mythril/tests/analysis/test_delegatecall.py

from mythril.analysis.modules.delegatecall import (
    execute,
    _concrete_call,
    _symbolic_call,
)
from mythril.analysis.ops import Call, Variable, VarType
from mythril.analysis.symbolic import SymExecWrapper
from mythril.laser.ethereum.cfg import Node
from mythril.laser.ethereum.state import GlobalState, Environment, Account
import pytest
from unittest.mock import MagicMock, patch
import pytest_mock


def test_concrete_call():
    # arrange
    address = "0x10"
    active_account = Account(address)
    active_account.code = Disassembly("00")
    environment = Environment(active_account, None, None, None, None, None)

    state = GlobalState(None, environment, None)
    state.mstate.memory = ["placeholder", "calldata_bling_0"]

    node = Node("example")
    node.contract_name = "the contract name"
    node.function_name = "the function name"

    to = Variable(1, VarType.CONCRETE)
    meminstart = Variable(1, VarType.CONCRETE)
    call = Call(node, state, None, None, to, None)

    # act
    issues = _concrete_call(call, state, address, meminstart)

    # assert
    issue = issues[0]
    assert issue.address == address
    assert issue.contract == node.contract_name
    assert issue.function == node.function_name
    assert issue.title == "Call data forwarded with delegatecall()"
    assert issue.type == "Informational"
    assert (
        issue.description
        == "This contract forwards its call data via DELEGATECALL in its fallback function."
        " This means that any function in the called contract can be executed."
        " Note that the callee contract will have access to the storage of the "
        "calling contract.\n DELEGATECALL target: 0x1"
    )


def test_concrete_call_symbolic_to():
    # arrange
    address = "0x10"

    active_account = Account(address)
    active_account.code = Disassembly("00")
    environment = Environment(active_account, None, None, None, None, None)
    state = GlobalState(None, environment, None)
    state.mstate.memory = ["placeholder", "calldata_bling_0"]

    node = Node("example")
    node.contract_name = "the contract name"
    node.function_name = "the function name"

    to = Variable("calldata_3", VarType.SYMBOLIC)
    meminstart = Variable(1, VarType.CONCRETE)
    call = Call(node, state, None, None, to, None)

    # act
    issues = _concrete_call(call, state, address, meminstart)

    # assert
    issue = issues[0]
    assert issue.address == address
    assert issue.contract == node.contract_name
    assert issue.function == node.function_name
    assert issue.title == "Call data forwarded with delegatecall()"
    assert issue.type == "Informational"
    assert (
        issue.description
        == "This contract forwards its call data via DELEGATECALL in its fallback function."
        " This means that any function in the called contract can be executed."
        " Note that the callee contract will have access to the storage of the "
        "calling contract.\n DELEGATECALL target: calldata_3"
    )


def test_concrete_call_not_calldata():
    # arrange
    state = GlobalState(None, None, None)
    state.mstate.memory = ["placeholder", "not_calldata"]
    meminstart = Variable(1, VarType.CONCRETE)

    # act
    issues = _concrete_call(None, state, None, meminstart)

    # assert
    assert issues == []


def test_symbolic_call_storage_to(mocker):
    # arrange
    address = "0x10"

    active_account = Account(address)
    active_account.code = Disassembly("00")
    environment = Environment(active_account, None, None, None, None, None)
    state = GlobalState(None, environment, None)
    state.mstate.memory = ["placeholder", "calldata_bling_0"]


    node = Node("example")
    node.contract_name = "the contract name"
    node.function_name = "the function name"

    to = Variable("storage_1", VarType.SYMBOLIC)
    call = Call(node, state, None, "Type: ", to, None)


    mocker.patch.object(SymExecWrapper, "__init__", lambda x, y: None)
    statespace = SymExecWrapper(1)

    mocker.patch.object(statespace, "find_storage_write")
    statespace.find_storage_write.return_value = "Function name"


