def _run_test_case_on_contract(self, contract_code, conc_txs):
m2 = ManticoreEVM()
owner_account = m2.create_account(
balance=10**10,
name="owner",
address=self._main_evm.accounts.get('owner').address)
attacker_account = m2.create_account(
balance=10**10,
name="attacker",
address=self._main_evm.accounts.get('attacker').address)
try:
call_args = get_argument_from_create_transaction(
self._main_evm, conc_txs[0])
create_value = m2.make_symbolic_value()
m2.constrain(create_value == conc_txs[0].value)
contract_account = solidity_create_contract_with_zero_price(
m2,
contract_code,
owner=owner_account,
args=call_args,
balance=create_value,
gas=0,
)
except Exception as e:
return m2
for conc_tx in conc_txs[1:]:
try:
m2.transaction(
caller=conc_tx.caller,
address=contract_account,
value=conc_tx.value,
data=conc_tx.
data, # data has all needed metadata like function id ([:4]) and argument passed to function
gas=0,
price=0)
except Exception as e:
return m2
return m2
source_code = f.read()
# Create one user account
# And deploy the contract
user_account = m.create_account(balance=1000)
#tmp_account1 = m.create_account(balance=1000)
#tmp_account2 = m.create_account(balance=1000)
#print(hex(int(user_account)))
#print(hex(int(tmp_account1)))
#print(hex(int(tmp_account2)))
#print("-------\n")
from_account = m.make_symbolic_value()
to_account = m.make_symbolic_value()
m.constrain(from_account != to_account)
#print(hex(int(user_account)))
#print(hex(int(from_account)))
#print(hex(int(to_account)))
contract_account = m.solidity_create_contract(source_code, owner=user_account, balance=0)
contract_account.balanceOf(to_account, caller=user_account)
contract_account.balanceOf(from_account, caller=user_account)
contract_account.balanceOf(user_account, caller=user_account)
symbolic_val1 = m.make_symbolic_value()
#m.constrain(symbolic_val1 > 100)
contract_account.transfer(to_account, symbolic_val1, caller=from_account)
contract_account.balanceOf(user_account, caller=user_account)
def manticore_verifier(
source_code,
contract_name,
maxfail=None,
maxt=3,
maxcov=100,
deployer=None,
senders=None,
psender=None,
propre=r"crytic_.*",
compile_args=None,
outputspace_url=None,
timeout=100,
):
""" Verify solidity properties
The results are dumped to stdout and to the workspace folder.
$manticore-verifier property.sol --contract TestToken --smt.solver yices --maxt 4
# Owner account: 0xf3c67ffb8ab4cdd4d3243ad247d0641cd24af939
# Contract account: 0x6f4b51ac2eb017600e9263085cfa06f831132c72
# Sender_0 account: 0x97528a0c7c6592772231fd581e5b42125c1a2ff4
# PSender account: 0x97528a0c7c6592772231fd581e5b42125c1a2ff4
# Found 2 properties: crytic_test_must_revert, crytic_test_balance
# Exploration will stop when some of the following happens:
# * 4 human transaction sent
# * Code coverage is greater than 100% meassured on target contract
# * No more coverage was gained in the last transaction
# * At least 2 different properties where found to be breakable. (1 for fail fast)
# * 240 seconds pass
# Starting exploration...
Transactions done: 0. States: 1, RT Coverage: 0.0%, Failing properties: 0/2
Transactions done: 1. States: 2, RT Coverage: 55.43%, Failing properties: 0/2
Transactions done: 2. States: 8, RT Coverage: 80.48%, Failing properties: 1/2
Transactions done: 3. States: 30, RT Coverage: 80.48%, Failing properties: 1/2
No coverage progress. Stopping exploration.
