Tarun Kumar Janamaddi
Published in Coinmonks
5 min read, Apr 13, 2020

What is Oyente, and why use it?

Cryptocurrencies record transactions in a decentralized data structure called a blockchain. Two of the most popular cryptocurrencies, Bitcoin and Ethereum, support encoding rules or scripts for processing transactions. Recently there has been steady adoption of Ethereum smart contracts. Solidity, the primary smart contract language, was influenced by C++, Python and JavaScript and is designed to target the Ethereum Virtual Machine (EVM). But these smart contracts are vulnerable to certain attacks.

Oyente, a smart contract auto-auditing tool, analyses smart contracts and reports possible bugs and attacks against them, including the famous DAO attack. It was developed by researchers from the National University of Singapore in Jan 2016. You can refer to the paper presented at the 23rd ACM CCS conference here.

In this article, we will demonstrate how to install and use Oyente with and without docker.

The most common error encountered while installing the Oyente tool is: web3 requires Python ‘≥3.5, <4’ but the running python is 2.7.*

Error while executing command “pip install oyente”

You may have tried changing Python versions or installing 3.7-dev, but you will still encounter the above error.

Here we discuss how to install it without any errors. For development purposes, running the Oyente source code is a better option than the dockerised Oyente. Either way, we will discuss both approaches.

Installing with docker:

Installing with Docker is the easiest method, since Docker itself creates the environment required for running Oyente.

To open the container, install Docker and run

sudo apt-get update
sudo apt install docker.io
docker pull luongnguyen/oyente
docker run -i -t luongnguyen/oyente

To evaluate the greeter contract inside the container, run

cd /oyente/oyente
python oyente.py -s greeter.sol

and you’re done.

But every time you evaluate a new smart contract, you have to create a file in the container using Unix commands and run the last command. You can install vim in the Docker container, but creating and editing files is still a tedious task.

Installing without docker:

Oyente tool requires the following dependencies:

  • Solc
  • Geth and evm
  • Z3
  • Python

There are two methods for this; both need the following commands to be run.

If you haven’t installed Python on your system, run the following commands

sudo apt install software-properties-common
sudo add-apt-repository ppa:deadsnakes/ppa
sudo apt update
sudo apt-get install python3

Install z3. For this, download the file from this link here.

Extract the files, move into the directory and run the following commands (this is going to take longer than you expect):

python scripts/mk_make.py --python
cd build
make
sudo make install

Note: If you encounter an MkException after executing the first command, it can be due to missing packages that are usually shipped with Ubuntu. Try executing these commands and rerun all four commands above.

sudo apt install binutils
sudo apt-get install build-essential

You need to install this library:

sudo apt-get install libz3-dev

Installing the Oyente tool:

For this you need to install pip

sudo apt install python3-pip

Execute the following commands:

sudo apt-get install solc
sudo apt-get install evm
pip install web3==3.7.0
pip install oyente

The above command fails and returns an error in most cases; if it works, you can use the tool by running the command below:

oyente -s <contract name>

If you get a compilation failed error even though your smart contracts run successfully in other tools, that is because of a mismatch between the versions of solc and evm. Follow the steps in the next method to install the proper versions of solc and evm.

Running the source code:

In this method, just like the previous ones, we create the required environment by downloading and installing dependencies. At the time of writing, Oyente has been officially tested with solc version 0.4.19 and evm 1.7.3; however, it’s better to use solc version 0.4.24 because of its additional features.

The Oyente tool was built against solc version 0.4.19 and evm version 1.7.3. Using the tool with the latest versions of these dependencies will result in a compilation failure.

Since downgrading these packages to lower versions is not easy, it’s recommended to download the binary files of the required versions and copy them to the /usr/bin directory.

Download solc binary file. Link here.

If you need other versions, refer to this.

Extract the files and execute the following commands

sudo cp solc /usr/bin/
sudo cp lllc /usr/bin/

solc --version

This command returns the version of solc.

Download geth tools here.

For other versions, refer to this.

Extract the files and execute the following commands

sudo cp geth /usr/bin/
sudo cp evm /usr/bin/
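
The version constraints described above can be checked with a short script before running Oyente. This is an added example, not part of the original article or the Oyente project; the allow-lists are the versions named in this article, the sample `--version` outputs are constructed, and their exact format is an assumption.

```bash
#!/usr/bin/env bash
# Added example, not part of Oyente: check that solc, evm and z3 match
# the versions this article names before running oyente.py.
SOLC_OK="0.4.19 0.4.24"   # versions named in the article
EVM_OK="1.7.3"

# Constructed samples of `solc --version` / `evm --version` output
# (the exact output format is an assumption).
SAMPLE_SOLC='solc, the solidity compiler commandline interface
Version: 0.4.19+commit.00000000.Linux.g++'
SAMPLE_EVM_NEW='evm version 1.9.25-stable'

# Print the first x.y.z number found on stdin.
extract_version() {
  grep -Eo '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# is_allowed <version> <space-separated allow list>
is_allowed() {
  local v
  for v in $2; do
    [ "$1" = "$v" ] && return 0
  done
  return 1
}

# check_tool <name> <version output> <allow list>
# Returns 0 = ok, 1 = wrong version, 2 = not installed / no version found.
check_tool() {
  local found
  found=$(printf '%s\n' "$2" | extract_version)
  if [ -z "$found" ]; then
    echo "$1: MISSING"; return 2
  elif is_allowed "$found" "$3"; then
    echo "$1: OK ($found)"; return 0
  fi
  echo "$1: MISMATCH ($found, want one of: $3)"; return 1
}

# Check the tools actually installed on this machine.
preflight() {
  local rc=0
  check_tool solc "$(solc --version 2>/dev/null)" "$SOLC_OK" || rc=1
  check_tool evm "$(evm --version 2>/dev/null)" "$EVM_OK" || rc=1
  if python -c 'import z3' 2>/dev/null; then echo "z3: OK"
  else echo "z3: MISSING (python cannot import z3)"; rc=1; fi
  return "$rc"
}

if [ "${1:-}" = "--live" ]; then preflight; fi
```

Run it with `--live` to check the installed tools; a MISMATCH line for solc or evm points at the compilation failure described above.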

Download the Oyente project source code from here, change to the oyente directory and run the following command:

python oyente.py -s <contract name>

Note: The Oyente project has been moved from this. Don’t download the source code from here.

Using the -ce flag after the contract name will show you the error you are facing.

If you encounter an error stating unknown module z3, or something else related to z3, it is due to an improper installation of the z3 libraries. Go through the previous part, which discusses the installation of the z3 dependency.

Check if the output is something like the above. If yes, you’ve successfully installed the dependencies. You’re good to go!

Conclusion

Although Oyente helps in discovering possible vulnerabilities, it has been designed for Solidity versions up to 0.4.24. Any Solidity code for version 0.5 or later will return errors. Oyente gives fewer false alarms compared to other auditing tools. Most users suggest using auto-auditing only after a manual review, instead of the other way around.
