Skip to content

tagomori: Security analysis tool for Ethereum smart contracts

License

Notifications You must be signed in to change notification settings

AsaiKen/tagomori

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

24 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

tagomori

Tagomori is a security analysis tool for Ethereum smart-contracts.

Tagomori has following features.

  • not need the source-code, only need the address of the contract.
  • detect unintended transfer of not only ETH but also ERC20 tokens.
  • detect vulnerabilities that fired via multiple transactions.
  • detect vulnerabilities that fired via multiple contracts.
  • refer data of real-time blockchain.
  • avoid false-positive by simulating detected vulnerabilities on real-time blockchain.
  • generate exploits automatically to proof vulnerabilities.
  • avoid false-positive by using "symbolic execution" technology.
  • utilize multi-cores to speed up scans.

Environments

  • Ubuntu 18.04 LTS
  • openjdk 1.8

Build

Run the following command.

$ sh build.sh

This generates executable files in the "./tagomori-1.0-SNAPSHOT" diractory.

Execute

Tagomori is a command-line tool, which has following command-line options.

--help                -- print this message
-sync                 -- if specified, start a scan after synchronize with Ethereum network. if first time, it takes about a day to finish synchronization.
-ropsten              -- if specified, scan for Ropsten network.
-mainnet              -- if specified, scan for Mainnet network.
-database <path>      -- specify the path of the blockchain database directory. if the directory does not exist, creates the directory.
-address <address>    -- specify the target contract address. <address> must be a hexadecimal string.
-guardian             -- if specified, keep synchronizing and scanning all the updated contracts in Ethereum network.

NOTICE: In open-source edition, "-mainnet" option is disabled to prevent misuses.

Examples

If you want to scan in the following conditions,

  • scan for Ropsten network
  • target contract address is A53514927D1a6a71f8075Ba3d04eb7379B04C588
  • refer real-time blockchain
  • use the "./database" directory for blockchain database

run the following command.

$ LD_LIBRARY_PATH=z3/lib/ tagomori-1.0-SNAPSHOT/bin/tagomori -ropsten -address A53514927D1a6a71f8075Ba3d04eb7379B04C588 -sync -database database

If you scan in the following conditions,

  • scan for Ropsten network
  • keep scanning all the updated contracts
  • use the "./database" directory for blockchain database

run the following command.

$ LD_LIBRARY_PATH=z3/lib/ tagomori-1.0-SNAPSHOT/bin/tagomori -ropsten -guardian -database database

If vulnerabilities exist, tagomori generates exploits in the JSON format in the "./result" directory.

Supported Vulnerabilities

  • unintended transfer of ETH by CALL instruction
    • includes "Reentrancy"
  • unintended transfer of ETH via arbitrary code execution by both instructions of CALLCODE and DELEGATECALL
  • unintended transfer of ETH by SELFDESTRUCT instruction
  • unintended transfer of ERC20 token

NOTICE: Tagomori checks whether the balance of the attacker account can increase or not in simulation phase, and then concludes whether a vulnerability exists or not. So if the balance of the target contract is 0, tagomori does not detect any vulnerabilities. I recommend to set more than 1 ETH to the target contract.

Others

  • Auto-getnerated exploits assumes that the attacker account address is 73E83E2Ab2ca3967db126F9534808C92320cbb90 and the balance of this account is more than 1 ETH. At this time, this attacker address is hard-coded. So if this account has been modified abnormally, tagomori can not work well.
  • Java binding of z3 library is unstable and sometimes halt abnormally. In such case, run the same command again.
  • When "-guardian" specified, tagomori only scan contracts which balance is more than 1 ETH.

LICENSE

tagomori is released under the LGPL-V3 license.

Releases

No releases published

Packages

No packages published

Languages