mythril
Please support SWC 127
Description:
Detects the possibility to JUMP to an arbitrary address, either because of low-level functions used in the source code or, for well-written and audited Solidity code, because of compiler bugs like OptimizerStateKnowledgeNotResetForJumpdest or OptimizerClearStateOnCodePathJoin, and of course not simply whether the bugs are in the code, but which input sequence triggers them.
Note:
A better thing would be to leverage those issues in order to trigger more serious ones, like being able to withdraw ether or fire a token Transfer event without background checks.
Tests:
For the compiler bugs I couldn't find the issue number in the GitHub project nor the commit which fixed them, so I couldn't get enough details for a test case.
@ytrezq #1268 introduces this feature; would you like to test it?
@b-mueller if it doesn't detect almost arbitrary jumps from the call graph, then no, I can't. What I'm requesting doesn't only require adding a module. It also requires adding the capability to Laser accordingly (otherwise it should detect only bugs from Solidity code and not low-level compiler bugs).
> otherwise it should detect only bugs from Solidity code and not low-level compiler bugs
Hey, mythril is a bytecode analyzer; it doesn't know the difference between Solidity source code and bytecode, so there is no need to change anything in laser. Also, #1269 is the arbitrary jump feature.
@norhh yes, but based on a call graph. If the call graph says that a jump is static whereas it could be dynamic, then nothing will happen.
What I am checking is that if the jump destination is a symbol rather than a concrete value, then a multi-location jump is possible.
We don't have a minimal example of OptimizerClearStateOnCodePathJoin and OptimizerStateKnowledgeNotResetForJumpdest. My test cases are taking days.
Any idea of their bug numbers in https://github.com/ethereum/solidity/issues?
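As an added illustration of the check discussed above (a jump is only "arbitrary" when its destination is symbolic rather than a concrete value), here is a constructed Python toy that is not mythril or LASER code: it walks EVM bytecode with a stack whose entries are either concrete integers or `Sym` markers tainted by CALLDATALOAD/SLOAD, explores both sides of a JUMPI, and reports any JUMP/JUMPI whose target is symbolic, which is the SWC-127 condition. The opcode subset, the `Sym` type and the sample bytecodes are assumptions made for this example.

```python
"""Toy symbolic scan for SWC-127 style arbitrary jumps (constructed example,
not mythril/LASER code). Stack values are concrete ints or Sym markers."""
from dataclasses import dataclass

MASK = (1 << 256) - 1


@dataclass(frozen=True)
class Sym:
    origin: str  # where the unknown value came from: "calldata" or "storage"


STOP, ADD, AND, CALLDATALOAD, POP, SLOAD, JUMP, JUMPI, JUMPDEST = (
    0x00, 0x01, 0x16, 0x35, 0x50, 0x54, 0x56, 0x57, 0x5B)


def jumpdests(code):
    """Valid JUMPDEST offsets; PUSH immediates are skipped as the EVM does."""
    dests, pc = set(), 0
    while pc < len(code):
        op = code[pc]
        if op == JUMPDEST:
            dests.add(pc)
        pc += 1 + (op - 0x5F if 0x60 <= op <= 0x7F else 0)
    return dests


def is_sym(v):
    return isinstance(v, Sym)


def find_arbitrary_jumps(code, max_steps=10_000):
    """Return [{pc, op, origin}] for every JUMP/JUMPI whose target is symbolic."""
    dests = jumpdests(code)
    findings, worklist, seen, steps = [], [(0, ())], set(), 0
    while worklist and steps < max_steps:
        pc, stack = worklist.pop()
        stack = list(stack)
        while pc < len(code) and steps < max_steps:
            steps += 1
            op = code[pc]
            # States with the same pc and the same concrete/symbolic shape are
            # merged; this over-approximation keeps loops finite for the toy.
            key = (pc, tuple(is_sym(v) for v in stack))
            if key in seen:
                break
            seen.add(key)
            try:
                if 0x60 <= op <= 0x7F:                       # PUSH1..PUSH32
                    n = op - 0x5F
                    stack.append(int.from_bytes(code[pc + 1:pc + 1 + n], "big"))
                    pc += 1 + n
                elif 0x80 <= op <= 0x8F:                     # DUP1..DUP16
                    stack.append(stack[-(op - 0x7F)])
                    pc += 1
                elif op == CALLDATALOAD:                     # caller-controlled
                    stack.pop()
                    stack.append(Sym("calldata"))
                    pc += 1
                elif op == SLOAD:                            # state-dependent
                    stack.pop()
                    stack.append(Sym("storage"))
                    pc += 1
                elif op in (ADD, AND):                       # taint propagates
                    a, b = stack.pop(), stack.pop()
                    if is_sym(a) or is_sym(b):
                        stack.append(a if is_sym(a) else b)
                    else:
                        stack.append((a + b) & MASK if op == ADD else a & b)
                    pc += 1
                elif op == POP:
                    stack.pop()
                    pc += 1
                elif op == JUMPDEST:
                    pc += 1
                elif op in (JUMP, JUMPI):
                    dest = stack.pop()
                    cond = stack.pop() if op == JUMPI else 1
                    if is_sym(dest):                         # SWC-127: target not fixed
                        findings.append({"pc": pc, "op": "JUMP" if op == JUMP else "JUMPI",
                                         "origin": dest.origin})
                        break
                    if op == JUMPI and (is_sym(cond) or cond == 0):
                        worklist.append((pc + 1, tuple(stack)))  # explore fall-through
                        if not is_sym(cond):
                            break                            # concrete 0: never taken
                    if dest not in dests:
                        break                                # invalid jump: EVM reverts
                    pc = dest
                else:                                        # STOP / unsupported opcode
                    break
            except IndexError:                               # stack underflow ends path
                break
    return findings


# Constructed sample bytecodes (not taken from the thread).
SAFE = bytes.fromhex("600556fefe5b00")        # PUSH1 5; JUMP; ...; JUMPDEST; STOP
UNSAFE = bytes.fromhex("60003556")            # PUSH1 0; CALLDATALOAD; JUMP
STORAGE = bytes.fromhex("60005456")           # PUSH1 0; SLOAD; JUMP
MASKED = bytes.fromhex("60003560ff1656")      # calldata & 0xff is still symbolic
BRANCH = bytes.fromhex("60003560085700fe5b00")  # symbolic condition, concrete targets

if __name__ == "__main__":
    for name, code in [("SAFE", SAFE), ("UNSAFE", UNSAFE), ("STORAGE", STORAGE),
                       ("MASKED", MASKED), ("BRANCH", BRANCH)]:
        print(name, find_arbitrary_jumps(code))
```

BRANCH shows the distinction the thread draws: a symbolic condition with two concrete JUMPDEST targets is a normal branch and is not reported, whereas a symbolic destination (even after masking with AND) is.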
Ok, here are the test cases: https://github.com/ethereum/solidity/issues/692 (the former being harder to trigger, but it should be possible with https://gist.github.com/chriseth/3514a465ab4b7d8168f53d786bd0df7c and https://github.com/ethereum/solidity/pull/762/commits/ac0d1388008ed616ab7b35a5b3a27e7400decd46) and https://github.com/ethereum/solidity/issues/1416. But I don't have my personal machines right now (nor in the future), so I can't compile and run Mythril on those examples myself.
Those bugs are so rare and hard to trigger that we might be better off having them in the test cases, shouldn't we?