mirror of https://github.com/ConsenSys/mythril
blockchainethereumsmart-contractssoliditysecurityprogram-analysissecurity-analysissymbolic-execution
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
415 lines
15 KiB
415 lines
15 KiB
#!/usr/bin/env python
|
|
"""mythril.py: Bug hunting on the Ethereum blockchain
|
|
|
|
http://www.github.com/b-mueller/mythril
|
|
"""
|
|
|
|
from mythril.ether import evm, util
|
|
from mythril.ether.contractstorage import get_persistent_storage
|
|
from mythril.ether.ethcontract import ETHContract
|
|
from mythril.ether.soliditycontract import SolidityContract
|
|
from mythril.rpc.client import EthJsonRpc
|
|
from mythril.ipc.client import EthIpc
|
|
from mythril.rpc.exceptions import ConnectionError
|
|
from mythril.support import signatures
|
|
from mythril.support.truffle import analyze_truffle_project
|
|
from mythril.support.loader import DynLoader
|
|
from mythril.exceptions import CompilerError, NoContractFoundError
|
|
from mythril.analysis.symbolic import StateSpace
|
|
from mythril.analysis.callgraph import generate_graph
|
|
from mythril.analysis.security import fire_lasers
|
|
from mythril.analysis.report import Report
|
|
from laser.ethereum import helper
|
|
from web3 import Web3
|
|
from ethereum import utils
|
|
from pathlib import Path
|
|
from json.decoder import JSONDecodeError
|
|
from solc.exceptions import SolcError
|
|
import solc
|
|
import logging
|
|
import json
|
|
import sys
|
|
import argparse
|
|
import os
|
|
import re
|
|
|
|
|
|
def searchCallback(code_hash, code, addresses, balances):
|
|
print("Matched contract with code hash " + code_hash)
|
|
|
|
for i in range(0, len(addresses)):
|
|
print("Address: " + addresses[i] + ", balance: " + str(balances[i]))
|
|
|
|
|
|
def exitWithError(message):
|
|
print(message)
|
|
sys.exit()
|
|
|
|
|
|
parser = argparse.ArgumentParser(description='Security analysis of Ethereum smart contracts')
|
|
parser.add_argument("solidity_file", nargs='*')
|
|
|
|
commands = parser.add_argument_group('commands')
|
|
commands.add_argument('-g', '--graph', help='generate a control flow graph', metavar='OUTPUT_FILE')
|
|
commands.add_argument('-x', '--fire-lasers', action='store_true', help='detect vulnerabilities, use with -c, -a or solidity file(s)')
|
|
commands.add_argument('-t', '--truffle', action='store_true', help='analyze a truffle project (run from project dir)')
|
|
|
|
inputs = parser.add_argument_group('input arguments')
|
|
inputs.add_argument('-c', '--code', help='hex-encoded bytecode string ("6060604052...")', metavar='BYTECODE')
|
|
inputs.add_argument('-a', '--address', help='pull contract from the blockchain', metavar='CONTRACT_ADDRESS')
|
|
inputs.add_argument('-l', '--dynld', action='store_true', help='auto-load dependencies from the blockchain')
|
|
|
|
inputs = parser.add_argument_group('output formats')
|
|
inputs.add_argument('-o', '--outform', choices=['text', 'markdown', 'json'], default='text', help='report output format', metavar='<text/json>')
|
|
|
|
database = parser.add_argument_group('local contracts database')
|
|
database.add_argument('--init-db', action='store_true', help='initialize the contract database')
|
|
database.add_argument('-s', '--search', help='search the contract database', metavar='EXPRESSION')
|
|
|
|
utilities = parser.add_argument_group('utilities')
|
|
utilities.add_argument('-d', '--disassemble', action='store_true', help='print disassembly')
|
|
utilities.add_argument('--xrefs', action='store_true', help='get xrefs from a contract')
|
|
utilities.add_argument('--hash', help='calculate function signature hash', metavar='SIGNATURE')
|
|
utilities.add_argument('--storage', help='read state variables from storage index, use with -a', metavar='INDEX,NUM_SLOTS,[array]')
|
|
utilities.add_argument('--solv', help='specify solidity compiler version. If not present, will try to install it (Experimental)', metavar='SOLV')
|
|
|
|
options = parser.add_argument_group('options')
|
|
options.add_argument('--sync-all', action='store_true', help='Also sync contracts with zero balance')
|
|
options.add_argument('--max-depth', type=int, default=12, help='Maximum recursion depth for symbolic execution')
