This marks a bug release of medusa. This version has bug fixes for three memory leaks and an integer overflow. Additionally, medusa now supports assert* (e.g assertEq or assertGte) cheatcodes.

What's Changed

• Add assert* cheatcodes by @samalws-tob in #806

Bug Fixes

• Fix integer overflow by @samalws-tob in #808
• Fix memory leaks in corpus pruner, trieDB, and RPC pool by @anishnaik in #812

Full Changelog: v1.5.0...v1.5.1

This marks a minor release of medusa. The primary improvement feature addition is the introduction of a new command: medusa corpus clean.

Using medusa corpus clean

This command can be used to remove corpus elements that are no longer valid. This is best used if your fuzzing harness has changed significantly or if your corpus health drops significantly.

The other feature that was added is that users are now notified if they are fuzzing against the same compilation artifacts. Two major bug fixes include a panic in the event parser and a bug in the display of call sequences.

What's Changed

• Add medusa corpus clean command by @dguido in #777
• Notify user when running medusa against unchanged artifacts by @dguido in #772
• Various CI improvements:
  • Add Claude Code GitHub Workflow by @computerality in #742
  • ci: improve security posture with dependabot cooldowns by @dguido in #761
  • ci: pin GitHub Actions to SHA hashes for supply chain security by @dguido in #765
  • ci: optimize CI speed with parallel builds, caching, and uv by @dguido in #766
  • ci: add pre-commit hooks with prek for code quality by @dguido in #767
  • ci: fix dprint plugin URL and add docs-check to pre-commit by @dguido in #778

Bug Fixes

• Fix panic in event parser during execution tracing (#789) by @anishnaik in #790
• Fix bug in the display of call sequences (#753) by @anishnaik in #785
• Improve shrinking by removing reverting transactions by @anishnaik in #786
• Use read-only locks for event callbacks by @0xalpharush in #388

New Contributors

• @computerality made their first contribution in #742
• @TechVest made their first contribution in #590
• @dguido made their first contribution in #761
• @changgesi made their first contribution in #747
• @zjumathcode made their first contribution in #738

Full Changelog: v1.4.1...v1.5.0

This is a bug release for medusa. A bug in the release pipeline has been fixed. There is no functional difference between v1.4.0 and v1.4.1.

What's Changed

• ci: update sigstore action to fix Windows Python compatibility by @anishnaik in #741

Full Changelog: v1.4.0...v1.4.1

This marks a minor release of medusa. The primary improvement is that corpus replaying is now parallelized across fuzzer workers and will notify of any test failures immediately. This release also comes with a critical bug fix for HTML coverage reports.

What's Changed

• Parallelize corpus replay and notify of test failures immediately @anishnaik in #696
• Allow fuzzer to call fallback/receive functions in target contracts @tuturu-tech in #723
• Add support for CLAUDE.md/AGENTS.md by @anishnaik in #721
• Automated vendorHash in flake.nix drift detection in CI by @elopez in #716
• Automated documentation drift detection in CI by @anishnaik in #734

Bug Fixes

• Link libraries during coverage report generation by @samalws-tob in #724
• Support for USE_FULL_BYTECODE environment variable by @samalws-tob in #728

Full Changelog: v1.3.1...v1.4.0

This marks a bug release of medusa. This version has bug fixes for issues related to automated library linking and event management.

What's Changed

• Filter coverage report using the coverageExclusions configuration option by @elopez in #663

Bug Fixes

• Fix issue with capturing events while tracing by @elopez in #675
• Fix deployment order when predeploys and auto-linking are both used by @samalws-tob in #658
• Fix library linking issue in the HTML coverage report by @anishnaik in #671

New Contributors

• @GalloDaSballo made their first contribution in #672

Full Changelog: v1.3.0...v1.3.1

This marks a minor release of medusa. This version brings significant performance improvements, support for [email protected], pruning of corpus elements, and rich support for external libraries.

We have improved the coverage tracking mechanism and reduced the number of state writes required, which brings a marked improvement in medusa's speed.

