ran mythos and added output

2019-06-04 15:53:57 -04:00 · 2019-06-04 15:53:57 -04:00 · 9fec5550b8
parent 8a687e37de
commit 9fec5550b8
5 changed files with 28289 additions and 12359 deletions
--- a/analyzers/mythos/issues-8976cea1-3887-4f54-b22e-c384a36edf45.json
+++ b/analyzers/mythos/issues-8976cea1-3887-4f54-b22e-c384a36edf45.json
@ -0,0 +1,113 @@
+{
+    "elapsed": 135604,
+    "issues": [
+        {
+            "issues": [],
+            "sourceType": "solidity-file",
+            "sourceFormat": "unknown",
+            "sourceList": [],
+            "meta": {
+                "logs": [
+                    {
+                        "level": "error",
+                        "msg": "Maru:TypeError: Cannot read property 'nodeType' of null"
+                    }
+                ],
+                "selectedCompiler": "Unknown"
+            }
+        },
+        {
+            "issues": [
+                {
+                    "swcID": "SWC-107",
+                    "swcTitle": "Reentrancy",
+                    "description": {
+                        "head": "A call to a user-supplied address is executed.",
+                        "tail": "The callee address of an external message call can be set by the caller. Note that the callee can contain arbitrary code and may re-enter any function in this contract. Review the business logic carefully to prevent averse effects on the contract state."
+                    },
+                    "severity": "Medium",
+                    "locations": [
+                        {
+                            "sourceMap": "11625:35:4"
+                        }
+                    ],
+                    "extra": {
+                        "testCases": null
+                    }
+                },
+                {
+                    "swcID": "SWC-110",
+                    "swcTitle": "Assert Violation",
+                    "description": {
+                        "head": "A reachable exception has been detected.",
+                        "tail": "It is possible to trigger an exception (opcode 0xfe). Exceptions can be caused by type errors, division by zero, out-of-bounds array access, or assert violations. Note that explicit `assert()` should only be used to check invariants. Use `require()` for regular input checking."
+                    },
+                    "severity": "Low",
+                    "locations": [
+                        {
+                            "sourceMap": "9158:14:4"
+                        }
+                    ],
+                    "extra": {
+                        "testCases": null
+                    }
+                },
+                {
+                    "swcID": "SWC-110",
+                    "swcTitle": "Assert Violation",
+                    "description": {
+                        "head": "A reachable exception has been detected.",
+                        "tail": "It is possible to trigger an exception (opcode 0xfe). Exceptions can be caused by type errors, division by zero, out-of-bounds array access, or assert violations. Note that explicit `assert()` should only be used to check invariants. Use `require()` for regular input checking."
+                    },
+                    "severity": "Low",
+                    "locations": [
+                        {
+                            "sourceMap": "12544:33:4"
+                        }
+                    ],
+                    "extra": {
+                        "testCases": null
+                    }
+                }
+            ],
+            "sourceType": "solidity-file",
+            "sourceFormat": "text",
+            "sourceList": [
+                "./contracts/status/sticker-market/StickerMarket.sol",
+                "./contracts/token/NonfungibleToken.sol",
+                "./contracts/token/ERC20Token.sol",
+                "./contracts/token/ApproveAndCallFallBack.sol",
+                "./contracts/common/Controlled.sol",
+                "./contracts/token/ERC721.sol",
+                "./contracts/token/ERC721Receiver.sol",
+                "./contracts/common/SafeMath.sol",
+                "./contracts/common/Address.sol",
+                "./contracts/common/Introspective.sol"
+            ],
+            "meta": {
+                "coveredInstructions": 0,
+                "coveredPaths": 0,
+                "logs": [
+                    {
+                        "level": "info",
+                        "msg": "skipped automated fuzz testing due to incompatible bytecode input"
+                    }
+                ]
+            }
+        }
+    ],
+    "status": {
+        "apiVersion": "v1.4.18",
+        "clientToolName": "mythos",
+        "harveyVersion": "0.0.23",
+        "maestroVersion": "1.2.16",
+        "maruVersion": "0.4.8",
+        "mythrilVersion": "0.20.8",
+        "queueTime": 11604,
+        "runTime": 94299,
+        "status": "Finished",
+        "submittedAt": "2019-06-04T19:24:01.511Z",
+        "submittedBy": "5cf6c23f5b7afd001944d1a4",
+        "uuid": "8976cea1-3887-4f54-b22e-c384a36edf45"
+    }
+}
--- a/analyzers/mythos/output.txt
+++ b/analyzers/mythos/output.txt
@ -0,0 +1,62 @@
+$ mythos analyze ./contracts/status/sticker-market/StickerMarket.sol StickerMarket --mythxEthAddress=0x2942577508e060ea092c0cd7802ae42c1cea2bae --mythxPassword=<supersecretpassword>
+Reading contract ./contracts/status/sticker-market/StickerMarket.sol... done
+Compiling with Solidity version: v0.5.6+commit.b259423e
+Compiling contract ./contracts/status/sticker-market/StickerMarket.sol... done
+Analyzing contract StickerMarket... done
+
+UUID: 8976cea1-3887-4f54-b22e-c384a36edf45
+API Version: v1.4.18
+Harvey Version: 0.0.23
+Maestro Version: 1.2.16
+Maru Version: 0.4.8
+Mythril Version: 0.20.8
+
+Report found: 0 issues
+Covered instructions: undefined
+Covered paths: undefined
+Selected compiler version: vUnknown
+
+Covered instructions: 0
+Covered paths: 0
+Selected compiler version: vundefined
+
+Title: (SWC-107) Reentrancy
+Severity: Medium
+Head: A call to a user-supplied address is executed.
