Merge remote-tracking branch 'origin/master' into HEAD

.github/workflows/ci.yml

@@ -190,7 +190,7 @@ jobs:
           ARCH: ${{ runner.arch }}
 
       - name: Upload artifact
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: echidna-${{ steps.artifact-name.outputs.name }}
           path: echidna.tar.gz
@@ -204,7 +204,7 @@ jobs:
 
       - name: Upload testsuite
         if: runner.os != 'macOS'
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: echidna-testsuite-${{ runner.os }}
           path: echidna-testsuite*
@@ -239,7 +239,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Setup Python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         with:
           python-version: '3.8'
 
@@ -253,7 +253,7 @@ jobs:
           SOLC_VER: ${{ matrix.solc }}
 
       - name: Download testsuite
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
         with:
          name: echidna-testsuite-${{ runner.os }}
 

.github/workflows/hlint.yml

@@ -16,7 +16,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Install Nix
-        uses: cachix/install-nix-action@v23
+        uses: cachix/install-nix-action@v25
         with:
           nix_path: nixpkgs=channel:nixos-unstable
 

.github/workflows/release.yml

@@ -0,0 +1,112 @@
+name: "Nix and release"
+on:
+  push:
+    branches:
+      - master
+    tags:
+      - "v*"
+  pull_request:
+    branches:
+      - master
+
+jobs:
+  nixBuild:
+    name: Build ${{ matrix.name }} binary
+    timeout-minutes: ${{ matrix.timeout || 30 }}
+    runs-on: ${{ matrix.os }}
+    permissions:
+      contents: read
+    outputs:
+      version: ${{ steps.version.outputs.version }}
+    strategy:
+      matrix:
+        include:
+          - os: ubuntu-latest
+            name: Linux (x86_64)
+            tuple: x86_64-linux
+            timeout: 180
+          - os: macos-latest
+            name: macOS (x86_64)
+            tuple: x86_64-macos
+          - os: macos-latest-xlarge
+            name: macOS (aarch64)
+            tuple: aarch64-macos
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@v9
+
+      - name: Configure Cachix
+        uses: cachix/cachix-action@v14
+        with:
+          name: trailofbits
+          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+
+      - name: Configure Nix cache
+        if: runner.arch == 'X64'
+        # Unfortunately the action does not work on ARM runners
+        uses: DeterminateSystems/magic-nix-cache-action@v2
+        with:
+          upstream-cache: https://trailofbits.cachix.org
+
+      - name: Obtain version number
+        id: version
+        run: |
+          if [[ "$GIT_REF" =~ ^refs/tags/v.* ]]; then
+            echo "version=$(echo "$GIT_REF" | sed 's#^refs/tags/v##')" >> "$GITHUB_OUTPUT"
+          else
+            echo "version=HEAD-$(echo "$GIT_SHA" | cut -c1-7)" >> "$GITHUB_OUTPUT"
+          fi
+        env:
+          GIT_REF: ${{ github.ref }}
+          GIT_SHA: ${{ github.sha }}
+
+      - name: Build dynamic echidna
+        run: |
+          nix build .#echidna
+
+      - name: Build redistributable echidna
+        run: |
+          nix build .#echidna-redistributable --out-link redistributable
+          tar -czf "echidna-${{ steps.version.outputs.version }}-${{ matrix.tuple }}.tar.gz" -C ./redistributable/bin/ echidna
+
+      - name: Upload artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: echidna-redistributable-${{ matrix.tuple }}
+          path: echidna-${{ steps.version.outputs.version }}-${{ matrix.tuple }}.tar.gz
+
+  release:
+    name: Create release
+    timeout-minutes: 10
+    needs: [nixBuild]
+    if: startsWith(github.ref, 'refs/tags/')
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      id-token: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Download binaries
+        uses: actions/download-artifact@v4
+        with:
+          pattern: echidna-redistributable-*
+          merge-multiple: true
+
+      - name: Sign binaries
+        uses: sigstore/gh-action-sigstore-python@v2.1.1
+        with:
+          inputs: ./echidna-*.tar.gz
+
+      - name: Create GitHub release and upload binaries
+        uses: softprops/action-gh-release@v0.1.15
+        with:
+          draft: true
+          name: "Echidna ${{ needs.nixBuild.outputs.version }}"
+          files: |
+            ./echidna-*.tar.gz
+            ./echidna-*.tar.gz.sigstore

README.md

@@ -272,10 +272,11 @@ $ nix run github:crytic/echidna/v2.1.1 # specific ref (tag/branch/commit)
 ```
 
 To build a standalone release for non-Nix macOS systems, the following will
-bundle Echidna and all linked dylibs:
+build Echidna in a mostly static binary. This can also be used on Linux systems
+to produce a fully static binary.
 
