-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathTBPoolJoinExit.py
64 lines (46 loc) · 2.22 KB
/
TBPoolJoinExit.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
from manticore.ethereum import ManticoreEVM, ABI
from manticore.core.smtlib import Operators, Z3Solver
from manticore.utils import config
from manticore.core.plugin import Plugin
m = ManticoreEVM()
# Disable the gas tracking
consts_evm = config.get_group("evm")
consts_evm.oog = "ignore"
# Increase the solver timeout
config.get_group("smt").defaultunsat = False
config.get_group("smt").timeout = 3600
ETHER = 10 ** 18
user = m.create_account(balance=1 * ETHER)
# This plugin is used to speed up the exploration and skip the require(false) paths
# It won't be needed once https://github.com/trailofbits/manticore/issues/1593 is added
class SkipRequire(Plugin):
def will_evm_execute_instruction_callback(self, state, instruction, arguments):
world = state.platform
if state.platform.current_transaction.sort != 'CREATE':
if instruction.semantics == "JUMPI":
potential_revert = world.current_vm.read_code(world.current_vm.pc + 4)
if potential_revert[0].size == 8 and potential_revert[0].value == 0xfd:
state.constrain(arguments[1] == True)
print(f'controller: {hex(user.address)}')
skipRequire = SkipRequire()
m.register_plugin(skipRequire)
TestBpool = m.solidity_create_contract('./manticore/contracts/TBPoolJoinExit.sol',
contract_name='TestJoinExit',
owner=user)
print(f'TBPoolJoinExit deployed {hex(TestBpool.address)}')
# Call joinAndExitPool with symbolic values
poolAmountOut = m.make_symbolic_value()
poolAmountIn = m.make_symbolic_value()
poolTotal = m.make_symbolic_value()
_records_t_balance = m.make_symbolic_value()
TestBpool.joinAndExitPool(poolAmountOut, poolAmountIn, poolTotal, _records_t_balance)
print(f'joinAndExitPool Called')
for state in m.ready_states:
m.generate_testcase(state, name="BugFound")
# Look over the 10**i, and try to generate more free tokens
for i in range(0, 18):
print(i)
add_value = 10**i
condition = Operators.AND(poolAmountOut > poolAmountIn + add_value, poolAmountIn + add_value > poolAmountIn)
m.generate_testcase(state, name=f"BugFound{add_value}", only_if=condition)
print(f'Results are in {m.workspace}')