nevillegrech / MadMax

Ethereum Static Vulnerability Detector for Gas-Focussed Vulnerabilities
BSD 3-Clause "New" or "Revised" License

UnboundedMassOperation vulnerability not detected? #2

Closed mmathys closed 4 years ago

mmathys commented 4 years ago

Hello, I have this example contract which has an unbounded mass operation vulnerability.

```solidity
pragma solidity >=0.4.22 <0.6.0;

contract NaiveBank {
  struct Account {
    address addr;
    uint balance;
  }

  Account[] accounts;

  function applyInterest() public returns (uint) {
    for (uint i = 0; i < accounts.length; i++) {
      // apply 5 percent interest
      accounts[i].balance = accounts[i].balance * 105 / 100;
    }
    return accounts.length;
  }

  function createAccount() public {
    accounts.push(Account(msg.sender, 0));
  }
}
```

When I try to run ./tools/analyser/analyse.rb tools/bulk_analyser/spec.dl vulnerability.hex, the script does not return that the contract is vulnerable to an unbounded mass operation vulnerability.

What am I doing wrong?

Thanks in advance.

nevillegrech commented 4 years ago

What command line arguments were used for compilation in solc? Did you produce runtime code?

mmathys commented 4 years ago

Yes, I think I produced runtime code.

Repro steps:

Solidity source is in unbounded.sol.

1. Compiling:
   solc --bin-runtime unbounded.sol | tail -n 1 > unbounded.hex

   Now the bytecode is in unbounded.hex.

2. Analysing:
   ./tools/analyser/analyse.rb tools/bulk_analyser/spec.dl unbounded.hex

This command gives the output:

unbounded.hex,ArrayIdToStorageIndex,AssertAliasing,FlowsFrom,InStructuredLoop,InductionVariable,KeyToOffset,LoopExitCond,PossibleArrayIterator,StorageDynamicBound

However, the output should contain Vulnerability_UnboundedMassOp, right? 🤔

mmathys commented 4 years ago

I am wondering whether I used the right spec file and the right analysis script, or whether the code might just not be production optimized.

nevillegrech commented 4 years ago

Hi @mmathys. I've tried the code with the latest version of MadMax that runs on contract-library.com and it produces the following output:

Array iterator at 0xd961d190() may be susceptible to DoS by increasing storage requirements at createAccount()

The version running on contract-library.com uses a newer decompiler called Gigahorse.

If you want to use that version just upload the smart contract to a testnet and the results will be automatically posted on contract-library.com within a few seconds.
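The warning above points at the root cause: `applyInterest()` iterates over a storage array whose length anyone can grow through `createAccount()`, so a single call can be pushed past the block gas limit. As an added example (not code from this issue or from the MadMax project), here is a hardened variant of the same contract that processes the array in caller-bounded batches with a persistent cursor; `BoundedBank`, `cursor` and `maxIterations` are names chosen for this illustration.

```solidity
pragma solidity >=0.4.22 <0.6.0;

// Hardened variant of NaiveBank: interest is applied in bounded batches,
// so inflating `accounts` via createAccount() cannot make one call of
// applyInterest() exceed the block gas limit.
contract BoundedBank {
  struct Account {
    address addr;
    uint balance;
  }

  Account[] accounts;
  uint public cursor; // index of the next account to process

  // Process at most `maxIterations` accounts per call. Repeated calls walk
  // the whole array; the cursor wraps to 0 once a full pass completes.
  function applyInterest(uint maxIterations) public returns (uint processed) {
    uint len = accounts.length;
    uint start = cursor;
    uint end;
    // Guard the addition so a huge maxIterations cannot wrap around
    // (0.5.x arithmetic is unchecked).
    if (maxIterations > len - start) {
      end = len;
    } else {
      end = start + maxIterations;
    }
    for (uint i = start; i < end; i++) {
      // apply 5 percent interest
      accounts[i].balance = accounts[i].balance * 105 / 100;
    }
    processed = end - start;
    cursor = (end == len) ? 0 : end;
  }

  function createAccount() public {
    accounts.push(Account(msg.sender, 0));
  }
}
```

Per-call gas is now bounded by `maxIterations` rather than by the attacker-controlled array length; the trade-off is that a pass is no longer atomic, so accounts created while a pass is in progress are only reached on the next one.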

mmathys commented 4 years ago

Thanks