    # act
    issues = _symbolic_call(call, state, address, statespace)

    # assert
    issue = issues[0]
    assert issue.address == address
    assert issue.contract == node.contract_name
    assert issue.function == node.function_name
    assert issue.title == "Type:  to a user-supplied address"
    assert issue.type == "Informational"
    assert (
        issue.description
        == "This contract delegates execution to a contract address in storage slot 1."
        " This storage slot can be written to by calling the function `Function name`. "
        "Be aware that the called contract gets unrestricted access to this contract's state."
    )


def test_symbolic_call_calldata_to(mocker):
    # arrange
    address = "0x10"

    active_account = Account(address)
    active_account.code = Disassembly("00")
    environment = Environment(active_account, None, None, None, None, None)
    state = GlobalState(None, environment, None)
    state.mstate.memory = ["placeholder", "calldata_bling_0"]


    node = Node("example")
    node.contract_name = "the contract name"
    node.function_name = "the function name"

    to = Variable("calldata", VarType.SYMBOLIC)
    call = Call(node, state, None, "Type: ", to, None)


    mocker.patch.object(SymExecWrapper, "__init__", lambda x, y: None)
    statespace = SymExecWrapper(1)

    mocker.patch.object(statespace, 'find_storage_write')
    statespace.find_storage_write.return_value = "Function name"


    # act
    issues = _symbolic_call(call, state, address, statespace)

    # assert
    issue = issues[0]
    assert issue.address == address
    assert issue.contract == node.contract_name
    assert issue.function == node.function_name
    assert issue.title == "Type:  to a user-supplied address"
    assert issue.type == "Informational"
    assert (
        issue.description
        == "This contract delegates execution to a contract address obtained from calldata. "
        "Be aware that the called contract gets unrestricted access to this contract's state."
    )


@patch("mythril.laser.ethereum.state.GlobalState.get_current_instruction")
@patch("mythril.analysis.modules.delegatecall._concrete_call")
@patch("mythril.analysis.modules.delegatecall._symbolic_call")
def test_delegate_call(sym_mock, concrete_mock, curr_instruction):
    # arrange
    # sym_mock = mocker.patch.object(delegatecall, "_symbolic_call")
    # concrete_mock = mocker.patch.object(delegatecall, "_concrete_call")
    sym_mock.return_value = []
    concrete_mock.return_value = []
    curr_instruction.return_value = {"address": "0x10"}

    active_account = Account("0x10")
    active_account.code = Disassembly("00")

    environment = Environment(active_account, None, None, None, None, None)
    state = GlobalState(None, environment, Node)
    state.mstate.memory = ["placeholder", "calldata_bling_0"]
    state.mstate.stack = [1, 2, 3]
    assert state.get_current_instruction() == {"address": "0x10"}

    node = Node("example")
    node.contract_name = "the contract name"
    node.function_name = "fallback"

    to = Variable("storage_1", VarType.SYMBOLIC)
    call = Call(node, state, None, "DELEGATECALL", to, None)

    statespace = MagicMock()
    statespace.calls = [call]

    # act
    execute(statespace)

    # assert
    assert concrete_mock.call_count == 1
    assert sym_mock.call_count == 1


@patch("mythril.analysis.modules.delegatecall._concrete_call")
@patch("mythril.analysis.modules.delegatecall._symbolic_call")
def test_delegate_call_not_delegate(sym_mock, concrete_mock):
    # arrange
    # sym_mock = mocker.patch.object(delegatecall, "_symbolic_call")
    # concrete_mock = mocker.patch.object(delegatecall, "_concrete_call")
    sym_mock.return_value = []
    concrete_mock.return_value = []

    node = Node("example")
    node.function_name = "fallback"

    to = Variable("storage_1", VarType.SYMBOLIC)
    call = Call(node, None, None, "NOT_DELEGATECALL", to, None)

    statespace = MagicMock()
    statespace.calls = [call]

    # act
    issues = execute(statespace)

    # assert
    assert issues == []
    assert concrete_mock.call_count == 0
    assert sym_mock.call_count == 0


@patch("mythril.analysis.modules.delegatecall._concrete_call")
@patch("mythril.analysis.modules.delegatecall._symbolic_call")
def test_delegate_call_not_fallback(sym_mock, concrete_mock):
    # arrange
    # sym_mock = mocker.patch.object(delegatecall, "_symbolic_call")
    # concrete_mock = mocker.patch.object(delegatecall, "_concrete_call")
    sym_mock.return_value = []
    concrete_mock.return_value = []

    node = Node("example")
    node.function_name = "not_fallback"

    to = Variable("storage_1", VarType.SYMBOLIC)
    call = Call(node, None, None, "DELEGATECALL", to, None)

    statespace = MagicMock()
    statespace.calls = [call]

