CMDB>> ethereum-security>> 返回
项目作者: fergarrui

项目描述 :
Security issues in Ethereum demonstrated in mocha tests. The fix is also demonstrated
高级语言: JavaScript
项目地址: git://github.com/fergarrui/ethereum-security.git
创建时间: 2018-02-01T19:43:34Z
项目社区:https://github.com/fergarrui/ethereum-security
开源协议:GNU General Public License v3.0
下载


ethereum-security

:exclamation: :warning: DO NOT USE THE CONTRACTS IN THIS REPOSITORY. THEY ARE VULNERABLE TO SECURITY BUGS. :warning: :exclamation:

Repository with some Ethereum security bugs.
The bugs and fixes are demonstrated using Mocha tests.

Bugs added so far:

  • Overflow
  • Underflow
  • Reentrancy (DAO hack)
  • Delegatecall (Parity hack style)
  • DOS (e.g. stay as an Auction leader forever)
  • DOS (unbounded array loop)
  • Force ether (relying on the invariant this.balance == 0)
  • Tx.origin
  • Unchecked send() output
  • Storage override (commonly used in honeypots - or genuine bugs)
  • Array storage override (length underflow - storage override)
  • extcodesize bypassed when used to check if the caller is a contract

Run:

  1. truffle test

To debug or run the test suite in more detail:

  1. Modify truffle.js with:
  1. module.exports = {
  2.   networks: {
  3.     development: {
  4.       host: "localhost",
  5.       port: 8545,
  6.       network_id: "*", // Match any network id
  7.       gas : 4000000
  8.     }
  9.   }
  10. };

This will run the tests in a local test blockchain. Then testrpc & truffle console or just truffle develop can be run to have an interactive console and be able to see the RPC methods that have been called in the process, and therefore, the transaction hashes (if there was a transaction).

Once you know the transaction hash you want to inspect in more detail, it can be debugged running truffle debug <tx_hash>.
See the transaction with web3.eth.getTransaction("<tx_hash>") or the transaction receipt: web3.eth.getTransactionReceipt("<tx_hash>")

Also, an individual test can be run using:
truffle test test/<test_folder>/<test_name>.js