def detect_fake_eos(vm, name) -> None:
    """Run the fake-EOS transfer check against the contract's ``apply`` entry.

    The "fake EOS" attack sends a ``transfer`` action from a token contract
    that is not ``eosio.token``; a contract that does not check the ``code``
    account treats it as a genuine EOS deposit. Here ``apply`` is executed
    symbolically with the receiver fixed to ``name`` and the action fixed to
    ``transfer``, while the ``code`` account stays symbolic but is constrained
    to be neither the receiver itself nor ``eosio.token`` — i.e. exactly the
    notifications a vulnerable contract would wrongly accept.

    Args:
        vm: WebAssembly module execution environment (store, module
            instance and ``exec_by_address``).
        name: account name of the contract under analysis.

    Returns:
        None. Findings are recorded by the engine via ``global_vars``; this
        function only sets up the run and restores the execution mode.
    """
    if global_vars.apply_function_address is None:
        return  # no apply() was resolved for this module: nothing to check
    global_vars.fake_detect()  # switch the engine into fake-EOS detection mode
    # apply(receiver, code, action) takes three i64 names and returns nothing;
    # any other signature is not an EOSIO entry point we know how to drive.
    expected_type = structure.FunctionType()
    expected_type.args = bytearray([bin_format.i64] * 3)
    expected_type.rets = bytearray()
    apply_addr = vm.module_instance.funcaddrs[global_vars.apply_function_address]
    apply_func = vm.store.funcs[apply_addr]
    global_vars.fake_detect()
    if apply_func.functype == expected_type:
        sym_args = utils.gen_symbolic_args(apply_func)
        # The engine reads the argument list back through global_vars; the
        # same list object is mutated below, so it sees the concrete values.
        global_vars.apply_params = sym_args
        sym_args[0] = utils.eos_abi_to_int(name)        # receiver
        sym_args[2] = utils.eos_abi_to_int('transfer')  # action
        # ``code`` (index 1) stays symbolic: not the contract itself and not
        # the real token contract, so every solution models a forged sender.
        initial_constraints = [
            sym_args[0] != sym_args[1],
            sym_args[1] != utils.eos_abi_to_int('eosio.token'),
        ]
        vm.exec_by_address(global_vars.apply_function_address,
                           sym_args, initial_constraints)
    global_vars.sym_exec()  # back to plain symbolic execution
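def locate_transfer(vm, name):
    """Concretely execute ``apply`` to let the engine locate the transfer handler.

    Drives ``apply(receiver=name, code='eosio.token', action='transfer')``
    with fully concrete arguments while the engine is in locate mode, so the
    engine can record which function handles a genuine EOS transfer. The
    result is communicated through ``global_vars``, not returned.

    Args:
        vm: virtual machine holding the store, module instance and
            ``exec_by_address``.
        name: account name of the contract under analysis.

    Returns:
        None.
    """
    if global_vars.apply_function_address is None:
        return
    # apply() must take three i64 names and return nothing before it is
    # driven with the (receiver, code, action) triple.
    apply_func_type = structure.FunctionType()
    apply_func_type.args = bytearray([bin_format.i64, bin_format.i64, bin_format.i64])
    apply_func_type.rets = bytearray()
    apply_func = vm.store.funcs[vm.module_instance.funcaddrs[global_vars.apply_function_address]]
    global_vars.locate()
    if apply_func.functype == apply_func_type:
        params = [
            utils.eos_abi_to_int(name),           # receiver
            utils.eos_abi_to_int('eosio.token'),  # code: the real token contract
            utils.eos_abi_to_int('transfer'),     # action
        ]
        global_vars.locate()
        try:
            vm.exec_by_address(global_vars.apply_function_address, params)
        except AssertionError as e:
            # The engine asserts when the path cannot be executed with these
            # concrete arguments; report it as an unreachable transfer.
            logger.println(f'unreachable transfer: {e}')
        except SystemExit:
            # The engine presumably aborts the run with SystemExit once the
            # transfer handler has been reached and recorded.
            # NOTE(review): this also swallows a genuine sys.exit() raised
            # during execution — confirm the engine is the only source.
            logger.debugln('transfer found')
    global_vars.sym_exec()  # leave locate mode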
def detect_forged_transfer(store, frame, index):
    """Check the table entry at ``index`` for forged-notification handling.

    Called by the engine when it executes a ``tee_local`` instruction during
    symbolic execution. The function is resolved through the module's first
    table, run with fresh symbolic arguments in forged-transfer detection
    mode, and reported as a forged-notification candidate when the engine
    did not observe the expected recipient check during that run.

    Args:
        store: the WebAssembly store (functions and tables).
        frame: the current execution frame; supplies the module instance.
        index: element index into table 0 of the transfer function.

    Returns:
        None. Findings are recorded via ``global_vars``.
    """
    global_vars.forged_detect()  # switch the engine into forged-transfer detection mode
    module_inst = frame.module
    # NOTE(review): only table 0 is consulted and its element at ``index``
    # is assumed to be initialised; an empty table list or an unset element
    # would raise here — confirm the caller guarantees both.
    first_table = store.tables[module_inst.tableaddrs[0]]
    target = store.funcs[first_table.elem[index]]
    sym_args = utils.gen_symbolic_args(target)
    global_vars.vm.exec_by_index(index, sym_args)
    if not global_vars.found_to_check:
        # found_to_check is presumably raised by the engine when the handler
        # validates the notification's recipient; without it the contract
        # appears to act on transfers that were not addressed to it.
        global_vars.find_forged_notification()
    global_vars.sym_exec()  # back to plain symbolic execution