mirror of https://github.com/ConsenSys/mythril
parent
4c4de136c2
commit
ff775c91e5
@ -1,81 +0,0 @@ |
For Developers |
=============== |
|
## Deployment to PyPI |
- Update `VERSION` constant on top of `setup.py` file to `vX.Y.Z`, where `X`, |
`Y`, `Z` are some integers specifying the new version of the package; |
- Create Git tag with the same version name `vX.Y.Z`; |
- Push the tag to `Mythril` repo, CircleCI will take care about the rest |
(testing, and deployment to PyPI if tests are successful). |
|
In case of mismatch between Git tag and `VERSION` in `CircleCI` deployment will |
be failed. |
|
## Running tests |
|
### python version |
|
First, make sure your python version is `3.6.x`. Some tests will fail with `3.5.x` since some generated easm code is different from `3.6.x`. |
|
### truffle |
|
In the tests, we tested the command `--truffle`, which required the `truffle` command is installed. |
|
``` |
npm install -g truffle |
``` |
|
### geth |
|
In order to run tests and coverage reports, you need to run `geth` locally, since some tests depend on it. |
|
Install `geth` from here: <https://github.com/ethereum/go-ethereum/wiki/Building-Ethereum> |
|
Then you can run `geth version` and if you see `Version: 1.8.2-stable` or above, it's OK for testing. |
|
Don't forget to run `geth account new` to generate an account for you if this is the first time you use it. |
|
Then start it like this: |
|
``` |
geth --syncmode full --rpc --shh --debug |
``` |
|
We use `--syncmode full` here because the `eth.blockNumber` will get increased soon in this mode, which is useful in tests. |
|
If there is no error thrown, you can wait 1 or 2 minutes before running tests. |
|
And you need to check `eth.coinbase` has no error thrown and `eth.blockNumber` should greater than `0`: |
|
``` |
$ geth attach |
> eth.coinbase |
> eth.blockNumber |
``` |
|
### Run the tests |
|
```bash |
pip3 install -r requirements.txt |
./all_tests.sh |
``` |
|
It may cost you about 3 minutes to run all the tests. |
|
The tests may save their outputs content to `./tests/testdata/outputs_current/`, you can compare the files between it and `./tests/testdata/outputs_expected/` to see the difference if there is any changes. |
|
If you think the changes are expected, you can just copy them to `outputs_expected` and commit them as new expected outputs. |
|
The `./tests/testdata/outputs_current/` directory is deleted and recreated in `all_tests.sh` and `coverage_report.sh` each time. |
|
### Generating test coverage report |
|
```bash |
./coverage_report.sh |
``` |
|
It will generate a coverage testing report `coverage_html_report/index.html`, which will be automatically opened in browser. You can find coverage rate and tested/missing code from the report. |
|
Notice there are some tests are running by shell commands(`tests/cmd_line_test.py`), not calling by python, so they are not included in the coverage analysis. |
|
It may cost you about 5 minutes to generate the report. |
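Review bot: this hunk removes the whole developer document (-1 to -81) and nothing in the diff replaces it, so before merging confirm the release and test instructions are relocated and linked from the README. In particular the rule that a Git tag and the `VERSION` constant in `setup.py` must match or the CircleCI deployment fails, the `truffle`/`geth` prerequisites (`geth --syncmode full --rpc --shh --debug`, `eth.blockNumber > 0` before running tests), and the note that `all_tests.sh` and `coverage_report.sh` delete and recreate `./tests/testdata/outputs_current/` are the only written record of how to release and test; if the content does move, also fix `3.6.x`/`3.5.x` wording and the "cost you about 3 minutes" phrasing ("take about 3 minutes") at the new location rather than carrying them over verbatim.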
@ -1,26 +0,0 @@ |
# Mythril Detection Capabilities |
|
Detection modules, ideas collection and wish list. Contributions are welcome! |
|
| Issue | Description | Mythril Detection Module(s) | References | |
|------:|-------------|------------|----------| |
|Unprotected functions| Critical functions such as sends with non-zero value or suicide() calls are callable by anyone, or msg.sender is compared against an address in storage that can be written to. E.g. Parity wallet bugs. | [unchecked_suicide](mythril/analysis/modules/suicide.py), [ether_send](mythril/analysis/modules/ether_send.py) | | |
|Missing check on CALL return value| | [unchecked_retval](mythril/analysis/modules/unchecked_retval.py) | [Handle errors in external calls](https://consensys.github.io/smart-contract-best-practices/recommendations/#use-caution-when-making-external-calls) | |
|Re-entrancy| Contract state should never be relied on if untrusted contracts are called. State changes after external calls should be avoided. | [external calls to untrusted contracts](mythril/analysis/modules/external_calls.py) | [Call external functions last](https://consensys.github.io/smart-contract-best-practices/known_attacks/#reentrancy) [Avoid state changes after external calls](https://consensys.github.io/smart-contract-best-practices/recommendations/#avoid-state-changes-after-external-calls)| |
|Multiple sends in a single transaction| External calls can fail accidentally or deliberately. Avoid combining multiple send() calls in a single transaction. | | [Favor pull over push for external calls](https://consensys.github.io/smart-contract-best-practices/recommendations/#favor-pull-over-push-for-external-calls) | |
|External call to untrusted contract| | [external call to untrusted contract](mythril/analysis/modules/external_calls.py) | | |
|Delegatecall or callcode to untrusted contract| | [delegatecall_forward](mythril/analysis/modules/delegatecall.py) | | |
|Integer overflow/underflow| | [integer_underflow](mythril/analysis/modules/integer.py) | [Validate arithmetic](https://consensys.github.io/smart-contract-best-practices/known_attacks/#integer-overflow-and-underflow) | |
|Timestamp dependence| | [Dependence on predictable variables](mythril/analysis/modules/dependence_on_predictable_vars.py) | [Miner time manipulation](https://consensys.github.io/smart-contract-best-practices/known_attacks/#timestamp-dependence) | |
|Payable transaction does not revert in case of failure | | | | |
|Use of `tx.origin`| | [tx_origin](mythril/analysis/modules/depreciated_ops.py) | [Solidity documentation](https://solidity.readthedocs.io/en/develop/security-considerations.html#tx-origin), [Avoid using tx.origin](https://consensys.github.io/smart-contract-best-practices/recommendations/#avoid-using-txorigin) | |
|Type confusion| | | | |
|Predictable RNG| | [Dependence on predictable variables](mythril/analysis/modules/dependence_on_predictable_vars.py) | | |
|Transaction order dependence| | | [Front Running](https://consensys.github.io/smart-contract-best-practices/known_attacks/#transaction-ordering-dependence-tod-front-running) | |
|Information exposure| | | | |
|Complex fallback function (uses more than 2,300 gas) | A too complex fallback function will cause send() and transfer() from other contracts to fail. To implement this we first need to fully implement gas simulation. | | |
|Use `require()` instead of `assert()` | Use `assert()` only to check against states which should be completely unreachable. | [Exceptions](mythril/analysis/modules/exceptions.py) | [Solidity docs](https://solidity.readthedocs.io/en/develop/control-structures.html#error-handling-assert-require-revert-and-exceptions)| |
|Use of depreciated functions | Use `revert()` instead of `throw()`, `selfdestruct()` instead of `suicide()`, `keccak256()` instead of `sha3()` | | | |
|Detect tautologies| Detect comparisons that always evaluate to 'true', see also [#54](https://github.com/ConsenSys/mythril/issues/54) | | |
|Call depth attack| Depreciated | | [EIP 150 Hard Fork](https://consensys.github.io/smart-contract-best-practices/known_attacks/#call-depth-attack-deprecated)| |
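Review bot: deleting this table (-1 to -26) drops the only mapping from issue classes to the detection modules that cover them (`suicide.py`, `ether_send.py`, `unchecked_retval.py`, `external_calls.py`, `delegatecall.py`, `integer.py`, `dependence_on_predictable_vars.py`, `depreciated_ops.py`, `exceptions.py`), and it also drops the wish-list rows that have no module yet (Payable transaction does not revert, Type confusion, Information exposure, Transaction order dependence, Complex fallback function, Use of deprecated functions). If the table is not being moved to another document, those open rows should each be captured as a tracking issue the way the tautology row already points at #54, so the gaps in coverage stay visible; and if it is being moved, correct "depreciated" to "deprecated" in the `tx.origin`, deprecated-functions and call-depth rows while relocating it.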