Skip to content

test_tx_selfdestruct_balance_bug()

Documentation for tests/paris/security/test_selfdestruct_balance_bug.py::test_tx_selfdestruct_balance_bug@[email protected].

Generate fixtures for these test cases for Constantinople with:

Constantinople only: 

fill -v tests/paris/security/test_selfdestruct_balance_bug.py::test_tx_selfdestruct_balance_bug --fork=Constantinople --evm-bin=/path/to/evm-tool-dev-version

For all forks up to and including Constantinople: 

fill -v tests/paris/security/test_selfdestruct_balance_bug.py::test_tx_selfdestruct_balance_bug --until=Constantinople

Test that the vulnerability is not present by checking the balance of the 0xaa contract after executing specific transactions:

  1. Start with contract 0xaa which has initial balance of 3 wei. 0xaa contract code simply performs a self-destruct to itself.

  2. Send a transaction (tx 1) to invoke caller contract 0xcc (which has a balance of 1 wei), which in turn invokes 0xaa with a 1 wei call.

  3. Store the balance of 0xaa after the first transaction is processed. 0xaa self-destructed. Expected outcome: 0 wei.

  4. Send another transaction (tx 2) to call 0xaa with 5 wei.

  5. Store the balance of 0xaa after the second transaction is processed. No self-destruct. Expected outcome: 5 wei.

  6. Verify that:

    • Call within tx 1 is successful, i.e 0xaa self-destructed.
    • The balances of 0xaa after each tx are correct.
    • During tx 2, code in 0xaa does not execute, hence self-destruct mechanism does not trigger.

TODO: EOF - This test could be parametrized for EOFCREATE

Source code in tests/paris/security/test_selfdestruct_balance_bug.py 
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
@pytest.mark.valid_from("Constantinople")
def test_tx_selfdestruct_balance_bug(blockchain_test: BlockchainTestFiller, pre: Alloc):
    """
    Test that the vulnerability is not present by checking the balance of the
    `0xaa` contract after executing specific transactions:

    1. Start with contract `0xaa` which has initial balance of 3 wei.
        `0xaa` contract code simply performs a self-destruct to itself.

    2. Send a transaction (tx 1) to invoke caller contract `0xcc` (which
        has a balance of 1 wei), which in turn invokes `0xaa` with a 1 wei call.

    3. Store the balance of `0xaa` after the first transaction
        is processed. `0xaa` self-destructed. Expected outcome: 0 wei.

    4. Send another transaction (tx 2) to call 0xaa with 5 wei.

    5. Store the balance of `0xaa` after the second transaction
        is processed. No self-destruct. Expected outcome: 5 wei.

    6. Verify that:
        - Call within tx 1 is successful, i.e `0xaa` self-destructed.
        - The balances of `0xaa` after each tx are correct.
        - During tx 2, code in `0xaa` does not execute,
            hence self-destruct mechanism does not trigger.

    TODO: EOF - This test could be parametrized for EOFCREATE
    """
    deploy_code = Switch(
        default_action=Op.REVERT(0, 0),
        cases=[
            CalldataCase(
                value=0,
                action=Op.SELFDESTRUCT(Op.ADDRESS),
            ),
            CalldataCase(
                value=1,
                action=Op.SSTORE(0, Op.SELFBALANCE),
            ),
        ],
    )
    aa_code = Initcode(
        deploy_code=deploy_code,
    )
    cc_code = (
        Op.CALLDATACOPY(size=Op.CALLDATASIZE)
        + Op.MSTORE(
            0,
            Op.CREATE(
                value=3,  # Initial balance of 3 wei
                offset=0,
                size=Op.CALLDATASIZE,
            ),
        )
        + Op.SSTORE(0xCA1101, Op.CALL(gas=100000, address=Op.MLOAD(0), value=0))
        + Op.CALL(gas=100000, address=Op.MLOAD(0), value=1)
    )

    cc_address = pre.deploy_contract(cc_code, balance=1000000000)
    aa_location = compute_create_address(address=cc_address, nonce=1)
    balance_code = Op.SSTORE(0xBA1AA, Op.BALANCE(aa_location))
    balance_address_1 = pre.deploy_contract(balance_code)
    balance_address_2 = pre.deploy_contract(balance_code)

    sender = pre.fund_eoa()

    blocks = [
        Block(
            txs=[
                # Sender invokes caller, caller invokes 0xaa:
                # calling with 1 wei call
                Transaction(
                    sender=sender,
                    to=cc_address,
                    data=aa_code,
                    gas_limit=1000000,
                ),
                # Dummy tx to store balance of 0xaa after first TX.
                Transaction(
                    sender=sender,
                    to=balance_address_1,
                    gas_limit=100000,
                ),
                # Sender calls 0xaa with 5 wei.
                Transaction(
                    sender=sender,
                    to=aa_location,
                    gas_limit=100000,
                    value=5,
                ),
                # Dummy tx to store balance of 0xaa after second TX.
                Transaction(
                    sender=sender,
                    to=balance_address_2,
                    gas_limit=100000,
                ),
            ],
        ),
    ]

    post = {
        # Check call from caller has succeeded.
        cc_address: Account(nonce=2, storage={0xCA1101: 1}),
        # Check balance of 0xaa after tx 1 is 0 wei, i.e self-destructed.
        # Vulnerable versions should return 1 wei.
        balance_address_1: Account(storage={0xBA1AA: 0}),
        # Check that 0xaa exists and balance after tx 2 is 5 wei.
        # Vulnerable versions should return 6 wei.
        balance_address_2: Account(storage={0xBA1AA: 5}),
        aa_location: Account(storage={0: 0}),
    }

    blockchain_test(pre=pre, post=post, blocks=blocks)