Skip to content

DetectReentrancyAdvanced false positive on 2300-gas transfer causes ethereum_bench failure (eth_tx_order_dependence_multitx_1) #2680

New issue
New issue
Open
Open
DetectReentrancyAdvanced false positive on 2300-gas transfer causes ethereum_bench failure (eth_tx_order_dependence_multitx_1)#2680
Labels
bugethereum
@dguido

Description

@dguido
dguido
opened on Aug 23, 2025

Title: DetectReentrancyAdvanced false positive on 2300-gas transfer causes ethereum_bench failure (eth_tx_order_dependence_multitx_1)

Summary
The ConsenSys benchmark test eth_tx_order_dependence_multitx_1 fails due to a false-positive reentrancy finding from DetectReentrancyAdvanced. The contract uses address.transfer(...) (2300 gas stipend), which is not reentrancy-capable, but the detector flags “Reentrancy multi-million ether bug”. The test expects no findings.

Affected Test

  • tests/ethereum_bench/test_consensys_benchmark.py::EthBenchmark::test_eth_tx_order_dependence_multitx_1

Expected

  • No reentrancy finding for 2300-gas transfer/send calls.

Actual

  • DetectReentrancyAdvanced reports ("Reentrancy multi-million ether bug", False), causing the assertion to fail. Logs show repeated warnings:
    • Reentrancy multi-million ether bug

Root Cause Hypothesis

  • In manticore/ethereum/detectors.py, DetectReentrancyAdvanced.did_close_transaction_callback uses a greater-or-equal threshold for gas:
    • Current: state.can_be_true(Operators.UGE(tx.gas, 2300))
    • Correct: state.can_be_true(Operators.UGT(tx.gas, 2300)) (strictly greater than 2300)
  • DetectReentrancySimple already uses Operators.UGT(gas, 2300), which matches the EVM reality that 2300-gas stipends (transfer/send) can’t perform state-changing re-entrancy.

Proposed Fix

  • File: manticore/ethereum/detectors.py
  • Change:
    • if state.can_be_true(Operators.UGE(tx.gas, 2300)):
  • To:
    • if state.can_be_true(Operators.UGT(tx.gas, 2300)):

Rationale

  • Align advanced detector with simple detector and EVM semantics (>2300 gas).
  • Remove false positives for transfer/send while preserving detection for call.value(...).gas(...) patterns.

Reproduction

  • Run the single test:
    • pytest -xvs tests/ethereum_bench/test_consensys_benchmark.py::EthBenchmark::test_eth_tx_order_dependence_multitx_1 -q
  • Or run the suite:
    • pytest -xvs tests/ethereum_bench -q

Acceptance Criteria

  • test_eth_tx_order_dependence_multitx_1 passes (no finding).
  • Other reentrancy-related benchmarks continue to pass:
    • test_reentrancy_dao
    • test_reentrancy_dao_fixed
    • test_reentrancy_nostateeffect

Temporary Mitigation

  • We’ve marked test_eth_tx_order_dependence_multitx_1 as skipped with a reason referencing this issue to keep CI green while the fix is implemented.

Labels

  • bug, ethereum, detectors, false-positive, benchmarks

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugethereum

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions