hardhat-gas-report
Hardhat plugin for eth-gas-report, a mocha report for Ethereum test suites
eth-gas-reporter plugin for hardhat.
A Mocha reporter for Ethereum test suites:
```
npm install hardhat-gas-reporter --save-dev
```
And add the following to your hardhat.config.js:
```js
require("hardhat-gas-reporter");
```
Or, if you are using TypeScript, add this to your hardhat.config.ts:
```ts
import "hardhat-gas-reporter"
```
Looking for buidler-gas-reporter docs? They moved here...
Configuration is optional.
```js
module.exports = {
  gasReporter: {
    currency: 'CHF',
    gasPrice: 21
  }
}
```
:bulb: Pro Tips
Turning the plugin on/off
The options include an enabled key that lets you toggle gas reporting on and off using shell environment variables. When enabled is false, mocha's (faster) default spec reporter is used.
Example:
```js
module.exports = {
  gasReporter: {
    enabled: (process.env.REPORT_GAS) ? true : false
  }
}
```
Migrating from Truffle
If you already have eth-gas-reporter installed in your project, make sure you uninstall it before adding this plugin. hardhat-gas-reporter manages eth-gas-reporter as a dependency, and having multiple versions in your lockfile can stop the reporter from working correctly.
This plugin overrides the built-in test task. Gas reports are generated by default with:
```
npx hardhat test
```
:warning: CoinMarketCap API change :warning:
Beginning March 2020, CoinMarketCap requires an API key to access currency market price data. The reporter uses an unprotected free tier key by default (10k reqs/mo). You can get your own API key here and set it with the coinmarketcap option.
In order to retrieve the gas price of a particular blockchain, you can configure the token and gasPriceApi options (API key rate limit may apply).
NOTE: HardhatEVM and ganache-cli implement the Ethereum blockchain. To get accurate gas measurements for other chains you may need to run your tests against development clients developed specifically for those networks.
Option | Type | Default | Description |
---|---|---|---|
enabled | Boolean | true | Always generate gas reports when running the hardhat test command. |
currency | String | 'EUR' | National currency to represent gas costs in. Exchange rates loaded at runtime from the coinmarketcap api. Available currency codes can be found here. |
coinmarketcap | String | (unprotected API key) | API key to use when fetching current market price data. (Use this if you stop seeing price data) |
gasPrice | Number | (varies) | Denominated in gwei. Default is loaded at runtime from the eth gas station api |
token | String | 'ETH' | The reference token for gas price |
gasPriceApi | String | Etherscan | The API endpoint to retrieve the gas price. Find below other networks. |
outputFile | String | stdout | File path to write report output to |
noColors | Boolean | false | Suppress report color. Useful if you are printing to file b/c terminal colorization corrupts the text. |
onlyCalledMethods | Boolean | true | Omit methods that are never called from report. |
rst | Boolean | false | Output with a reStructured text code-block directive. Useful if you want to include report in RTD |
rstTitle | String | "" | Title for reStructured text header (See Travis for example output) |
showTimeSpent | Boolean | false | Show the amount of time spent as well as the gas consumed |
excludeContracts | String[] | [] | Contracts (or folders) to exclude from report. Ex: ['Migrations.sol', 'Wallets/']. (See v1.0.3 release notes for additional usage help) |
src | String | "contracts" | Folder in root directory to begin search for .sol files. This can also be a path to a subfolder relative to the root, e.g. "planets/annares/contracts" |
url | String | web3.currentProvider.host | RPC client url (ex: "http://localhost:8545") |
proxyResolver | Function | none | Custom method to resolve identity of methods managed by a proxy contract. |
artifactType | Function or String | "truffle-v5" | Compilation artifact format to consume. (See advanced use.) |
showMethodSig | Boolean | false | Display complete method signatures. Useful when you have overloaded methods you can't tell apart. |
maxMethodDiff | Number | undefined | Codechecks failure threshold, triggered when the % diff for any method is greater than number (integer) |
maxDeploymentDiff | Number | undefined | Codechecks failure threshold, triggered when the % diff for any deployment is greater than number (integer) |
remoteContracts | RemoteContract[] | [] | Contracts pre-deployed to a (forked) network which the reporter should collect gas usage data for. (See RemoteContract type and usage example) |
token and gasPriceApi options example

Network | token | gasPriceApi |
---|---|---|
Ethereum (default) | ETH | https://api.etherscan.io/api?module=proxy&action=eth_gasPrice |
Binance | BNB | https://api.bscscan.com/api?module=proxy&action=eth_gasPrice |
Polygon | MATIC | https://api.polygonscan.com/api?module=proxy&action=eth_gasPrice |
Avalanche | AVAX | https://api.snowtrace.io/api?module=proxy&action=eth_gasPrice |
Heco | HT | https://api.hecoinfo.com/api?module=proxy&action=eth_gasPrice |
Moonriver | MOVR | https://api-moonriver.moonscan.io/api?module=proxy&action=eth_gasPrice |
These APIs have rate limits. Depending on the usage, it might require an API Key.
NB: Any gas price API call which returns a JSON-RPC response formatted like this is supported: {"jsonrpc":"2.0","id":73,"result":"0x6fc23ac00"}.
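A gasPriceApi endpoint is a third-party service, so its body is best treated as untrusted input. The sketch below is an added example, not the plugin's own code: it accepts only the response shape documented above and rejects everything else. The helper name `parseGasPrice` and the rejected sample bodies are assumptions constructed for illustration.

```javascript
// Added example, not the plugin's code. parseGasPrice is a hypothetical helper.
const WEI_PER_GWEI = 1000000000n;

// Accept only the documented shape: a JSON-RPC 2.0 object whose "result"
// is a 0x-prefixed hex quantity. Everything else is rejected, not coerced.
function parseGasPrice(body) {
  let msg;
  try {
    msg = JSON.parse(body);
  } catch (err) {
    throw new Error("gas price response is not JSON");
  }
  if (msg === null || typeof msg !== "object" || msg.jsonrpc !== "2.0") {
    throw new Error("gas price response is not JSON-RPC 2.0");
  }
  if (typeof msg.result !== "string" || !/^0x[0-9a-fA-F]{1,64}$/.test(msg.result)) {
    throw new Error("gas price result is not a hex quantity");
  }
  const wei = BigInt(msg.result); // BigInt parses the 0x prefix natively
  // Split into whole and fractional gwei so large values keep precision.
  const gwei = Number(wei / WEI_PER_GWEI) + Number(wei % WEI_PER_GWEI) / 1e9;
  return { wei, gwei };
}

// Sample body taken from the README line above.
const documented = '{"jsonrpc":"2.0","id":73,"result":"0x6fc23ac00"}';
// Constructed samples of bodies that do not match the documented shape.
const rejected = [
  '{"status":"0","message":"NOTOK","result":"rate limit reached"}',
  '{"jsonrpc":"2.0","id":73,"result":"30"}',
  "<html>503</html>",
];

function demo() {
  const ok = parseGasPrice(documented);
  const failures = rejected.map((body) => {
    try { parseGasPrice(body); return null; } catch (err) { return err.message; }
  });
  return { gwei: ok.gwei, failures };
}
console.log(demo());
```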
Other useful documentation can be found at eth-gas-reporter
This plugin also adds a Hardhat Task for merging several gasReporterOutput.json files, which are generated by eth-gas-reporter when running your tests in parallelized jobs in CI.
To use the task you just have to give it the filepaths or a glob pattern pointing to all of the reports:
```
npx hardhat gas-reporter:merge 'gasReporterOutput-*.json'
```
Here is an example config.yml file used by CircleCI to run the tests in parallel first, and then merge the reports:
```yaml
version: 2.1
jobs:
  test:
    docker:
      - image: circleci/node:14.15.1-stretch
    parallelism: 8
    steps:
      - attach_workspace:
          at: .
      - run:
          name: Run tests
          command: |
            circleci tests glob 'test/**/*.spec.ts' |
            circleci tests split |
            xargs npx hardhat test
      - run:
          name: Save gas report
          command: |
            mv gasReporterOutput.json ./gasReporterOutput-$CIRCLE_NODE_INDEX.json
      - persist_to_workspace:
          root: .
          paths:
            - gasReporterOutput-*.json
  test-gas-report:
    docker:
      - image: circleci/node:14.15.1-stretch
    steps:
      - checkout
      - attach_workspace:
          at: .
      - run:
          name: Upload gas reports
          command: |
            npx hardhat gas-reporter:merge gasReporterOutput-*.json
            npx codechecks codechecks.unit.yml
      - store_artifacts:
          path: gasReporterOutput.json
workflows:
  workflow-all:
    jobs:
      - test
      - test-gas-report:
          requires:
            - test
```
FAQs
security holding package
The npm package hardhat-gas-report receives a total of 1 weekly downloads. As such, hardhat-gas-report popularity was classified as not popular.
We found that hardhat-gas-report demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 0 open source maintainers collaborating on the project.
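Two things on this page can be checked against a project's package-lock.json: the README's warning about multiple eth-gas-reporter versions in a lockfile, and the fact that this page's package name (hardhat-gas-report) differs from the name in the install command (hardhat-gas-reporter). The following is an added example, not code from the plugin or from Socket; it goes beyond the README by also flagging near-miss names. `auditLock`, the edit-distance threshold and the sample lockfile with its version numbers are assumptions constructed for illustration.

```javascript
// Added example. auditLock is a hypothetical helper, not part of any package.
// Levenshtein edit distance between two package names.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"; null for non-package keys.
function nameOf(key) {
  const i = key.lastIndexOf("node_modules/");
  return i === -1 ? null : key.slice(i + "node_modules/".length);
}

// Returns every locked version of `pinned`, plus names that are close to,
// but not equal to, one of the `expected` package names.
function auditLock(lock, pinned, expected, maxDistance = 2) {
  const versions = new Set();
  const lookalikes = new Set();
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    const name = nameOf(key);
    if (name === null) continue; // root project entry or workspace path
    if (name === pinned && entry.version) versions.add(entry.version);
    if (expected.includes(name)) continue;
    if (expected.some((good) => editDistance(name, good) <= maxDistance)) {
      lookalikes.add(name);
    }
  }
  return { versions: [...versions].sort(), lookalikes: [...lookalikes].sort() };
}

// Constructed sample in the lockfileVersion 3 layout; versions are made up.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo" },
    "node_modules/hardhat-gas-report": { version: "0.0.0" },
    "node_modules/hardhat-gas-reporter": { version: "1.0.0" },
    "node_modules/eth-gas-reporter": { version: "0.2.0" },
    "node_modules/hardhat-gas-reporter/node_modules/eth-gas-reporter": { version: "0.2.1" },
  },
};
```

More than one entry in `versions` is the duplicate-dependency condition the README warns about; any entry in `lookalikes` deserves a manual look at where the dependency came from.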