol";
import {vm} from "@chimera/Hevm.sol";
contract Properties is Setup {
constructor() payable {
setup();
}
function property_claim() public returns (bool) {
// Fast forward to after release date
btc24h.approve(address(lock), 110000 * 1 ether);
lock.deposit();
vm.warp(1734220801);
uint256 before_claim = btc24h.balanceOf(address(lock));
// Try to claim as attacker
vm.prank(BOB);
lock.claim();
uint256 after_claim = btc24h.balanceOf(address(lock));
// because BOB should not be able to claim, thus the balance should not change
return (after_claim == before_claim);
}
}
`
`// SPDX-License-Identifier: MIT
pragma solidity ^0.8.28;
import '@openzeppelin/contracts/token/ERC20/IERC20.sol';
import '@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol';
contract Lock {
using SafeERC20 for IERC20;
struct Claim {
uint256 amount;
uint256 releaseDate;
bool claimed;
}
IERC20 public token;
address public owner;
Claim private claims;
modifier onlyOwner() {
require(msg.sender == owner, 'Not authorized');
_;
}
modifier onlyOnOrAfter(uint256 date) {
require(block.timestamp >= date, 'Too early to claim');
_;
}
constructor(IERC20 _token) {
token = _token;
owner = msg.sender;
}
function deposit() external {
uint256 totalAmount = 110000;
token.safeTransferFrom(
msg.sender,
address(this),
totalAmount * 1 ether
);
claims = Claim({
amount: 110000 * 1 ether,
releaseDate: 1734220800,
claimed: false
});
}
function claim() external onlyOnOrAfter(claims.releaseDate) {
require(!claims.claimed, 'Already claimed');
claims.claimed = true;
uint256 claimAmount = claims.amount;
token.safeTransfer(msg.sender, claimAmount);
}
}`
`// SPDX-License-Identifier: MIT
pragma solidity ^0.8.28;
import { ERC20 } from '@openzeppelin/contracts/token/ERC20/ERC20.sol';
import { ERC20Burnable } from '@openzeppelin/contracts/token/ERC20/extensions/ERC20Burnable.sol';
contract BTC24H is ERC20, ERC20Burnable {
constructor() ERC20('BTC24H', 'BTC24H') {
_mint(msg.sender, 21000000 * 10 ** decimals());
}
}`
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x2 addr=0x20 pc=0x105140d34]
goroutine 17612 [running]:
github.com/crytic/medusa/chain.getStandardCheatCodeContract.func1(0x14000310780, {0x14002470010?, 0x2bfd6e5?, 0x140002286a4?})
github.com/crytic/medusa/chain/standard_cheat_code_contract.go:114 +0xb4
github.com/crytic/medusa/chain.(*CheatCodeContract).Run(0x14001f68788, {0x140002286a0, 0x24, 0x18e0})
github.com/crytic/medusa/chain/cheat_code_contract.go:181 +0xe0
github.com/crytic/medusa-geth/core/vm.RunPrecompiledContract({0x1054f4140, 0x14001f68788}, {0x140002286a0, 0x24, 0x18e0}, 0xba2db1, 0x1400313a000)
github.com/crytic/[email protected]/core/vm/contracts.go:230 +0xac
github.com/crytic/medusa-geth/core/vm.(*EVM).Call(0x14002879ce0, {0xa6, 0x47, 0xff, 0x3c, 0x36, 0xcf, 0xab, 0x59, 0x25, ...}, ...)
github.com/crytic/[email protected]/core/vm/evm.go:232 +0x560
github.com/crytic/medusa-geth/core/vm.opCall(0x14002879ce0?, 0x14003106480, 0x140023b1170)
github.com/crytic/[email protected]/core/vm/instructions.go:758 +0x478
github.com/crytic/medusa-geth/core/vm.(*EVMInterpreter).Run(0x14003106480, 0x14002865760, {0x140028176e8, 0x4, 0x8}, 0x0)
github.com/crytic/[email protected]/core/vm/interpreter.go:312 +0x7ec
github.com/crytic/medusa-geth/core/vm.(*EVM).Call(0x14002879ce0, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ...}, ...)
github.com/crytic/[email protected]/core/vm/evm.go:243 +0x790
github.com/crytic/medusa-geth/core.(*stateTransition).execute(0x14002bcd1f8)
github.com/crytic/[email protected]/core/state_transition.go:509 +0xe84
github.com/crytic/medusa-geth/core.ApplyMessage(0x14002879ce0, 0x140027e5ec0, 0x14002817720)
github.com/crytic/[email protected]/core/state_transition.go:208 +0xc8
github.com/crytic/medusa/chain.(*TestChain).CallContract(0x1400096d600, 0x140027e5ec0, {0x0?, 0x0?}, {0x0, 0x0, 0x7?})
github.com/crytic/medusa/chain/test_chain.go:549 +0x774
github.com/crytic/medusa/fuzzing.(*PropertyTestCaseProvider).checkPropertyTestFailed(0x105410fe0?, 0x14000b6d1e0, 0x14002f08340, 0x0)
github.com/crytic/medusa/fuzzing/test_case_property_provider.go:94 +0x200
github.com/crytic/medusa/fuzzing.(*PropertyTestCaseProvider).callSequencePostCallTest.func1(0x14000b6d1e0, {0x14002bcdae0?, 0x14002bcdad0?, 0x0?})
github.com/crytic/medusa/fuzzing/test_case_property_provider.go:313 +0x54
github.com/crytic/medusa/fuzzing.(*FuzzerWorker).testShrunkenCallSequence(0x14000b6d1e0, {0x1400279c540, 0x1, 0x1}, {{0x14002b92b70, 0x2a}, {0x1400279c448, 0x1, 0x1}, 0x140018a1728, ...})
github.com/crytic/medusa/fuzzing/fuzzer_worker.go:426 +0x140
github.com/crytic/medusa/fuzzing.(*FuzzerWorker).shrinkCallSequence(0x14000b6d1e0, {{0x14002b92b70, 0x2a}, {0x1400279c448, 0x1, 0x1}, 0x140018a1728, 0x14000f847b0, 0x1})
github.com/crytic/medusa/fuzzing/fuzzer_worker.go:519 +0x4cc
github.com/crytic/medusa/fuzzing.(*FuzzerWorker).run(0x14000b6d1e0, 0x1054fbe80?)
github.com/crytic/medusa/fuzzing/fuzzer_worker.go:663 +0x6a4
github.com/crytic/medusa/fuzzing.(*Fuzzer).spawnWorkersLoop.func1({0x0?, 0x14000658c00?})
github.com/crytic/medusa/fuzzing/fuzzer.go:814 +0x154
created by github.com/crytic/medusa/fuzzing.(*Fuzzer).spawnWorkersLoop in goroutine 1
github.com/crytic/medusa/fuzzing/fuzzer.go:797 +0x1d4