Mythril 是可以對Solidity 程式碼及EVM 字節碼的安全分析工具,使用符號執行等方式檢測合約,可以幫助開發和安全人員發現合約中潛在的漏洞和弱點。
Mythril是由ConsenSys Diligence所開發,檢測為乙太坊、Hedera、Quorum、Vechain、Roostock、Tron 和其他與 EVM 兼容的區塊鏈構建的智慧合約中的安全漏洞,目前為免費的開源工具,可以在GitHub找到相關的原始碼。
安裝方式:
docker
docker pull mythril/mythpip
pip3 install mythril其他安裝方式可以查看文件。
使用docker 運行mythril並分析本地合約的方式:
docker run -v $(pwd): (path) mythril/myth analyze /(path)/(contract name).sol這邊提供一個有重入漏洞的合約範例:
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;
contract EtherStore {
mapping(address => uint) public balances;
function deposit() public payable {
balances[msg.sender] += msg.value;
}
function withdraw() public {
uint bal = balances[msg.sender];
require(bal > 0);
(bool sent, ) = msg.sender.call{value: bal}("");
require(sent, "Failed to send Ether");
balances[msg.sender] = 0;
}
// Helper function to check the balance of this contract
function getBalance() public view returns (uint) {
return address(this).balance;
}
}
完整掃描結果如下:
==== External Call To User-Supplied Address ====
SWC ID: 107
Severity: Low
Contract: EtherStore
Function name: withdraw()
PC address: 368
Estimated Gas Usage: 7278 - 62222
A call to a user-supplied address is executed.
An external message call to an address specified by the caller is executed. Note that the callee account might contain arbitrary code and could re-enter any function within this contract. Reentering the contract in an intermediate state may lead to unexpected behaviour. Make sure that no state modifications are executed after this call and/or reentrancy guards are in place.
--------------------
In file: /Downloads/reentrancy.sol:42
msg.sender.call{value: bal}("")
--------------------
Initial State:
Account: [CREATOR], balance: 0x21000537b4, nonce:0, storage:{}
Account: [ATTACKER], balance: 0x20200000000000000, nonce:0, storage:{}
Transaction Sequence:
Caller: [CREATOR], calldata: , value: 0x0
Caller: [ATTACKER], function: deposit(), txdata: 0xd0e30db0, value: 0x1
Caller: [ATTACKER], function: withdraw(), txdata: 0x3ccfd60b, value: 0x0
==== State access after external call ====
SWC ID: 107
Severity: Medium
Contract: EtherStore
Function name: withdraw()
PC address: 556
Estimated Gas Usage: 7278 - 62222
Write to persistent state following external call
The contract account state is accessed after an external call to a user defined address. To prevent reentrancy issues, consider accessing the state only before the call, especially if the callee is untrusted. Alternatively, a reentrancy lock can be used to prevent untrusted callees from re-entering the contract in an intermediate state.
--------------------
In file: /Downloads/reentrancy.sol:45
balances[msg.sender] = 0
--------------------
Initial State:
Account: [CREATOR], balance: 0x21200082d2d9, nonce:0, storage:{}
Account: [ATTACKER], balance: 0x4801000000228c000, nonce:0, storage:{}
Transaction Sequence:
Caller: [CREATOR], calldata: , value: 0x0
Caller: [ATTACKER], function: deposit(), txdata: 0xd0e30db0, value: 0x1
Caller: [ATTACKER], function: withdraw(), txdata: 0x3ccfd60b, value: 0x0
掃描鏈上合約:
mythril可以藉由設定rpc掃描鏈上的智慧合約。
掃描主網(mainnet)合約
Mythril 默認會嘗試查詢infura,因此需要前往infura註冊帳號。
Step 1 : create new api key
Step 2 : manage key
Step 3 : api key
docker run --rm mythril/myth analyze -a [contract address] --rpc infura-mainnet https://mainnet.infura.io/v3/0df6422189fd41f7bf22587cb3d9bda2 --rpctls True --infura-id [yourApiKey]掃描BSC(Binance Smart Chain)合約
docker run --rm mythril/myth analyze -a [contract address] --rpc bsc-dataseed1.binance.org:443 --rpctls True --infura-id [yourApiKey]掃描本地鏈上的合約 (以下以Ganache舉例)
在docker中使用時,與文件有些許不同,需要使用以下指令。
Step 1 : 下載Ganache並在Remix上設定環境
Step 2 : 發布合約後執行以下指令
docker run --rm mythril/myth analyze -a [contract address] --rpc host.docker.internal:[portNumber]輸出格式
Mythril預設將掃描結果呈現在終端機,可以使用 -o 修改輸出格式。
輸出的檔案格式為text、markdown、json和jsonv2。
結論
Mythril旨在發現常見漏洞,並無法精確發現應用程序業務邏輯中的問題,自動化工具有助於檢查常見的 Solidity 漏洞或缺少的智慧合約最佳實踐的案例,檢測工具容易受到誤報的影響,需要藉由手動驗證進行協助。
作者Alice目前為區塊鏈安全從業人員,將來也會持續在Vocus以及medium上分享相關的研究,如果喜歡我的文章歡迎追蹤我的帳號喔!
另外,我已經加入由趨勢科技防詐達人所成立的方格子專題-《區塊鏈生存守則》,在那裡我會跟其他優質的創作者一起帶大家深入瞭解區塊鏈,並隨時向大家更新區塊鏈資安事件
> 追蹤《區塊鏈生存守則》學習如何在區塊鏈的世界保護自己
> 關注防詐達人獲得其他最新詐騙情報
