智慧合約檢測工具Mythril掃描合約教學以及如何安裝到docker
2023/03/14閱讀時間約 10 分鐘
Mythril 是可以對Solidity 程式碼及EVM 字節碼的安全分析工具,使用符號執行等方式檢測合約,可以幫助開發和安全人員發現合約中潛在的漏洞和弱點。
Mythril是由ConsenSys Diligence所開發,檢測為乙太坊、Hedera、Quorum、Vechain、Roostock、Tron 和其他與 EVM 兼容的區塊鏈構建的智慧合約中的安全漏洞,目前為免費的開源工具,可以在GitHub找到相關的原始碼。
安裝方式:
docker
docker pull mythril/myth
pip
pip3 install mythril
其他安裝方式可以查看文件。
使用docker 運行mythril並分析本地合約的方式:
使用docker 運行mythril並分析本地合約的方式:
docker run -v $(pwd): (path) mythril/myth analyze /(path)/(contract name).sol
這邊提供一個有重入漏洞的合約範例:
// SPDX-License-Identifier: MITpragma solidity ^0.8.13;contract EtherStore {mapping(address => uint) public balances;function deposit() public payable {balances[msg.sender] += msg.value;}function withdraw() public {uint bal = balances[msg.sender];require(bal > 0);(bool sent, ) = msg.sender.call{value: bal}("");require(sent, "Failed to send Ether");balances[msg.sender] = 0;}// Helper function to check the balance of this contractfunction getBalance() public view returns (uint) {return address(this).balance;}}
完整掃描結果如下:
==== External Call To User-Supplied Address ====SWC ID: 107Severity: LowContract: EtherStoreFunction name: withdraw()PC address: 368Estimated Gas Usage: 7278 - 62222A call to a user-supplied address is executed.An external message call to an address specified by the caller is executed. Note that the callee account might contain arbitrary code and could re-enter any function within this contract. Reentering the contract in an intermediate state may lead to unexpected behaviour. Make sure that no state modifications are executed after this call and/or reentrancy guards are in place.--------------------In file: /Downloads/reentrancy.sol:42msg.sender.call{value: bal}("")--------------------Initial State:Account: [CREATOR], balance: 0x21000537b4, nonce:0, storage:{}Account: [ATTACKER], balance: 0x20200000000000000, nonce:0, storage:{}Transaction Sequence:Caller: [CREATOR], calldata: , value: 0x0Caller: [ATTACKER], function: deposit(), txdata: 0xd0e30db0, value: 0x1Caller: [ATTACKER], function: withdraw(), txdata: 0x3ccfd60b, value: 0x0==== State access after external call ====SWC ID: 107Severity: MediumContract: EtherStoreFunction name: withdraw()PC address: 556Estimated Gas Usage: 7278 - 62222Write to persistent state following external callThe contract account state is accessed after an external call to a user defined address. To prevent reentrancy issues, consider accessing the state only before the call, especially if the callee is untrusted. Alternatively, a reentrancy lock can be used to prevent untrusted callees from re-entering the contract in an intermediate state.--------------------In file: /Downloads/reentrancy.sol:45balances[msg.sender] = 0--------------------Initial State:Account: [CREATOR], balance: 0x21200082d2d9, nonce:0, storage:{}Account: [ATTACKER], balance: 0x4801000000228c000, nonce:0, storage:{}Transaction Sequence:Caller: [CREATOR], calldata: , value: 0x0Caller: [ATTACKER], function: deposit(), txdata: 0xd0e30db0, value: 0x1Caller: [ATTACKER], function: withdraw(), txdata: 0x3ccfd60b, value: 0x0
掃描鏈上合約:
mythril可以藉由設定rpc掃描鏈上的智慧合約。
掃描主網(mainnet)合約
Mythril 默認會嘗試查詢infura,因此需要前往infura註冊帳號。
Step 1 : create new api key
Step 2 : manage key
Step 3 : api key
docker run --rm mythril/myth analyze -a [contract address] --rpc infura-mainnet https://mainnet.infura.io/v3/0df6422189fd41f7bf22587cb3d9bda2 --rpctls True --infura-id [yourApiKey]
掃描BSC(Binance Smart Chain)合約
docker run --rm mythril/myth analyze -a [contract address] --rpc bsc-dataseed1.binance.org:443 --rpctls True --infura-id [yourApiKey]
掃描本地鏈上的合約 (以下以Ganache舉例)
在docker中使用時,與文件有些許不同,需要使用以下指令。
Step 2 : 發布合約後執行以下指令
docker run --rm mythril/myth analyze -a [contract address] --rpc host.docker.internal:[portNumber]
輸出格式
Mythril預設將掃描結果呈現在終端機,可以使用 -o 修改輸出格式。
輸出的檔案格式為text、markdown、json和jsonv2。
結論
Mythril旨在發現常見漏洞,並無法精確發現應用程序業務邏輯中的問題,自動化工具有助於檢查常見的 Solidity 漏洞或缺少的智慧合約最佳實踐的案例,檢測工具容易受到誤報的影響,需要藉由手動驗證進行協助。
另外,我已經加入由趨勢科技防詐達人所成立的方格子專題-《區塊鏈生存守則》,在那裡我會跟其他優質的創作者一起帶大家深入瞭解區塊鏈,並隨時向大家更新區塊鏈資安事件
> 追蹤《區塊鏈生存守則》學習如何在區塊鏈的世界保護自己
> 關注防詐達人獲得其他最新詐騙情報
留言0
查看全部
