An Analysis Tool for Smart Contracts
A container with the dependencies set up can be found here.
To open the container, install docker and run:
docker pull luongnguyen/oyente && docker run -i -t luongnguyen/oyente
To evaluate the greeter contract inside the container, run:
cd /oyente/oyente && python oyente.py -s greeter.sol
and you are done!
Note - If you need the version of Oyente referred to in the paper, run the container from here
Install Oyente via pip:
$ pip2 install oyente
$ sudo add-apt-repository ppa:ethereum/ethereum
$ sudo apt-get update
$ sudo apt-get install solc
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository -y ppa:ethereum/ethereum
$ sudo apt-get update
$ sudo apt-get install ethereum
Download the source code of version z3-4.5.0
Install z3 using Python bindings
$ python scripts/mk_make.py --python
$ cd build
$ make
$ sudo make install
$ pip install requests
$ pip install web3
#evaluate a local solidity contract
python oyente.py -s <contract filename>
#evaluate a local solidity with option -a to verify assertions in the contract
python oyente.py -a -s <contract filename>
#evaluate a local evm contract
python oyente.py -s <contract filename> -b
#evaluate a remote contract
python oyente.py -ru https://gist.githubusercontent.com/loiluu/d0eb34d473e421df12b38c12a7423a61/raw/2415b3fb782f5d286777e0bcebc57812ce3786da/puzzle.sol
And that's it! Run python oyente.py --help for a list of options.
The accompanying paper explaining the bugs detected by the tool can be found here.
A collection of the utilities that were developed for the paper is in misc_utils. Use them at your own risk - they have mostly been disposable.
generate-graphs.py - Contains a number of functions to get statistics from contracts.
get_source.py - The get_contract_code function can be used to retrieve contract source from EtherScan.
transaction_scrape.py - Contains functions to retrieve up-to-date transaction information for a particular contract.
Note: This is an improved version of the tool used for the paper. Benchmarks are not for direct comparison.
To run the benchmarks, it is best to use the docker container as it includes the blockchain snapshot necessary.
In the container, run batch_run.py after activating the virtualenv. Results are in results.json once the benchmark completes.
The benchmarks take a long time and a lot of RAM in any but the largest of clusters, beware.
Some analytics regarding the number of contracts tested, number of contracts analysed, etc. are collected when running this benchmark.
Check out our contribution guide and the code structure here.
FAQs
An analysis tool for smart contracts
We found that oyente demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 2 open source maintainers collaborating on the project.