def _run_test_case_on_contract(self, contract_code, conc_txs): m2 = ManticoreEVM() owner_account = m2.create_account( balance=10**10, name="owner", address=self._main_evm.accounts.get('owner').address) attacker_account = m2.create_account( balance=10**10, name="attacker", address=self._main_evm.accounts.get('attacker').address) try: call_args = get_argument_from_create_transaction( self._main_evm, conc_txs[0]) create_value = m2.make_symbolic_value() m2.constrain(create_value == conc_txs[0].value) contract_account = solidity_create_contract_with_zero_price( m2, contract_code, owner=owner_account, args=call_args, balance=create_value, gas=0, ) except Exception as e: return m2 for conc_tx in conc_txs[1:]: try: m2.transaction( caller=conc_tx.caller, address=contract_account, value=conc_tx.value, data=conc_tx. data, # data has all needed metadata like function id ([:4]) and argument passed to function gas=0, price=0) except Exception as e: return m2 return m2
source_code = f.read() # Create one user account # And deploy the contract user_account = m.create_account(balance=1000) #tmp_account1 = m.create_account(balance=1000) #tmp_account2 = m.create_account(balance=1000) #print(hex(int(user_account))) #print(hex(int(tmp_account1))) #print(hex(int(tmp_account2))) #print("-------\n") from_account = m.make_symbolic_value() to_account = m.make_symbolic_value() m.constrain(from_account != to_account) #print(hex(int(user_account))) #print(hex(int(from_account))) #print(hex(int(to_account))) contract_account = m.solidity_create_contract(source_code, owner=user_account, balance=0) contract_account.balanceOf(to_account, caller=user_account) contract_account.balanceOf(from_account, caller=user_account) contract_account.balanceOf(user_account, caller=user_account) symbolic_val1 = m.make_symbolic_value() #m.constrain(symbolic_val1 > 100) contract_account.transfer(to_account, symbolic_val1, caller=from_account) contract_account.balanceOf(user_account, caller=user_account)
def manticore_verifier( source_code, contract_name, maxfail=None, maxt=3, maxcov=100, deployer=None, senders=None, psender=None, propre=r"crytic_.*", compile_args=None, outputspace_url=None, timeout=100, ): """ Verify solidity properties The results are dumped to stdout and to the workspace folder. $manticore-verifier property.sol --contract TestToken --smt.solver yices --maxt 4 # Owner account: 0xf3c67ffb8ab4cdd4d3243ad247d0641cd24af939 # Contract account: 0x6f4b51ac2eb017600e9263085cfa06f831132c72 # Sender_0 account: 0x97528a0c7c6592772231fd581e5b42125c1a2ff4 # PSender account: 0x97528a0c7c6592772231fd581e5b42125c1a2ff4 # Found 2 properties: crytic_test_must_revert, crytic_test_balance # Exploration will stop when some of the following happens: # * 4 human transaction sent # * Code coverage is greater than 100% meassured on target contract # * No more coverage was gained in the last transaction # * At least 2 different properties where found to be breakable. (1 for fail fast) # * 240 seconds pass # Starting exploration... Transactions done: 0. States: 1, RT Coverage: 0.0%, Failing properties: 0/2 Transactions done: 1. States: 2, RT Coverage: 55.43%, Failing properties: 0/2 Transactions done: 2. States: 8, RT Coverage: 80.48%, Failing properties: 1/2 Transactions done: 3. States: 30, RT Coverage: 80.48%, Failing properties: 1/2 No coverage progress. Stopping exploration. Coverage obtained 80.48%. (RT + prop) +-------------------------+------------+ | Property Named | Status | +-------------------------+------------+ | crytic_test_balance | failed (0) | | crytic_test_must_revert | passed | +-------------------------+------------+ Checkout testcases here:./mcore_6jdil7nh :param maxfail: stop after maxfail properties are failing. All if None :param maxcov: Stop after maxcov % coverage is obtained in the main contract :param maxt: Max transaction count to explore :param deployer: (optional) address of account used to deploy the contract :param senders: (optional) a list of calles addresses for the exploration :param psender: (optional) address from where