acuarica / evm

A Symbolic Ethereum Virtual Machine (EVM) bytecode interpreter, parser and decompiler, along with several other utils for programmatically extracting information from EVM bytecode.
https://acuarica.github.io/evm/
MIT License

Check whether selector `0x00000000` is properly detected #54

Closed acuarica closed 8 months ago

acuarica commented 11 months ago

It seems sevm fails to detect 0x00000000 selector, for example see contract https://etherscan.io/address/0x000000000000Df8c944e775BDe7Af50300999283, and it seems to detect some extraneous selectors instead.

See https://github.com/shazow/whatsabi/pull/62#issuecomment-1767386478 for details.

Thanks @shazow for reporting this.

acuarica commented 8 months ago

This should be fixed in sevm v0.6.8. @shazow please let me know how it goes.

The issue was that Solidity uses the bytecode sequence `selector|ISZERO` to determine whether selector is 00000000 when the contract is optimized. However, when the contract is not optimized, the sequence it generates is `selector|PUSH1 0x00|EQ`. This is the pattern sevm looks for.

cded77e extends the lookup pattern to also look for the sequence selector|ISZERO.
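As an added illustration of the two dispatcher shapes described in the comment above (this is example code written for this page, not sevm's implementation), the scanner below disassembles a hand-constructed dispatcher, skipping PUSH immediates so that bytes inside constants are never mistaken for opcodes, and then matches both `PUSHn imm | EQ | PUSHn dest | JUMPI` (which covers the unoptimized `PUSH1 0x00 | EQ` form) and `DUP1 | ISZERO | PUSHn dest | JUMPI` (the optimized zero-selector form). The sample bytecode and selector values are constructed; requiring `DUP1` immediately before `ISZERO` is an assumption used to keep the heuristic from matching ordinary conditional jumps. A deliberately naive byte-grep is included for contrast: it misses the zero selector and reports an extra "selector" that lives inside a PUSH8 constant.

```typescript
// Real EVM opcode values used by the scanner.
const OP = {
  EQ: 0x14, ISZERO: 0x15, JUMPI: 0x57,
  PUSH1: 0x60, PUSH4: 0x63, PUSH32: 0x7f, DUP1: 0x80,
} as const;

interface Instr { pc: number; opcode: number; push?: Uint8Array }

function hexToBytes(hex: string): Uint8Array {
  const clean = hex.replace(/^0x/, "").replace(/\s+/g, "");
  const out = new Uint8Array(clean.length / 2);
  for (let i = 0; i < out.length; i++) out[i] = parseInt(clean.slice(i * 2, i * 2 + 2), 16);
  return out;
}

// Linear disassembly: PUSH1..PUSH32 consume 1..32 immediate bytes that are data, not code.
function disassemble(code: Uint8Array): Instr[] {
  const out: Instr[] = [];
  let pc = 0;
  while (pc < code.length) {
    const opcode = code[pc];
    const instr: Instr = { pc, opcode };
    if (opcode >= OP.PUSH1 && opcode <= OP.PUSH32) {
      const n = opcode - OP.PUSH1 + 1;
      instr.push = code.slice(pc + 1, pc + 1 + n); // a truncated trailing push just yields a short immediate
      pc += 1 + n;
    } else {
      pc += 1;
    }
    out.push(instr);
  }
  return out;
}

// Left-pad an immediate of up to 4 bytes to a 4-byte selector (PUSH1 0x00 -> 0x00000000).
function toSelectorHex(imm: Uint8Array): string {
  const bytes = new Uint8Array(4);
  bytes.set(imm, 4 - imm.length);
  return "0x" + Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

// Heuristic dispatcher scan over the disassembly; returns sorted, de-duplicated selectors.
function findSelectors(code: Uint8Array): string[] {
  const ins = disassemble(code);
  const found = new Set<string>();
  const isJump = (x: Instr, y: Instr) => x.push !== undefined && y.opcode === OP.JUMPI;
  for (let i = 0; i + 2 < ins.length; i++) {
    const a = ins[i], b = ins[i + 1], c = ins[i + 2];
    // Pattern 1: PUSHn imm | EQ | PUSHn dest | JUMPI  (unoptimized zero selector is PUSH1 0x00 | EQ)
    if (a.push && a.push.length <= 4 && b.opcode === OP.EQ && i + 3 < ins.length && isJump(c, ins[i + 3])) {
      found.add(toSelectorHex(a.push));
      continue;
    }
    // Pattern 2: DUP1 | ISZERO | PUSHn dest | JUMPI  (optimized zero selector; DUP1 guard is an assumption)
    if (a.opcode === OP.ISZERO && i > 0 && ins[i - 1].opcode === OP.DUP1 && isJump(b, c)) {
      found.add("0x00000000");
    }
  }
  return Array.from(found).sort();
}

// Naive contrast: grep for 0x63 <4 bytes> 0x14 without decoding instruction boundaries.
function naiveSelectorScan(code: Uint8Array): string[] {
  const found = new Set<string>();
  for (let i = 0; i + 5 < code.length; i++) {
    if (code[i] === OP.PUSH4 && code[i + 5] === OP.EQ) found.add(toSelectorHex(code.slice(i + 1, i + 5)));
  }
  return Array.from(found).sort();
}

// Constructed dispatcher (optimized form): CALLDATALOAD, SHR 0xe0, then one check per selector,
// followed by a PUSH8 constant whose bytes happen to look like "PUSH4 deadbeef EQ".
const SAMPLE_OPTIMIZED =
  "600035 60e0 1c" +                   // PUSH1 0; CALLDATALOAD; PUSH1 0xe0; SHR
  "80 15 610030 57" +                  // DUP1; ISZERO; PUSH2 0x0030; JUMPI   (zero selector)
  "80 6383197ef0 14 610040 57" +       // DUP1; PUSH4 0x83197ef0; EQ; PUSH2; JUMPI
  "80 63cc066bb8 14 610050 57" +       // DUP1; PUSH4 0xcc066bb8; EQ; PUSH2; JUMPI
  "80 63f04f2707 14 610060 57" +       // DUP1; PUSH4 0xf04f2707; EQ; PUSH2; JUMPI
  "67 63deadbeef140000 00";            // PUSH8 (data only); STOP

// Same dispatcher in unoptimized form: the zero check is PUSH1 0x00 | EQ instead of ISZERO.
const SAMPLE_UNOPTIMIZED = SAMPLE_OPTIMIZED.replace("80 15 610030 57", "80 6000 14 610030 57");

console.log("optimized:  ", findSelectors(hexToBytes(SAMPLE_OPTIMIZED)));
console.log("unoptimized:", findSelectors(hexToBytes(SAMPLE_UNOPTIMIZED)));
console.log("naive grep: ", naiveSelectorScan(hexToBytes(SAMPLE_OPTIMIZED)));
```

Both samples yield the four selectors the thread settles on, while the naive grep misses `0x00000000` and invents `0xdeadbeef` from the PUSH8 immediate, which is the kind of extraneous result that decoding instruction boundaries avoids.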

acuarica commented 8 months ago

@shazow also you mentioned in https://github.com/shazow/whatsabi/pull/62#issuecomment-1767386478 that it "finds two extraneous selectors for that one example".

  Array [
-   "0x00000000",
+   "0x83197ef0",
+   "0xcc066bb8",
    "0xf04f2707",
  ]

Would you be able to confirm that? Do you have the Solidity source code for that example? That way it would be easy to debug.

shazow commented 8 months ago

I don't have source code for random MEV bots unfortunately, but there's lots of them (just look for zero selector calls in recent transactions). My approach is either to manually trace the bytecode or to use a disassembler like https://ethervm.io/decompile/0x000000000000Df8c944e775BDe7Af50300999283

Keep in mind that this particular example uses selfdestruct to reinitialize its code fairly regularly, so it doesn't stay static.

acuarica commented 8 months ago

The output of this decompiler, https://library.dedaub.com/ethereum/address/0x000000000000df8c944e775bde7af50300999283/abi shows the 3 functions detected by sevm (but not the 0 selector). So not sure which one is the correct one.

shazow commented 8 months ago

Actually looking closer at the bytecode, I think the full set of discovered selectors is correct (including the zero selector).

Here's my approach: [image]

So I believe the result should be

[
   "0x00000000",
   "0x83197ef0",
   "0xcc066bb8",
   "0xf04f2707",
]

acuarica commented 8 months ago

Agree, well that's great to hear.