Add additional analysis modules (#1836)

* Update z3

* Add analysis modules

* Modify test

Author: norhh

mythril/analysis/module/loader.py

@@ -14,12 +14,17 @@
 from mythril.analysis.module.modules.external_calls import ExternalCalls
 from mythril.analysis.module.modules.integer import IntegerArithmetics
 from mythril.analysis.module.modules.multiple_sends import MultipleSends
+from mythril.analysis.module.modules.requirements_violation import RequirementsViolation
 from mythril.analysis.module.modules.state_change_external_calls import (
     StateChangeAfterCall,
 )
 from mythril.analysis.module.modules.suicide import AccidentallyKillable
+from mythril.analysis.module.modules.transaction_order_dependence import (
+    TransactionOrderDependence,
+)
 from mythril.analysis.module.modules.unchecked_retval import UncheckedRetval
 from mythril.analysis.module.modules.user_assertions import UserAssertions
+from mythril.analysis.module.modules.unexpected_ether import UnexpectedEther
 
 from mythril.analysis.module.base import EntryPoint
 
@@ -90,19 +95,22 @@ def get_detection_modules(
     def _register_mythril_modules(self):
         self._modules.extend(
             [
+                AccidentallyKillable(),
                 ArbitraryJump(),
                 ArbitraryStorage(),
                 ArbitraryDelegateCall(),
-                PredictableVariables(),
-                TxOrigin(),
                 EtherThief(),
                 Exceptions(),
                 ExternalCalls(),
                 IntegerArithmetics(),
                 MultipleSends(),
+                PredictableVariables(),
+                RequirementsViolation(),
                 StateChangeAfterCall(),
-                AccidentallyKillable(),
+                TransactionOrderDependence(),
+                TxOrigin(),
                 UncheckedRetval(),
+                UnexpectedEther(),
                 UserAssertions(),
             ]
         )

mythril/analysis/module/modules/requirements_violation.py

@@ -0,0 +1,85 @@
+"""This module contains the detection code for requirement violations in a call"""
+import logging
+
+from mythril.analysis import solver
+from mythril.analysis.module.base import DetectionModule
+from mythril.analysis.report import Issue
+from mythril.analysis.issue_annotation import IssueAnnotation
+from mythril.laser.smt import And
+from mythril.analysis.swc_data import REQUIREMENT_VIOLATION
+from mythril.exceptions import UnsatError
+from mythril.laser.ethereum.state.global_state import GlobalState
+
+from typing import List
+
+log = logging.getLogger(__name__)
+
+
+class RequirementsViolation(DetectionModule):
+    """This module detects transaction order dependence"""
+
+    name = "Requirement Violation"
+    swc_id = REQUIREMENT_VIOLATION
+    description = "Checks whether any requirements violate in a call."
+    entrypoint = "callback"
+    pre_hooks = ["REVERT"]
+    plugin_default_enabled = True
+
+    def _execute(self, state: GlobalState) -> List[Issue]:
+        """
+
+        :param state:
+        :return:
+        """
+        issues = self._analyze_state(state)
+        for issue in issues:
+            self.cache.add((issue.source_location, issue.bytecode_hash))
+        return issues
+
+    def _analyze_state(self, state) -> List[Issue]:
+        """
+
+        :param state:
+        :return:
+        """
+
+        if len(state.transaction_stack) < 2:
+            return []
+
+        try:
+            address = state.get_current_instruction()["address"]
+            description_head = "A requirement was violated in a nested call and the call was reverted as a result."
+            description_tail = "Make sure valid inputs are provided to the nested call (for instance, via passed arguments)."
+            transaction_sequence = solver.get_transaction_sequence(
+                state, state.world_state.constraints
+            )
+            issue = Issue(
+                contract=state.environment.active_account.contract_name,
+                function_name=state.environment.active_function_name,
+                address=address,
+                swc_id=REQUIREMENT_VIOLATION,
+                title="requirement violation",
+                severity="Medium",
+                description_head=description_head,
+                description_tail=description_tail,
+                bytecode=state.environment.code.bytecode,
+                transaction_sequence=transaction_sequence,
+                gas_used=(state.mstate.min_gas_used, state.mstate.max_gas_used),
+            )
+            state.annotate(
+                IssueAnnotation(
+                    conditions=[And(*state.world_state.constraints)],
+                    issue=issue,
+                    detector=self,
+                )
+            )
+
+            return [issue]
+
+        except UnsatError:
+            log.debug("no model found")
+
+        return []
+
+
+detector = RequirementsViolation()