Coverage obtained 80.48%. (RT + prop)
+-------------------------+------------+
| Property Named | Status |
+-------------------------+------------+
| crytic_test_balance | failed (0) |
| crytic_test_must_revert | passed |
+-------------------------+------------+
Checkout testcases here:./mcore_6jdil7nh
:param maxfail: stop after maxfail properties are failing. All if None
:param maxcov: Stop after maxcov % coverage is obtained in the main contract
:param maxt: Max transaction count to explore
:param deployer: (optional) address of account used to deploy the contract
:param senders: (optional) a list of calles addresses for the exploration
:param psender: (optional) address from where the property is tested
:param source_code: A filename or source code
:param contract_name: The target contract name defined in the source code
:param propre: A regular expression for selecting properties
:param outputspace_url: where to put the extended result
:param timeout: timeout in seconds
:return:
"""
# Termination condition
# Exploration will stop when some of the following happens:
# * MAXTX human transaction sent
# * Code coverage is greater than MAXCOV meassured on target contract
# * No more coverage was gained in the last transaction
# * At least MAXFAIL different properties where found to be breakable. (1 for fail fast)
# Max transaction count to explore
MAXTX = maxt
# Max coverage % to get
MAXCOV = maxcov
# Max different properties fails
MAXFAIL = maxfail
config.get_group("smt").timeout = 120
config.get_group("smt").memory = 16384
config.get_group("evm").ignore_balance = True
config.get_group("evm").oog = "ignore"
print("# Welcome to manticore-verifier")
# Main manticore manager object
m = ManticoreEVM()
# avoid all human level tx that are marked as constant (have no effect on the storage)
filter_out_human_constants = FilterFunctions(regexp=r".*",
depth="human",
mutability="constant",
include=False)
m.register_plugin(filter_out_human_constants)
filter_out_human_constants.disable()
# Avoid automatically exploring property
filter_no_crytic = FilterFunctions(regexp=propre, include=False)
m.register_plugin(filter_no_crytic)
filter_no_crytic.disable()
# Only explore properties (at human level)
filter_only_crytic = FilterFunctions(regexp=propre,
depth="human",
fallback=False,
include=True)
m.register_plugin(filter_only_crytic)
filter_only_crytic.disable()
# And now make the contract account to analyze
# User accounts. Transactions trying to break the property are send from one
# of this
senders = (None, ) if senders is None else senders
user_accounts = []
for n, address_i in enumerate(senders):
user_accounts.append(
m.create_account(balance=10**10,
address=address_i,
name=f"sender_{n}"))
# the address used for deployment
owner_account = m.create_account(balance=10**10,
address=deployer,
name="deployer")
# the target contract account
contract_account = m.solidity_create_contract(
source_code,
owner=owner_account,
contract_name=contract_name,
compile_args=compile_args,
name="contract_account",
)
# the address used for checking porperties
checker_account = m.create_account(balance=10**10,
address=psender,
name="psender")
print(f"# Owner account: 0x{int(owner_account):x}")
print(f"# Contract account: 0x{int(contract_account):x}")
for n, user_account in enumerate(user_accounts):
print(f"# Sender_{n} account: 0x{int(user_account):x}")
print(f"# PSender account: 0x{int(checker_account):x}")
properties = {}
md = m.get_metadata(contract_account)
for func_hsh in md.function_selectors:
func_name = md.get_abi(func_hsh)["name"]
if re.match(propre, func_name):
properties[func_name] = []
print(
f"# Found {len(properties)} properties: {', '.join(properties.keys())}"
)
if not properties:
print("I am sorry I had to run the init bytecode for this.\n"
"Good Bye.")
return
MAXFAIL = len(properties) if MAXFAIL is None else MAXFAIL
tx_num = 0 # transactions count
current_coverage = None # obtained coverge %
new_coverage = 0.0
print(f"""# Exploration will stop when some of the following happens:
# * {MAXTX} human transaction sent
# * Code coverage is greater than {MAXCOV}% meassured on target contract
# * No more coverage was gained in the last transaction
# * At least {MAXFAIL} different properties where found to be breakable. (1 for fail fast)
# * {timeout} seconds pass""")
print("# Starting exploration...")
print(
f"Transactions done: {tx_num}. States: {m.count_ready_states()}, RT Coverage: {0.00}%, "
f"Failing properties: 0/{len(properties)}")
with m.kill_timeout(timeout=timeout):
while not m.is_killed():
# check if we found a way to break more than MAXFAIL properties
broken_properties = sum(
int(len(x) != 0) for x in properties.values())
if broken_properties >= MAXFAIL:
print(
f"Found {broken_properties}/{len(properties)} failing properties. Stopping exploration."