    # act
    issues = execute(statespace)

    # assert
    assert issues == []
    assert concrete_mock.call_count == 0
    assert sym_mock.call_count == 0
Apply black style formatting 6 years ago			`from mythril.analysis.modules.delegatecall import (`
			`execute,`
			`_concrete_call,`
			`_symbolic_call,`
			`)`
Initial delegate call tests 7 years ago			`from mythril.analysis.ops import Call, Variable, VarType`
			`from mythril.analysis.symbolic import SymExecWrapper`
Fix import 6 years ago			`from mythril.laser.ethereum.cfg import Node`
			`from mythril.laser.ethereum.state import GlobalState, Environment, Account`
Initial delegate call tests 7 years ago			`import pytest`
Fixes failing test and python version 7 years ago			`from unittest.mock import MagicMock, patch`
Initial delegate call tests 7 years ago			`import pytest_mock`

Cleanup concrete call test and add not concrete call test 7 years ago
Initial delegate call tests 7 years ago			`def test_concrete_call():`
			`# arrange`
			`address = "0x10"`
fix missing environments 6 years ago			`active_account = Account(address)`
			`active_account.code = Disassembly("00")`
			`environment = Environment(active_account, None, None, None, None, None)`
Initial delegate call tests 7 years ago
fix missing environments 6 years ago			`state = GlobalState(None, environment, None)`
Initial delegate call tests 7 years ago			`state.mstate.memory = ["placeholder", "calldata_bling_0"]`

Cleanup concrete call test and add not concrete call test 7 years ago			`node = Node("example")`
Initial delegate call tests 7 years ago			`node.contract_name = "the contract name"`
			`node.function_name = "the function name"`

Cleanup concrete call test and add not concrete call test 7 years ago			`to = Variable(1, VarType.CONCRETE)`
			`meminstart = Variable(1, VarType.CONCRETE)`
			`call = Call(node, state, None, None, to, None)`

Initial delegate call tests 7 years ago			`# act`
			`issues = _concrete_call(call, state, address, meminstart)`

			`# assert`
			`issue = issues[0]`
			`assert issue.address == address`
			`assert issue.contract == node.contract_name`
			`assert issue.function == node.function_name`
			`assert issue.title == "Call data forwarded with delegatecall()"`
Apply black style formatting 6 years ago			`assert issue.type == "Informational"`
			`assert (`
			`issue.description`
			`== "This contract forwards its call data via DELEGATECALL in its fallback function."`
			`" This means that any function in the called contract can be executed."`
			`" Note that the callee contract will have access to the storage of the "`
			`"calling contract.\n DELEGATECALL target: 0x1"`
			`)`
Initial delegate call tests 7 years ago

Add more unit tests 7 years ago			`def test_concrete_call_symbolic_to():`
			`# arrange`
			`address = "0x10"`

fix missing environments 6 years ago			`active_account = Account(address)`
			`active_account.code = Disassembly("00")`
			`environment = Environment(active_account, None, None, None, None, None)`
			`state = GlobalState(None, environment, None)`
Add more unit tests 7 years ago			`state.mstate.memory = ["placeholder", "calldata_bling_0"]`

			`node = Node("example")`
			`node.contract_name = "the contract name"`
			`node.function_name = "the function name"`

			`to = Variable("calldata_3", VarType.SYMBOLIC)`
			`meminstart = Variable(1, VarType.CONCRETE)`
			`call = Call(node, state, None, None, to, None)`

			`# act`
			`issues = _concrete_call(call, state, address, meminstart)`

			`# assert`
			`issue = issues[0]`
			`assert issue.address == address`
			`assert issue.contract == node.contract_name`
			`assert issue.function == node.function_name`
			`assert issue.title == "Call data forwarded with delegatecall()"`
Apply black style formatting 6 years ago			`assert issue.type == "Informational"`
			`assert (`
			`issue.description`
			`== "This contract forwards its call data via DELEGATECALL in its fallback function."`
			`" This means that any function in the called contract can be executed."`
			`" Note that the callee contract will have access to the storage of the "`
			`"calling contract.\n DELEGATECALL target: calldata_3"`
			`)`
Add more unit tests 7 years ago

