def detect_fake_eos(vm, name) -> None:
"""Fake eos transfer vulnerability analysis function.
Args:
name: the name of current contract
vm: WebAssembly module execution environment
Returns:
"""
if global_vars.apply_function_address is None:
return
global_vars.fake_detect() # set flag for fake detection
func_type = structure.FunctionType()
func_type.args = bytearray(
[bin_format.i64, bin_format.i64, bin_format.i64])
func_type.rets = bytearray()
apply_func = vm.store.funcs[vm.module_instance.funcaddrs[
global_vars.apply_function_address]]
global_vars.fake_detect()
if apply_func.functype == func_type:
params = utils.gen_symbolic_args(apply_func)
global_vars.apply_params = params
params[0] = utils.eos_abi_to_int(name)
params[2] = utils.eos_abi_to_int('transfer')
init_constraints = [
params[0] != params[1],
params[1] != utils.eos_abi_to_int('eosio.token')
]
vm.exec_by_address(global_vars.apply_function_address, params,
init_constraints)
global_vars.sym_exec() # set the detection mode to False
def locate_transfer(vm, name):
"""Using specific parameters to locate transfer function.
Args:
vm: virtual machine includes all env information
name: the name of contract
Returns:
"""
if global_vars.apply_function_address is None:
return
# check whether the type is valid transfer type
apply_func_type = structure.FunctionType()
apply_func_type.args = bytearray([bin_format.i64, bin_format.i64, bin_format.i64])
apply_func_type.rets = bytearray()
apply_func = vm.store.funcs[vm.module_instance.funcaddrs[global_vars.apply_function_address]]
global_vars.locate()
if apply_func.functype == apply_func_type:
params = [utils.eos_abi_to_int(name), utils.eos_abi_to_int('eosio.token'), utils.eos_abi_to_int('transfer')]
global_vars.locate()
try:
vm.exec_by_address(global_vars.apply_function_address, params)
except AssertionError as e:
logger.println(f'unreachable transfer: {e}')
except SystemExit as e:
logger.debugln(f'transfer found')
global_vars.sym_exec()
def detect_forged_transfer(store, frame, index):
"""Forge transfer notification vulnerability analysis function, and it is called
when engine execute tee_local instruction in symbolic execution.
Args:
frame: the current execution frame
store: the variables collection
index: the index of transfer function
Returns:
"""
global_vars.forged_detect()
module = frame.module
table = store.tables[module.tableaddrs[0]]
transfer_func = store.funcs[table.elem[index]]
params = utils.gen_symbolic_args(transfer_func)
global_vars.vm.exec_by_index(index, params)
if not global_vars.found_to_check:
global_vars.find_forged_notification()
global_vars.sym_exec() # set the detection mode to False