About the developer

fergarrui
129 Stars 16 Forks GNU General Public License v3.0 28 Commits 2 Opened issues

Description

Security issues in Ethereum demonstrated in Mocha tests. The fix is also demonstrated.
ethereum-security

:exclamation: :warning: DO NOT USE THE CONTRACTS IN THIS REPOSITORY. THEY ARE VULNERABLE TO SECURITY BUGS. :warning: :exclamation:

Repository with some Ethereum security bugs. The bugs and fixes are demonstrated using Mocha tests.

Bugs added so far:

  • Overflow
  • Underflow
  • Reentrancy (DAO hack)
  • Delegatecall (Parity hack style)
  • DOS (e.g. stay as an Auction leader forever)
  • DOS (unbounded array loop)
  • Force ether (relying on the invariant this.balance == 0)
  • Tx.origin
  • Unchecked send() output
  • Storage override (commonly used in honeypots - or genuine bugs)
  • Array storage override (length underflow - storage override)
  • extcodesize (bypassed when used to check if the caller is a contract)
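As an added illustration of the "stay as an Auction leader forever" DOS entry above (example code written for this page, not one of the repository's contracts), a plain JavaScript model of the push-refund auction next to its pull-payment fix; Account, PushAuction, PullAuction and demo are constructed names, and ether amounts are BigInt wei:

```javascript
// Toy model of the "stay as auction leader forever" DoS and its pull-payment fix.
// Plain JavaScript, BigInt wei; names are constructed for this example, not the repo's contracts.
class Account {
  constructor(name, acceptsEther) { this.name = name; this.acceptsEther = acceptsEther; this.balance = 0n; }
  // Models transfer() into this account: a contract whose fallback reverts
  // (acceptsEther === false) makes the calling transaction revert as well.
  receive(amount) {
    if (!this.acceptsEther) throw new Error(`${this.name}: fallback reverted`);
    this.balance += amount;
  }
}
// Vulnerable pattern: the refund is pushed inside bid(), so a leader that always reverts can never be outbid.
class PushAuction {
  constructor() { this.leader = null; this.highestBid = 0n; }
  bid(bidder, amount) {
    if (amount <= this.highestBid) throw new Error('bid too low');
    if (this.leader) this.leader.receive(this.highestBid); // push refund: may revert
    this.leader = bidder; this.highestBid = amount;
  }
}
// Fixed pattern: record what outbid bidders are owed and let them pull it; a reverting fallback only breaks that bidder's own withdraw().
class PullAuction {
  constructor() { this.leader = null; this.highestBid = 0n; this.refunds = new Map(); }
  bid(bidder, amount) {
    if (amount <= this.highestBid) throw new Error('bid too low');
    if (this.leader) this.refunds.set(this.leader, (this.refunds.get(this.leader) ?? 0n) + this.highestBid);
    this.leader = bidder; this.highestBid = amount;
  }
  withdraw(bidder) {
    const owed = this.refunds.get(bidder) ?? 0n;
    if (owed === 0n) throw new Error('nothing to withdraw');
    this.refunds.set(bidder, 0n); // effects before the external call
    try { bidder.receive(owed); } catch (e) {
      this.refunds.set(bidder, owed); // models the EVM rolling state back on revert
      throw e;
    }
    return owed;
  }
}
// Runs the same two bids against either auction and reports who ends up leading.
function demo(AuctionClass) {
  const auction = new AuctionClass();
  const griefer = new Account('griefer', false); // contract whose fallback always reverts
  const alice = new Account('alice', true);
  auction.bid(griefer, 1n);
  let aliceBidReverted = false;
  try { auction.bid(alice, 2n); } catch (e) { aliceBidReverted = true; }
  return { auction, griefer, leader: auction.leader.name, aliceBidReverted };
}
```

With PushAuction the griefer keeps the lead because every later bid reverts on the refund; with PullAuction alice takes the lead and the griefer's 1 wei stays recorded in refunds until a successful withdraw().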

Run:

truffle test

To debug or run the test suite in more detail:

  1. Modify truffle.js with:
module.exports = {
  networks: {
    development: {
      host: "localhost",
      port: 8545,
      network_id: "*", // Match any network id
      gas : 4000000
    }
  }
};

This will run the tests in a local test blockchain. Then testrpc, followed by truffle console (or just truffle develop), can be run to get an interactive console and see the RPC methods that have been called in the process, and therefore the transaction hashes (if there was a transaction).

Once you know the transaction hash you want to inspect in more detail, it can be debugged running

truffle debug 
. See the transaction with
web3.eth.getTransaction("")
or the transaction receipt:
web3.eth.getTransactionReceipt("")

Also, an individual test can be run using:

truffle test test//.js