+Description: The callee address of an external message call can be set by the caller. Note that the callee can contain arbitrary code and may re-enter any function in this contract. Review the business logic carefully to prevent averse effects on the contract state.
+Source code:
+
+./contracts/status/sticker-market/StickerMarket.sol 356:8
+--------------------------------------------------
+token.transfer(controller, balance)
+--------------------------------------------------
+
+==================================================
+
+Title: (SWC-110) Assert Violation
+Severity: Low
+Head: A reachable exception has been detected.
+Description: It is possible to trigger an exception (opcode 0xfe). Exceptions can be caused by type errors, division by zero, out-of-bounds array access, or assert violations. Note that explicit `assert()` should only be used to check invariants. Use `require()` for regular input checking.
+Source code:
+
+./contracts/status/sticker-market/StickerMarket.sol 273:8
+--------------------------------------------------
+state = _state
+--------------------------------------------------
+
+==================================================
+
+Title: (SWC-110) Assert Violation
+Severity: Low
+Head: A reachable exception has been detected.
+Description: It is possible to trigger an exception (opcode 0xfe). Exceptions can be caused by type errors, division by zero, out-of-bounds array access, or assert violations. Note that explicit `assert()` should only be used to check invariants. Use `require()` for regular input checking.
+Source code:
+
+./contracts/status/sticker-market/StickerMarket.sol 393:17
+--------------------------------------------------
+availablePacks[_category][_index]
+--------------------------------------------------
+
+==================================================
+
+Done
--- a/analyzers/mythos/output_mitigations.md
+++ b/analyzers/mythos/output_mitigations.md
@ -0,0 +1,47 @@
+# Steps take to mitigate issues found in output.txt
+
+## output.txt line 23 `Title: (SWC-107) Reentrancy`
+**description:**
+```
+Severity: Medium
+Head: A call to a user-supplied address is executed.
+Description: The callee address of an external message call can be set by the caller. Note that the callee can contain arbitrary code and may re-enter any function in this contract. Review the business logic carefully to prevent averse effects on the contract state.
+Source code:
+
+./contracts/status/sticker-market/StickerMarket.sol 356:8
+--------------------------------------------------
+token.transfer(controller, balance)
+--------------------------------------------------
+```
+**mitigation:**  
+None.  This is an `ownlyOwner` modified function.  The owner will not use a re-entrancy attack in this context.  It is benign. 
+
+## output.txt line 36 `Title: (SWC-110) Assert Violation`
+**description:**
+```
+Severity: Low
+Head: A reachable exception has been detected.
+Description: It is possible to trigger an exception (opcode 0xfe). Exceptions can be caused by type errors, division by zero, out-of-bounds array access, or assert violations. Note that explicit `assert()` should only be used to check invariants. Use `require()` for regular input checking.
+Source code:
+
+./contracts/status/sticker-market/StickerMarket.sol 273:8
+--------------------------------------------------
+state = _state
+--------------------------------------------------
+**mitigation:**
+None.  This is an `ownlyOwner` modified function.  We can assume that the owner controlled functions will be called with the correct state. 
+```
+## output.txt line 49: `Title: (SWC-110) Assert Violation`
+**description:**
+```
+Severity: Low
+Head: A reachable exception has been detected.
+Description: It is possible to trigger an exception (opcode 0xfe). Exceptions can be caused by type errors, division by zero, out-of-bounds array access, or assert violations. Note that explicit `assert()` should only be used to check invariants. Use `require()` for regular input checking.
+Source code:
+
+./contracts/status/sticker-market/StickerMarket.sol 393:17
+--------------------------------------------------
+availablePacks[_category][_index]
+--------------------------------------------------
+```
+**mitigation:**
--- a/crytic-export/contracts-embark.json
+++ b/crytic-export/contracts-embark.json
--- a/embark.json
+++ b/embark.json
@ -14,7 +14,13 @@
    "ipfs-api": "17.2.4"
  },
  "plugins": {
-    "embarkjs-connector-web3": {}
+    "embarkjs-connector-web3": {},
+    "embark-mythx": {
+      "ignore": ["Ownable", "Migrations"]
+    },
+    "@trailofbits/embark-contract-info": {
+      "flags": ""
+    }
  },
  "options": {
    "solc": {