|
|
|
@ -1,19 +1,18 @@ |
|
|
|
"""This module contains the detection code for insecure delegate call usage.""" |
|
|
|
"""This module contains the detection code for insecure delegate call usage.""" |
|
|
|
import json |
|
|
|
|
|
|
|
import logging |
|
|
|
import logging |
|
|
|
from copy import copy |
|
|
|
from typing import List |
|
|
|
from typing import List, cast, Dict |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
from mythril.analysis import solver |
|
|
|
from mythril.analysis.potential_issues import ( |
|
|
|
|
|
|
|
get_potential_issues_annotation, |
|
|
|
|
|
|
|
PotentialIssue, |
|
|
|
|
|
|
|
) |
|
|
|
from mythril.analysis.swc_data import DELEGATECALL_TO_UNTRUSTED_CONTRACT |
|
|
|
from mythril.analysis.swc_data import DELEGATECALL_TO_UNTRUSTED_CONTRACT |
|
|
|
from mythril.laser.ethereum.transaction.symbolic import ATTACKER_ADDRESS |
|
|
|
from mythril.laser.ethereum.transaction.symbolic import ATTACKER_ADDRESS |
|
|
|
from mythril.laser.ethereum.transaction.transaction_models import ( |
|
|
|
from mythril.laser.ethereum.transaction.transaction_models import ( |
|
|
|
ContractCreationTransaction, |
|
|
|
ContractCreationTransaction, |
|
|
|
) |
|
|
|
) |
|
|
|
from mythril.analysis.report import Issue |
|
|
|
|
|
|
|
from mythril.analysis.modules.base import DetectionModule |
|
|
|
from mythril.analysis.modules.base import DetectionModule |
|
|
|
from mythril.exceptions import UnsatError |
|
|
|
from mythril.exceptions import UnsatError |
|
|
|
from mythril.laser.ethereum.state.annotation import StateAnnotation |
|
|
|
|
|
|
|
from mythril.laser.ethereum.state.global_state import GlobalState |
|
|
|
from mythril.laser.ethereum.state.global_state import GlobalState |
|
|
|
from mythril.laser.smt import symbol_factory, UGT |
|
|
|
from mythril.laser.smt import symbol_factory, UGT |
|
|
|
|
|
|
|
|
|
|
|
@ -41,19 +40,16 @@ class DelegateCallModule(DetectionModule): |
|
|
|
""" |
|
|
|
""" |
|
|
|
if state.get_current_instruction()["address"] in self.cache: |
|
|
|
if state.get_current_instruction()["address"] in self.cache: |
|
|
|
return |
|
|
|
return |
|
|
|
issues = self._analyze_state(state) |
|
|
|
potential_issues = self._analyze_state(state) |
|
|
|
for issue in issues: |
|
|
|
|
|
|
|
self.cache.add(issue.address) |
|
|
|
annotation = get_potential_issues_annotation(state) |
|
|
|
self.issues.extend(issues) |
|
|
|
annotation.potential_issues.extend(potential_issues) |
|
|
|
|
|
|
|
|
|
|
|
@staticmethod |
|
|
|
def _analyze_state(self, state: GlobalState) -> List[PotentialIssue]: |
|
|
|
def _analyze_state(state: GlobalState) -> List[Issue]: |
|
|
|
|
|
|
|
""" |
|
|
|
""" |
|
|
|
:param state: the current state |
|
|
|
:param state: the current state |
|
|
|
:return: returns the issues for that corresponding state |
|
|
|
:return: returns the issues for that corresponding state |
|
|
|
""" |
|
|
|
""" |
|
|
|
op_code = state.get_current_instruction()["opcode"] |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
gas = state.mstate.stack[-1] |
|
|
|
gas = state.mstate.stack[-1] |
|
|
|
to = state.mstate.stack[-2] |
|
|
|
to = state.mstate.stack[-2] |
|
|
|
|
|
|
|
|
|
|
|
@ -67,16 +63,14 @@ class DelegateCallModule(DetectionModule): |
|
|
|
constraints.append(tx.caller == ATTACKER_ADDRESS) |
|
|
|
constraints.append(tx.caller == ATTACKER_ADDRESS) |
|
|
|
|
|
|
|
|
|
|
|
try: |
|
|
|
try: |
|
|
|
transaction_sequence = solver.get_transaction_sequence( |
|
|
|
|
|
|
|
state, state.mstate.constraints + constraints |
|
|
|
|
|
|
|
) |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
address = state.get_current_instruction()["address"] |
|
|
|
address = state.get_current_instruction()["address"] |
|
|
|
|
|
|
|
|
|
|
|
logging.debug( |
|
|
|
logging.debug( |
|
|
|
"[DELEGATECALL] Detected delegatecall to a user-supplied address : {}".format( |
|
|
|
"[DELEGATECALL] Detected potential delegatecall to a user-supplied address : {}".format( |
|
|
|
address |
|
|
|
address |
|
|
|
) |
|
|
|
) |
|
|
|
) |
|
|
|
) |
|
|
|
|
|
|
|
|
|
|
|
description_head = "The contract delegates execution to another contract with a user-supplied address." |
|
|
|
description_head = "The contract delegates execution to another contract with a user-supplied address." |
|
|
|
description_tail = ( |
|
|
|
description_tail = ( |
|
|
|
"The smart contract delegates execution to a user-supplied address. Note that callers " |
|
|
|
"The smart contract delegates execution to a user-supplied address. Note that callers " |
|
|
|
@ -85,7 +79,7 @@ class DelegateCallModule(DetectionModule): |
|
|
|
) |
|
|
|
) |
|
|
|
|
|
|
|
|
|
|
|
return [ |
|
|
|
return [ |
|
|
|
Issue( |
|
|
|
PotentialIssue( |
|
|
|
contract=state.environment.active_account.contract_name, |
|
|
|
contract=state.environment.active_account.contract_name, |
|
|
|
function_name=state.environment.active_function_name, |
|
|
|
function_name=state.environment.active_function_name, |
|
|
|
address=address, |
|
|
|
address=address, |
|
|
|
@ -95,8 +89,8 @@ class DelegateCallModule(DetectionModule): |
|
|
|
severity="Medium", |
|
|
|
severity="Medium", |
|
|
|
description_head=description_head, |
|
|
|
description_head=description_head, |
|
|
|
description_tail=description_tail, |
|
|
|
description_tail=description_tail, |
|
|
|
transaction_sequence=transaction_sequence, |
|
|
|
constraints=constraints, |
|
|
|
gas_used=(state.mstate.min_gas_used, state.mstate.max_gas_used), |
|
|
|
detector=self, |
|
|
|
) |
|
|
|
) |
|
|
|
] |
|
|
|
] |
|
|
|
|
|
|
|
|
|
|
|
|
Nathan
5 years ago
committed by
Nikhil Parasaram