 ```sh
-$ nix build .#echidna-bundle
+$ nix build .#echidna-redistributable
 ```
 
 Nix will automatically install all the dependencies required for development
@@ -309,6 +310,40 @@ This is a partial list of smart contracts projects that use Echidna for testing:
 * [Tokencard](https://github.com/tokencard/contracts/tree/master/tools/echidna)
 * [Minimalist USD Stablecoin](https://github.com/usmfum/USM/pull/41)
 
+### Security reviews
+
+The following shows public security reviews that used Echidna to uncover vulnerabilities
+
+- [Advanced Blockchain](https://github.com/trailofbits/publications/blob/master/reviews/AdvancedBlockchain.pdf)
+- [Amp](https://github.com/trailofbits/publications/blob/master/reviews/amp.pdf)
+- [Ampleforth](https://github.com/trailofbits/publications/blob/master/reviews/ampleforth.pdf)
+- [Atlendis](https://github.com/trailofbits/publications/blob/master/reviews/2023-03-atlendis-atlendissmartcontracts-securityreview.pdf)
+- [Balancer](https://github.com/trailofbits/publications/blob/master/reviews/2021-04-balancer-balancerv2-securityreview.pdf)
+- [Basis](https://github.com/trailofbits/publications/blob/master/reviews/basis.pdf)
+- [Dai](https://github.com/trailofbits/publications/blob/master/reviews/mc-dai.pdf)
+- [Frax](https://github.com/trailofbits/publications/blob/master/reviews/FraxQ22022.pdf)
+- [Liquity](https://github.com/trailofbits/publications/blob/master/reviews/LiquityProtocolandStabilityPoolFinalReport.pdf)
+- [LooksRare](https://github.com/trailofbits/publications/blob/master/reviews/LooksRare.pdf)
+- [Maple](https://github.com/trailofbits/publications/blob/master/reviews/2022-03-maplefinance-securityreview.pdf)
+- [Optimism](https://github.com/trailofbits/publications/blob/master/reviews/2022-11-optimism-securityreview.pdf)
+- [Opyn](https://github.com/trailofbits/publications/blob/master/reviews/Opyn.pdf)
+- [Origin Dollar](https://github.com/trailofbits/publications/blob/master/reviews/OriginDollar.pdf)
+- [Origin](https://github.com/trailofbits/publications/blob/master/reviews/origin.pdf)
+- [Paxos](https://github.com/trailofbits/publications/blob/master/reviews/paxos.pdf)
+- [Primitive](https://github.com/trailofbits/publications/blob/master/reviews/Primitive.pdf)
+- [RocketPool](https://github.com/trailofbits/publications/blob/master/reviews/RocketPool.pdf)
+- [Seaport](https://github.com/trailofbits/publications/blob/master/reviews/SeaportProtocol.pdf)
+- [Set Protocol](https://github.com/trailofbits/publications/blob/master/reviews/setprotocol.pdf)
+- [Shell protocol](https://github.com/trailofbits/publications/blob/master/reviews/ShellProtocolv2.pdf)
+- [Sherlock](https://github.com/trailofbits/publications/blob/master/reviews/Sherlockv2.pdf)
+- [Pegasys Pantheon](https://github.com/trailofbits/publications/blob/master/reviews/pantheon.pdf)
+- [TokenCard](https://github.com/trailofbits/publications/blob/master/reviews/TokenCard.pdf)
+- [Uniswap](https://github.com/trailofbits/publications/blob/master/reviews/UniswapV3Core.pdf)
+- [Yearn](https://github.com/trailofbits/publications/blob/master/reviews/YearnV2Vaults.pdf)
+- [Yield](https://github.com/trailofbits/publications/blob/master/reviews/YieldProtocol.pdf)
+- [88mph](https://github.com/trailofbits/publications/blob/master/reviews/88mph.pdf)
+- [0x](https://github.com/trailofbits/publications/blob/master/reviews/0x-protocol.pdf)
+
 ### Trophies
 
 The following security vulnerabilities were found by Echidna. If you found a security vulnerability using our tool, please submit a PR with the relevant information.