the property is tested :param source_code: A filename or source code :param contract_name: The target contract name defined in the source code :param propre: A regular expression for selecting properties :param outputspace_url: where to put the extended result :param timeout: timeout in seconds :return: """ # Termination condition # Exploration will stop when some of the following happens: # * MAXTX human transaction sent # * Code coverage is greater than MAXCOV meassured on target contract # * No more coverage was gained in the last transaction # * At least MAXFAIL different properties where found to be breakable. (1 for fail fast) # Max transaction count to explore MAXTX = maxt # Max coverage % to get MAXCOV = maxcov # Max different properties fails MAXFAIL = maxfail config.get_group("smt").timeout = 120 config.get_group("smt").memory = 16384 config.get_group("evm").ignore_balance = True config.get_group("evm").oog = "ignore" print("# Welcome to manticore-verifier") # Main manticore manager object m = ManticoreEVM() # avoid all human level tx that are marked as constant (have no effect on the storage) filter_out_human_constants = FilterFunctions(regexp=r".*", depth="human", mutability="constant", include=False) m.register_plugin(filter_out_human_constants) filter_out_human_constants.disable() # Avoid automatically exploring property filter_no_crytic = FilterFunctions(regexp=propre, include=False) m.register_plugin(filter_no_crytic) filter_no_crytic.disable() # Only explore properties (at human level) filter_only_crytic = FilterFunctions(regexp=propre, depth="human", fallback=False, include=True) m.register_plugin(filter_only_crytic) filter_only_crytic.disable() # And now make the contract account to analyze # User accounts. Transactions trying to break the property are send from one # of this senders = (None, ) if senders is None else senders user_accounts = [] for n, address_i in enumerate(senders): user_accounts.append( m.create_account(balance=10**10, address=address_i, name=f"sender_{n}")) # the address used for deployment owner_account = m.create_account(balance=10**10, address=deployer, name="deployer") # the target contract account contract_account = m.solidity_create_contract( source_code, owner=owner_account, contract_name=contract_name, compile_args=compile_args, name="contract_account", ) # the address used for checking porperties checker_account = m.create_account(balance=10**10, address=psender, name="psender") print(f"# Owner account: 0x{int(owner_account):x}") print(f"# Contract account: 0x{int(contract_account):x}") for n, user_account in enumerate(user_accounts): print(f"# Sender_{n} account: 0x{int(user_account):x}") print(f"# PSender account: 0x{int(checker_account):x}") properties = {} md = m.get_metadata(contract_account) for func_hsh in md.function_selectors: func_name = md.get_abi(func_hsh)["name"] if re.match(propre, func_name): properties[func_name] = [] print( f"# Found {len(properties)} properties: {', '.join(properties.keys())}" ) if not properties: print("I am sorry I had to run the init bytecode for this.\n" "Good Bye.") return MAXFAIL = len(properties) if MAXFAIL is None else MAXFAIL tx_num = 0 # transactions count current_coverage = None # obtained coverge % new_coverage = 0.0 print(f"""# Exploration will stop when some of the following happens: # * {MAXTX} human transaction sent # * Code coverage is greater than {MAXCOV}% meassured on target contract # * No more coverage was gained in the last transaction # * At least {MAXFAIL} different properties where found to be breakable. (1 for fail fast) # * {timeout} seconds pass""") print("# Starting exploration...") print( f"Transactions done: {tx_num}. States: {m.count_ready_states()}, RT Coverage: {0.00}%, " f"Failing properties: 0/{len(properties)}") with m.kill_timeout(timeout=timeout): while not m.is_killed(): # check if we found a way to break more than MAXFAIL properties broken_properties = sum( int(len(x) != 0) for x in properties.values()) if broken_properties >= MAXFAIL: print( f"Found {broken_properties}/{len(properties)} failing