Detector for ecrecover return value validation and use of nonces #2015

tuturu-tech · 2023-06-30T11:59:26Z

Used #1516 as a starting point, related to issue #1950

Detects the usage of ecrecover and checks if the signer address is validated against the zero address.
If a function uses ecrecover, checks if a nonce is present in any of the hashes.

Currently does so via string comparisons and naively checks any hash for a nonce, so it could have a lot of FPs

Bump version

readme updates for 0.9.4 release

Align with dev

Revert formatting change

0xalpharush · 2023-06-30T12:30:42Z

slither/detectors/statements/ecrecover.py

+            if SolidityFunction("keccak256(bytes)") in node.solidity_calls:
+                for ir in node.irs:
+                    if isinstance(ir, SolidityCall) and ir.function == SolidityFunction(
+                        "keccak256(bytes)"
+                    ):
+                        if "nonce" not in str(ir.expression):
+                            nonce_results.append(node)


Some APIs will require that a hash is passed in and I think this would cause FPs. You may have to explore all paths starting from functions_entry_points and find the union of values not hashed but passed to ecrecover

Like this

slither/slither/detectors/statements/msg_value_in_loop.py

Lines 13 to 31 in 3d4f934

def detect_msg_value_in_loop(contract: Contract) -> List[Node]:

results: List[Node] = []

for f in contract.functions_entry_points:

if f.is_implemented and f.payable:

msg_value_in_loop(f.entry_point, 0, [], results)

return results

def msg_value_in_loop(

node: Optional[Node], in_loop_counter: int, visited: List[Node], results: List[Node]

) -> None:

if node is None:

return

if node in visited:

return

# shared visited

visited.append(node)

0xalpharush · 2023-06-30T12:32:04Z

slither/detectors/statements/ecrecover.py

+def _zero_address_validation(var: LocalVariable, function: Function) -> bool:
+    for node in function.nodes:
+        if node.contains_if() or node.contains_require_or_assert():
+            for ir in node.irs:
+                expression = str(ir.expression)
+                if isinstance(ir, Binary) and str(var) in expression:
+                    if (
+                        ir.type == BinaryType.NOT_EQUAL or ir.type == BinaryType.EQUAL
+                    ) and "address(0)" in expression:
+                        return True
+    return False


Not sure if it's helpful but there were some improvements desired in the missing-zero-check outlined in #1544 that may be relevant here

godsangsoo and others added 15 commits December 20, 2022 16:03

ecrecover

0eb745b

0.9.4

0e86f3d

Merge pull request #1991 from crytic/bump-version

f8cf5d6

Bump version

Merge pull request #2000 from crytic/dev

38ff279

readme updates for 0.9.4 release

Merge branch 'master' into detect/ecrecover

b148fd1

remove deprecated test detectors folder

472030b

added nonce and zero address checks

70e23e9

slightly improved nonce detection

a297307

Merge branch 'dev' into detect/ecrecover

f36be5b

Align with dev

clean up detector and unrelated changes

24490f0

formatting

f383fb6

revert setup.py change

a47c60b

Update type_based_tautology.py

122596a

Revert formatting change

Update naming_convention.py

fc679bf

Revert formatting change

Update naming_convention.py

ab6939c

Revert formatting change

0xalpharush reviewed Jun 30, 2023

View reviewed changes

This was referenced Nov 27, 2023

Improper usage of ecrecover() detector with improvements #2246

Closed

Improper usage of ecrecover() detector with improvements #2248

Closed

Improper usage of ecrecover() detector with improvements #2249

Open

montyly mentioned this pull request Oct 24, 2024

In implement of signature, no return check and no use nonce. #1516

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Detector for ecrecover return value validation and use of nonces #2015

Detector for ecrecover return value validation and use of nonces #2015

tuturu-tech commented Jun 30, 2023

0xalpharush Jun 30, 2023

0xalpharush Jun 30, 2023

0xalpharush Jun 30, 2023

	def detect_msg_value_in_loop(contract: Contract) -> List[Node]:
	results: List[Node] = []
	for f in contract.functions_entry_points:
	if f.is_implemented and f.payable:
	msg_value_in_loop(f.entry_point, 0, [], results)
	return results


	def msg_value_in_loop(
	node: Optional[Node], in_loop_counter: int, visited: List[Node], results: List[Node]
	) -> None:

	if node is None:
	return

	if node in visited:
	return
	# shared visited
	visited.append(node)

Detector for ecrecover return value validation and use of nonces #2015

Are you sure you want to change the base?

Detector for ecrecover return value validation and use of nonces #2015

Conversation

tuturu-tech commented Jun 30, 2023

0xalpharush Jun 30, 2023

Choose a reason for hiding this comment

0xalpharush Jun 30, 2023

Choose a reason for hiding this comment

0xalpharush Jun 30, 2023

Choose a reason for hiding this comment