Learning how to use security tooling to find bugs!

• About
• Getting Started
  • Requirements
  • Quickstart
• Let's use tools to find bugs!
  • Manul Review
  • Test Suite
  • Static Analysis
    • Prerequisites
  • Fuzzing
  • Stateful fuzzing (invariants)
  • Formal Verification (SMT Checker)

Please install the following:

• Git
  • You'll know you've done it right if you can run git --version
• Foundry / Foundryup
  • This will install forge, cast, and anvil
  • You can test you've installed them right by running forge --version and get an output like: forge 0.2.0 (f016135 2022-07-04T00:15:02.930499Z)
  • To get the latest of each, just run foundryup

git clone https://github.com/PatrickAlphaC/denver-security
cd denver-security
forge install

Then, run our test suite, lots of stuff fails!!

forge test

In CaughtWithManualReview.sol we see doMath should add 2 instead of one! We were only able to know this because we read the documentation associated with the function.

CaughtWithTest.sol's setNumber should set number to the input parameter, but it doesn't!

To catch this, we write a test for our expected output, and run:

forge test -m testSetNumber -vv

• Python
  • You'll know you've installed python right if you can run:
    • python --version or python3 --version and get an output like: Python x.x.x
• pipx
  • pipx is different from pip
  • You may have to close and re-open your terminal
  • You'll know you've installed it right if you can run:
    • pipx --version and see something like x.x.x.x

We recommend installing slither with pipx instead of pip. Feel free to use the slither documentation if you prefer.

pipx install slither-analyzer

To run slither, run:

slither . --exclude-dependencies

See what it outputs!

CaughtWithFuzz.sol's doMoreMath should never return 0... but how can we make sure of this? We can pass random data to it!

To catch this, we write a test for our expected output, and run:

forge test -m testFuzz -vv

Our CaughtWithStatefulFuzz contract's doMoreMathAgain should never return 0... and looking at it, a regular fuzz test wouldn't work!

You can run:

forge test -m testFuzzPasses

And no matter what, it'll always pass! We need to call setValue first, and then we can get it to revert! Invariant/Stateful Fuzzing tests do random data input combined with random function calls.

Run:

forge test -m invariant_testMathDoesntReturnZero -vv

And you'll see the 2 calls made to fail!

In foundry.toml uncomment the profile.default.model_checker section.

Then, just run: forge build

Our solidity modeled our functionOneSymbolic to be a math equation, and then, solved for the math!