properties. Stopping exploration." ) break # check if we sent more than MAXTX transaction if tx_num >= MAXTX: print(f"Max number of transactions reached ({tx_num})") break tx_num += 1 # check if we got enough coverage new_coverage = m.global_coverage(contract_account) if new_coverage >= MAXCOV: print( f"Current coverage({new_coverage}%) is greater than max allowed ({MAXCOV}%). Stopping exploration." ) break # check if we have made coverage progress in the last transaction if current_coverage == new_coverage: print(f"No coverage progress. Stopping exploration.") break current_coverage = new_coverage # Make sure we didn't time out before starting first transaction if m.is_killed(): print("Cancelled or timeout.") break # Explore all methods but the "crytic_" properties # Note: you may be tempted to get all valid function ids/hashes from the # metadata and to constrain the first 4 bytes of the calldata here. # This wont work because we also want to prevent the contract to call # crytic added methods as internal transactions filter_no_crytic.enable() # filter out crytic_porperties filter_out_human_constants.enable() # Exclude constant methods filter_only_crytic.disable( ) # Exclude all methods that are not property checks symbolic_data = m.make_symbolic_buffer(320) symbolic_value = m.make_symbolic_value() caller_account = m.make_symbolic_value(160) args = tuple( (caller_account == address_i for address_i in user_accounts)) m.constrain(OR(*args, False)) m.transaction( caller=caller_account, address=contract_account, value=symbolic_value, data=symbolic_data, ) # check if timeout was requested during the previous transaction if m.is_killed(): print("Cancelled or timeout.") break m.clear_terminated_states() # no interest in reverted states m.take_snapshot() # make a copy of all ready states print( f"Transactions done: {tx_num}. States: {m.count_ready_states()}, " f"RT Coverage: {m.global_coverage(contract_account):3.2f}%, " f"Failing properties: {broken_properties}/{len(properties)}") # check if timeout was requested while we were taking the snapshot if m.is_killed(): print("Cancelled or timeout.") break # And now explore all properties (and only the properties) filter_no_crytic.disable() # Allow crytic_porperties filter_out_human_constants.disable( ) # Allow them to be marked as constants filter_only_crytic.enable( ) # Exclude all methods that are not property checks symbolic_data = m.make_symbolic_buffer(4) m.transaction(caller=checker_account, address=contract_account, value=0, data=symbolic_data) for state in m.all_states: world = state.platform tx = world.human_transactions[-1] md = m.get_metadata(tx.address) """ A is _broken_ if: * is normal property * RETURN False OR: * property name ends with 'revert' * does not REVERT Property is considered to _pass_ otherwise """ N = constrain_to_known_func_ids(state) for func_id in map(bytes, state.solve_n(tx.data[:4], nsolves=N)): func_name = md.get_abi(func_id)["name"] if not func_name.endswith("revert"): # Property does not ends in "revert" # It must RETURN a 1 if tx.return_value == 1: # TODO: test when property STOPs return_data = ABI.deserialize( "bool", tx.return_data) testcase = m.generate_testcase( state, f"property {md.get_func_name(func_id)} is broken", only_if=AND(tx.data[:4] == func_id, return_data == 0), ) if testcase: properties[func_name].append(testcase.num) else: # property name ends in "revert" so it MUST revert if tx.result != "REVERT": testcase = m.generate_testcase( state, f"Some property is broken did not reverted.(MUST REVERTED)", only_if=tx.data[:4] == func_id, ) if testcase: properties[func_name].append(testcase.num) m.clear_terminated_states( ) # no interest in reverted states for now! m.goto_snapshot() else: print("Cancelled or timeout.") m.clear_terminated_states() m.clear_ready_states() m.clear_snapshot() if m.is_killed(): print("Exploration ended by CTRL+C or timeout") print(f"Coverage obtained {new_coverage:3.2f}%. (RT + prop)") x = PrettyTable() x.field_names = ["Property Named", "Status"] for name, testcases in sorted(properties.items()): result = "passed" if testcases: result = f"failed ({testcases[0]})" x.add_row((name, result)) print(x) m.clear_ready_states() workspace = os.path.abspath(m.workspace)[len(os.getcwd()) + 1:] print(f"Checkout testcases here:./{workspace}")