Cleanup concrete call test and add not concrete call test 7 years ago			`def test_concrete_call_not_calldata():`
			`# arrange`
Worklist implementation (#288) Refactor laser to work with a worklist vs a simple loop 6 years ago			`state = GlobalState(None, None, None)`
Cleanup concrete call test and add not concrete call test 7 years ago			`state.mstate.memory = ["placeholder", "not_calldata"]`
			`meminstart = Variable(1, VarType.CONCRETE)`

			`# act`
			`issues = _concrete_call(None, state, None, meminstart)`

			`# assert`
			`assert issues == []`


Adds calldata based symbolic call test 7 years ago			`def test_symbolic_call_storage_to(mocker):`
Initial delegate call tests 7 years ago			`# arrange`
			`address = "0x10"`

			`active_account = Account(address)`
fix missing environments 6 years ago			`active_account.code = Disassembly("00")`
Initial delegate call tests 7 years ago			`environment = Environment(active_account, None, None, None, None, None)`
Worklist implementation (#288) Refactor laser to work with a worklist vs a simple loop 6 years ago			`state = GlobalState(None, environment, None)`
Initial delegate call tests 7 years ago			`state.mstate.memory = ["placeholder", "calldata_bling_0"]`


			`node = Node("example")`
			`node.contract_name = "the contract name"`
			`node.function_name = "the function name"`

			`to = Variable("storage_1", VarType.SYMBOLIC)`
			`call = Call(node, state, None, "Type: ", to, None)`


			`mocker.patch.object(SymExecWrapper, "__init__", lambda x, y: None)`
			`statespace = SymExecWrapper(1)`

Apply black style formatting 6 years ago			`mocker.patch.object(statespace, "find_storage_write")`
Initial delegate call tests 7 years ago			`statespace.find_storage_write.return_value = "Function name"`


			`# act`
			`issues = _symbolic_call(call, state, address, statespace)`

			`# assert`
			`issue = issues[0]`
			`assert issue.address == address`
			`assert issue.contract == node.contract_name`
			`assert issue.function == node.function_name`
Apply black style formatting 6 years ago			`assert issue.title == "Type: to a user-supplied address"`
			`assert issue.type == "Informational"`
			`assert (`
			`issue.description`
			`== "This contract delegates execution to a contract address in storage slot 1."`
			" This storage slot can be written to by calling the function `Function name`. "
			`"Be aware that the called contract gets unrestricted access to this contract's state."`
			`)`
Initial delegate call tests 7 years ago

Adds calldata based symbolic call test 7 years ago			`def test_symbolic_call_calldata_to(mocker):`
			`# arrange`
			`address = "0x10"`

fix missing environments 6 years ago			`active_account = Account(address)`
			`active_account.code = Disassembly("00")`
			`environment = Environment(active_account, None, None, None, None, None)`
			`state = GlobalState(None, environment, None)`
Adds calldata based symbolic call test 7 years ago			`state.mstate.memory = ["placeholder", "calldata_bling_0"]`


			`node = Node("example")`
			`node.contract_name = "the contract name"`
			`node.function_name = "the function name"`

			`to = Variable("calldata", VarType.SYMBOLIC)`
			`call = Call(node, state, None, "Type: ", to, None)`


			`mocker.patch.object(SymExecWrapper, "__init__", lambda x, y: None)`
			`statespace = SymExecWrapper(1)`

			`mocker.patch.object(statespace, 'find_storage_write')`
			`statespace.find_storage_write.return_value = "Function name"`


			`# act`
			`issues = _symbolic_call(call, state, address, statespace)`

			`# assert`
			`issue = issues[0]`
			`assert issue.address == address`
			`assert issue.contract == node.contract_name`
			`assert issue.function == node.function_name`
Apply black style formatting 6 years ago			`assert issue.title == "Type: to a user-supplied address"`
			`assert issue.type == "Informational"`
			`assert (`
			`issue.description`
			`== "This contract delegates execution to a contract address obtained from calldata. "`
			`"Be aware that the called contract gets unrestricted access to this contract's state."`
			`)`


