Onboard Nerite target with recon harness and canaries#1

Open
aviggiano wants to merge 8 commits into dev from dev-recon

Conversation

@aviggiano
Collaborator

Summary

Onboards Recon-Fuzz/nerite-scfuzzbench for scfuzzbench with a vulnerable baseline branch (dev) and recon harness branch (dev-recon).

1) Vulnerable baseline ref

  • Upstream project: https://github.com/NeriteOrg/nerite
  • Baseline commit used for dev: b957c0417697ac4ee9c4aa6d4753739817f169df
  • Rationale: this is the parent of the first recon harness commit (8a3e4afc) in Recon-Fuzz/nerite.

2) Recon harness source ref

  • Source repo: https://github.com/Recon-Fuzz/nerite
  • Source ref used for porting: 60b3171c8cf943e5aadf3c67a5d1fe1911e0db85 (origin/feat/benchmark-covg-workflow-fix-ghost)

3) Files copied/changed

  • Ported full recon tree:
    • contracts/test/recon/**
  • Ported fuzzer configs:
    • contracts/echidna.yaml
    • contracts/medusa.json
    • medusa.json
  • Updated benchmark-compatible invariant config:
    • contracts/foundry.toml
  • Updated ignore rules for fuzz artifacts:
    • contracts/.gitignore

4) Benchmark/canary compatibility updates

  • Foundry [invariant] set to benchmark-compatible values:
    • runs=500000000, depth=100, include_storage=true, show_solidity=true, show_metrics=true, fail_on_revert=false, continuous_run=true, corpus_dir="corpus/foundry"
  • Echidna set to property mode with invariant prefix:
    • testMode: "property", prefix: "invariant_"
  • Medusa uses concrete compilation target (not .):
    • contracts/medusa.json: test/recon/CryticTester.sol
    • medusa.json: contracts/test/recon/CryticTester.sol
  • Added required canaries:
    • Assertion canary reason: !!! canary assertion
    • Global invariant canary: invariant_canary -> immediate failure (Canary invariant)
    • Foundry wrapper canary: invariant_assertion_failure_CANARY
  • Added Foundry assertion-visibility shim in CryticToFoundry.sol:
    • assertion prefix detection (!!!)
    • override wrappers for gt/gte/lt/lte/eq/t
    • per-assertion invariant check for canary
    • targetContract(address(this)) + multiple targetSender values in setUp()
  • Added medusa/echidna compatibility for invariants:
    • invariant_* signatures return bool in Properties.sol

5) Local smoke test summary

Run from contracts/.

  • forge test --match-contract CryticToFoundry --list
    • Found: invariant_canary, invariant_assertion_failure_CANARY
  • Foundry canary smoke checks:
    • FOUNDRY_INVARIANT_CONTINUOUS_RUN=false forge test --match-contract CryticToFoundry --match-test invariant_canary -vv
    • FOUNDRY_INVARIANT_CONTINUOUS_RUN=false forge test --match-contract CryticToFoundry --match-test 'invariant_(canary_assertion_failure|assertion_failure_CANARY)' -vv
    • Both fail immediately with expected messages.
  • Echidna smoke:
    • timeout 300 echidna test/recon/CryticTester.sol --contract CryticTester --config echidna.yaml --test-mode property --format text --disable-slither
    • Reports both failing properties: invariant_canary and invariant_assertion_failure_CANARY.
  • Medusa smoke:
    • timeout 300 medusa fuzz --config medusa.json --timeout 300
    • Reports both failing property tests: CryticTester.invariant_canary() and CryticTester.invariant_assertion_failure_CANARY().

6) 5-minute canary trial summary per fuzzer

All fuzzers surfaced both required canaries well within 5 minutes:

  • Echidna:
    • invariant_canary failed (Canary invariant)
    • invariant_assertion_failure_CANARY failed (!!! canary assertion)
  • Medusa:
    • Property Test: CryticTester.invariant_canary() failed (Canary invariant)
    • Property Test: CryticTester.invariant_assertion_failure_CANARY() failed (assertion failure)
  • Foundry:
    • invariant_canary failed (Canary invariant)
    • invariant_assertion_failure_CANARY failed (!!! canary assertion)

7) Canary validation summary

  • Assertion canary: present and intentionally failing (!!! canary assertion)
  • Global invariant canary: present and intentionally failing (invariant_canary, Canary invariant)

8) /start request JSON

{
  "target_repo_url": "https://github.com/Recon-Fuzz/nerite-scfuzzbench",
  "target_commit": "dev-recon",
  "benchmark_type": "property",
  "instance_type": "c6a.4xlarge",
  "instances_per_fuzzer": 4,
  "timeout_hours": 1,
  "fuzzers": ["echidna", "medusa", "foundry"],
  "foundry_version": "",
  "foundry_git_repo": "https://github.com/aviggiano/foundry",
  "foundry_git_ref": "master",
  "echidna_version": "",
  "medusa_version": "",
  "bitwuzla_version": "",
  "git_token_ssm_parameter_name": "/scfuzzbench/recon/github_token",
  "properties_path": "",
  "fuzzer_env_json": ""
}

9) Target-specific overrides

  • No fuzzer_env_json overrides required.
  • CryticTester constructor uses best-effort vm.etch for ERC1820 bootstrap compatibility across runners.
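The canary wiring the description lists (a recording `t`/`gt`/`gte`/`lt`/`lte`/`eq` layer, `!!!` prefix detection, a bool-returning `invariant_canary`, an `assert_canary(uint256 entropy)` handler and a Foundry-side `invariant_assertion_failure_CANARY` that only inspects recorded assertion state) as one self-contained sketch. This is an added illustrative example, not code from the PR or from Recon-Fuzz/nerite-scfuzzbench: the contract names `AssertionRecorder` and `CanaryHarness`, the storage variables `assertionFailed`/`lastFailureReason` and the `isCanaryReason` helper are assumptions; the function names, the `!!! canary assertion` reason and the `Canary invariant` label are the ones the PR names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative assertion recorder in the style of a recon harness.
// Added example, not the project's code: helper names t/gt/gte/lt/lte/eq and the
// "!!!" canary prefix follow the PR description; contract names and storage are assumed.
abstract contract AssertionRecorder {
    string internal constant CANARY_PREFIX = "!!!";
    string internal constant ASSERTION_CANARY_ASSERTION_FAILURE = "!!! canary assertion";

    // Recorded assertion state. A Foundry wrapper inspects this after every handler call
    // instead of relying on a revert inside the handler (handlers run with fail_on_revert=false).
    bool internal assertionFailed;
    string internal lastFailureReason;

    function t(bool cond, string memory reason) internal {
        if (!cond) {
            assertionFailed = true;
            lastFailureReason = reason;
        }
    }

    function eq(uint256 a, uint256 b, string memory reason) internal { t(a == b, reason); }
    function gt(uint256 a, uint256 b, string memory reason) internal { t(a > b, reason); }
    function gte(uint256 a, uint256 b, string memory reason) internal { t(a >= b, reason); }
    function lt(uint256 a, uint256 b, string memory reason) internal { t(a < b, reason); }
    function lte(uint256 a, uint256 b, string memory reason) internal { t(a <= b, reason); }

    // Prefix detection: a reason starting with "!!!" is a deliberately planted failure,
    // so reports can separate it from a genuine property violation.
    function isCanaryReason(string memory reason) internal pure returns (bool) {
        bytes memory r = bytes(reason);
        bytes memory p = bytes(CANARY_PREFIX);
        if (r.length < p.length) return false;
        for (uint256 i = 0; i < p.length; i++) {
            if (r[i] != p[i]) return false;
        }
        return true;
    }
}

// Properties shared by all three fuzzers. invariant_* functions return bool so that Echidna in
// property mode (prefix "invariant_") and Medusa property tests treat a false return as a failure.
abstract contract Properties is AssertionRecorder {
    // Global invariant canary: always false, proving the invariant path is really exercised.
    function invariant_canary() public pure returns (bool) {
        return false; // surfaces as "Canary invariant"
    }

    // Assertion canary handler: the fuzzer only has to supply entropy == 0 to trip it,
    // which is why it should appear within minutes of starting a campaign.
    function assert_canary(uint256 entropy) public {
        t(entropy > 0, ASSERTION_CANARY_ASSERTION_FAILURE);
    }
}

// Foundry-facing wrapper (assumed name). Foundry's invariant runner calls every invariant_*
// function after each handler sequence and treats a revert as a failed invariant, so the
// recorded assertion state is turned into a revert here rather than only a bool return.
contract CanaryHarness is Properties {
    // Fails with the recorded reason once any handler recorded a canary-prefixed assertion;
    // it never calls assert_canary itself, it only checks what handlers recorded.
    function invariant_assertion_failure_CANARY() public view returns (bool) {
        bool canaryTripped = assertionFailed && isCanaryReason(lastFailureReason);
        require(!canaryTripped, lastFailureReason);
        return true;
    }
}
```

The point of running this before trusting a real campaign is the same one the smoke-test section makes: if a fuzzer cannot surface either canary within minutes, a zero-finding run on the real properties says nothing about the target, only about the harness. Keeping the `!!!` prefix on planted reasons lets report tooling count canary hits separately from genuine violations.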

@aviggiano
Collaborator Author

Applied requested canary tweak:

  • Properties.sol now uses assert_canary(uint256 entropy) with t(entropy > 0, ASSERTION_CANARY_ASSERTION_FAILURE)
  • Removed invariant-style assertion canary function from Properties.sol
  • CryticToFoundry.sol invariant_assertion_failure_CANARY no longer calls a canary function directly; it only checks recorded assertion state
  • No local invariant_canary override in CryticToFoundry.sol (inherits from Properties.sol)

Commit: 9c198186
