this can exceed uint128(-1), which I assume will produce a violation since init will revert

I just set _amt and _pmt min seed value to zero

this should be done.

same comment as above

Done.

Why not allow _clf ==0? Seems like a valid case.

Done.

same comment as above

Done.

Okay I need some education on echidna...how does the value of _tick affect the behavior of the the vest call? I guess what I'm expecting is some sort of special instruction that creates a relation between _tick and block.timestamp before the call to vest, similar to hevm.warp, but I'm not seeing it.

I've added _tick as a seed to simulate time for time dependant scenarios.

I've just removed _tick as echidna should increase block.timestamp when fuzzing.
Also fixed the check in test_vest with block.timestamp >= fin.
Let me know if it's ok.

I kind of think _amt = 0 is an uninteresting case--I'd recommend enforcing a reasonable minimum like you were before, just in a way that won't exceed the uint128(-1) limit. For example, here's one option:

_amt = _amt % uint128(-1);
if (_amt < WAD) _amt *= WAD;

That will never cause a uint128 overflow since WAD * (WAD - 1) < 2^128 - 1.

done!

Oh yeah...we want to avoid _amt == 0...so we need something like:

_amt = _amt % uint128(-1);
if (_amt < WAD) _amt = (1 + _amt) * WAD;

Done.

This won't hold in general. Suggest replacing with:

        assert(vest.ids() == add(prevId, 1));
        assert(vest.ids() == id);

Done.

If we're bothering to pass _mgr as a fuzz parameter, we should at least verify that it's being set correctly in the award (same for the other values).

this should be done in test_init_params

Actually I'd suggest to combine test_init_ids and test_init_params into a single test named test_init. And it's probably unnecessary to pass _mgr in test_vest; alternatively, test_vest could be modified to randomly call vest on a previously-initialized award.

Removed the _mgr seed and replace with echidna_mgr

might also be worthwhile to have a test that hevm warps to some random point during or after init and check that payouts and accrued and unpaid values all line up.

yeah, I think @kmbarry1 will make some dapp fuzz tests as well leveraging on hevm.warp to fuzz time-dependant logic and compare the two approaches.

yeah I was kind of waiting for all the churn to settle down in the code itself

So, the issue here is that the award will almost never exist if id is a random uint256. You'll need to mod it into the appropriate range:
id = 1 + id % vest.ids();
to effectively test already-created vests.

test_vest and test_yank are called inside test_init with an existing valid id.
I can fuzz them independently leveraging on the preserved state option eventually

I think we shouldn't fuzz the ids cause they're checked in all the functions on dss-vest, if the award exists, so declaring both test_vest and test_yank internal allows to check for asserts on test_init seeds.

I think this approach is good enough. The only downside is every award gets yanked before any more are created, so you're never testing with multiple awards in existence. However, given how the contract is written, there's very little chance of bugs that only surface when multiple awards exist.

You'll have a similar issue here as above.

In this case test_yank, that is called inside test_init, will use an existing valid id plus an _end seed from test_init.