)
break
# check if we sent more than MAXTX transaction
if tx_num >= MAXTX:
print(f"Max number of transactions reached ({tx_num})")
break
tx_num += 1
# check if we got enough coverage
new_coverage = m.global_coverage(contract_account)
if new_coverage >= MAXCOV:
print(
f"Current coverage({new_coverage}%) is greater than max allowed ({MAXCOV}%). Stopping exploration."
)
break
# check if we have made coverage progress in the last transaction
if current_coverage == new_coverage:
print(f"No coverage progress. Stopping exploration.")
break
current_coverage = new_coverage
# Make sure we didn't time out before starting first transaction
if m.is_killed():
print("Cancelled or timeout.")
break
# Explore all methods but the "crytic_" properties
# Note: you may be tempted to get all valid function ids/hashes from the
# metadata and to constrain the first 4 bytes of the calldata here.
# This wont work because we also want to prevent the contract to call
# crytic added methods as internal transactions
filter_no_crytic.enable() # filter out crytic_porperties
filter_out_human_constants.enable() # Exclude constant methods
filter_only_crytic.disable(
) # Exclude all methods that are not property checks
symbolic_data = m.make_symbolic_buffer(320)
symbolic_value = m.make_symbolic_value()
caller_account = m.make_symbolic_value(160)
args = tuple(
(caller_account == address_i for address_i in user_accounts))
m.constrain(OR(*args, False))
m.transaction(
caller=caller_account,
address=contract_account,
value=symbolic_value,
data=symbolic_data,
)
# check if timeout was requested during the previous transaction
if m.is_killed():
print("Cancelled or timeout.")
break
m.clear_terminated_states() # no interest in reverted states
m.take_snapshot() # make a copy of all ready states
print(
f"Transactions done: {tx_num}. States: {m.count_ready_states()}, "
f"RT Coverage: {m.global_coverage(contract_account):3.2f}%, "
f"Failing properties: {broken_properties}/{len(properties)}")
# check if timeout was requested while we were taking the snapshot
if m.is_killed():
print("Cancelled or timeout.")
break
# And now explore all properties (and only the properties)
filter_no_crytic.disable() # Allow crytic_porperties
filter_out_human_constants.disable(
) # Allow them to be marked as constants
filter_only_crytic.enable(
) # Exclude all methods that are not property checks
symbolic_data = m.make_symbolic_buffer(4)
m.transaction(caller=checker_account,
address=contract_account,
value=0,
data=symbolic_data)
for state in m.all_states:
world = state.platform
tx = world.human_transactions[-1]
md = m.get_metadata(tx.address)
"""
A is _broken_ if:
* is normal property
* RETURN False
OR:
* property name ends with 'revert'
* does not REVERT
Property is considered to _pass_ otherwise
"""
N = constrain_to_known_func_ids(state)
for func_id in map(bytes, state.solve_n(tx.data[:4],
nsolves=N)):
func_name = md.get_abi(func_id)["name"]
if not func_name.endswith("revert"):
# Property does not ends in "revert"
# It must RETURN a 1
if tx.return_value == 1:
# TODO: test when property STOPs
return_data = ABI.deserialize(
"bool", tx.return_data)
testcase = m.generate_testcase(
state,
f"property {md.get_func_name(func_id)} is broken",
only_if=AND(tx.data[:4] == func_id,
return_data == 0),
)
if testcase:
properties[func_name].append(testcase.num)
else:
# property name ends in "revert" so it MUST revert
if tx.result != "REVERT":
testcase = m.generate_testcase(
state,
f"Some property is broken did not reverted.(MUST REVERTED)",
only_if=tx.data[:4] == func_id,
)
if testcase:
properties[func_name].append(testcase.num)
m.clear_terminated_states(
) # no interest in reverted states for now!
m.goto_snapshot()
else:
print("Cancelled or timeout.")
