FuzzingLabs / octopus

Security Analysis tool for WebAssembly module (wasm) and Blockchain Smart Contracts (BTC/ETH/NEO/EOS)
https://fuzzinglabs.com/
MIT License

UnboundLocalError when using dynamic analysis #10

Open muellerberndt opened 5 years ago

muellerberndt commented 5 years ago

Some EVM bytecode inputs result in an UnboundLocalError exception. For example:

$ python octopus_eth_evm.py -g -r "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"
Traceback (most recent call last):
  File "octopus_eth_evm.py", line 186, in <module>
    main()
  File "octopus_eth_evm.py", line 164, in main
    octo_cfg = EthereumCFG(octo_bytecode)
  File "/Users/bernhardmueller/Projects/octopus/octopus/platforms/ETH/cfg.py", line 9, in __new__
    return EvmCFG(bytecode, analysis=evm_analysis)
  File "/Users/bernhardmueller/Projects/octopus/octopus/arch/evm/cfg.py", line 160, in __init__
    self.run_dynamic_analysis()
  File "/Users/bernhardmueller/Projects/octopus/octopus/arch/evm/cfg.py", line 173, in run_dynamic_analysis
    emul.emulate()
  File "/Users/bernhardmueller/Projects/octopus/octopus/platforms/ETH/emulator.py", line 122, in emulate
    halt = self.emulate_one_instruction(instr, state, depth)
  File "/Users/bernhardmueller/Projects/octopus/octopus/platforms/ETH/emulator.py", line 168, in emulate_one_instruction
    halt = self.ssa_stack_memory_storage_flow_instruction(instr, state, depth)
  File "/Users/bernhardmueller/Projects/octopus/octopus/platforms/ETH/emulator.py", line 433, in ssa_stack_memory_storage_flow_instruction
    self.emulate(new_state, depth=depth + 1)
  File "/Users/bernhardmueller/Projects/octopus/octopus/platforms/ETH/emulator.py", line 122, in emulate
    halt = self.emulate_one_instruction(instr, state, depth)
  File "/Users/bernhardmueller/Projects/octopus/octopus/platforms/ETH/emulator.py", line 168, in emulate_one_instruction
    halt = self.ssa_stack_memory_storage_flow_instruction(instr, state, depth)
  File "/Users/bernhardmueller/Projects/octopus/octopus/platforms/ETH/emulator.py", line 400, in ssa_stack_memory_storage_flow_instruction
    self.emulate(new_state, depth=depth + 1)
  File "/Users/bernhardmueller/Projects/octopus/octopus/platforms/ETH/emulator.py", line 122, in emulate
    halt = self.emulate_one_instruction(instr, state, depth)
  File "/Users/bernhardmueller/Projects/octopus/octopus/platforms/ETH/emulator.py", line 148, in emulate_one_instruction
    self.emul_comparaison_logic_instruction(instr, state)
  File "/Users/bernhardmueller/Projects/octopus/octopus/platforms/ETH/emulator.py", line 261, in emul_comparaison_logic_instruction
    instr.name, args=args)
UnboundLocalError: local variable 'args' referenced before assignment

The bytecode was generated with solc 0.5.7 from the following source:

pragma solidity ^0.5.0;

contract Test {

    uint256 myinteger;

    function doNothing() public view returns (uint256) {
        return myinteger;
    }

    function write() public {
        myinteger = 1;
    }

    function alwaysfail() public {
        assert(0 == 1);
    }

    function withdrawEth() public {
        msg.sender.transfer(address(this).balance);
    }
}
muellerberndt commented 5 years ago

Interestingly, this happens only with bytecode compiled with a newer solc version. Octopus processes the same contract when compiled with 0.4.24 but fails with 0.5.7.

pragma solidity ^0.5.0;

contract Test {
    uint256[] public myinteger;
}

0.4.24:

608060405260043610603f576000357c0100000000000000000000000000000000000000000000000000000000900463ffffffff1680637c4e2261146044575b600080fd5b348015604f57600080fd5b50606c600480360381019080803590602001909291905050506082565b6040518082815260200191505060405180910390f35b600081815481101515609057fe5b9060005260206000200160009150905054815600a165627a7a72305820a1f21cb8e5428cf6d0898a479fa2441da1ee73de1679e0b316a1dea027a843d70029

0.5.7:

6080604052348015600f57600080fd5b506004361060285760003560e01c80637c4e226114602d575b600080fd5b605660048036036020811015604157600080fd5b8101908080359060200190929190505050606c565b6040518082815260200191505060405180910390f35b60008181548110607857fe5b90600052602060002001600091509050548156fea165627a7a7230582076100799af5e6466edc3d544d4782bc2c30d0684ce8cb4c0f2bb710f1ef1e6630029
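As an added illustration (not octopus code, and not posted by the issue author): a small opcode scanner over the two bytecodes above, showing that the 0.5.7 output uses `SHR` (0x1c, the Constantinople shift opcode solc 0.5.x emits for function-selector extraction) where 0.4.24 used `PUSH29 ... DIV`, so the only comparison/logic opcode new to the failing input is `SHR`. The `HANDLED` set is an assumption about the emulator, not taken from its source; the traceback is consistent with a handler that has no branch for that opcode and therefore never assigns `args`.

```python
# Added example, not octopus project code: minimal EVM opcode scanner that
# reports which comparison/bitwise-logic opcodes (0x10..0x1d) a bytecode uses.
# solc 0.5.x selects the function with `PUSH1 0xe0 SHR`; 0.4.x used
# `PUSH29 0x0100..00 SWAP1 DIV`, so SHR (0x1c, EIP-145) is new in 0.5.7 output.

LOGIC_OPCODES = {
    0x10: "LT", 0x11: "GT", 0x12: "SLT", 0x13: "SGT", 0x14: "EQ",
    0x15: "ISZERO", 0x16: "AND", 0x17: "OR", 0x18: "XOR", 0x19: "NOT",
    0x1A: "BYTE", 0x1B: "SHL", 0x1C: "SHR", 0x1D: "SAR",
}

# Assumption (constructed, not read from the octopus source): the handler knows
# only the pre-Constantinople opcodes, so any other opcode in this range falls
# through every branch and leaves `args` unset, as the traceback shows.
HANDLED = {"LT", "GT", "SLT", "SGT", "EQ", "ISZERO", "AND", "OR", "XOR", "NOT", "BYTE"}

def strip_metadata(code: bytes) -> bytes:
    """Drop the solc CBOR metadata trailer (its last two bytes hold its length);
    a linear scan of the hash bytes inside it would otherwise yield spurious opcodes."""
    n = int.from_bytes(code[-2:], "big") + 2
    return code[:-n] if 2 < n <= len(code) else code

def iter_opcodes(code: bytes):
    """Yield (offset, opcode) pairs, skipping the immediates of PUSH1..PUSH32."""
    pc = 0
    while pc < len(code):
        op = code[pc]
        yield pc, op
        pc += 1 + (op - 0x5F if 0x60 <= op <= 0x7F else 0)

def logic_opcodes_used(hexcode: str) -> set:
    """Comparison/logic opcode names present in a hex bytecode (metadata excluded)."""
    code = strip_metadata(bytes.fromhex(hexcode[2:] if hexcode.startswith("0x") else hexcode))
    return {LOGIC_OPCODES[op] for _, op in iter_opcodes(code) if op in LOGIC_OPCODES}

def unhandled_logic_opcodes(hexcode: str) -> set:
    """Opcodes the assumed handler has no branch for."""
    return logic_opcodes_used(hexcode) - HANDLED

# The two bytecodes posted above (same contract, solc 0.4.24 vs 0.5.7).
BYTECODE_0_4_24 = "608060405260043610603f576000357c0100000000000000000000000000000000000000000000000000000000900463ffffffff1680637c4e2261146044575b600080fd5b348015604f57600080fd5b50606c600480360381019080803590602001909291905050506082565b6040518082815260200191505060405180910390f35b600081815481101515609057fe5b9060005260206000200160009150905054815600a165627a7a72305820a1f21cb8e5428cf6d0898a479fa2441da1ee73de1679e0b316a1dea027a843d70029"
BYTECODE_0_5_7 = "6080604052348015600f57600080fd5b506004361060285760003560e01c80637c4e226114602d575b600080fd5b605660048036036020811015604157600080fd5b8101908080359060200190929190505050606c565b6040518082815260200191505060405180910390f35b60008181548110607857fe5b90600052602060002001600091509050548156fea165627a7a7230582076100799af5e6466edc3d544d4782bc2c30d0684ce8cb4c0f2bb710f1ef1e6630029"

if __name__ == "__main__":
    for v, code in (("0.4.24", BYTECODE_0_4_24), ("0.5.7", BYTECODE_0_5_7)):
        print(v, sorted(logic_opcodes_used(code)), "unhandled:", sorted(unhandled_logic_opcodes(code)))
```

The same scan can be run over any other input that triggers the error to check whether it, too, introduces an opcode outside the handled set.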
pventuzelo commented 5 years ago

Thanks Bernhard ;) I will try to take a look ASAP

fiercef3l1n3 commented 5 years ago

I am experiencing the same issue when trying to construct a dynamic control flow graph.

webthethird commented 2 years ago

@pventuzelo I am having this same issue 3 years later, trying to construct a CFG. I see that this repo has not been updated in the past 2 years... is there any chance that this will be fixed?

pventuzelo commented 2 years ago

Sorry, I'm not planning to fix this at the moment. You might be interested in using https://github.com/crytic/evm_cfg_builder