Skip to main content

An EVM symbolic execution tool and vulnerability scanner

Project description

Pakala

PyPI Build States

"ilo Pakala li pakala e mani sona"

  • Pakala is a tool to search for exploitable bugs in Ethereum smart contracts.
  • Pakala is a symbolic execution engine for the Ethereum Virtual Machine.

The intended public for the tool are security researchers interested by Ethereum / the EVM.

Installation

pip3 install pakala

It works only with python 3.

Usage

Let's look at 0xeBE6c7a839A660a0F04BdF6816e2eA182F5d542C: it has a transfer(address _to, uint256 _value) function. It is supposedly protected by a require(call.value - _value) >= 0 but that condition always holds because we are substracting two unsigned integers, so the result is also an unsigned integer.

Let's scan it:

pakala 0xeBE6c7a839A660a0F04BdF6816e2eA182F5d542C --force-balance="1 ether"

The contract balance being 0, we won't be able to have it send us some ethers. So we override the balance to be 1 ETH: then it has some "virtual" money to send us.

The tool with tell you a bug was found, and dump you a path of "states". Each state corresponds to a transaction, with constraints that needs to be respected for that code path to be taken, storage that has been read/written...

Advice: look at calldata[0] in the constraints to see the function signature for each transaction.

See pakala help for more complete usage information.

How does it works? What does it do?

See the introductory article for more information and a demo.

In a nutshell:

  • It's very good at finding simple bugs in simple contracts.
  • The false-positive rate is very low. If it flags your contract it's likely people can drain it.
  • It can exploit non-trivial bugs requiring to overwrite some storage keys with others (array size underflow...), has a good modeling of cryptographic hashes, and support chaining multiple transactions.

However, It only implements an "interesting" subset of the EVM. It doesn't handle:

  • gas,
  • precompiles,
  • or a contract interacting with other contracts (DELEGATECALL, STATICCALL...).

This means that CALL support is limited to sending ethers. Other tools like Manticore can do that much better, and the focus for Pakala was offensive vulnerability scanning of contracts en masse.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

pakala-1.1.10.tar.gz (36.5 kB view details)

Uploaded Source

Built Distribution

pakala-1.1.10-py3-none-any.whl (53.0 kB view details)

Uploaded Python 3

File details

Details for the file pakala-1.1.10.tar.gz.

File metadata

  • Download URL: pakala-1.1.10.tar.gz
  • Upload date:
  • Size: 36.5 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/2.0.0 pkginfo/1.5.0.1 requests/2.22.0 setuptools/45.2.0 requests-toolbelt/0.9.1 tqdm/4.41.0 CPython/3.8.1

File hashes

Hashes for pakala-1.1.10.tar.gz
Algorithm Hash digest
SHA256 85b5f78ba79bf3dc2f0fd2e664b40fa3a80b3a7ba0572a09c4396a8849aedbc0
MD5 4e878d435ba49ce319032c678f8c1f7c
BLAKE2b-256 2823139e7dadd86f31180eb9f706c23173c487ef7fc09740c85d33434a3d4d67

See more details on using hashes here.

File details

Details for the file pakala-1.1.10-py3-none-any.whl.

File metadata

  • Download URL: pakala-1.1.10-py3-none-any.whl
  • Upload date:
  • Size: 53.0 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/2.0.0 pkginfo/1.5.0.1 requests/2.22.0 setuptools/45.2.0 requests-toolbelt/0.9.1 tqdm/4.41.0 CPython/3.8.1

File hashes

Hashes for pakala-1.1.10-py3-none-any.whl
Algorithm Hash digest
SHA256 bbde8ac563a8ca4e952f3a7ff382876c5cc836db7d45194ef5b8537e45ef2554
MD5 d8599f9fd1071fd569f8a115392b86ec
BLAKE2b-256 4c714ee11d4341c0ea9d1aaeed8089d61fa0ccf30d19d9fe837094de91ef1422

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page