|
|
options.add_argument('--enable-physics', type=bool, default=False, help='enable graph physics simulation')
|
|
options.add_argument('-v', type=int, help='log level (0-2)', metavar='LOG_LEVEL')
|
|
|
|
rpc = parser.add_argument_group('RPC options')
|
|
rpc.add_argument('--rpc', help='connect via RPC', metavar='HOST:PORT')
|
|
rpc.add_argument('--rpctls', type=bool, default=False, help='RPC connection over TLS')
|
|
rpc.add_argument('--ganache', action='store_true', help='Preset: local Ganache')
|
|
rpc.add_argument('--infura-mainnet', action='store_true', help='Preset: Infura Node service (Mainnet)')
|
|
rpc.add_argument('--infura-rinkeby', action='store_true', help='Preset: Infura Node service (Rinkeby)')
|
|
rpc.add_argument('--infura-kovan', action='store_true', help='Preset: Infura Node service (Kovan)')
|
|
rpc.add_argument('--infura-ropsten', action='store_true', help='Preset: Infura Node service (Ropsten)')
|
|
|
|
# Get config values
|
|
|
|
try:
|
|
mythril_dir = os.environ['MYTHRIL_DIR']
|
|
except KeyError:
|
|
mythril_dir = os.path.join(os.path.expanduser('~'), ".mythril")
|
|
|
|
# Initialize data directry and singature database
|
|
|
|
if not os.path.exists(mythril_dir):
|
|
logging.info("Creating mythril data directory")
|
|
|
|
os.mkdir(mythril_dir)
|
|
|
|
|
|
# If no function signature file exists, create it. Function signatures from Solidity source code are added automatically.
|
|
|
|
signatures_file = os.path.join(mythril_dir, 'signatures.json')
|
|
|
|
if not os.path.exists(signatures_file):
|
|
logging.info("No signature database found. Creating empty database: " + signatures_file + "\n" \
|
|
"Consider replacing it with the pre-initialized database at " \
|
|
"https://raw.githubusercontent.com/ConsenSys/mythril/master/signatures.json")
|
|
|
|
sigs = {}
|
|
|
|
with open(signatures_file, 'a') as f:
|
|
json.dump({},f)
|
|
|
|
else:
|
|
with open(signatures_file) as f:
|
|
try:
|
|
sigs = json.load(f)
|
|
except JSONDecodeError as e:
|
|
exitWithError("Invalid JSON in signatures file " + signatures_file + "\n" + str(e))
|
|
|
|
# Parse cmdline args
|
|
|
|
args = parser.parse_args()
|
|
|
|
if not (args.search or args.init_db or args.hash or args.disassemble or args.graph or args.xrefs or args.fire_lasers or args.storage or args.truffle):
|
|
parser.print_help()
|
|
sys.exit()
|
|
|
|
if (args.v):
|
|
if (0 <= args.v < 3):
|
|
logging.basicConfig(level=[logging.NOTSET, logging.INFO, logging.DEBUG][args.v])
|
|
|
|
elif (args.hash):
|
|
print("0x" + utils.sha3(args.hash)[:4].hex())
|
|
sys.exit()
|
|
|
|
|
|
if args.truffle:
|
|
|
|
try:
|
|
analyze_truffle_project()
|
|
except FileNotFoundError:
|
|
print("Build directory not found. Make sure that you start the analysis from the project root, and that 'truffle compile' has executed successfully.")
|
|
|
|
sys.exit()
|
|
|
|
# Figure out solc binary and version
|
|
# Only proper versions are supported. No nightlies, commits etc (such as available in remix)
|
|
|
|
if args.solv:
|
|
version = args.solv
|
|
#tried converting input to semver, seemed not necessary so just slicing for now
|
|
if version == str(solc.main.get_solc_version())[:6]:
|
|
print('Given version matches installed version')
|
|
try:
|
|
solc_binary = os.environ['SOLC']
|
|
except KeyError:
|
|
solc_binary = 'solc'
|
|
else:
|
|
if util.solc_exists(version):
|
|
print('Given version is already installed')
|
|
solc_binary = os.path.join(os.environ['HOME'], ".py-solc/solc-v" + version, "bin/solc")
|
|
print("Setting the compiler to " + str(solc_binary))
|
|
else:
|
|
try:
|
|
solc.install_solc('v' + version)
|
|
solc_binary = os.path.join(os.environ['HOME'], ".py-solc/solc-v" + version, "bin/solc")
|
|
print("Setting the compiler to " + str(solc_binary))
|
|
except SolcError:
|
|
exitWithError("There was an error when trying to install the specified solc version")
|
|
else:
|
|
if not args.solv:
|
|
try:
|
|
solc_binary = os.environ['SOLC']
|
|
except KeyError:
|
|
try:
|
|
solc_binary = 'solc'
|
|
except:
|
|
exitWithError('No solidity compiler found, please make sure it is installed or specify it manually.')
