Do-Not-Reenter is an abstract interpretation based tool to detect possible re-entrancy weaknesses in solidity contracts.
Ensure nodejs is installed
# clone the repository
$ git clone https://github.com/the-elves/do-not-reenter
# change into repository directory
$ cd do-not-reenter
# install dependencies
$ npm install
The arguments to npm scripts run using npm run
(defined in package.json) are provided after --
on the commandline.
usage:
$ npm run do-not-reenter -- -h
-i, --inputs string[] Files to analyze
-h, --help Prints this usage guide
To analyze a file run
npm run do-not-reenter -- -i <path to file1> ... <path to file n>
Following is the basic working of the tool
- This tool uses solc-typed-ast to compile solidty files into AST
- It then analyzes ast to generate a control flow graph for each function.
- Analyze every function (Control flow graph representation) in the contracts.
The control flow graphs are dumped to cfg-outs directory in project root. The cfg file names are named
"cfg-outs/<contract-filename.sol>:<functionName.sol>.cfg"
Abstract interpretation is a powerful technique to analyze programs. It works by working on abstract representation of state of the program Abstract interpretation calculates these abstract values at every program point.
To refresh an abstract value is associated with every location in program.
The abstract value used here encodes if an external function may be called on any path reaching the given program location.
This is the lattice of abstract values
top
/\
/ \
/ \
yes no
\ /
\ /
\/
bot
├── Analyzer - Analyzer code
│ ├── FunctionAnalyzer.ts - kildall and err report
│ └── State.ts - Abs state
├── CFG
│ ├── ASTHelper.ts - helpers for common ast tasks
│ ├── CFGBuilder.ts - build cfg from ast
│ ├── CFGEdge.ts
│ ├── CFGNode.ts
│ └── CFG.ts
├── main.ts - Program entry point
Right now the interprocedural part of anlysis is performed as follows.
Intraprocedural analysis is attempted on all functions. For the function that are succesfully analyzed, analysis is stored for later use (abstract values for each program location).
If during the analysis a function call is encountered, and
-
if the callee is already analyzed, then if callee calls an external function, consider this function call also calls external function
-
if the callee is not analyzed yet, abort and reanlyze this function after all other remaining function are analyzed. see caveat
To determine if callee calls an external function the following property is used.
If any any porgram location in the callee's control flow graph has an abstract value of YES consider callee calls an external function