introduction
The leading vulnerabilities of smart contracts can cause serious security threats. This article shows how Wake’s manually induced fuzzy (MGF) is found using differential fujing techniques.
What is the manual fujing?
The manually -induced fuzzy (MGF) is the following type of differential purge.
- We analyze contract logic from various perspectives
- Using Python to test exclusive contracts to encourage new ways of thinking.
- Simplify the test using the legacy logic pattern
- It makes the test case more consistent and consistent.
Example 1: Salt Crash of Account Distribution
Let’s take a look at the vulnerabilities that can occur when you distribute contract2. When the salt calculation is manipulated, address collisions can be achieved.
The scenarios with multiple distribution paths are:
A vulnerability occurs when one deployment path can create the same salt as a different batch path, and the attacker can lead the placement.
Attack scenario
- The attacker uses a distribution path with a callback to observe the suspended transaction.
- The attacker calculates the same thing
creation_nonceDirect placement path - The attacker uses the path directly to the same address.
- Victims’ transactions fail (address already placed)
- Expected callbacks never run
Major insights for testing
- When testing the distribution function, always consider the leading scenario.
- Understand how salt is used in the contract deployment
- Remember
creation_nonceUser control - The distribution address depends only on salt (not the sender’s address) when using the same factory.
To find these vulnerabilities, manipulate variables and find similarities between other distribution paths.
For example, you can set Par1 creation_nonce It matches the salt calculation of PATH2.
Example 2: Full Run ERC-721 Pass Mining
Now let’s look at the ERC-721 pass contract used for user management.
Tokens cannot be transferred and anyone can call mint Function for all addresses. Therefore, if the address already has a pass, the mating fails.
This setting creates a leading driving opportunity. The attacker can cut a pass for his affiliate and the victim’s address, which blocks the victim and permanently connects the attacker’s affiliate fee.
Attack impact
- The attacker sees a peppermint transaction with a new member.
- Attackers take the lead as their own partner address.
- The victim’s transaction fails (already Inted)
- Victims are permanently connected to the attacker’s affiliates (because tokens cannot be transferred)
- The attacker receives a partnership fee from the victim’s activities.
Test insights in Wake
- Wake’s external perspective will help to reveal subtle immutability in the logic of contract.
- Testing “strange” immutability often can often find hidden vulnerabilities.
Best practices
To maximize the test, follow the following principles:
- Even if a contract is complicated, the model contract with the general Python data structure
- Verify the status variable with print door and assault
- Test the contract constant to understand the basic logic
Use this seventh step methodology.
- Focus on single transactions for each flow function
- Use an arbitrary value for the argument
- Model status with general data structure
- Expect an operating point including recovery
- Do not rely only on error outputs or events for branching.
- Even if it seems to be unnecessary immutability, it claims
- Compare all possible execution paths as possible
conclusion
Pushing manually along with Wake is a powerful way to find a full execution vulnerability.
MGF thinks like an attacker and systematically tests the edge case to help find security issues that can be missed.
Start manually with Wake today.