We now support the ability to prune corpus elements using the PruneFrequency configuration option. Pruning corpus elements aids in managing the overall corpus size and improves the likelihood that each element in the corpus aids in improving the coverage of the system.

Finally, since external libraries are now fully supported, users no longer have to use the PredeployedContracts configuration option or pass the --compile-libraries flag to crytic-compile.

What's Changed

• Reduce coverage tracking bloat for dynamically created contracts by @samalws-tob in #627
• Reduce the number of state writes by @samalws-tob in #629
• Add external library support by @priyankabose in #630
• Prune unnecessary transaction sequences from corpus by @samalws-tob in #625
• Upgrade to go-ethereum v1.15.5 by @anishnaik in #615

Bug Fixes

• Synchronize writes while running commands to avoid data race by @samalws-tob in #624

Full Changelog: v1.2.1...v1.3.0

This marks a minor release of medusa. Version 1.2.1 brings a patch that allows users to install medusa using go install.

Bug Fixes

• Fix go install installation by @elopez in #609

Full Changelog: v1.2.0...v1.2.1

This marks a minor release of medusa. Version 1.2.0 has a variety of new features, including the introduction of some very needed cheatcodes (startPrank, stopPrank, and getCode), verbosity levels for execution traces, and revert reports. Additionally, we have made significant improvements to the HTML coverage reports to improve user experience. Finally, we have migrated to branch coverage-guided fuzzing which, according to our internal benchmarking results, significantly outperforms PC coverage-guided fuzzing.

The installation process is now simpler than ever. Users across all operating systems can now run go install github.com/crytic/medusa@latest to download medusa!

What's Changed

• Support for startPrank and stopPrank cheatcodes by @Xenomega in #594
• Support for getCode cheatcode by @0xZRA in #593
• Add verbosity levels to execution traces by @priyankabose in #601
• Migrate from PC-based coverage to branch-based coverage by @samalws-tob in #585
• Introduction of revert reports for easier harness debugging by @bsamuels453 in #466
• Add file explorer and search capabilities to HTML coverage reports by @anishnaik in #588
• Support specifying target contract balances using hex, base-10, and scientific notation by @0xZRA in #580
• medusa-geth module path refactor by @Xenomega in #584

New Contributors

• @0xZRA made their first contribution in #580
• @laterlaugh made their first contribution in #589
• @MiloTruck made their first contribution in #597
• @growfrow made their first contribution in #596
• @MKVEERENDRA made their first contribution in #587

Full Changelog: v1.1.1...v1.2.0

This marks a minor release of medusa. Version 1.1.1 fixes two critical bugs: an out-of-memory leak that occurs during corpus initialization and a race condition due to concurrent reads and writes on coverage maps.

What's Changed

• Enable calling view methods by default by @anishnaik in #569
• Use address labels while logging call sequences by @smonicas in #572

Bug Fixes

• Fix memory leak during corpus initialization by @anishnaik in #581
• Acquire lock before calculating the unique program counter value by @anishnaik in #575
• Fix bug with the traceAll feature by @anishnaik in #573
• Trim whitespace around FFI output by @anishnaik in #578

Full Changelog: v1.1.0...v1.1.1

This marks a minor release of medusa. Version 1.1.0 introduces a few critical bug fixes and some minor feature additions.

What's Changed

• Allow users to specify additional arguments while running slither @anishnaik in #554
• Add --rpc-url and --rpc-block flags by @anishnaik in #557
• Add "Collapse all" and "Expand all" buttons to the HTML coverage report by @Xenomega in #302
• Deprecation of the difficulty cheatcode which is now a no-op by @anishnaik in #564
• Introduction of the prevrandao cheatcode by @anishnaik in #564
• Improvements to logging during call sequence shrinking by @anishnaik in #564

Bug Fixes

• Hotfix for a non-deterministic panic that was triggered with the introduction of on-chain fuzzing by @bsamuels453 in #560
• Fix issues related to using VM cheatcodes by @anishnaik in #564
• Fix panic that occurred in optimization mode by @anishnaik in #564
• Fix issues related to context management and cancellations by @anishnaik in #564

Full Changelog: v1.0.0...v1.1.0