Not your Type! Detecting Storage Collision Vulnerabilities in Ethereum Smart Contracts

This repository contains the code used for our NDSS 2024 paper Not your Type! Detecting Storage Collision Vulnerabilities in Ethereum Smart Contracts. Our system, crush, can be used to find exploitable storage collision vulnerabilities on the Ethereum blockchain.

⚠️ Disclaimer

For ethical reasons, we are not releasing a fully automated "push-one-button" solution for the identification and automatic exploitation of vulnerable smart contracts. We instead open-source all the necessary scripts to demonstrate the approach presented in our paper. Interested researchers will have all the necessary code to replicate our work. In case something does not click, please reach out to us :)

Dependencies

To run crush, you will need:

  • To install greed -- our symbolic execution engine for EVM smart contract binaries.
  • For some of the analyses, you will need access to an Ethereum (archive) node (e.g., go-ethereum, erigon).
  • For some of the analyses, you will need a database of historical (internal) transactions. We maintain our own (private) database, but you can also use other existing services (e.g., ether-sql).

Usage

# you can run the individual analyses in crush with:
# ./crush.py interactions <ADDRESS>    # needs postgres
# ./crush.py lifespan <ADDRESS>        # needs postgres, web3
# ./crush.py type <ADDRESS>
# ./crush.py collision <ADDRESS>
# ./crush.py impact <ADDRESS>
# ./crush.py exploit <ATTACK REQUEST>  # needs web3

# some analyses however depend on the results of others, so we provide a script to run all analyses at once:
./crush.sh --proxy 0x4DEcA517D6817B6510798b7328F2314d3003AbAC --data-path ./data.example