from manticore.core.smtlib import Operators from manticore.core.smtlib.solver import Z3Solver from manticore.core.manticore import ManticoreBase #ManticoreBase.verbosity(5) m = ManticoreEVM() solver = Z3Solver.instance() with open('AP2.sol') as f: source_code = f.read() user_account = m.create_account(balance=1000) spender_account = m.make_symbolic_value() m.constrain(spender_account != user_account) contract_account = m.solidity_create_contract(source_code, owner=user_account, balance=0, args=None) #contract_account.balanceOf(spender_account, caller=user_account) contract_account.balanceOf(user_account, caller=user_account) for state in m.ready_states: val = state.platform.transactions[-1].return_data val = ABI.deserialize("uint", val) symbolic_val = m.make_symbolic_value() m.constrain(symbolic_val > val)
from manticore.ethereum import ManticoreEVM from manticore.core.smtlib import Operators from manticore.core.smtlib import solver m = ManticoreEVM() # initiate the blockchain with open('contract.sol', 'rb') as f: contract_src = f.read() user_account = m.create_account(balance=1000) attacker_account = m.create_account(balance=1000) contract_account = m.solidity_create_contract(contract_src, owner=user_account, balance=0) sym_arg = m.make_symbolic_value(name='arg1') contract_account.method(sym_arg, caller=user_account) cond = sym_arg < 10 cond2 = sym_arg > 5 m.constrain(cond) m.constrain(cond2) # States # [m.all_states, m.running_states, m.terminated_states] counter = 0 for state in m.running_states: state.generate_testcase('test{}'.format(counter)) counter += 1
m = ManticoreEVM() solver = Z3Solver.instance() with open('test08.sol') as f: source_code = f.read() # Create one user account # And deploy the contract user_account = m.create_account(balance=1000) contract_account = m.solidity_create_contract(source_code, owner=user_account, balance=0) symbolic_val = m.make_symbolic_value() m.constrain(symbolic_val > 0) m.constrain(symbolic_val < 100) symbolic_spender = m.make_symbolic_value(name="ADDRESS") m.constrain(symbolic_spender != user_account) contract_account.allowance(user_account, symbolic_spender) contract_account.approve(symbolic_spender, symbolic_val, caller=user_account) contract_account.allowance(user_account, symbolic_spender) #print("TEST21! see {}".format(m.workspace)) for state in m.all_states: state.constrain(symbolic_spender != user_account) if solver.check(state.constraints): print("TEST21! see {}".format(m.workspace)) m.generate_testcase(state, name="TEST21")
solver = Z3Solver.instance() with open('test08.sol') as f: source_code = f.read() # Create one user account # And deploy the contract user_account = m.create_account(balance=100) symbolic_spender = m.create_account(balance=101) contract_account = m.solidity_create_contract(source_code, owner=user_account, balance=0) contract_account.balanceOf(user_account) for state in m.ready_states: val = state.platform.transactions[-1].return_data val = ABI.deserialize("uint", val) symbolic_val = m.make_symbolic_value() m.constrain(symbolic_val > 0) m.constrain(symbolic_val <= val) contract_account.allowance(user_account,symbolic_spender) contract_account.approve(symbolic_spender, symbolic_val, caller=user_account) contract_account.allowance(user_account,symbolic_spender) for state in m.all_states: print("TEST21! see {}".format(m.workspace)) m.generate_testcase(state, name="TEST21")
