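def detect_fake_eos(vm, name) -> None:
    """Symbolically run ``apply`` to look for the fake EOS transfer flaw.

    The contract's ``apply`` function is executed with symbolic arguments
    under the scenario the check is about: a ``transfer`` action delivered
    to this contract whose second argument is neither the contract itself
    nor ``eosio.token``. The argument order is presumably EOSIO's
    ``apply(receiver, code, action)`` -- confirm against the ABI in use.

    Args:
        vm: WebAssembly module execution environment.
        name: the name of the current contract.

    Returns:
        None. Nothing is returned; whatever the run finds is presumably
        recorded through ``global_vars`` (not visible in this block).
    """
    if global_vars.apply_function_address is None:
        # No apply entry point was located, so there is nothing to analyse.
        return

    global_vars.fake_detect()  # set flag for fake detection
    try:
        # Signature a candidate apply function must have: three i64
        # arguments and no return value.
        expected_type = structure.FunctionType()
        expected_type.args = bytearray(
            [bin_format.i64, bin_format.i64, bin_format.i64])
        expected_type.rets = bytearray()

        apply_func = vm.store.funcs[vm.module_instance.funcaddrs[
            global_vars.apply_function_address]]
        # NOTE(review): second fake_detect() call kept from the original; it
        # looks redundant, but its implementation is not visible here.
        global_vars.fake_detect()

        if apply_func.functype == expected_type:
            params = utils.gen_symbolic_args(apply_func)
            global_vars.apply_params = params
            # Pin the first and third arguments; the second stays symbolic
            # so the solver can explore every other sender of the action.
            params[0] = utils.eos_abi_to_int(name)
            params[2] = utils.eos_abi_to_int('transfer')
            init_constraints = [
                params[0] != params[1],
                params[1] != utils.eos_abi_to_int('eosio.token')
            ]
            vm.exec_by_address(global_vars.apply_function_address,
                               params, init_constraints)
    finally:
        # Always leave fake-detection mode, even if lookup or execution
        # raised; a stale global flag would skew every later analysis pass.
        global_vars.sym_exec()  # set the detection mode to False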
def _get_symbolic_params(self, address: int):
    """Build symbolic arguments for the function stored at ``address``.

    Args:
        address: function address, used as an index into
            ``self.module_instance.funcaddrs``.

    Returns:
        The ordered list of symbolic parameters produced by
        ``utils.gen_symbolic_args`` for that function.
    """
    # Two-step lookup: module-level address -> store address -> function.
    # Nothing is invoked here; only the argument list is generated.
    store_addr = self.module_instance.funcaddrs[address]
    target = self.store.funcs[store_addr]
    symbolic_params = utils.gen_symbolic_args(target)
    return symbolic_params
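def detect_forged_transfer(store, frame, index):
    """Symbolically run the transfer handler to check for forged notifications.

    Called when the engine executes a ``tee_local`` instruction during
    symbolic execution. The function selected by ``index`` in the module's
    first table is run with symbolic arguments under forged-detection mode.

    Args:
        store: the variables collection (tables and functions).
        frame: the current execution frame; its module supplies the table.
        index: the index of the transfer function in ``table.elem``.

    Returns:
        None. The outcome is reported through ``global_vars``.
    """
    global_vars.forged_detect()
    try:
        module = frame.module
        table = store.tables[module.tableaddrs[0]]
        # NOTE(review): an out-of-range index or an empty table slot raises
        # here; the finally clause still restores the detection mode.
        transfer_func = store.funcs[table.elem[index]]
        params = utils.gen_symbolic_args(transfer_func)
        global_vars.vm.exec_by_index(index, params)
        # Record a finding only after the run completed. Presumably
        # found_to_check is set when execution reaches the guarding
        # comparison -- verify against global_vars.
        if not global_vars.found_to_check:
            global_vars.find_forged_notification()
    finally:
        # Always leave forged-detection mode, even on an exception, so the
        # enclosing symbolic execution does not continue in the wrong mode.
        global_vars.sym_exec()  # set the detection mode to False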