mythril/analysis/module/modules/transaction_order_dependence.py

@@ -0,0 +1,138 @@
+"""This module contains the detection code for transaction order dependence."""
+
+from mythril.analysis import solver
+from mythril.analysis.potential_issues import (
+    PotentialIssue,
+    get_potential_issues_annotation,
+)
+from mythril.analysis.swc_data import TX_ORDER_DEPENDENCE
+from mythril.laser.ethereum.transaction.symbolic import ACTORS
+from mythril.analysis.module.base import DetectionModule
+from mythril.laser.smt import Or, Bool
+from mythril.laser.ethereum.state.global_state import GlobalState
+from mythril.exceptions import UnsatError
+import logging
+
+log = logging.getLogger(__name__)
+
+DESCRIPTION = """
+
+Search for calls whose value depends on balance or storage.
+
+"""
+
+
+class BalanceAnnotation:
+    def __init__(self, caller):
+        self.caller = caller
+
+
+class StorageAnnotation:
+    def __init__(self, caller):
+        self.caller = caller
+
+
+class TransactionOrderDependence(DetectionModule):
+    """This module detects transaction order dependence."""
+
+    name = "Transaction Order Dependence"
+    swc_id = TX_ORDER_DEPENDENCE
+    description = DESCRIPTION
+    entrypoint = "callback"
+    pre_hooks = ["CALL"]
+    post_hooks = ["BALANCE", "SLOAD"]
+    plugin_default_enabled = True
+
+    def _execute(self, state: GlobalState) -> None:
+        """
+
+        :param state:
+        :return:
+        """
+        potential_issues = self._analyze_state(state)
+
+        annotation = get_potential_issues_annotation(state)
+        annotation.potential_issues.extend(potential_issues)
+
+    @staticmethod
+    def annotate_balance_storage_vals(state, opcode):
+        val = state.mstate.stack[-1]
+        if opcode == "BALANCE":
+            annotation = BalanceAnnotation
+        else:
+            annotation = StorageAnnotation
+        if len(val.get_annotations(annotation)) == 0:
+            state.mstate.stack[-1].annotate(annotation(state.environment.sender))
+        return []
+
+    def _analyze_state(self, state: GlobalState):
+        """
+
+        :param state:
+        :return:
+        """
+        opcode = state.get_current_instruction()["opcode"]
+        if opcode != "CALL":
+            opcode = state.environment.code.instruction_list[state.mstate.pc - 1][
+                "opcode"
+            ]
+        if opcode in ("BALANCE", "SLOAD"):
+            self.annotate_balance_storage_vals(state, opcode)
+            return []
+
+        value = state.mstate.stack[-3]
+        if (
+            len(value.get_annotations(StorageAnnotation))
+            + len(value.get_annotations(BalanceAnnotation))
+            == 0
+        ):
+            return []
+        callers = []
+
+        storage_annotations = value.get_annotations(StorageAnnotation)
+        if len(storage_annotations) == 1:
+            callers.append(storage_annotations[0].caller)
+        balance_annotations = value.get_annotations(BalanceAnnotation)
+        if len(balance_annotations) == 1:
+            callers.append(balance_annotations[0].caller)
+
+        address = state.get_current_instruction()["address"]
+        call_constraint = Bool(False)
+        for caller in callers:
+            call_constraint = Or(call_constraint, ACTORS.attacker == caller)
+
+        try:
+            constraints = state.world_state.constraints + [call_constraint]
+
+            solver.get_transaction_sequence(state, constraints)
+
+            description_head = (
+                "The value of the call is dependent on balance or storage write"
+            )
+            description_tail = (
+                "This can lead to race conditions. An attacker may be able to run a transaction after our transaction "
+                "which can change the value of the call"
+            )
+
+            issue = PotentialIssue(
+                contract=state.environment.active_account.contract_name,
+                function_name=state.environment.active_function_name,
+                address=address,
+                swc_id=TX_ORDER_DEPENDENCE,
+                title="Transaction Order Dependence",
+                bytecode=state.environment.code.bytecode,
+                severity="Medium",
+                description_head=description_head,
+                description_tail=description_tail,
+                constraints=constraints,
+                detector=self,
+            )
+
+        except UnsatError:
+            log.debug("[Transaction Order Dependence] No model found.")
+            return []
+
+        return [issue]
+
+
+detector = TransactionOrderDependence()