Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: UbiquityPoolFacet fuzz tests #940

Merged
merged 19 commits into from
Jun 24, 2024

Conversation

gitcoindev
Copy link
Contributor

Resolves #925

Skeleton based on UbiquityPoolFacet tests.

Base on facet tests. Update according to identified properties.
@gitcoindev gitcoindev self-assigned this May 24, 2024
@gitcoindev gitcoindev requested a review from rndquu as a code owner May 24, 2024 14:19
@gitcoindev gitcoindev marked this pull request as draft May 24, 2024 14:19
@gitcoindev
Copy link
Contributor Author

gitcoindev commented May 24, 2024

This pull request is still a draft. It contains a skeleton for fuzz tests, I will keep updating and hopefully make as ready for review during or after the weekend.

@gitcoindev gitcoindev removed the request for review from rndquu May 24, 2024 14:20
@gitcoindev gitcoindev changed the title test: add skeleton for UbiquityPoolFacet fuzz tests UbiquityPoolFacet fuzz tests May 24, 2024
@ubiquity-os-deployer
Copy link

ubiquity-os-deployer bot commented May 29, 2024

@gitcoindev
Copy link
Contributor Author

I am playing with the fuzzer a lot and discovered an interesting case. When redeem threshold is set to $0.99 , the curve price must be larger than 990000999999999999 due to conversion between 6 digit and 18 digit curve prices in getDollarPriceUsd() <= poolStorage.redeemPriceThreshold comparison, i.e

vm.assume(dollarPriceUsd > 990000999999999999); // 0.99e18 , greater than redeem threshold

I was stuck for some time with the failing fuzz test but after debugging found the edge value. Fuzzer is great, as setting mocked price to 990000999999999998 it almost immediately finds this and reports the case.

@gitcoindev
Copy link
Contributor Author

I will finish with the whole test suite till Friday EOD and set the pr as ready for review.

@rndquu
Copy link
Member

rndquu commented Jun 6, 2024

I am playing with the fuzzer a lot and discovered an interesting case. When redeem threshold is set to $0.99 , the curve price must be larger than 990000999999999999 due to conversion between 6 digit and 18 digit curve prices in getDollarPriceUsd() <= poolStorage.redeemPriceThreshold comparison, i.e

vm.assume(dollarPriceUsd > 990000999999999999); // 0.99e18 , greater than redeem threshold

I was stuck for some time with the failing fuzz test but after debugging found the edge value. Fuzzer is great, as setting mocked price to 990000999999999998 it almost immediately finds this and reports the case.

This seems to be a low severity issue but keeping in mind that nobody from the Sherlock audit have reported this bug it seems that nobody fuzzed the UbiquityPoolFacet contract extensively.

@gitcoindev
Copy link
Contributor Author

I pushed the remaining fuzz tests also for redemption delay, setting as ready for review now.

@gitcoindev gitcoindev marked this pull request as ready for review June 6, 2024 14:56
@gitcoindev gitcoindev self-assigned this Jun 6, 2024
@rndquu
Copy link
Member

rndquu commented Jun 6, 2024

@gitcoindev

  1. Could you add 2 more fuzz tests:
    a) If user mints X Dollars he gets exactly X Dollars (minus fee)
    b) If user redeems X Dollars exactly X Dollars are subtracted from user balance
  2. Pls notice the original issue spec also describe setting up CI

Overall the PR looks great, we will iterate on the fuzzing tests later

@gitcoindev
Copy link
Contributor Author

@gitcoindev

  1. Could you add 2 more fuzz tests:
    a) If user mints X Dollars he gets exactly X Dollars (minus fee)
    b) If user redeems X Dollars exactly X Dollars are subtracted from user balance
  2. Pls notice the original issue spec also describe setting up CI

Overall the PR looks great, we will iterate on the fuzzing tests later

Sure, thank you for the feedback.

@gitcoindev
Copy link
Contributor Author

Hi @rndquu @0x4007 @molecula451 the PR is ready to review, I executed QA against my fork: https://github.com/gitcoindev/ubiquity-dollar/actions/runs/9534134896/job/26278201422 . The CI setup is ready and according to the original spec. Fuzz tests run by default with 256 inputs on PR commits and the 'deep fuzz' workflow with 100000 inputs https://github.com/ubiquity/ubiquity-dollar/blob/development/.github/workflows/deep-fuzz.yml is executed after merge to the development branch.

