This repository introduces our research in source code verifier, including PoC, related issues implementation code and other content.
The following table shows the PoC of the source code fraud attack and the credit.
| Attack Item | (PoC)Victim or Normal Contract | (PoC)Attack Contract | Related implementations | Fix |
|---|---|---|---|---|
| (R1)Exploitable Compiler Features | Victim in Etherscan | Attack Contract in Etherscan | -- | Report via private channel |
| (R2)Unchecked Simulated Execution | Normal Contract in Etherscan | Attacked Contract in Sourcify | L196-L256 | credit |
| (R3)Incomplete Bytecode Validation | Normal Contract in Etherscan | Attacked Contract in Sourcify | L280-L286 | credit |
| (R4)Unreliable Client Node | Etherscan Waring | sourcify PoC,Blockscout PoCEtherscan PoC | -- | confirm |
| (R5)Unverified Linked | -- | Attack Contract in Etherscan | -- | confirm |
| (R6 PoC#1) Mislabeled Bytecode | Normal Contract in Etherscan | Attack Contract in Blockscout | L100-L121 | credit |
| (R6PoC#2) Mislabeled Bytecode | Normal Contract in Etherscan | Attack Contract in Sourcify | L383-L411 | credit |
| (R7)Path Traversal Risk | SimToken Contract In Etherscan | Sourcify PoC | -- | credit |
| (R8)Inadequate Information Disclosure | -- | etherscan PoC,blockscout PoC | -- | confirm |
Here, we demonstrate crytic-compile-based vulnerabilities such as Slither as well as Echidna, which exploit malicious source code verification results to achieve overwriting of locally arbitrary files.
Q1. Whether Etherscan performs source code verification based on runtime code, bytecode, or even both of them;
Q2. How Etherscan handles immutable variables in M3;
Q3. How Etherscan flags metadata code, and whether it can handle multiple pieces of metadata code in M4;
Q4. Does Etherscan require users to provide specific values for constructor parameters in M4;
Q5. What database does Etherscan use to store source code verification results in M5;
We didn't find any indication in the documentation that Etherscan uses decentralized storage.
Q6. Does Etherscan have shortcut
Based on 0xb1405.. contract, we confirmed the existence of a shortcut for the same runtime code in Etherscan.
Many thanks to Sourcify and to Blockscout for their fantastic open source work. Without them, we wouldn't have been able to get an open source, trusted source code verification service. We were very very impressed by their responsible and professional technical skills in our interaction with them. We were also blown away by the speed with which they fixed the problem, all within 12 hours of our report. Thanks very very much to the help of related security expert samczsun, who made our research more fulfilling.