m.clear_terminated_states()
m.clear_ready_states()
m.clear_snapshot()
if m.is_killed():
print("Exploration ended by CTRL+C or timeout")
print(f"Coverage obtained {new_coverage:3.2f}%. (RT + prop)")
x = PrettyTable()
x.field_names = ["Property Named", "Status"]
for name, testcases in sorted(properties.items()):
result = "passed"
if testcases:
result = f"failed ({testcases[0]})"
x.add_row((name, result))
print(x)
m.clear_ready_states()
workspace = os.path.abspath(m.workspace)[len(os.getcwd()) + 1:]
print(f"Checkout testcases here:./{workspace}")
from manticore.core.smtlib import Operators
from manticore.core.smtlib.solver import Z3Solver
from manticore.core.manticore import ManticoreBase
#ManticoreBase.verbosity(5)
m = ManticoreEVM()
solver = Z3Solver.instance()
with open('AP2.sol') as f:
source_code = f.read()
user_account = m.create_account(balance=1000)
spender_account = m.make_symbolic_value()
m.constrain(spender_account != user_account)
contract_account = m.solidity_create_contract(source_code,
owner=user_account,
balance=0,
args=None)
#contract_account.balanceOf(spender_account, caller=user_account)
contract_account.balanceOf(user_account, caller=user_account)
for state in m.ready_states:
val = state.platform.transactions[-1].return_data
val = ABI.deserialize("uint", val)
symbolic_val = m.make_symbolic_value()
m.constrain(symbolic_val > val)
from manticore.ethereum import ManticoreEVM
from manticore.core.smtlib import Operators
from manticore.core.smtlib import solver
m = ManticoreEVM() # initiate the blockchain
with open('contract.sol', 'rb') as f:
contract_src = f.read()
user_account = m.create_account(balance=1000)
attacker_account = m.create_account(balance=1000)
contract_account = m.solidity_create_contract(contract_src,
owner=user_account,
balance=0)
sym_arg = m.make_symbolic_value(name='arg1')
contract_account.method(sym_arg, caller=user_account)
cond = sym_arg < 10
cond2 = sym_arg > 5
m.constrain(cond)
m.constrain(cond2)
# States
# [m.all_states, m.running_states, m.terminated_states]
counter = 0
for state in m.running_states:
state.generate_testcase('test{}'.format(counter))
counter += 1
m = ManticoreEVM()
solver = Z3Solver.instance()
with open('test08.sol') as f:
source_code = f.read()
# Create one user account
# And deploy the contract
user_account = m.create_account(balance=1000)
contract_account = m.solidity_create_contract(source_code,
owner=user_account,
balance=0)
symbolic_val = m.make_symbolic_value()
m.constrain(symbolic_val > 0)
m.constrain(symbolic_val < 100)
symbolic_spender = m.make_symbolic_value(name="ADDRESS")
m.constrain(symbolic_spender != user_account)
contract_account.allowance(user_account, symbolic_spender)
contract_account.approve(symbolic_spender, symbolic_val, caller=user_account)
contract_account.allowance(user_account, symbolic_spender)
#print("TEST21! see {}".format(m.workspace))
for state in m.all_states:
state.constrain(symbolic_spender != user_account)
if solver.check(state.constraints):
print("TEST21! see {}".format(m.workspace))
m.generate_testcase(state, name="TEST21")
solver = Z3Solver.instance()
with open('test08.sol') as f:
source_code = f.read()
# Create one user account
# And deploy the contract
user_account = m.create_account(balance=100)
symbolic_spender = m.create_account(balance=101)
contract_account = m.solidity_create_contract(source_code, owner=user_account, balance=0)
contract_account.balanceOf(user_account)
for state in m.ready_states:
val = state.platform.transactions[-1].return_data
val = ABI.deserialize("uint", val)
symbolic_val = m.make_symbolic_value()
m.constrain(symbolic_val > 0)
m.constrain(symbolic_val <= val)
contract_account.allowance(user_account,symbolic_spender)
contract_account.approve(symbolic_spender, symbolic_val, caller=user_account)
contract_account.allowance(user_account,symbolic_spender)
for state in m.all_states:
print("TEST21! see {}".format(m.workspace))
m.generate_testcase(state, name="TEST21")
from manticore import config
from manticore.ethereum import ManticoreEVM, ABI
m = ManticoreEVM()
config.get_group("smt").timeout = 3600
config.get_group("evm").oog = "ignore"
controller = m.create_account(balance=1 * 10**18)
contract = m.solidity_create_contract('.',
