Static analyzers are good at detecting certain types of security vulnerabilities. However, one place that static analysis often falls short is in the detection of authorization bugs. This is because authorization tends to be a “business logic” problem. How would an analyzer know what functionality should be off-limits to normal users? One can infer based on semantics (looking for words like “admin”), but such clear-cut cases are rare.
A couple of days ago I wrote about Parity’s multi-sig contract vulnerability. Because there was nothing inherently wrong with the vulnerable functions, aside from the lack the authorization checks, it is unlikely that a static analyzer would have flagged these issues.
If I had to take a guess at the culprit behind this vulnerability getting missed, it would probably be a lack of effective manual code review. Manual code review is a tedious, time-consuming task, but it is often the only way to find certain types of bugs. In this particular case, a human looking at a list of the contract’s functions would have hopefully noticed several suspicious looking public functions.
As far as I know, there are no public tools for Solidity to profile a contract’s functions. That is why today I would like to release a tool called the Solidity Function Profiler.
The tool uses ConsenSys’ solidity parser library to generate an AST of the contract being analyzed. It then “walks” the AST and finds function declarations, taking note of what each function’s signature, visibility, return values, and modifiers are. Finally, it returns a human-consumable report. Being able to quickly gather this kind of information about a contract is very useful in understanding how it can be interacted with. My hope is that it will help prevent future vulnerabilities like the one exploited in the multi-sig contract attack.
You can find the tool here.