|
|
|
|
# Establish RPC/IPC connection if necessary
|
|
|
|
if (args.address or len(args.solidity_file) or args.init_db):
|
|
|
|
if args.infura_mainnet:
|
|
eth = EthJsonRpc('mainnet.infura.io', 443, True)
|
|
elif args.infura_rinkeby:
|
|
eth = EthJsonRpc('rinkeby.infura.io', 443, True)
|
|
elif args.infura_kovan:
|
|
eth = EthJsonRpc('kovan.infura.io', 443, True)
|
|
elif args.infura_ropsten:
|
|
eth = EthJsonRpc('ropsten.infura.io', 443, True)
|
|
elif args.ganache:
|
|
eth = EthJsonRpc('localhost', 7545, False)
|
|
elif args.rpc:
|
|
|
|
try:
|
|
host, port = args.rpc.split(":")
|
|
except ValueError:
|
|
exitWithError("Invalid RPC argument, use HOST:PORT")
|
|
|
|
tls = args.rpctls
|
|
|
|
eth = EthJsonRpc(host, int(port), tls)
|
|
else:
|
|
eth = EthIpc()
|
|
|
|
|
|
# Database search ops
|
|
|
|
if args.search or args.init_db:
|
|
|
|
contract_storage = get_persistent_storage(mythril_dir)
|
|
|
|
if (args.search):
|
|
|
|
try:
|
|
contract_storage.search(args.search, searchCallback)
|
|
except SyntaxError:
|
|
exitWithError("Syntax error in search expression.")
|
|
|
|
elif (args.init_db):
|
|
try:
|
|
contract_storage.initialize(eth, args.sync_all)
|
|
except FileNotFoundError as e:
|
|
print("Error syncing database over IPC: " + str(e))
|
|
except ConnectionError as e:
|
|
print("Could not connect to RPC server. Make sure that your node is running and that RPC parameters are set correctly.")
|
|
|
|
|
|
sys.exit()
|
|
|
|
|
|
# Load / compile input contracts
|
|
|
|
contracts = []
|
|
|
|
if (args.code):
|
|
contracts.append(ETHContract(args.code, name="MAIN", address = util.get_indexed_address(0)))
|
|
|
|
# Get bytecode from a contract address
|
|
|
|
elif (args.address):
|
|
|
|
if not re.match(r'0x[a-fA-F0-9]{40}', args.address):
|
|
exitWithError("Invalid contract address. Expected format is '0x...'.")
|
|
|
|
try:
|
|
code = eth.eth_getCode(args.address)
|
|
|
|
if (code == "0x"):
|
|
exitWithError("Received an empty response from eth_getCode. Check the contract address and verify that you are on the correct chain.")
|
|
|
|
except FileNotFoundError as e:
|
|
exitWithError("IPC error: " + str(e))
|
|
except ConnectionError as e:
|
|
exitWithError("Could not connect to RPC server. Make sure that your node is running and that RPC parameters are set correctly.")
|
|
|
|
contracts.append(ETHContract(code, name=args.address, address = args.address))
|
|
|
|
# Compile Solidity source file(s)
|
|
|
|
elif (len(args.solidity_file)):
|
|
|
|
if(args.graph and len(args.solidity_file) > 1):
|
|
exitWithError("Cannot generate call graphs from multiple input files. Please do it one at a time.")
|
|
|
|
for file in args.solidity_file:
|
|
|
|
file = file.replace("~", str(Path.home())) # Expand user path
|
|
|
|
signatures.add_signatures_from_file(file, sigs) # Parse file for new function signatures
|
|
|
|
try:
|
|
contract = SolidityContract(file)
|
|
contracts.append(contract)
|
|
except CompilerError as e:
|
|
exitWithError(e)
|
|
except NoContractFoundError:
|
|
print("The file " + file + " does not contain a compilable contract.")