contract_name='ManticoreTest',
owner=controller,
compile_args={'ignore_compile': True})
underlying = m.make_symbolic_value()
exchangeRate = m.make_symbolic_value()
roundUp = m.make_symbolic_value(8)
#All arguments nonzero
m.constrain(underlying != 0)
m.constrain(exchangeRate != 0)
#roundUp true
m.constrain(roundUp != 0)
#Execute the transaction
contract.fromUnderlying(underlying, exchangeRate, roundUp)
#You can replace that with concrete values to reproduce it if a bug is found
#contract.fromUnderlying(1,14474011154664523624477350999513853985339507749031138909263555379280740351999,0)
#Now Check that the result is nonzero in all possible states
for st in m.ready_states:
assert (len(st.platform.human_transactions) == 2
), "All ready states must have executed 2 human transactions"
assert (st.platform.human_transactions[-1].result == "RETURN"
), "All ready states must have a successful last tx"
m = ManticoreEVM()
solver = Z3Solver.instance()
with open('test10.sol') as f:
source_code = f.read()
# Create one user account
# And deploy the contract
user_account = m.create_account(balance=100)
to_account = m.create_account(balance=101)
contract_account = m.solidity_create_contract(source_code, owner=user_account, balance=0)
contract_account.balanceOf(to_account)
contract_account.balanceOf(user_account)
for state in m.ready_states:
val = state.platform.transactions[-1].return_data
val = ABI.deserialize("uint", val)
symbolic_val = m.make_symbolic_value()
m.constrain(symbolic_val > val)
contract_account.transfer(to_account, symbolic_val, caller=user_account)
for state in m.all_states:
print("TEST10! see {}".format(m.workspace))
m.generate_testcase(state, name="TEST10")
from manticore.core.smtlib import Operators
from manticore.core.smtlib.solver import Z3Solver
from manticore.core.manticore import ManticoreBase
#ManticoreBase.verbosity(5)
m = ManticoreEVM()
solver = Z3Solver.instance()
with open('AP2.sol') as f:
source_code = f.read()
user_account = m.create_account(balance=1000)
spender_account = m.make_symbolic_value()
m.constrain(spender_account != user_account)
symbolic_to = m.make_symbolic_value()
m.constrain(symbolic_to != user_account)
contract_account = m.solidity_create_contract(source_code,
owner=user_account,
balance=0,
args=None)
#contract_account.balanceOf(spender_account, caller=user_account)
contract_account.balanceOf(user_account, caller=user_account)
contract_account.allowance(user_account, spender_account)
symbolic_approve = m.make_symbolic_value()
contract_account.approve(spender_account,
Log("Got something else");
}
}
}
'''
user_account = m.create_account(balance=1000, name='user_account')
print "[+] Creating a user account", user_account.name
contract_account = m.solidity_create_contract(source_code,
owner=user_account,
name='contract_account')
print "[+] Creating a contract account", contract_account.name
contract_account.named_func(1)
print "[+] Now the symbolic values"
symbolic_data = m.make_symbolic_buffer(320)
symbolic_value = m.make_symbolic_value(name="VALUE")
symbolic_address = m.make_symbolic_value(name="ADDRESS")
m.constrain(
Operators.OR(symbolic_address == contract_account,
symbolic_address == user_account))
m.transaction(caller=user_account,
address=symbolic_address,
data=symbolic_data,
value=symbolic_value)
#Let seth know we are not sending more transactions
m.finalize()
print "[+] Look for results in %s" % m.workspace
from manticore.core.smtlib.solver import Z3Solver
###### Initialization ######
m = ManticoreEVM()
solver = Z3Solver.instance()
with open('test22.sol') as f:
source_code = f.read()
# Create one user account
# And deploy the contract
user_account = m.create_account(balance=1000)
contract_account = m.solidity_create_contract(source_code,
owner=user_account,
balance=0)
symbolic_spender = m.make_symbolic_value(name="ADDRESS")
m.constrain(symbolic_spender != user_account)
symbolic_val = m.make_symbolic_value()
contract_account.allowance(user_account, symbolic_spender)
contract_account.approve(symbolic_spender, symbolic_val, caller=user_account)
contract_account.allowance(user_account, symbolic_spender)
print("TEST23! see {}".format(m.workspace))
for state in m.all_states:
m.generate_testcase(state, name="TEST23")
