-
Notifications
You must be signed in to change notification settings - Fork 740
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
How to get the selector in a analysis module #1858
Comments
EVM hashes the function uniswapV3SwapCallback and encodes it in the first 4 bytes of the call data.
|
You can access the calldata by directly indexing the indices 0, 1, 2, and 3 |
It is not meant to contain concrete calldata. You have to add it as a constraint and run the solver to check if you are executing the desired function. |
I misunderstood the information given in the debug like "If(2_calldatasize <= 0, 0, 2_calldata[0])", and then I directly made an equal operation on the BitVec, it worked! Thanks for your patience. |
Hi, another issue. I have write a module.there are two cases, one is detected as expected, another is not.
for the second constraint, mainly refer the function "is_unique_jumpdest" of "ArbitraryJump" module core logic
test case malicious contract
Whether there is "require(msg.sender == lp_address)" or not, detect result in my expection. And also apply a modifier also work well too.
variable "pool0" could be controlled arbitrary from the malicious CALLER lp contract, at that point "msg.sender" could be any one.
|
Mythril restricts the user addresses to the list of |
Description
In the Defi protocol, it is very common to use "uniswapV3SwapCallback" like interface function to receive the callbak from LP, However some implementation of uniswapV3SwapCallback has no premission controll. Just as the uniswap official give the caution:
You can also check the background in my article here:
refer:https://medium.com/@zhanchihu/watch-your-back-while-you-want-to-do-aribitrage-with-uniswap-flashloan-f456e4f3e99d
Tests
todo
Implementation details
I want to implement a module to hook the CALL instruction, and give the constraint like
Now, my problem is how can I get the selector in the current CALL instruction. I have checked the "state.environment.calldata", and will to extract the selector, but in debug mode it look like this
Is there any convient way for me to get selector?
The text was updated successfully, but these errors were encountered: