Getting started with the Recon VS Code extension

Setting up a fuzzing test suite usually means bouncing between terminal, config files, and documentation. The Recon VS Code extension puts the entire workflow — scaffolding, running fuzzers, reading coverage — inside your editor. This guide walks through every step from install to your first cloud campaign.

Install the Recon Extension

Install the extension

Search for "Recon" in the VS Code Marketplace and click Install. If you use Cursor, the extension works there too — install it the same way through the Extensions panel.

Prerequisites: You need Foundry installed on your machine. The extension wraps Foundry, Echidna, and Medusa — it doesn't replace them. If you don't have Echidna or Medusa installed yet, the extension will detect that and offer to walk you through setup when you try to run them.

After installation, you'll see a Recon icon in the sidebar. Click it to open the Recon panel.

Open a Foundry project

Open any directory that contains a foundry.toml file. The extension detects it automatically and indexes your project:

• Contract files in src/ — identified by pragma and contract declarations
• Existing test files in test/ — categorized as unit tests, fuzz tests, or invariant tests
• Dependencies in lib/ — resolved through remappings
• Remappings from foundry.toml and remappings.txt

The Recon panel shows a summary: how many contracts, whether a test/recon/ directory exists, which fuzzers are available on your PATH.

If you open a non-Foundry project, the extension stays dormant — no unnecessary UI or prompts.

Scaffold Chimera tests with one click

Open the command palette (Cmd+Shift+P on macOS, Ctrl+Shift+P on Linux/Windows) and run:

Recon: Initialize

This creates the full Chimera test structure inside test/recon/:

test/recon/
  Setup.sol            — Deploys contracts and sets initial state
  BeforeAfter.sol      — State snapshot hooks for transition properties
  Properties.sol       — Invariant definitions
  TargetFunctions.sol  — Fuzzer-callable handler functions
  CryticTester.sol     — Entry point for Echidna and Medusa

The generated files aren't empty templates. The extension reads your src/ contracts and pre-fills:

• Setup.sol with import statements and deployment calls for your main contracts
• TargetFunctions.sol with handler_ stubs for every external/public function it finds
• Properties.sol with starter invariants based on common patterns (solvency for vaults, supply conservation for tokens, balance consistency for pools)

You fill in the deployment parameters, tweak the handlers, and add protocol-specific properties. The scaffolding gets you past the blank-file problem and into writing real invariants within minutes.

For details on how the Chimera inheritance chain works and why each layer exists, see Why we built Chimera.

Run fuzzers from the editor

Once your test suite compiles, you can run any available fuzzer directly from the command palette:

• Recon: Run Foundry Tests — Executes forge test with your invariant test contract. Output streams to a dedicated Recon Output panel with clickable file references.

• Recon: Run Echidna — Launches Echidna against your CryticTester.sol with the config from echidna.yaml (generated during initialization). Shows real-time progress: properties tested, corpus size, coverage percentage.

• Recon: Run Medusa — Starts a Medusa fuzzing campaign using medusa.json. Displays worker count, total calls, and any property violations as they're found.

• Recon: Run Halmos — Runs Halmos symbolic execution on your properties. Useful for bounded verification of critical invariants where you want proof, not probabilistic confidence.

Each command remembers your last configuration. If a previous campaign's corpus exists, Echidna and Medusa pick up where they left off — no repeated work.

Configuration files

The Recon: Initialize command generates default configs:

# echidna.yaml
testMode: assertion
testLimit: 100000
seqLen: 50
corpusDir: "corpus-echidna"
cryticArgs: ["--compile-force-framework", "foundry"]

// medusa.json (relevant fields)
{
  "fuzzing": {
    "targetContracts": ["CryticTester"],
    "testLimit": 100000,
    "callSequenceLength": 50,
    "corpusDirectory": "corpus-medusa"
  }
}

Edit these files directly — the extension reads them at launch time. No separate settings UI to keep in sync.

Read coverage reports

After any fuzzer run, open:

Recon: Show Coverage

The extension overlays coverage data directly on your source files:

• Green highlights — Lines executed during the campaign
• Red highlights — Lines the fuzzer never reached
• Yellow highlights — Lines reached but only through a single code path

Red lines are your priority. Each one is a code path the fuzzer couldn't trigger, which often means your handlers are missing an action, your input bounds are too tight, or the code is genuinely unreachable.

The coverage panel also shows a summary per contract: percentage covered, number of unique paths explored, and which handler functions drove the most coverage. Use this to decide where to add handlers or loosen bounds.

Generate reports

When you're done with a campaign, generate a shareable report:

Recon: Generate Report

The report includes:

• Property results — Which invariants held, which were violated
• Violation traces — The exact call sequences that broke each property, with decoded arguments
• Coverage summary — Per-contract coverage with untested paths highlighted
• Campaign metadata — Fuzzer used, duration, total calls, corpus size
• Recommendations — Suggested next steps based on coverage gaps

Reports export as HTML or Markdown. Share them with your team in a PR or hand them to auditors as proof of testing depth.

Connect to Recon Pro for cloud runs

Local fuzzing is great for development. But serious campaigns — the ones that run for hours with high parallelism — need more compute than a laptop provides. Recon Pro runs campaigns in the cloud.

To connect:

1. Open Recon: Connect to Recon Pro from the command palette
2. Authenticate with your Recon Pro account
3. Select the repository and branch to fuzz

Once connected, you get two new commands:

• Recon: Launch Cloud Campaign — Pushes your test suite to Recon Pro and starts a campaign with configurable duration, worker count, and fuzzer selection. Results stream back to your editor in real time.

• Recon: View Cloud Results — Pulls results from previous cloud campaigns. Coverage data overlays the same way as local runs.

Cloud campaigns run Echidna and Medusa in parallel on dedicated infrastructure. A campaign that would take eight hours on your machine finishes in under an hour. The results sync back to your local corpus, so your next local run starts from where the cloud campaign left off.

For a detailed walkthrough of Recon Pro, see the cloud fuzzing guide.

What to do next

Once you have the extension installed and your first campaign running:

1. Write more properties. Start with solvency and accounting invariants, then add protocol-specific logic.
2. Read coverage after every run. Red lines tell you exactly where to improve your handlers.
3. Run multiple fuzzers. The Chimera structure means you can switch between Foundry, Echidna, and Medusa with one command.
4. Add fuzzing to CI. The extension's config files work in CI too — run forge test in your pipeline and Echidna/Medusa in nightly jobs.

Need help designing properties for your specific protocol? Request an audit with Recon — we'll build a complete Chimera test suite and run it at scale.