Contract verification made easier

Smart contract authors can now express security properties in the same language they use to write their code (Solidity) and our new tool, manticore-verifier, will automatically verify those invariants. Even better, Echidna and Manticore share the same format for specifying property tests.

In other words, smart contract authors can now write one property test and have it tested with fuzzing and verified by symbolic execution! Ultimately, manticore-verifier reduces the initial effort and cost involved in symbolic testing of arbitrary properties.

How it works

A smart contract’s behavior—and its potential bugs—are often unique and depend heavily on unspoken contract invariants. Let’s test a simple contract:

contract Ownership{    address owner = msg.sender;    function Owner() public{        owner = msg.sender;    }    modifier isOwner(){        require(owner == msg.sender);        _;    }}contract Pausable is Ownership{    bool is_paused;    modifier ifNotPaused(){        require(!is_paused);        _;    }    function paused() isOwner public{        is_paused = true;    }    function resume() isOwner public{        is_paused = false;    }}contract Token is Pausable{    mapping(address => uint) public balances;    function transfer(address to, uint value) ifNotPaused public{        balances[msg.sender] -= value;        balances[to] += value;    }}

This contract maintains a balance sheet and allows for simple transactions. Users can send their tokens to other users, but the total amount of tokens must remain fixed—in other words, tokens can’t be created after the contract has started. So under this invariant, a valid property could state: “If there are only 10,000 tokens, no user could own more than that.”

We can express this property as a Solidity method: “crytic_test_balance.”

import "token.sol";contract TestToken is Token {    constructor() public{        balances[msg.sender] = 10000;    }    // the property    function crytic_test_balance() view public returns(bool){        return balances[msg.sender] <= 10000;    }   }

The emulated world

ManticoreEVM compiles and then creates the contract in a fully emulated symbolic blockchain.

Different normal accounts are also created there to replicate real-world situations. A deployer account is used to deploy the contract, others are used to explore the contract and try to break the properties, and, finally, a potentially different account is used to test the properties.

ManticoreEVM detects the property type methods present in high-level source code and checks them after every combination of symbolic transactions. A normal property is considered failed if the method returns false.

The loop (exploration)

The deployer account initially creates the target contract via a CREATE transaction. Then manticore-verifier simulates all possible interleaving transactions originating from the contract testers until (for example) no more coverage is found. After each symbolic transaction, the properties are checked in the name of the property-checker account, and if anything looks broken, a report of the reproducible exploit trace is generated. Normal properties like crytic_test_balance() are expected to return true; any other result is reported as a problem.

manticore-verifier dapp.sol –contract TestToken

It’s a command–line-based tool

Several aspects of the exploration, the stopping condition, and the user accounts employed can be modified by command line arguments. Try $manticore-verifier –help for a thorough list. Here’s an excerpt of it in action:

$manticore-verifier dapp.sol  --contract TestToken# Owner account: 0x28e9eb58c2f5be87161a261f412a115eb85946d9# Contract account: 0x9384027ebe35100de8ef216cb401573502017f7# Sender_0 account: 0xad5e556d9699e9e35b3190d76f75c9bf9997533b# PSender account: 0xad5e556d9699e9e35b3190d76f75c9bf9997533b# Found 1 properties: crytic_test_balance# Exploration will stop when some of the following happens:# * 3 human transaction sent# * Code coverage is greater than 100% measured on target contract# * No more coverage was gained in the last transaction# * At least 1 different properties where found to be breakable. (1 for fail fast)# * 240 seconds pass# Starting exploration...Transaction 0. States: 1, RT Coverage: 0.0%, Failing properties: 0/1Transaction 1. States: 2, RT Coverage: 60.66%, Failing properties: 0/1Found 1/1 failing properties. Stopping exploration.60.66% EVM code covered +---------------------+------------+|    Property Named   |   Status   |+---------------------+------------+| crytic_test_balance | failed (0) |+---------------------+------------+Checkout testcases here:./mcore_kkgtybqb

Note that each failing property will have a test case number associated with it. More details can be found at the specified test case files: ./mcore_kkgtybqb/user_000000.tx

Bug Found!

In our example, manticore-verifier finds a way to break the specified property. When trying to transfer an incredibly large amount tokens, an internal integer representation exceeds its limits and makes it possible to boost the sender’s savings, i.e., create tokens out of thin air.

transfer(0,115792089237316195422001709574841237640532965826898585773776019699400460720238) -> STOP (*)

Conclusion: Interoperability = 101%

manticore-verifier lowers the initial cost to symbolically test arbitrary properties. It also allows our symbolic executor to work more tightly with Solidity, Echidna, and slither-prop.

The same methodology can be used with our Ethereum fuzzer, Echidna. As a result, you can write the properties once and test them with symbolic execution and fuzzing with no extra effort.

manticore-verifier can check automatically generated ERC20 properties. Moreover, slither-prop, our static analyzer, has detailed information about what an ERC20 contract should do, and can automatically produce properties for ERC20 that manticore-verifier can check, automatically.

So get your contract, add the property methods, and test with manticore-verifier at will. If you have any questions please join the Empire Hacking Slack.

*** This is a Security Bloggers Network syndicated blog from Trail of Bits Blog authored by Dan Guido. Read the original post at: