MCPcopy Index your code
hub / github.com/asymmetric-research/crucible

github.com/asymmetric-research/crucible @v0.2.0

Chat with this repo
repository ↗ · DeepWiki ↗ · release v0.2.0 ↗ · + Follow
2,242 symbols 10,586 edges 84 files 469 documented · 21%
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

Crucible

Coverage-guided fuzzing framework for Solana smart contracts

Built on LibAFL and LiteSVM for fast, local transaction simulation with edge-level coverage tracking.


Crucible enables property-based testing and stateful invariant checking for Solana programs through randomly generated action sequences. Define your program's actions, write invariants, and let the fuzzer find violations.

Performance

Upperbound throughput on small/medium programs with MacBook Pro M3:

Mode 1 core 12 cores 12 cores, no tracing
Stateless 1,200/s 9,600/s 22,000/s
Stateful 8,200/s 67,000/s 130,000/s

Features

  • Works on any compiled Solana program. Coverage comes from sBPF edge tracing on the LiteSVM execution trace, so no source-side instrumentation or program rebuild is required. Standard Anchor/Codama/Shank IDL is sufficient to generate typed call bindings at compile time. See IDL Code Generation. When no IDL available, calling can still be done with raw_call()
  • Concise harness API. TestContext collapses account construction, signing, instruction encoding, and result parsing into one builder chain: ctx.program(...).call(...).accounts(...).signers(...).send(). Helpers cover time control (advance_epoch, warp_to_slot), account creation, and mint setup. Reduces testing boilerplate by 50-70%. See API Reference.
  • Typed-action mutator. Mutations rewrite typed Vec<Action> entries directly. Sequence operations (insert, delete, swap, splice) and parameter rewrites (numeric values biased toward boundaries and declared #[range(..)] endpoints) keep every generated input structurally valid. Roughly a 5x improvement in bug discovery rate over arbitrary.
  • Stateless mode. Each iteration clones the post-setup snapshot and executes a full mutated sequence against it. Coverage feedback is per-sequence: sequences that reach a new edge survive into the corpus.
  • Stateful mode. Keeps a coverage-indexed pool of live program states and applies one mutated action at a time, picking up where prior iterations left off. Roughly an order-of-magnitude throughput gain over stateless, at the cost of higher memory use as the pool grows with coverage.
  • Crash triage built in. Findings are minimized with crucible tmin and replayed with crucible show. Programs compiled with debug symbols produce LCOV reports viewable with genhtml. See Crash Analysis and Coverage Reports.

Quick Start

Install

From source:

git clone https://github.com/asymmetric-research/crucible
cd crucible
cargo install --path crates/crucible-fuzz-cli

Initialize a fuzz harness

crucible init <program_name>

Defaults to fuzz/<program_name>/

Run a fuzz test

crucible run <program_name> <test_name> --release

Documentation

Topic Description
Getting Started Setup, running, project structure, feature flags
IDL Code Generation Using crucible-idl-gen for standalone harnesses
API Reference TestContext API — program loading, accounts, transactions, RPC cloning, time, oracles
Writing Tests Fixtures, actions, range constraints, simple & invariant fuzzing, assertion macros
CLI Reference All crucible commands and execution modes
Crash Analysis Listing, viewing, replaying, and minimizing crashes
Coverage Reports Bytecode & source-level coverage, LCOV, genhtml
Harness Guide In-depth guide to writing effective fuzz harnesses

License

Licensed under the MIT License.

Extension points exported contracts — how you extend this code

IntoActionSuccess (Interface)
Trait to normalize action return values to success/failure. Allows actions to return either `()` (always success) or `Re [3 …
crates/crucible-test-context/src/lib.rs
FuzzAction (Interface)
Trait for structured fuzz actions. Each action variant knows how to generate random valid instances, mutate its paramet [2 …
crates/crucible-fuzz-runtime/src/action.rs
AccountBuilderBase (Interface)
(no doc) [3 implementers]
crates/crucible-test-context/src/account_builders.rs

Core symbols most depended-on inside this repo

unwrap
called by 1498
crates/crucible-test-context/src/lib.rs
clone
called by 403
crates/crucible-test-context/src/snapshot/dirty_tracker.rs
len
called by 309
crates/crucible-test-context/src/snapshot/state_pool.rs
mark_account_dirty
called by 174
crates/crucible-test-context/src/snapshot/dirty_tracker.rs
get
called by 166
crates/crucible-test-context/src/snapshot/state_pool.rs
restore_selective
called by 145
crates/crucible-test-context/src/snapshot/svm_snapshot.rs
clear
called by 134
crates/crucible-test-context/src/snapshot/dirty_tracker.rs
clone
called by 132
crates/crucible-test-context/src/lib.rs

Shape

Function 1,824
Method 321
Class 83
Enum 11
Interface 3

Languages

Rust100%

Modules by API surface

crates/crucible-test-context/src/lib.rs276 symbols
crates/crucible-fuzz-runtime/src/mutators/bench_tests.rs196 symbols
crates/crucible-fuzzer/tests/cli.rs178 symbols
crates/crucible-idl-gen/src/lib.rs98 symbols
crates/crucible-test-context/src/snapshot/tests/state_pool.rs88 symbols
crates/crucible-test-context/src/snapshot/state_pool.rs82 symbols
crates/crucible-fuzz-macro/src/codegen.rs71 symbols
crates/crucible-fuzz-macro/src/stateful.rs64 symbols
crates/crucible-test-context/src/snapshot/tests/svm_snapshot.rs56 symbols
crates/crucible-test-context/src/snapshot/tests/rounds4_6.rs55 symbols
crates/crucible-idl-gen/src/codegen/types.rs55 symbols
crates/crucible-invariant-macro/src/lib.rs53 symbols

For agents

$ claude mcp add crucible \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact

Ask about this repo answers extend the page