Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Security analysis tool for EVM bytecode. Supports smart contracts built for Ethereum, Hedera, Quorum, Vechain, Roostock, Tron and other EVM-compatible blockchains.

Stars: ✭ 1,968 (+1928.87%)

Mutual labels: ethereum, symbolic-execution

Etheno

Simplify Ethereum security analysis and testing

Stars: ✭ 77 (-20.62%)

Mutual labels: ethereum, symbolic-execution

Expose

A Dynamic Symbolic Execution (DSE) engine for JavaScript. ExpoSE is highly scalable, compatible with recent JavaScript standards, and supports symbolic modelling of strings and regular expressions.

Stars: ✭ 94 (-3.09%)

Mutual labels: symbolic-execution

Coincurve

Cross-platform Python bindings for libsecp256k1

Stars: ✭ 89 (-8.25%)

Mutual labels: ethereum

Ethereum Etl Airflow

Airflow DAGs for exporting, loading, and parsing the Ethereum blockchain data. What datasets do you want to be added to Ethereum ETL? Vote here: https://blockchain-etl.convas.io.

Stars: ✭ 89 (-8.25%)

Mutual labels: ethereum

Btle Sniffer

Passively scan for Bluetooth Low Energy devices and attempt to fingerprint them

Stars: ✭ 87 (-10.31%)

Mutual labels: security-scanner

Etherwalletkit

Ethereum Wallet Toolkit for iOS - You can implement an Ethereum wallet without a server and blockchain knowledge.

Stars: ✭ 96 (-1.03%)

Mutual labels: ethereum

Coinwink

Crypto Alerts, Watchlist and Portfolio Tracking App

Stars: ✭ 95 (-2.06%)

Mutual labels: ethereum

Abyss Daico

DAICO is an innovative fundraising model that merges some of the benefits of Decentralized Autonomous Organizations (DAOs), aimed at upgrading and making the initial ICO concept more transparent.

Stars: ✭ 94 (-3.09%)

Mutual labels: ethereum

Aira

Autonomous intelligent robot agent (AIRA) project implements the standard of economic interaction between human-robot and robot-robot.

Stars: ✭ 91 (-6.19%)

Mutual labels: ethereum

Merkle Tree Solidity

JS - Solidity sha3 merkle tree bridge. Generate proofs in JS; verify in Solidity.

Stars: ✭ 94 (-3.09%)

Mutual labels: ethereum

Plasma Chamber

Plasma Chamber is a DApps development framework that guarantees security, scalability, and usability utilizing Plasma technology.

Stars: ✭ 91 (-6.19%)

Mutual labels: ethereum

Myetherapi

An API by MyEtherWallet. ETH / Ropsten / JSON RPC / Web3

Stars: ✭ 95 (-2.06%)

Mutual labels: ethereum

Eltwallet

Non-custodial decentralized mobile wallet

Stars: ✭ 88 (-9.28%)

Mutual labels: ethereum

Rlp

Recursive Length Prefix Encoding in JavaScript

Stars: ✭ 93 (-4.12%)

Mutual labels: ethereum

0x Monorepo

0x protocol monorepo - includes our smart contracts and many developer tools

Stars: ✭ 1,328 (+1269.07%)

Mutual labels: ethereum

Deepblockchains

Deep Blockchains - reference implementation of Plasma, Stark, SMT and more

Stars: ✭ 93 (-4.12%)

Mutual labels: ethereum

Securify2

Securify v2.0

Stars: ✭ 92 (-5.15%)

Mutual labels: ethereum

View All Similar Projects ➔

Pakala

"ilo Pakala li pakala e mani sona"

Pakala is a tool to search for exploitable bugs in Ethereum smart contracts.
Pakala is a symbolic execution engine for the Ethereum Virtual Machine.

The intended public for the tool are security researchers interested by Ethereum / the EVM.

Installation

pip3 install pakala

It works only with python 3.

Usage

Let's look at 0xeBE6c7a839A660a0F04BdF6816e2eA182F5d542C: it has a transfer(address _to, uint256 _value) function. It is supposedly protected by a require(call.value - _value) >= 0 but that condition always holds because we are substracting two unsigned integers, so the result is also an unsigned integer.

Let's scan it:

pakala 0xeBE6c7a839A660a0F04BdF6816e2eA182F5d542C --force-balance="1 ether"

The contract balance being 0, we won't be able to have it send us some ethers. So we override the balance to be 1 ETH: then it has some "virtual" money to send us.

The tool with tell you a bug was found, and dump you a path of "states". Each state corresponds to a transaction, with constraints that needs to be respected for that code path to be taken, storage that has been read/written...

Advice: look at calldata[0] in the constraints to see the function signature for each transaction.

See pakala help for more complete usage information.

How does it works? What does it do?

See the introductory article for more information and a demo.

In a nutshell:

It's very good at finding simple bugs in simple contracts.
The false-positive rate is very low. If it flags your contract it's likely people can drain it.
It can exploit non-trivial bugs requiring to overwrite some storage keys with others (array size underflow...), has a good modeling of cryptographic hashes, and support chaining multiple transactions.

However, It only implements an "interesting" subset of the EVM. It doesn't handle:

gas,
precompiles,
or a contract interacting with other contracts (DELEGATECALL, STATICCALL...).

This means that CALL support is limited to sending ethers. Other tools like Manticore can do that much better, and the focus for Pakala was offensive vulnerability scanning of contracts en masse.

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].

Stars: ✭ 97

Visit Git Page 🔗Visit User Page 🔗Visit Issues Page (0) 🔗