			`@patch("mythril.laser.ethereum.state.GlobalState.get_current_instruction")`
			`@patch("mythril.analysis.modules.delegatecall._concrete_call")`
			`@patch("mythril.analysis.modules.delegatecall._symbolic_call")`
Initial delegate call tests 7 years ago			`def test_delegate_call(sym_mock, concrete_mock, curr_instruction):`
			`# arrange`
			`# sym_mock = mocker.patch.object(delegatecall, "_symbolic_call")`
			`# concrete_mock = mocker.patch.object(delegatecall, "_concrete_call")`
			`sym_mock.return_value = []`
			`concrete_mock.return_value = []`
Apply black style formatting 6 years ago			`curr_instruction.return_value = {"address": "0x10"}`
Initial delegate call tests 7 years ago
Apply black style formatting 6 years ago			`active_account = Account("0x10")`
fix missing environments 6 years ago			`active_account.code = Disassembly("00")`

Initial delegate call tests 7 years ago			`environment = Environment(active_account, None, None, None, None, None)`
Worklist implementation (#288) Refactor laser to work with a worklist vs a simple loop 6 years ago			`state = GlobalState(None, environment, Node)`
Initial delegate call tests 7 years ago			`state.mstate.memory = ["placeholder", "calldata_bling_0"]`
			`state.mstate.stack = [1, 2, 3]`
Apply black style formatting 6 years ago			`assert state.get_current_instruction() == {"address": "0x10"}`
Initial delegate call tests 7 years ago
			`node = Node("example")`
			`node.contract_name = "the contract name"`
			`node.function_name = "fallback"`

			`to = Variable("storage_1", VarType.SYMBOLIC)`
			`call = Call(node, state, None, "DELEGATECALL", to, None)`

Fixes failing test and python version 7 years ago			`statespace = MagicMock()`
Initial delegate call tests 7 years ago			`statespace.calls = [call]`

			`# act`
Remove unused variables from tests 6 years ago			`execute(statespace)`
Initial delegate call tests 7 years ago
			`# assert`
			`assert concrete_mock.call_count == 1`
Add more unit tests 7 years ago			`assert sym_mock.call_count == 1`


Apply black style formatting 6 years ago			`@patch("mythril.analysis.modules.delegatecall._concrete_call")`
			`@patch("mythril.analysis.modules.delegatecall._symbolic_call")`
Add more unit tests 7 years ago			`def test_delegate_call_not_delegate(sym_mock, concrete_mock):`
			`# arrange`
			`# sym_mock = mocker.patch.object(delegatecall, "_symbolic_call")`
			`# concrete_mock = mocker.patch.object(delegatecall, "_concrete_call")`
			`sym_mock.return_value = []`
			`concrete_mock.return_value = []`

			`node = Node("example")`
			`node.function_name = "fallback"`

			`to = Variable("storage_1", VarType.SYMBOLIC)`
			`call = Call(node, None, None, "NOT_DELEGATECALL", to, None)`

Fixes failing test and python version 7 years ago			`statespace = MagicMock()`
Add more unit tests 7 years ago			`statespace.calls = [call]`

			`# act`
			`issues = execute(statespace)`

			`# assert`
			`assert issues == []`
			`assert concrete_mock.call_count == 0`
			`assert sym_mock.call_count == 0`


Apply black style formatting 6 years ago			`@patch("mythril.analysis.modules.delegatecall._concrete_call")`
			`@patch("mythril.analysis.modules.delegatecall._symbolic_call")`
Add more unit tests 7 years ago			`def test_delegate_call_not_fallback(sym_mock, concrete_mock):`
			`# arrange`
			`# sym_mock = mocker.patch.object(delegatecall, "_symbolic_call")`
			`# concrete_mock = mocker.patch.object(delegatecall, "_concrete_call")`
			`sym_mock.return_value = []`
			`concrete_mock.return_value = []`

			`node = Node("example")`
			`node.function_name = "not_fallback"`

			`to = Variable("storage_1", VarType.SYMBOLIC)`
			`call = Call(node, None, None, "DELEGATECALL", to, None)`

Fixes failing test and python version 7 years ago			`statespace = MagicMock()`
Add more unit tests 7 years ago			`statespace.calls = [call]`

			`# act`
			`issues = execute(statespace)`

			`# assert`
			`assert issues == []`
			`assert concrete_mock.call_count == 0`
			`assert sym_mock.call_count == 0`