echidna icon indicating copy to clipboard operation
echidna copied to clipboard

Published 20 hours ago verified publisher icon crytic

Feature Request: Add Support for Contracts That Use delegatecall in the fallback Function

Open man715 opened this issue 3 years ago • 4 comments

The simplest example that I can give is Ethernaut challenge 06 Delegate. For ease of description, I will just call them contract A and contract B. Contract A has some functions that contract B needs to be able to call which it does by delegatecall in the fallback function. As of right now, the only way to access the function in contract A through contract B is to create a function wrapper in the test contract. For this particular example, it is not a big deal as there really is only one function that needs to be wrapped. However, contract A can have an arbitrary number of functions that the user may want to fuzz.

In that case, it would be helpful if the user can identify an ABI or interface for echidna to use to call functions on contract B even though those functions are not part of its ABI.

man715 avatar May 08 '22 21:05 man715

For reference, this is part of the Challenge:

contract Delegation {

  address public owner;
  Delegate delegate;

  constructor(address _delegateAddress) public {
    delegate = Delegate(_delegateAddress);
    owner = msg.sender;
  }

  fallback() external {
    (bool result,) = address(delegate).delegatecall(msg.data);
    if (result) {
      this;
    }
  }
}

In order to solve this challenge, first Echidna should be able to identify:

  1. When a fallback functions is explicitly defined.
  2. When a function uses msg.data

After that, adding the selector of pwn() into the corpus, should be enough to solve this challenge.

For (1), we already have a slither printer that shows when fallback is detected, but for (2), I don't think we have anything. Are you interested to take a look to our slither printer for echidna so we can implement this?

gustavo-grieco avatar May 09 '22 07:05 gustavo-grieco

I can take a look if you can point me in the right direction. I'm am a novice but would love to help if I can.

I'm not sure how slither printers work or how the interaction between echidna and slither works.

man715 avatar May 09 '22 13:05 man715

Great, the first step is to open issue in the slither issue tracker describing this issue, and the information we need to extract: functions that use msg.data. Then we can continue the discussion there.

gustavo-grieco avatar May 09 '22 13:05 gustavo-grieco

Sounds good. I have created the issue: https://github.com/crytic/slither/issues/1202

man715 avatar May 09 '22 14:05 man715