enzymefinance / oyente

An Analysis Tool for Smart Contracts
GNU General Public License v3.0

UNKNOWN INSTRUCTION: SHL #437

Closed mrx23dot closed 2 years ago

mrx23dot commented 2 years ago

Running the latest Oyente on contract https://etherscan.io/address/0xe681f80966a8b1ffadecf8068bd6f99034791c95#code, with the binary extracted via the etherscan API: 0xe681f80966a8b1ffadecf8068bd6f99034791c95.txt

Many other contracts pass this way.

cmd docker start oyente_cont && docker exec -i oyente_cont python /oyente/oyente/oyente.py --compilation-error --depthlimit 4 --looplimit 100 -s 0xe681f80966a8b1ffadecf8068bd6f99034791c95.txt -b

fails with

WARNING:root:You are using evm version 1.8.2. The supported version is 1.7.3
WARNING:root:You are using solc version 0.4.21, The latest supported version is 0.4.19
incomplete push instruction at 522
INFO:symExec:   ============ Results ===========
Traceback (most recent call last):
  File "/oyente/oyente/oyente.py", line 221, in <module>
    main()
  File "/oyente/oyente/oyente.py", line 210, in main
    exit_code = analyze_bytecode()
  File "/oyente/oyente/oyente.py", line 72, in analyze_bytecode
    result, exit_code = symExec.run(disasm_file=inp['disasm_file'])
  File "/oyente/oyente/symExec.py", line 2457, in run
    analyze()
  File "/oyente/oyente/symExec.py", line 2440, in analyze
    run_build_cfg_and_analyze(timeout_cb=timeout_cb)
  File "/oyente/oyente/symExec.py", line 2397, in run_build_cfg_and_analyze
    build_cfg_and_analyze()
  File "/oyente/oyente/symExec.py", line 228, in build_cfg_and_analyze
    full_sym_exec()  # jump targets are constructed on the fly
  File "/oyente/oyente/symExec.py", line 547, in full_sym_exec
    return sym_exec_block(params, 0, 0, 0, -1, 'fallback')
  File "/oyente/oyente/symExec.py", line 612, in sym_exec_block
    sym_exec_ins(params, block, instr, func_call, current_func_name)
  File "/oyente/oyente/symExec.py", line 2054, in sym_exec_ins
    raise Exception('UNKNOWN INSTRUCTION: ' + opcode)
Exception: UNKNOWN INSTRUCTION: SHL

Was compiled with v0.7.6+commit.7338295f according to etherscan

gsalzer commented 2 years ago

Oyente was designed before the fork Byzantium (block 7,280,000 on the main chain, 28 Feb 2019) that introduced the instruction SHL, and apparently has never been upgraded with the semantics of newer instructions. Oyente does not handle the operations SHR, SAR, EXTCODEHASH, CHAINID, SELFBALANCE, BASEFEE and CREATE2 (same or later fork). Oyente even uses the opcode for CREATE2 internally for a different purpose. Not being able to handle SHL is particularly painful, as this instruction has appeared, for quite some time, near the beginning of every bytecode generated by the Solidity compiler, to dissect the call data to obtain the four-byte signature of the called method.
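As an added illustration (not Oyente's code, nor from either commenter): the 256-bit semantics of the shift instructions the comment lists, the calldata-dissection step they are used for, and a linear pre-scan that reports the unhandled opcodes before handing a binary to Oyente. It assumes the dispatch prologue has the form `shr(224, calldataload(0))`; the calldata and bytecode inputs are constructed.

```python
# Added example: EVM shift semantics (EIP-145) plus a pre-check for the
# opcodes the comment above names as unhandled by Oyente.
MASK = (1 << 256) - 1

def shl(shift: int, value: int) -> int:
    """SHL: left shift wrapped to 256 bits; a shift of 256 or more yields 0."""
    return (value << shift) & MASK if shift < 256 else 0

def shr(shift: int, value: int) -> int:
    """SHR: logical right shift; a shift of 256 or more yields 0."""
    return value >> shift if shift < 256 else 0

def sar(shift: int, value: int) -> int:
    """SAR: arithmetic right shift on the two's-complement view of value."""
    signed = value - (1 << 256) if value >> 255 else value
    shifted = signed >> min(shift, 256)  # Python's >> on negatives is arithmetic
    return shifted & MASK

def calldataload(calldata: bytes, offset: int) -> int:
    """CALLDATALOAD: 32-byte big-endian word, zero-padded past the end of data."""
    return int.from_bytes(calldata[offset:offset + 32].ljust(32, b"\0"), "big")

def selector(calldata: bytes) -> int:
    """Assumed Solidity prologue: shr(224, calldataload(0)) gives the 4-byte selector."""
    return shr(224, calldataload(calldata, 0))

# Opcode numbers of the instructions the comment lists as unhandled.
UNSUPPORTED = {0x1b: "SHL", 0x1c: "SHR", 0x1d: "SAR", 0x3f: "EXTCODEHASH",
               0x46: "CHAINID", 0x47: "SELFBALANCE", 0x48: "BASEFEE", 0xf5: "CREATE2"}

def find_unsupported(code: bytes) -> list:
    """Linear disassembly: skip PUSHn immediates, return (offset, name) hits.
    Like any linear scan, trailing metadata bytes can yield false positives."""
    hits, pc = [], 0
    while pc < len(code):
        op = code[pc]
        if op in UNSUPPORTED:
            hits.append((pc, UNSUPPORTED[op]))
        pc += 1 + (op - 0x5f if 0x60 <= op <= 0x7f else 0)  # PUSH1..PUSH32
    return hits

if __name__ == "__main__":
    # Constructed inputs: calldata for transfer(address,uint256) and a tiny prologue.
    data = bytes.fromhex("a9059cbb") + b"\0" * 64
    print(hex(selector(data)))  # 0xa9059cbb
    prologue = bytes.fromhex("600035" "60e01c")  # PUSH1 0 CALLDATALOAD PUSH1 0xe0 SHR
    print(find_unsupported(prologue))  # [(5, 'SHR')]
```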

mrx23dot commented 2 years ago

Thanks for the detailed answer!