Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

how to detect the callee of a function #2590

Open
alexanderhawl opened this issue Oct 11, 2024 · 3 comments
Open

how to detect the callee of a function #2590

alexanderhawl opened this issue Oct 11, 2024 · 3 comments

Comments

@alexanderhawl
Copy link

I wanna know how to detect a callee in a function. For example

// SPDX-License-Identifier: GPL-3.0
// Docgen-SOLC: 0.8.25

pragma solidity ^0.8.25;

interface IERC20{
    function transfer(address to,uint amount) external returns(bool);
}

contract Test{
    mapping(address => mapping(address => uint256)) public claimableAssets;

    function claimWithdrawal(address asset, address receiver) external {
        uint256 amount = claimableAssets[asset][receiver];
        claimableAssets[asset][receiver] = 0;
    
        IERC20(asset).transfer(receiver, amount);
    
        
    }
}


There is a transfer function in the claimWithdrawal, But the callee 'asset' is controlled by user, So How can I get the calle(asset) by using slither?

@smonicas
Copy link
Collaborator

I'm not sure to understand what do you mean with "to get the calle(asset)". As you said the asset is user controlled and slither is a static analysis tool so we don't know the actual value the user will use. However you can know that the destination of the high level call is the asset argument by looking at slithIR, which is slither intermediate representation. To see how it looks like run slither with --print slithir, the IR for that operation is an HighLevelCall and the destination will have the asset variable. You can also know if a variable is user controlled by using the is_tainted function.

@alexanderhawl
Copy link
Author

I tried the destination, but the return value is TMP_0, not the asset argument.

@smonicas
Copy link
Collaborator

What do you want to do precisely? To know if it can be controlled by the user you can use the is_tainted function with just ir.destination and would work. For example see how it's done in the controlled delegate call detector,

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants
@alexanderhawl @smonicas and others