Consensys / mythril

Security analysis tool for EVM bytecode. Supports smart contracts built for Ethereum, Hedera, Quorum, Vechain, Rootstock, Tron and other EVM-compatible blockchains.
https://mythx.io/
MIT License

Mythril Front Running Module #1162

Open FranzHuebner opened 5 years ago

FranzHuebner commented 5 years ago

Description

The Mythril detection capabilities page at https://github.com/ConsenSys/mythril/wiki/Mythril-Detection-Capabilities states that it should find Front Running in a smart contract. That is not the case for the specific contract below. Given is the contract from the swc-registry, ported to 0.5.

How to Reproduce

/*
 * @source: https://github.com/ConsenSys/evm-analyzer-benchmark-suite
 * @author: Suhabe Bugrara
 */

pragma solidity ^0.5.0;

contract EthTxOrderDependenceMinimal {
    address payable public owner;
    bool public claimed;
    uint public reward;

    constructor() public{
        owner = msg.sender;
    }

    function setReward() public payable {
        require (!claimed);

        require(msg.sender == owner);
        owner.transfer(reward);
        reward = msg.value;
    }

    function claimReward(uint256 submission) public{
        require (!claimed);
        require(submission < 10);

        msg.sender.transfer(reward);
        claimed = true;
    }
}

Expected behavior

mark possible Front Running in line 17

Environment

Tested under Ubuntu 16.04 with the mythril docker image, with --max-depth 60 and --max-depth 120, as well as with no detection timeout.

docker run -v "$(pwd)":/tmp mythril/myth analyze /tmp/eth_tx_order_dependence_minimal.sol --max-depth 120
The analysis was completed successfully. No issues were detected.
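To make the order dependence concrete, here is an added Python model of the contract above (constructed for this issue, not Mythril's detection code and not real EVM execution) that replays two pending transactions in both possible mining orders; the account names, the starting reward of 10 and the amounts 100 and 3 are assumptions.

```python
# Constructed model of the issue's EthTxOrderDependenceMinimal contract (example code, not Mythril's implementation)
from dataclasses import dataclass, field
from itertools import permutations

class Revert(Exception):
    """Raised where the Solidity code would hit a failing require()."""

@dataclass
class Contract:
    owner: str
    reward: int = 0
    claimed: bool = False
    transfers: list = field(default_factory=list)  # (recipient, amount) log

    def require(self, cond, msg):
        if not cond:
            raise Revert(msg)

    def set_reward(self, sender, value):
        self.require(not self.claimed, "already claimed")
        self.require(sender == self.owner, "not owner")
        self.transfers.append((self.owner, self.reward))  # owner.transfer(reward)
        self.reward = value                                # reward = msg.value

    def claim_reward(self, sender, submission):
        self.require(not self.claimed, "already claimed")
        self.require(submission < 10, "bad submission")
        self.transfers.append((sender, self.reward))  # msg.sender.transfer(reward), line 17
        self.claimed = True

def replay(order):
    """Apply the two pending transactions in `order`; return what 'user' received."""
    c = Contract(owner="owner")
    c.set_reward("owner", 10)  # assumed starting state: a reward of 10 is already funded
    pending = {  # assumed mempool contents: both txs are visible before either is mined
        "setReward(100)": lambda: c.set_reward("owner", 100),
        "claimReward(3)": lambda: c.claim_reward("user", 3),
    }
    for name in order:
        try:
            pending[name]()
        except Revert:
            pass  # a reverted transaction changes no state
    return sum(amount for to, amount in c.transfers if to == "user")

def order_dependent_outcomes():
    """Payout per mining order; more than one distinct value is what a TOD check flags."""
    return {o: replay(o) for o in permutations(["setReward(100)", "claimReward(3)"])}
```

The amount sent at line 17 is read from storage that another pending transaction can rewrite, which is exactly the dependency a transaction-order-dependence detector has to report.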
norhh commented 5 years ago

Hey @FranzHuebner, thanks for the report. Currently we are not supporting transaction order dependence. We will support it soon. It's currently being tracked in #860.