
🔧 Fix Echidna Security Workflow - Solc Checksum Error and Missing Permissions #1669

@MantisClone

Description


Summary

The security-echidna.yml workflow has been failing consistently for at least 5 days due to two separate issues:

  1. Solc checksum mismatch in the Echidna Docker image
  2. Missing issues: write permission preventing automatic issue creation

Evidence

Recent workflow runs all failing:

Issue 1: Solc Checksum Error

Error message:

ERROR:CryticCompile:
Solidity version not found:
STDERR:
argparse.ArgumentTypeError: Error: Checksum mismatch linux-amd64 - 0.8.31

Root cause: The trailofbits/echidna:latest Docker image uses solc-select which has a known issue with checksum verification for newer Solidity versions.

Proposed fix: Pin a specific Solidity version using --crytic-args or set the SOLC_VERSION environment variable before running Echidna.

Issue 2: Missing Permissions

Error message:

RequestError [HttpError]: Resource not accessible by integration
status: 403
x-accepted-github-permissions: issues=write

Root cause: The workflow only has pull-requests: write permission, but issues: write is required to create issues for nightly failures.

Current permissions:

permissions:
  contents: read
  pull-requests: write

Required permissions:

permissions:
  contents: read
  pull-requests: write
  issues: write

Proposed Workflow Changes

# Fix 1: Add issues permission
permissions:
  contents: read
  pull-requests: write
  issues: write

# Fix 2: Pin solc version in Setup Echidna step
- name: Setup Echidna
  run: |
    docker pull trailofbits/echidna:latest

    cat > /tmp/echidna << 'EOF'
    #!/bin/bash
    # Walk up from the current directory to the monorepo root (marked by lerna.json)
    REPO_ROOT="$PWD"
    while [ ! -f "$REPO_ROOT/lerna.json" ] && [ "$REPO_ROOT" != "/" ]; do
      REPO_ROOT="$(dirname "$REPO_ROOT")"
    done
    # Current directory relative to the repo root; empty when invoked from the root itself
    REL_PATH="${PWD#"$REPO_ROOT"}"
    REL_PATH="${REL_PATH#/}"

    # Pin solc version to avoid checksum issues
    docker run --rm \
      -e SOLC_VERSION=0.8.9 \
      -v "$REPO_ROOT":/src \
      -w "/src/$REL_PATH" \
      trailofbits/echidna:latest echidna "$@"
    EOF

    sudo mv /tmp/echidna /usr/local/bin/echidna
    sudo chmod +x /usr/local/bin/echidna
    echidna --version
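To catch both regressions before the next nightly run, here is an added lint script (not part of this issue or the project's workflow) that checks a workflow file for an issues: write grant whenever it creates issues, and for a pinned SOLC_VERSION in the Echidna invocation. It runs on constructed YAML and assumes the nightly-failure step creates issues through actions/github-script (github.rest.issues.create), which is what a 403 requiring issues=write suggests.

```sh
#!/bin/sh
# Added example (not the project's code): lint a workflow file for the two
# failure modes in this issue, using constructed YAML. Assumes the nightly
# failure step creates issues via actions/github-script (github.rest.issues.create).

# Exit 0 if any permissions block in $1 grants "$2: $3", e.g. issues write.
has_permission() {
  awk -v scope="$2" -v level="$3" '
    function indent(s) { match(s, /^ */); return RLENGTH }
    /^ *permissions:/ { inblock = 1; base = indent($0); next }
    inblock && NF && indent($0) <= base { inblock = 0 }   # dedent ends the block
    inblock && $1 == (scope ":") && $2 == level { found = 1 }
    END { exit found ? 0 : 1 }' "$1"
}
# Exit 0 if the workflow calls the issues API, so it needs issues: write at runtime.
creates_issues() { grep -q 'github\.rest\.issues\.create' "$1"; }
# Exit 0 if solc is pinned, so solc-select never resolves an unverified "latest" build.
pins_solc() { grep -Eq 'SOLC_VERSION=[0-9]+\.[0-9]+\.[0-9]+' "$1"; }

# Report every missing prerequisite; exit 1 if any is missing.
lint_workflow() {
  rc=0
  if creates_issues "$1" && ! has_permission "$1" issues write; then
    echo "$1: creates issues but lacks 'issues: write' (expect HTTP 403)"; rc=1
  fi
  pins_solc "$1" || { echo "$1: SOLC_VERSION not pinned (checksum lookup may fail)"; rc=1; }
  return $rc
}

# Constructed sample: the failing shape described in this issue.
WORKDIR=$(mktemp -d)
cat > "$WORKDIR/broken.yml" <<'EOF'
permissions:
  contents: read
  pull-requests: write
jobs:
  fuzz:
    steps:
      - run: docker run --rm trailofbits/echidna:latest echidna .
      - uses: actions/github-script@v7
        with: { script: "await github.rest.issues.create({ title: 'Nightly fuzz failed' })" }
EOF
# fixed.yml: broken.yml plus the two changes proposed in this issue.
sed -e 's/^  pull-requests: write$/&\
  issues: write/' \
    -e 's/docker run --rm/& -e SOLC_VERSION=0.8.9/' "$WORKDIR/broken.yml" > "$WORKDIR/fixed.yml"
lint_workflow "$WORKDIR/broken.yml" || true    # prints both findings
lint_workflow "$WORKDIR/fixed.yml" && echo "fixed.yml: ok"
```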

Impact

  • Security risk: Nightly fuzzing campaigns are not running, reducing security coverage
  • Silent failures: Issues are not being created for failures, so the team is not being notified
  • CI/CD: All scheduled runs fail within ~2 minutes

Labels

  • security
  • ci
  • bug