from manticore import config from manticore.ethereum import ManticoreEVM, ABI m = ManticoreEVM() config.get_group("smt").timeout = 3600 config.get_group("evm").oog = "ignore" controller = m.create_account(balance=1 * 10**18) contract = m.solidity_create_contract('.', contract_name='ManticoreTest', owner=controller, compile_args={'ignore_compile': True}) underlying = m.make_symbolic_value() exchangeRate = m.make_symbolic_value() roundUp = m.make_symbolic_value(8) #All arguments nonzero m.constrain(underlying != 0) m.constrain(exchangeRate != 0) #roundUp true m.constrain(roundUp != 0) #Execute the transaction contract.fromUnderlying(underlying, exchangeRate, roundUp) #You can replace that with concrete values to reproduce it if a bug is found #contract.fromUnderlying(1,14474011154664523624477350999513853985339507749031138909263555379280740351999,0) #Now Check that the result is nonzero in all possible states for st in m.ready_states: assert (len(st.platform.human_transactions) == 2 ), "All ready states must have executed 2 human transactions" assert (st.platform.human_transactions[-1].result == "RETURN" ), "All ready states must have a successful last tx"
m = ManticoreEVM() solver = Z3Solver.instance() with open('test10.sol') as f: source_code = f.read() # Create one user account # And deploy the contract user_account = m.create_account(balance=100) to_account = m.create_account(balance=101) contract_account = m.solidity_create_contract(source_code, owner=user_account, balance=0) contract_account.balanceOf(to_account) contract_account.balanceOf(user_account) for state in m.ready_states: val = state.platform.transactions[-1].return_data val = ABI.deserialize("uint", val) symbolic_val = m.make_symbolic_value() m.constrain(symbolic_val > val) contract_account.transfer(to_account, symbolic_val, caller=user_account) for state in m.all_states: print("TEST10! see {}".format(m.workspace)) m.generate_testcase(state, name="TEST10")
from manticore.core.smtlib import Operators from manticore.core.smtlib.solver import Z3Solver from manticore.core.manticore import ManticoreBase #ManticoreBase.verbosity(5) m = ManticoreEVM() solver = Z3Solver.instance() with open('AP2.sol') as f: source_code = f.read() user_account = m.create_account(balance=1000) spender_account = m.make_symbolic_value() m.constrain(spender_account != user_account) symbolic_to = m.make_symbolic_value() m.constrain(symbolic_to != user_account) contract_account = m.solidity_create_contract(source_code, owner=user_account, balance=0, args=None) #contract_account.balanceOf(spender_account, caller=user_account) contract_account.balanceOf(user_account, caller=user_account) contract_account.allowance(user_account, spender_account) symbolic_approve = m.make_symbolic_value() contract_account.approve(spender_account,
Log("Got something else"); } } } ''' user_account = m.create_account(balance=1000, name='user_account') print "[+] Creating a user account", user_account.name contract_account = m.solidity_create_contract(source_code, owner=user_account, name='contract_account') print "[+] Creating a contract account", contract_account.name contract_account.named_func(1) print "[+] Now the symbolic values" symbolic_data = m.make_symbolic_buffer(320) symbolic_value = m.make_symbolic_value(name="VALUE") symbolic_address = m.make_symbolic_value(name="ADDRESS") m.constrain( Operators.OR(symbolic_address == contract_account, symbolic_address == user_account)) m.transaction(caller=user_account, address=symbolic_address, data=symbolic_data, value=symbolic_value) #Let seth know we are not sending more transactions m.finalize() print "[+] Look for results in %s" % m.workspace
from manticore.core.smtlib.solver import Z3Solver ###### Initialization ###### m = ManticoreEVM() solver = Z3Solver.instance() with open('test22.sol') as f: source_code = f.read() # Create one user account # And deploy the contract user_account = m.create_account(balance=1000) contract_account = m.solidity_create_contract(source_code, owner=user_account, balance=0) symbolic_spender = m.make_symbolic_value(name="ADDRESS") m.constrain(symbolic_spender != user_account) symbolic_val = m.make_symbolic_value() contract_account.allowance(user_account, symbolic_spender) contract_account.approve(symbolic_spender, symbolic_val, caller=user_account) contract_account.allowance(user_account, symbolic_spender) print("TEST23! see {}".format(m.workspace)) for state in m.all_states: m.generate_testcase(state, name="TEST23")