Introduction and use of mythril for smart contract vulnerability detection

Introduction to mythril

Mythril is the official smart contract vulnerability detection tool of Ethereum. It can detect a large number of smart contract security issues, such as integer overflow, writes to arbitrary addresses and timestamp dependence, 14 kinds of vulnerability checks in total. It finds common vulnerability classes, but it cannot find business-logic problems in a contract. The main idea is to use symbolic execution to explore all possible unsafe paths.

Related prerequisites

This article is just a record of my own learning. If you find it a bit verbose, you can skip directly to the part where docker is installed and run, hehe.

Remote server related knowledge

Most people's computers run Windows. If you use a VMware virtual machine to install Linux or CentOS, start-up is super painful and reinstalling the system is very troublesome, so renting an Alibaba Cloud server is a good choice. A server is essentially a remote computer that never shuts down. With Xshell as a secure terminal emulator we can mess around freely (not really), and with XFTP we can upload and download files, so working on it is almost like working locally.

Centos system related knowledge

CentOS is a distribution based on the Linux kernel. Red Hat is another distribution, but we don't choose it because it costs money (not really).
On servers, CentOS is more stable than Ubuntu, and Ubuntu is generally used for desktop applications on local computers.

docker related

We install mythril using docker, so let's briefly talk about what docker is.
When developing, operating and maintaining a product, environment configuration is very troublesome. Programmers often say: "It works fine on my computer, so why doesn't it work on yours?" The cause is often a problem with the environment configuration.
This is where docker comes in. Docker is essentially a container concept: an application container engine, that is, a tool for creating containers. We pack all the environment and tools we need into a container, build it once and use it everywhere.

Install mythril using docker

# Pull the latest release of mythril/myth
docker pull mythril/myth

Run smart contracts to detect vulnerabilities

View help commands

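# View the help command
docker run mythril/myth -h
# The available arguments are:
analyze (a): analyze a smart contract
disassemble (d): disassemble a contract and return its opcodes
pro (p): use Mythril Pro (paid)
list-detectors: list the available security detection modules
read-storage: read the storage slots of a given address over RPC
leveldb-search: search the local leveldb
function-to-hash: compute the function identifier of a contract method
hash-to-address: convert a hash to an Ethereum address
version: version number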

Download smart contract

Download the contract and save it as a .sol file.

Analyze smart contracts

# Analyze the 1.sol file under the /root folder; the Solidity compiler version is 0.4.24
docker run -v "$(pwd)":/root mythril/myth analyze /root/1.sol --solv 0.4.24

Analysis results
The reported vulnerability is No. 101, a possible integer overflow.
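
The pattern behind an integer overflow finding such as No. 101, shown as an added example that is not the contract analyzed in this post: a constructed Solidity 0.4.24 contract with unchecked arithmetic next to a checked version. The contract and function names (Ledger, creditUnchecked, debitUnchecked, credit, debit) are hypothetical.

```solidity
pragma solidity 0.4.24;

// Constructed example, not the contract from the original post.
// In Solidity 0.4.x, arithmetic on uint256 wraps around silently:
// (2**256 - 1) + 1 == 0 and 0 - 1 == 2**256 - 1.
contract Ledger {
    mapping(address => uint256) public balances;

    // Unchecked: the caller-controlled sum is written straight to storage,
    // so an overflowed value can become the new balance.
    function creditUnchecked(uint256 amount) public {
        balances[msg.sender] += amount;
    }

    // Unchecked: if amount is larger than the balance, the subtraction
    // underflows and the stored balance becomes a huge number.
    function debitUnchecked(uint256 amount) public {
        balances[msg.sender] -= amount;
    }

    // Checked: a wrapped sum is always smaller than the original operand,
    // so the require reverts before the overflowed value reaches storage.
    function credit(uint256 amount) public {
        uint256 newBalance = balances[msg.sender] + amount;
        require(newBalance >= balances[msg.sender], "overflow");
        balances[msg.sender] = newBalance;
    }

    // Checked: reject the call before the subtraction can underflow.
    function debit(uint256 amount) public {
        require(amount <= balances[msg.sender], "insufficient balance");
        balances[msg.sender] -= amount;
    }
}
```

Saved as 1.sol, this file can be passed to the analyze command shown earlier with --solv 0.4.24.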

To analyze a smart contract that is already on chain, you can use INFURA or configure RPC manually.

Since this is my first time writing a blog, I hope you will point out any mistakes, and I will humbly correct them.


Origin blog.csdn.net/weixin_41787421/article/details/107880808