Skip to main content

No project description provided

Project description

Karl

License: MIT CircleCI Codacy Badge PyPI Code style: black

A monitor for smart contracts that checks for security vulnerabilities

Install

$ pip install --user karl

Will make karl available in your shell.

Description

Karl will allow you to monitor a blockchain for vulnerable smart contracts that are being deployed.

It connects to the blockchain, monitors for new blocks and runs mythril for every new smart contract deployed.

The output can be displayed in the console or POSTed to a URL.

Help message

$ karl --help
usage: karl [-h]
            [--rpc HOST:PORT / ganache / infura-{mainnet, rinkeby, kovan, ropsten}]
            [--rpctls RPCTLS] [--output Can be one of: stdout, posturl]
            [--posturl POSTURL]

Smart contract monitor using Mythril to find exploits

optional arguments:
  -h, --help            show this help message and exit

RPC options:
  --rpc HOST:PORT / ganache / infura-{mainnet, rinkeby, kovan, ropsten}
                        Custom RPC settings
  --rpctls RPCTLS       RPC connection over TLS

Output:
  --output Can be one of: stdout, posturl
                        Where to send results
  --posturl POSTURL     Send results to a RESTful url

Mythril modules enabled

  • ether_thief
  • suicide

Examples

Running against the main net

$ karl --rpc infura-mainnet --rpctls true      
Stdout initialized
Running
Scraping block 6745471
Scraping block 6745472
Scraping block 6745473
Analyzing 0xf8c065bB1DafC99eE5476a2b675FAC4a036a4B07
Scraping block 6745474
Analyzing 0xC9e044D76f211E84bA651b30BBA86758ca8017c7
Scraping block 6745475
Scraping block 6745476
Scraping block 6745477
Analyzing 0x19427b8FD32dfEc78393517Da416bC5C583E6065

Running against ganache with standard output enabled

$ karl --rpc ganache --output=stdout
Stdout initialized
Running
Scraping block 5
Analyzing 0x4b8e80acaE3F0db32e5d35925EfaA97D477dBb70
Found 1 issues for 0x4b8e80acaE3F0db32e5d35925EfaA97D477dBb70
==== Ether thief ====
SWC ID: 105
Type: Warning
Contract: 0x4b8e80acaE3F0db32e5d35925EfaA97D477dBb70
Function name: withdrawfunds()
PC address: 722
Estimated Gas Usage: 1138 - 1749
Arbitrary senders other than the contract creator can withdraw ETH from the contract account without previously having sent an equivalent amount of ETH to it. This is likely to be a vulnerability.
--------------------
--------------------
DEBUGGING INFORMATION:

Transaction Sequence: {'1': {'calldata': '0x56885cd8', 'call_value': '0x0', 'caller': '0xaaaaaaaabbbbbbbbbcccccccddddddddeeeeeeee'}, '4': {'calldata': '0x6c343ffe', 'call_value': '0x0', 'caller': '0xaaaaaaaabbbbbbbbbcccccccddddddddeeeeeeee'}}

Running against ganache with posturl enabled

$ karl --rpc ganache --output=posturl --posturl=http://localhost:8080
Posturl initialized
Running
Scraping block 5
Analyzing 0x4b8e80acaE3F0db32e5d35925EfaA97D477dBb70

And it will send this to the listening service

POST / HTTP/1.1
Accept-Encoding: identity
Content-Type: application/x-www-form-urlencoded
Content-Length: 725
Host: localhost:8080
User-Agent: Python-urllib/3.7
Connection: close

{"error": null, "issues": [{"address": 722, "contract": "0x4b8e80acaE3F0db32e5d35925EfaA97D477dBb70", "debug": "Transaction Sequence: {'1': {'calldata': '0x56885cd8', 'call_value': '0x0', 'caller': '0xaaaaaaaabbbbbbbbbcccccccddddddddeeeeeeee'}, '4': {'calldata': '0x6c343ffe', 'call_value': '0x0', 'caller': '0xaaaaaaaabbbbbbbbbcccccccddddddddeeeeeeee'}}", "description": "Arbitrary senders other than the contract creator can withdraw ETH from the contract account without previously having sent an equivalent amount of ETH to it. This is likely to be a vulnerability.", "function": "withdrawfunds()", "max_gas_used": 1749, "min_gas_used": 1138, "swc-id": "105", "title": "Ether thief", "type": "Warning"}], "success": true}

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Filename, size & hash SHA256 hash help File type Python version Upload date
karl-0.4.2.tar.gz (11.6 kB) Copy SHA256 hash SHA256 Source None

Supported by

Elastic Elastic Search Pingdom Pingdom Monitoring Google Google BigQuery Sentry Sentry Error logging AWS AWS Cloud computing DataDog DataDog Monitoring Fastly Fastly CDN SignalFx SignalFx Supporter DigiCert DigiCert EV certificate StatusPage StatusPage Status page