Attacker Contract Identifier Through Static Dataflow Analysis

shuo-young/BlockWatchdog

News: A Rust implementation Lydia (>10% faster) is here.

BlockWatchdog

Table of Contents
  1. About The Project
  2. Prerequisites
  3. Usage
  4. Code Structure
  5. Features
  6. Publication
  7. License

About The Project

An attacker-contract hunter that detects premeditated attacks (reentrancy in this case) and other behaviors in the attack matrix.

Prerequisites

  • python >= 3.8

  • gigahorse-toolchain

    Refer to the gigahorse-toolchain repository for setup details.

Install

  1. Install the Python dependencies.
conda create -n leslie python=3.8
conda activate leslie
pip3 install -r requirements.txt
  2. Or build or pull the Docker image (Docker image names must be lowercase).
docker build -t blockwatchdog:local .
docker pull ghcr.io/shuo-young/blockwatchdog:latest

Usage

Local

python3 blockwatchdog.py -la 0x10C509AA9ab291C76c45414e7CdBd375e1D5AcE8

Docker

For the docker image, run with the following command.

docker run ghcr.io/shuo-young/blockwatchdog:latest -la 0x10C509AA9ab291C76c45414e7CdBd375e1D5AcE8 -bp ETH -bn 16000000

Code Structure

  • gigahorse-toolchain: see Elipmoc, with a self-defined Datalog file leslie.dl (named in memory of Leslie Cheung). We now use the gigahorse version at commit 7d0faaa.
  • contract.py: fetch and decompile contract bytecode to extract flow information (e.g., function external calls) during intra-procedure analysis.
  • flow_analysis.py: trace all possible call chains in the call graph, and identify possible reentrancy paths and reentrancy call targets.
  • graph/call_graph.py: construct call graph and print it.
  • global_params.py: global params for analysis.
  • blockwatchdog.py: interfaces for input and output.

Features

  • Recover all possible (and available) call chains originated from the attacker contract (each public function).
  • Report critical attack semantics, e.g., calls in hook functions, selfdestruct, use of random numbers, contract creation (sole and multi), etc.
  • Locate call sites that could perform reentrancy and possible reentrancy targets (victims).
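
A simplified sketch of the call-chain tracing and reentrancy call-site/target identification listed above, added here as an illustration and not taken from BlockWatchdog's code. The call graph, the contract and function names, and the HOOKS set are constructed assumptions; the tool itself derives external-call edges from decompiled bytecode.

```python
from typing import Dict, List, Tuple

Node = Tuple[str, str]  # (contract, function)

# Constructed sample: external calls recovered per function (hypothetical names).
CALL_GRAPH: Dict[Node, List[Node]] = {
    ("Attacker", "start()"): [("Victim", "withdraw()")],
    ("Victim", "withdraw()"): [("Attacker", "fallback()")],
    ("Attacker", "fallback()"): [("Victim", "withdraw()")],
    ("Attacker", "sweep()"): [("Token", "transfer()")],
}
# Assumed set of callback entry points that another contract can trigger.
HOOKS = {"fallback()", "receive()", "tokensReceived()", "onERC721Received()"}

def call_chains(graph, root, max_depth=8):
    """Enumerate call chains from root; a chain ends at a leaf, at
    max_depth, or as soon as a node repeats (the cycle is kept once)."""
    chains, stack = [], [[root]]
    while stack:
        path = stack.pop()
        callees = graph.get(path[-1], [])
        if not callees or len(path) >= max_depth or path[-1] in path[:-1]:
            chains.append(path)
            continue
        stack.extend(path + [callee] for callee in callees)
    return chains

def reentrancy_findings(chain, attacker):
    """Flag attacker hook functions that call back into a contract whose
    own call is still in progress earlier in the same chain."""
    findings = []
    for i in range(1, len(chain) - 1):
        contract, func = chain[i]
        if contract != attacker or func not in HOOKS:
            continue
        in_progress = {c for c, _ in chain[:i] if c != attacker}
        target = chain[i + 1]
        if target[0] in in_progress:
            findings.append({"call_site": chain[i], "target": target})
    return findings

def analyze(graph, attacker):
    """Start from every function of the attacker contract and collect findings."""
    report = {}
    for root in [n for n in graph if n[0] == attacker]:
        hits = [f for chain in call_chains(graph, root)
                for f in reentrancy_findings(chain, attacker)]
        if hits:
            report[root] = hits
    return report

if __name__ == "__main__":
    print(analyze(CALL_GRAPH, "Attacker"))
```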

Publication

This repository was proposed in the ICSE'24 paper: Uncover the Premeditated Attacks: Detecting Exploitable Reentrancy Vulnerabilities by Identifying Attacker Contracts, and we would really appreciate your citation if this repo helps you.

License

Copyright © 2024 Shuo Yang.
This project is Apache licensed.