def add(self, constraint, check=False):
'''
Add a constraint to the set
:param constraint: The constraint to add to the set.
:param check: Currently unused.
:return:
'''
if isinstance(constraint, bool):
constraint = BoolConstant(constraint)
assert isinstance(constraint, Bool)
constraint = simplify(constraint)
# If self._child is not None this constraint set has been forked and a
# a derived constraintset may be using this. So we can't add any more
# constraints to this one. After the child constraintSet is deleted
# we regain the ability to add constraints.
if self._child is not None:
raise Exception('ConstraintSet is frozen')
if isinstance(constraint, BoolConstant):
if not constraint.value:
logger.info("Adding an impossible constant constraint")
self._constraints = [constraint]
else:
return
self._constraints.append(constraint)
if check:
from manticore.core.smtlib import solver
if not solver.check(self):
raise ValueError("Added an impossible constraint")
def constraints_are_sat(cons):
'Whether constraints are sat'
return solver.check(constraints_to_constraintset(cons))
with open('overflow.sol') as f:
source_code = f.read()
# Generate the accounts
user_account = m.create_account(balance=1000)
contract_account = m.solidity_create_contract(source_code,
owner=user_account,
balance=0)
#First add won't overflow uint256 representation
value_0 = m.make_symbolic_value()
contract_account.add(value_0, caller=user_account)
#Potential overflow
value_1 = m.make_symbolic_value()
contract_account.add(value_1, caller=user_account)
contract_account.sellerBalance(caller=user_account)
for state in m.running_states:
# Check if input0 > sellerBalance
# last_return is the data returned
last_return = state.platform.transactions[-1].return_data
# retrieve last_return and input0 in a similar format
last_return = Operators.CONCAT(256, *last_return)
state.constrain(Operators.UGT(value_0, last_return))
if solver.check(state.constraints):
print("Overflow found! see {}".format(m.workspace))
m.generate_testcase(state, 'OverflowFound')
print "Creator account: 0x%x (%d)"%(creator_account, creator_account)
print "Attacker account: 0x%x (%d)"%(attacker_account, attacker_account)
# Deposit 1 ether, from the creator
contract_account.deposit(caller=creator_account, value=10**18)
# Two raw transactions from the attacker
symbolic_data = m.make_symbolic_buffer(320)
m.transaction(caller=attacker_account,
address=contract_account,
data=symbolic_data,
value=0)
symbolic_data = m.make_symbolic_buffer(320)
m.transaction(caller=attacker_account,
address=contract_account,
data=symbolic_data,
value=0)
for state in m.running_states:
# Check if the attacker can ends with some ether
balance = state.platform.get_balance(attacker_account)
state.constrain(balance > 1)
if solver.check(state.constraints):
print "Attacker can steal the ether! see %s"%m.workspace
m.generate_testcase(state, 'WalletHack')
