rattle
rattle copied to clipboard
Published
20 hours ago •
crytic
crytic
Rattle never finishes for some contracts
I tried analyzing the wallet contract from RealWorldCTF, but rattle never output anything or finished running. It appears to be stuck in some kind of infinite loop.
I ran the contract with python3.6 rattle-cli.py --input ./inputs/multisig.bin
Here is the contract with only the seemingly important parts left that cause the hang (removing either public function causes the hang to go away):
pragma solidity ^0.4.24;
contract MultiSigWallet {
struct Transaction{
address target; // 3
uint amount; // 4
bool isDelegate; // 5
bytes data; // 6
}
Transaction[] transactions;
mapping(address => bool) isOwner;
mapping(address => bool) isTrusted;
Transaction tx;
constructor() public{
isOwner[msg.sender] = true;
}
// ...
function deleteTransaction(uint id) public{
for (uint i = id; i < transactions.length-1; i++){
transactions[i] = transactions[i+1];
}
popTransaction();
}
// ...
// there's no pop impl in solidity, sad :(
function popTransaction() internal {
require(transactions.length >= 0);
transactions.length --;
}
function submitTransaction(address target, uint amount, bool isDelegate, bytes data) public returns(uint){
tx = Transaction(target, amount, isDelegate, data);
if (isOwner[msg.sender]) {
transactions.push(tx);
}
return transactions.length-1;
}
// ...
}
Here is the runtime bin:
YIBgQFJgBDYQYQBLV2AANXwBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJAEY/////8WgGLp
wAYUYQBQV4BjxqxT/RRhAH1XW2AAgP1bNIAVYQBcV2AAgP1bUGEAe2AEgDYDgQGQgIA1kGAgAZCS
kZBQUFBhATBWWwBbNIAVYQCJV2AAgP1bUGEBGmAEgDYDgQGQgIA1c///////////////////////
////FpBgIAGQkpGQgDWQYCABkJKRkIA1FRWQYCABkJKRkIA1kGAgAZCCAYA1kGAgAZCAgGAfAWAg
gJEEAmAgAWBAUZCBAWBAUoCTkpGQgYFSYCABg4OAgoQ3ggGRUFBQUFBQkZKRkpBQUFBhAmVWW2BA
UYCCgVJgIAGRUFBgQFGAkQOQ81tgAIGQUFtgAWAAgFSQUAOBEBVhAllXYABgAYIBgVSBEBUVYQFY
V/5bkGAAUmAgYAAgkGAEAgFgAIKBVIEQFRVhAXVX/luQYABSYCBgACCQYAQCAWAAggFgAJBUkGEB
AAqQBHP//////////////////////////xaBYAABYABhAQAKgVSBc///////////////////////
////AhkWkINz//////////////////////////8WAheQVVBgAYIBVIFgAQFVYAKCAWAAkFSQYQEA
CpAEYP8WgWACAWAAYQEACoFUgWD/AhkWkIMVFQIXkFVQYAOCAYFgAwGQgFRgAYFgARYVYQEAAgMW
YAKQBGECSJKRkGEEvlZbUJBQUICAYAEBkVBQYQE2VlthAmFhBJJWW1BQVltgAGCAYEBRkIEBYEBS
gIZz//////////////////////////8WgVJgIAGFgVJgIAGEFRWBUmAgAYOBUlBgA2AAggFRgWAA
AWAAYQEACoFUgXP//////////////////////////wIZFpCDc///////////////////////////
FgIXkFVQYCCCAVGBYAEBVWBAggFRgWACAWAAYQEACoFUgWD/AhkWkIMVFQIXkFVQYGCCAVGBYAMB
kIBRkGAgAZBhAzCSkZBhBUVWW1CQUFBgAWAAM3P//////////////////////////xZz////////
//////////////////8WgVJgIAGQgVJgIAFgACBgAJBUkGEBAAqQBGD/FhVhBH9XYABgA5CAYAGB
VAGAglWAkVBQkGABggOQYABSYCBgACCQYAQCAWAAkJGSkJGQkVBgAIIBYACQVJBhAQAKkARz////
//////////////////////8WgWAAAWAAYQEACoFUgXP//////////////////////////wIZFpCD
c///////////////////////////FgIXkFVQYAGCAVSBYAEBVWACggFgAJBUkGEBAAqQBGD/FoFg
AgFgAGEBAAqBVIFg/wIZFpCDFRUCF5BVUGADggGBYAMBkIBUYAGBYAEWFWEBAAIDFmACkARhBHqS
kZBhBL5WW1BQUFBbYAFgAIBUkFADkFCUk1BQUFBWW2AAgIBUkFAQFRUVYQSmV2AAgP1bYACAVICR
kGABkANhBLuRkGEFxVZbUFZbgoBUYAGBYAEWFWEBAAIDFmACkASQYABSYCBgACCQYB8BYCCQBIEB
koJgHxBhBPdXgFSFVWEFNFZbgoABYAEBhVWCFWEFNFdgAFJgIGAAIJFgHwFgIJAEggFbgoERFWEF
M1eCVIJVkWABAZGQYAEBkGEFGFZbW1CQUGEFQZGQYQX3VltQkFZbgoBUYAGBYAEWFWEBAAIDFmAC
kASQYABSYCBgACCQYB8BYCCQBIEBkoJgHxBhBYZXgFFg/xkWg4ABF4VVYQW0VluCgAFgAQGFVYIV
YQW0V5GCAVuCgREVYQWzV4JRglWRYCABkZBgAQGQYQWYVltbUJBQYQXBkZBhBfdWW1CQVluBVIGD
VYGBERVhBfJXYAQCgWAEAoNgAFJgIGAAIJGCAZEBYQXxkZBhBhxWW1tQUFBWW2EGGZGQW4CCERVh
BhVXYACBYACQVVBgAQFhBf1WW1CQVluQVlthBouRkFuAghEVYQaHV2AAgIIBYABhAQAKgVSQc///
////////////////////////AhkWkFVgAYIBYACQVWACggFgAGEBAAqBVJBg/wIZFpBVYAOCAWAA
YQZ+kZBhBo5WW1BgBAFhBiJWW1CQVluQVltQgFRgAYFgARYVYQEAAgMWYAKQBGAAglWAYB8QYQa0
V1BhBtNWW2AfAWAgkASQYABSYCBgACCQgQGQYQbSkZBhBfdWW1tQVgChZWJ6enIwWCAbe61E3sWJ
0c6/B9JA0mzBEzjnj+NdskoxZ3jjn6YVtwAp
With 301b80b, rattle completes now but it's ugly. The functions aren't identified and split off, so the graph is huge and confusing. Sorry, I'll have to look into a better solution.
