In this workshop we'll practice detecting & preventing common bugs in Solidity/EVM smart contracts. We'll solve challenges from CaptureTheEther and OpenZeppelin Ethernaut and learn how to use MythX during development to prevent security bugs and verify security properties.
Here's how to get set up for the workshop. First, you need a web3 capable browser and some testnet ETH. You probably also have both, but if not, get Metamask and grab some ETH from the Ropsten faucets:
The workshop exercises are hosted in an separate repo. Get a local copy by cloning the repo:
$ git clone https://github.com/ConsenSys/mythx-playground/
If you run into insurmountable problems ask the instructors for help.
Head to the MythX website and sign up for a free account to generate your API key. In this workshop we'll be using the Remix plugin.
In the first part of this workshop we'll be looking at different ways of identifying, fixing and preventing vulnerabilities during development.
Let's start with something easy to get warmed up! Ethereum is a public ledger and nothing you put on this ledger is really private.
Target Contract:
Some of the worst incidents so far were caused by critical functions that were inadvertently exposed to attackers. Remember Parity WalletLibrary?
Target Contracts:
Antoher common source of bugs are integer overflows and underflows. We'll cover them im the next two examples. Hint: The best way to prevent integer arithmetic bugs is by using SafeMath.
The infamous TheDAO was exploited by reentrancy in 2016. Although the community is more aware of it, reentrancy struck back in October 2018.
Let's look at a simplified example of the DAO bug.
It is impossible to create truly random numbers using Solidity. Let's see what happens if we rely on things like blocknumbers and blockhashes for randomness.
Target Contract:
The Solidity assert()
statement is used to specify conditions that are expected to always hold. If you want to prove certain assumptions about your code, you can put them into asserts and use Mythril's symbolic execution engine to do all the hard work for you.
In thus exercise we'll write and check and invariant for Etherbank.
Catching bugs early during the development lifecycle saves a lot of pain. In this section we'll have a look at Truffle and CI integration.
$ npm install truffle-security
Created by ConsenSys Diligence and the Mythril team. Special thanks to Mick Ayzenberg (Security Innovation), Trail of Bits, Steve Marx of CaptureTheEther and ConsenSys fame and Zeppelin Solutions for vulnerable contract samples and challenges. Also, kudos to the Truffle and Guardrails teams for working with us on Mythril Platform integration.