Consensys / mythril

Security analysis tool for EVM bytecode. Supports smart contracts built for Ethereum, Hedera, Quorum, Vechain, Rootstock, Tron and other EVM-compatible blockchains.
https://mythx.io/
MIT License

Failed to detect SWC-120: Weak Sources of Randomness from Chain Attributes #1432

Closed Mikerah closed 4 years ago

Mikerah commented 4 years ago

Description

I ran Mythril on a contract with address 0x3582f0e90a11d1e021b48e70421770a063cc9e57 for which the bytecode and contract source code are available on etherscan.io. This smart contract makes use of the BLOCKHASH opcode i.e. makes a call to blockhash in such a way that I think is an instance of SWC-120: Weak Sources of Randomness from Chain Attributes. As such, I believe Mythril has failed to detect this particular violation of SWC-120.

How to Reproduce

I ran myth analyze -a 0x3582f0e90a11d1e021b48e70421770a063cc9e57 and got The analysis was completed successfully. No issues were detected.

Expected behavior

I expected to at least see the output showing that the smart contract at that address is a violation of SWC-120.

Environment

Mythril version: 0.22.9
Solidity compiler and version: solc version 0.6.7+commit.b8d736ae.Linux.g++
Python version: 3.8.5
OS and Version: Fedora 32

norhh commented 4 years ago

Can you try increasing the solver-timeout, as that may be the reason; the default timeout might be a bit low for this contract.

Mikerah commented 4 years ago

I increased the solver-timeout to 10000, 100000 and 1000000 from the default 10000 and it still doesn't detect it.

Mikerah commented 4 years ago

I increased the max_depth of the MythrilAnalyzer and it correctly detected SWC-120 in the contract.
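The thread ends with the detection depending on max_depth (the CLI equivalent is myth analyze --max-depth), because Mythril's SWC-120 check only fires when symbolic execution actually reaches a path on which a BLOCKHASH/TIMESTAMP/NUMBER-derived value is used. An added example, not code from this issue or from the Mythril project: a cheap offline triage scan that walks EVM runtime bytecode and lists every predictable-chain-attribute opcode, regardless of how deep the path to it is. It is a constructed example with constructed bytecode (the vulnerable fragment approximates what solc emits for blockhash(block.number - 1) % 10; the "clean" fragment is the standard solc memory-pointer preamble). The helper names and the opcode table are mine; the scan reports presence of the opcode only, not exploitability, so it complements rather than replaces the symbolic analysis.

```python
"""Offline pre-check for SWC-120 candidates in EVM runtime bytecode.

Constructed example, not Mythril's detector. Mythril reports SWC-120 when a
value derived from a chain attribute reaches a sensitive use on an explored
path, so a low max_depth can leave the path unexplored and the issue silent.
A linear opcode scan cannot miss the opcode itself, but knows nothing about
how the value is used, so treat a hit as a triage signal, not a finding.
"""

# Opcodes whose results are chain attributes a miner/validator can predict or
# influence; the sources SWC-120 is about.
PREDICTABLE_OPCODES = {
    0x40: "BLOCKHASH",
    0x41: "COINBASE",
    0x42: "TIMESTAMP",
    0x43: "NUMBER",
    0x44: "DIFFICULTY",  # PREVRANDAO after the Merge, same opcode byte
    0x45: "GASLIMIT",
}

PUSH1, PUSH32 = 0x60, 0x7F


def disassemble(code: bytes):
    """Yield (offset, opcode, immediate) triples.

    PUSHn carries n bytes of immediate data that must be skipped; otherwise a
    constant such as 0x40 inside push data is misread as BLOCKHASH.
    """
    pc = 0
    while pc < len(code):
        op = code[pc]
        if PUSH1 <= op <= PUSH32:
            n = op - PUSH1 + 1
            yield pc, op, code[pc + 1:pc + 1 + n]
            pc += 1 + n
        else:
            yield pc, op, b""
            pc += 1


def find_predictable_sources(code: bytes):
    """Return [(offset, mnemonic)] for every predictable-attribute opcode."""
    return [
        (pc, PREDICTABLE_OPCODES[op])
        for pc, op, _ in disassemble(code)
        if op in PREDICTABLE_OPCODES
    ]


def naive_byte_scan(code: bytes):
    """What a byte-level grep reports; kept to show its false positives."""
    return [(i, PREDICTABLE_OPCODES[b]) for i, b in enumerate(code) if b in PREDICTABLE_OPCODES]


# Constructed runtime fragment, roughly what solc emits for
#   uint r = uint(blockhash(block.number - 1)) % 10;
# PUSH1 0x01, NUMBER, SUB, BLOCKHASH, PUSH1 0x0a, SWAP1, MOD, PUSH1 0x00, MSTORE
SAMPLE_VULNERABLE = bytes.fromhex("6001" "43" "03" "40" "600a" "90" "06" "6000" "52")

# Constructed "clean" fragment: the usual solc preamble PUSH1 0x80 PUSH1 0x40
# MSTORE STOP. The 0x40 here is push data, not a BLOCKHASH instruction.
SAMPLE_CLEAN = bytes.fromhex("6080" "6040" "52" "00")


if __name__ == "__main__":
    for name, code in (("vulnerable", SAMPLE_VULNERABLE), ("clean", SAMPLE_CLEAN)):
        print(name, "opcode scan:", find_predictable_sources(code))
        print(name, "naive scan: ", naive_byte_scan(code))
```

On the clean preamble the naive byte scan claims a BLOCKHASH at offset 3 while the opcode-aware scan returns nothing; on the vulnerable fragment both agree on NUMBER at offset 2 and BLOCKHASH at offset 4. A hit from the opcode-aware scan on a contract that Mythril reports clean is a good reason to rerun with a larger --max-depth, as happened in this issue.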