github crytic/echidna v2.3.2-agents-preview-1
Echidna 2.3.2-agents-preview-1

Pre-release, 29 days ago

This preview build introduces a significant internal rewrite of Echidna, transforming traditional workers into collaborative agents. These agents can receive commands, reason about campaign state, and actively guide fuzzing via an MCP (Model Context Protocol) server.

The goal is to enable interactive, AI-assisted fuzzing, where humans and language models can inspect coverage, design targeted transaction sequences, and steer Echidna toward uncovered logic or invariant violations.

⚠️ This build is experimental. APIs, commands, and workflows are subject to change.

What’s new

Agent-based fuzzing

  • Workers are now agents that can receive commands and collaborate.
  • Campaign state, coverage, and target metadata are exposed through MCP.

MCP command interface

  • A first set of MCP commands allows querying status, inspecting coverage, and influencing fuzzing behavior.
  • Designed for experimentation and rapid iteration.

Coverage-aware logging

  • Logs emit structured signals when new coverage is discovered, making it easier for agents to react:
    [Worker 2] New coverage: 15176 instr, 7 contracts, 19 seqs in corpus (mintAndApprove)
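
A parser for the coverage signal shown above, added here as an example and not part of Echidna or its release notes. The field names, `gains_by_label`, and every sample line after the first are assumptions; the notes do not say what the trailing parenthesised name means, so it is carried as an opaque `label`.

```python
import re
from dataclasses import dataclass

# Built from the one sample line in the release notes; other coverage lines are
# assumed to share its shape. The label is limited to identifier characters so
# free text in that position is dropped rather than forwarded to an agent.
COVERAGE_RE = re.compile(
    r"^\[Worker (?P<worker>\d+)\] New coverage: (?P<instr>\d+) instr, "
    r"(?P<contracts>\d+) contracts, (?P<seqs>\d+) seqs in corpus "
    r"\((?P<label>[A-Za-z_$][A-Za-z0-9_$]*)\)$"
)

@dataclass(frozen=True)
class CoverageEvent:
    worker: int
    instr: int
    contracts: int
    seqs: int
    label: str

def parse_line(line):
    """Return a CoverageEvent, or None when the line is not a coverage signal."""
    m = COVERAGE_RE.match(line.strip())
    if m is None:
        return None
    g = m.groupdict()
    return CoverageEvent(int(g["worker"]), int(g["instr"]), int(g["contracts"]),
                         int(g["seqs"]), g["label"])

def gains_by_label(lines):
    """Sum instruction gains per label, treating `instr` as a campaign-wide
    total (an assumption); the first event only sets the baseline."""
    best, gains = None, {}
    for event in filter(None, map(parse_line, lines)):
        if best is not None and event.instr > best:
            gains[event.label] = gains.get(event.label, 0) + event.instr - best
        best = event.instr if best is None else max(best, event.instr)
    return gains

# First line is the sample from the release notes; the rest are constructed.
SAMPLE_LOG = [
    "[Worker 2] New coverage: 15176 instr, 7 contracts, 19 seqs in corpus (mintAndApprove)",
    "[Worker 0] New coverage: 15240 instr, 7 contracts, 20 seqs in corpus (transfer)",
    "[Worker 1] unrelated status line",
    "[Worker 1] New coverage: 15302 instr, 8 contracts, 21 seqs in corpus (mintAndApprove)",
]
```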
    

Available MCP commands

  • status() – Show fuzzing campaign status
  • target() – Show the target contract name and ABI
  • reload_corpus() – Reload corpus transactions without replay
  • dump_lcov() – Dump coverage in LCOV format
  • inject_fuzz_transactions(string) – Inject prioritized fuzzing sequences
  • clear_fuzz_priorities() – Reset function prioritization
  • show_coverage(string) – Show coverage for a specific contract

Planned but not yet enabled: symbolic transaction injection, log reading, function avoidance.

How to use with AI assistants

Prerequisites

  • An Echidna-compatible fuzzing project
  • This preview build of echidna (compiled locally or downloaded from CI)
  • A running Echidna campaign started with:
    echidna <args> --format text --server 3000
  • MCP server available at http://localhost:3000/mcp

Using GitHub Copilot (VS Code)

  1. Open your fuzzing project in Visual Studio Code.
  2. Ensure GitHub Copilot and Copilot Chat are installed and enabled.
  3. Create a file at .vscode/mcp.json with the following content:
    {
      "servers": {
        "Echidna fuzzing campaign": {
          "type": "http",
          "url": "http://localhost:3000/mcp"
        }
      }
    }
  4. Save the file. In VS Code:
    • Open the Copilot Chat panel.
    • Click Run next to Echidna fuzzing campaign to verify detection.
    • Copilot should report the number of available MCP commands.
  5. Open the chat window (Cmd + Shift + P/chat) and start prompting using the recommended prompt below.

Using Claude Code (CLI)

Claude Code natively supports MCP servers and can be used directly from the terminal.

  1. Ensure Claude Code is installed and up to date.
  2. Start or resume your Echidna campaign with the MCP server enabled:
    echidna <args> --format text --server 3000
  3. Launch Claude Code and connect it to the MCP server:
    claude mcp add echidna http://localhost:3000/mcp
    claude mcp list
    You should see the Echidna MCP server and its available commands.
  4. Start a Claude Code session and instruct it to guide the running fuzzing campaign using MCP commands only.

Recommended agent prompt

The following prompt works well for both Copilot Chat and Claude Code when guiding a running Echidna campaign:

An Echidna fuzzing campaign is currently running and has already achieved baseline coverage using the default strategy, meaning trivial execution paths are mostly explored.

Using the available MCP interface ONLY (do not modify any code or functions):

1. Identify the campaign context
   - Determine the fuzzing target and current campaign status using the appropriate MCP commands.

2. Analyze coverage
   - Inspect coverage for the relevant contracts using show_coverage.
   - Identify execution paths or code regions with low coverage that are theoretically reachable.

3. Design targeted fuzzing sequences
   - Use inject_fuzz_transactions to prioritize one or more transaction sequences.
   - Separate multiple calls with ; (e.g. f(1,?,?) ; g(?,2,5)).
   - Combine concrete values and random parameters strategically.
   - Do not use ? for all parameters.
   - Avoid making all parameters concrete when possible; leave at least one ? per call.
   - Remember: injected sequences are inserted at a random position in existing corpus sequences.

4. Evaluate results
   - Allow fuzzing to progress (e.g. sleep 20).
   - Use status to check for new coverage or invariant failures.

5. Reset priorities
   - Call clear_fuzz_priorities to return to the default fuzzing strategy.

Focus on transaction sequences that are most likely to exercise uncovered logic or trigger invariant violations, while preserving exploration.
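
A pre-flight check for the sequence rules in step 3 of the prompt, useful for vetting a string an assistant proposes before it is passed to inject_fuzz_transactions. It is an added example, not part of Echidna; the grammar is inferred from the single example `f(1,?,?) ; g(?,2,5)`, and `lint_sequence` and `split_top_level` are hypothetical names.

```python
import re

# Assumed grammar (the notes show only `f(1,?,?) ; g(?,2,5)`): calls are
# name(arg, ...), separated by ';'; '?' marks a parameter left to the fuzzer.
CALL_RE = re.compile(r"^([A-Za-z_$][A-Za-z0-9_$]*)\((.*)\)$", re.S)

def split_top_level(text, sep):
    """Split on sep, ignoring separators nested inside () or []."""
    parts, cur, depth = [], [], 0
    for ch in text:
        if ch in "([":
            depth += 1
        elif ch in ")]":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced brackets")
        if ch == sep and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if depth != 0:
        raise ValueError("unbalanced brackets")
    parts.append("".join(cur))
    return parts

def lint_sequence(seq):
    """Return findings for one sequence string; an empty list means it passes."""
    try:
        calls = split_top_level(seq, ";")
    except ValueError as exc:
        return [f"error: {exc}"]
    findings = []
    for i, raw in enumerate(calls, 1):
        m = CALL_RE.match(raw.strip())
        if m is None:
            findings.append(f"error: call {i} is not name(args): {raw.strip()!r}")
            continue
        name, body = m.groups()
        try:
            args = [a.strip() for a in split_top_level(body, ",")] if body.strip() else []
        except ValueError as exc:
            findings.append(f"error: call {i} ({name}): {exc}")
            continue
        wild = args.count("?")
        # A one-parameter call cannot satisfy both rules, so it is not flagged.
        if len(args) >= 2 and wild == len(args):
            findings.append(f"error: call {i} ({name}) uses ? for every parameter")
        elif len(args) >= 2 and wild == 0:
            findings.append(f"warn: call {i} ({name}) has no ? parameter")
    return findings
```

All-`?` calls are reported as errors and fully concrete calls as warnings, mirroring the prompt's "do not" and "avoid ... when possible" wording.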