|
|
|
|
# Save updated function signatures
|
|
|
|
with open(signatures_file, 'w') as f:
|
|
json.dump(sigs, f)
|
|
|
|
else:
|
|
exitWithError("No input bytecode. Please provide EVM code via -c BYTECODE, -a ADDRESS, or -i SOLIDITY_FILES")
|
|
|
|
# Commands
|
|
|
|
if args.storage:
|
|
if not args.address:
|
|
exitWithError("To read storage, provide the address of a deployed contract with the -a option.")
|
|
else:
|
|
position = 0
|
|
length = 1
|
|
array = 0
|
|
|
|
try:
|
|
params = (args.storage).split(",")
|
|
if len(params) >= 1 and len(params) <= 3:
|
|
position = int(params[0])
|
|
if len(params) >= 2 and len(params) <= 3:
|
|
length = int(params[1])
|
|
if len(params) == 3:
|
|
if re.match("array",params[2]):
|
|
array = 1
|
|
if len(params) >= 4:
|
|
exitWithError("Invalid number of parameters.")
|
|
except ValueError:
|
|
exitWithError("Invalid storage index. Please provide a numeric value.")
|
|
|
|
if array:
|
|
position_formated = str(position).zfill(64)
|
|
position = int(Web3.sha3(position_formated),16)
|
|
|
|
|
|
try:
|
|
if length == 1:
|
|
print("{}: ".format(position) + eth.eth_getStorageAt(args.address, position));
|
|
else:
|
|
for i in range(position, position + length):
|
|
print("{}: ".format(hex(i)) + eth.eth_getStorageAt(args.address, i));
|
|
except FileNotFoundError as e:
|
|
exitWithError("IPC error: " + str(e))
|
|
except ConnectionError as e:
|
|
exitWithError("Could not connect to RPC server. Make sure that your node is running and that RPC parameters are set correctly.")
|
|
|
|
|
|
elif (args.disassemble):
|
|
|
|
easm_text = contracts[0].get_easm()
|
|
sys.stdout.write(easm_text)
|
|
|
|
elif (args.xrefs):
|
|
|
|
print("\n".join(contracts[0].get_xrefs()))
|
|
|
|
elif (args.graph) or (args.fire_lasers):
|
|
|
|
if (args.graph):
|
|
|
|
if (args.dynld):
|
|
states = StateSpace(contracts, dynloader=DynLoader(eth), max_depth=args.max_depth)
|
|
else:
|
|
states = StateSpace(contracts, max_depth=args.max_depth)
|
|
|
|
if args.enable_physics is not None:
|
|
physics = True
|
|
|
|
html = generate_graph(states, args.enable_physics)
|
|
|
|
try:
|
|
with open(args.graph, "w") as f:
|
|
f.write(html)
|
|
except Exception as e:
|
|
print("Error saving graph: " + str(e))
|
|
|
|
else:
|
|
|
|
issues = []
|
|
report = Report()
|
|
|
|
for contract in contracts:
|
|
|
|
if (args.dynld):
|
|
states = StateSpace([contract], dynloader=DynLoader(eth), max_depth=args.max_depth)
|
|
else:
|
|
states = StateSpace([contract], max_depth=args.max_depth)
|
|
|
|
issues = fire_lasers(states)
|
|
|
|
if len(issues):
|
|
if (type(contract) == SolidityContract):
|
|
|
|
disassembly = contract.get_disassembly()
|
|
|
|
for issue in issues:
|
|
|
|
if (issue.pc):
|
|
|
|
index = helper.get_instruction_index(disassembly.instruction_list, issue.pc)
|
|
solidity_file = contract.solidity_files[contract.mappings[index].solidity_file_idx]
|
|
|
|
issue.filename = solidity_file.filename
|
|
|
|
offset = contract.mappings[index].offset
|
|
length = contract.mappings[index].length
|
|
|
|
issue.code = solidity_file.data[offset:offset+length]
|
|
|
|
for i in range(0, len(issues)):
|
|
report.append_issue(issues[i])
|
|
|
|
if len(report.issues):
|
|
|
|
if (args.outform == 'text'):
|
|
print(report.as_text())
|
|
elif (args.outform == 'json'):
|
|
print(report.as_json())
|
|
elif (args.outform == 'markdown'):
|
|
print(report.as_markdown())
|
|
|
|
else:
|
|
print("The analysis was completed successfully. No issues were detected.")
|
|
|
|
else:
|
|
parser.print_help()
|
|
|