@gitcoindev gitcoindev requested review from 0x4007 and rndquu June 16, 2024 08:15
@molecula451 molecula451 self-requested a review June 17, 2024 21:32
@molecula451
Copy link
Member

molecula451 commented Jun 18, 2024

hi @gitcoindev can we instead organize the tests inside a "fuzz" folder,

packages/contracts/test/fuzz/diamond/facets/UbiquityPoolFacet.fuzz.t.sol or something similar

i think this is our initial sketching/drawing for fuzzing inside the repo, besides the SMTChecker we've done before, but untouching the .sol files, this is the first so it would be nice the addition of the folder for future development

@gitcoindev
Copy link
Contributor Author

@molecula451 I moved fuzz tests as requested, could you please have a look once again now?

@molecula451 molecula451 changed the title UbiquityPoolFacet fuzz tests feat: UbiquityPoolFacet fuzz tests Jun 22, 2024
Copy link
Member

@molecula451 molecula451 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the foundry standard library allow us to use assume() as an abstraction to meet certain conditions on functionality, to fuzz input and get a corresponding value according to the data

we have moved the files and structured a new way for proper fuzzing tests file in the future

this PR meets the correct condition at issue #925 implementing

  • Correct foundry.toml profile for fuzzing selection

Minting:

Reedeeming:

function testRedeemDollar_FuzzRedemptionDelayBlocks(

of the corresponding user

and assuming arbitrary input, therefore i am approving this PR

@rndquu rndquu merged commit 565aaa6 into ubiquity:development Jun 24, 2024
13 checks passed
@rndquu rndquu deleted the ubiquitypoolfacet-fuzz-tests branch June 24, 2024 07:08
@ubiquibot ubiquibot bot mentioned this pull request Jun 24, 2024
@rndquu
Copy link
Member

rndquu commented Jun 24, 2024

@gitcoindev Did you experiment with how long the deep fuzz workflow runs for, let's say, 1_000_000 runs ? I want to find out a value so that deep fuzz workflow could run for the amount of hours close to github max CI limit (6 hours).

@0x4007
Copy link
Member

0x4007 commented Jun 24, 2024

@gitcoindev Did you experiment with how long the deep fuzz workflow runs for, let's say, 1_000_000 runs ? I want to find out a value so that deep fuzz workflow could run for the amount of hours close to github max CI limit (6 hours).

Can try a binary search and just push a few commits.

@molecula451
Copy link
Member

i think in part we're going to see the runs with new upcoming PRs and improve the addition workflow from there

@gitcoindev
Copy link
Contributor Author

@gitcoindev Did you experiment with how long the deep fuzz workflow runs for, let's say, 1_000_000 runs ? I want to find out a value so that deep fuzz workflow could run for the amount of hours close to github max CI limit (6 hours).

Can try a binary search and just push a few commits.

During my experiments and tests implementation I figured out that 100 000 was more than enough to find all edge cases for this Ubiquity pool lib. Before pushing the commit I modified e.g. vm.assume, expected values or lib implementation, with very small values or large values and fuzzer always found the problem with less than 10 000 iterations. I set deep fuzz to 100 000 to be sure that it will find new issues, but of course we can experiment and increase to full 6 hrs and check if it brings any value.

@rndquu
Copy link
Member

rndquu commented Jun 25, 2024

@gitcoindev Did you experiment with how long the deep fuzz workflow runs for, let's say, 1_000_000 runs ? I want to find out a value so that deep fuzz workflow could run for the amount of hours close to github max CI limit (6 hours).

Can try a binary search and just push a few commits.

During my experiments and tests implementation I figured out that 100 000 was more than enough to find all edge cases for this Ubiquity pool lib. Before pushing the commit I modified e.g. vm.assume, expected values or lib implementation, with very small values or large values and fuzzer always found the problem with less than 10 000 iterations. I set deep fuzz to 100 000 to be sure that it will find new issues, but of course we can experiment and increase to full 6 hrs and check if it brings any value.

#943

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Fuzzing tests
4 participants