smartbugs / smartbugs

SmartBugs: A Framework to Analyze Ethereum Smart Contracts

Home Page: https://smartbugs.github.io/

Contract flattening

faizzaidi opened this issue · comments

hi @gsalzer:

Kindly find this issue with reference to #143 (comment)

I have added the original and flattened files below. I am currently playing with SPACE ID Tokens, but I am getting similar responses in the scanner.

Note: Due to file upload restrictions, I have changed the file extension from .sol to .text
Also, I have included the results below for you.
Note: All scans have failed.

PFA

flatten.txt

results.zip
Original Files.zip

Kindly let me know if you need anything else.

Thanks,
Faiz

If you try to compile flatten.sol by hand, you will see the error

Error: Multiple SPDX license identifiers found in source file. Use "AND" or "OR" to combine multiple licenses. Please see https://spdx.org for more information.
--> flatten.sol

The tool that you used to flatten the file left all SPDX comments (= license) in the file. There should be only a single one (except if you join the licenses by AND or OR, as the compiler message explains). If I remove all SPDX comments but the first, the file compiles and SmartBugs is able to analyze the contract.

Check whether your tool for flattening has an option to handle the SPDX comments automatically, or just remove them (except for the first one) by hand.
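The cleanup described in the comment above, as an added Python example that is not part of the original thread or of SmartBugs: it keeps a single SPDX line in a flattened file and can instead join the distinct licenses with AND, as the compiler message suggests. The function name, the `combine` flag, the script name and the sample contract text are assumptions made for illustration, and only `//` line comments are handled.

```python
import re
import sys

# A `//` line comment carrying an SPDX tag; flatteners copy one from every source file.
# Assumption: block-comment (/* ... */) SPDX tags are not handled here.
SPDX_LINE = re.compile(r"^\s*//\s*SPDX-License-Identifier:\s*(.+?)\s*$")

def normalize_spdx(source, combine=False):
    """Return (cleaned source, distinct licenses in order of first appearance).

    combine=False: keep the first SPDX line, drop the others.
    combine=True:  also rewrite the kept line to join all distinct licenses with AND.
    """
    lines = source.splitlines(keepends=True)
    licenses, spdx_idx = [], []
    for i, line in enumerate(lines):
        m = SPDX_LINE.match(line)
        if m:
            spdx_idx.append(i)
            if m.group(1) not in licenses:
                licenses.append(m.group(1))
    if len(spdx_idx) <= 1:
        return source, licenses          # nothing to repair
    first = spdx_idx[0]
    if combine and len(licenses) > 1:
        # Parenthesise entries that are already expressions, e.g. "MIT OR Apache-2.0".
        parts = [f"({l})" if " " in l else l for l in licenses]
        eol = "\r\n" if lines[first].endswith("\r\n") else "\n"
        lines[first] = "// SPDX-License-Identifier: " + " AND ".join(parts) + eol
    drop = set(spdx_idx[1:])
    return "".join(l for i, l in enumerate(lines) if i not in drop), licenses

# Constructed sample standing in for a flattened file (not the contract from the thread).
SAMPLE = (
    "// SPDX-License-Identifier: MIT\n"
    "pragma solidity ^0.8.0;\n"
    "library Counters {}\n"
    "// SPDX-License-Identifier: MIT\n"
    "library Math {}\n"
    "    // SPDX-License-Identifier: GPL-3.0-or-later\n"
    "contract Token {}\n"
)

if __name__ == "__main__":
    # Usage (hypothetical script name): python spdx_fix.py flatten.txt > flatten2.sol
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    cleaned, found = normalize_spdx(text)
    print(f"licenses found: {found}", file=sys.stderr)
    sys.stdout.write(cleaned)
```

Unlike a first-match filter, this also reports when the dropped headers named a different license than the one kept, which is worth knowing before the file is published or verified.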

Hi @monperrus,

I am exploring the tools and will let you know if I find any good flattening tools.

Hi @gsalzer, is it possible for you to share the flattened file and the SmartBugs command which you are using? I assume I am still doing something wrong and not getting the proper results.

@faizzaidi Under Unix/Linux, the following command removes all license statements except the first one:

awk '/^\/\/ SPDX-License-Identifier:/{c+=1;if(c>1){next}}{print}' flatten.txt > flatten2.sol

The resulting file is
flatten2.sol.txt

The following command runs Mythril on this file:

./smartbugs -t mythril -f flatten2.sol --json

By default, the results end up in results/mythril/<timestamp>:
results.zip

The results for this single run can be found in results/mythril-0.23.15/20230628_0835/flatten2.sol/ and consist of result.log (the raw output of Mythril), smartbugs.json (meta-data of the run), and result.json (standardized output of the run). For this run, result.json is as follows:

{
    "errors": [],
    "fails": [],
    "findings": [
        {
            "address": 12,
            "contract": "Counters",
            "exploit": { ... },
            "filename": "flatten2.sol",
            "function": "constructor",
            "message": ...,
            "name": "Exception State (SWC 110)",
            "severity": "Low"
        },
        {
            "address": 12,
            "contract": "ECDSA",
            "exploit": { ... },
            "filename": "flatten2.sol",
            "function": "constructor",
            "message": ...,
            "name": "Exception State (SWC 110)",
            "severity": "Low"
        },
        {
            "address": 12,
            "contract": "EnumerableSet",
            "exploit": { ... },
            "filename": "flatten2.sol",
            "function": "constructor",
            "message": ...,
            "name": "Exception State (SWC 110)",
            "severity": "Low"
        },
        {
            "address": 12,
            "contract": "Math",
            "exploit": { ... },
            "filename": "flatten2.sol",
            "function": "constructor",
            "message": ...,
            "name": "Exception State (SWC 110)",
            "severity": "Low"
        },
        {
            "address": 12,
            "contract": "Strings",
            "exploit": { ... },
            "filename": "flatten2.sol",
            "function": "constructor",
            "message": ...,
            "name": "Exception State (SWC 110)",
            "severity": "Low"
        },
        {
            "address": 13,
            "contract": "ERC20",
            "exploit": { ... },
            "filename": "flatten2.sol",
            "function": "constructor",
            "line": 1597,
            "message": ...,
            "name": "Exception State (SWC 110)",
            "severity": "Medium"
        },
        {
            "address": 14,
            "contract": "SpaceIDToken",
            "exploit": { ... },
            "filename": "flatten2.sol",
            "function": "constructor",
            "line": 2517,
            "message": ...,
            "name": "Exception State (SWC 110)",
            "severity": "Medium"
        }
    ],
    "infos": [],
    "parser": {
        "id": "mythril-0.23.15",
        "mode": "solidity",
        "version": "2023/01/20"
    }
}