No project description provided
Project description
Theo
Theo is a great hacker showing the other script kiddies how things should be done.
He knows Karl from work.
Theo's purpose is to fight script kiddies that try to be leet hackers. He can listen to them trying to exploit his honeypots and make them lose their funds, for his own gain.
"You didn't bring me along for my charming personality."
Install
$ git clone https://github.com/cleanunicorn/theo
$ cd theo
$ pip install -r requirements.txt
It's recommended to use virtualenv if you're familiar with it.
Requirements:
- Python 3.5 or higher
- An Ethereum node with RPC available
- Accounts unlocked to be able to send transactions
Demo
Scrooge McEtherface tries to exploit a contract but Theo is able to successfully frontrun him.
Usage
Help screen
It's a good idea to check the help screen first.
$ python ./theo.py --help
usage: theo.py [-h] [--rpc-http RPC_HTTP] [--rpc-ws RPC_WS]
[--rpc-ipc RPC_IPC] [--account ACCOUNT] [--contract ADDRESS]
[--txs {mythril,file}] [--txs-file FILE]
{tx-pool}
Monitor contracts for balance changes or tx pool.
positional arguments:
{tx-pool} Choose between: balance (not implemented: monitor
contract balance changes), tx-pool (if any
transactions want to call methods).
optional arguments:
-h, --help show this help message and exit
--contract ADDRESS Contract to monitor
Monitor transaction pool:
--rpc-http RPC_HTTP Connect to this HTTP RPC
--rpc-ws RPC_WS Connect to this WebSockets RPC
--rpc-ipc RPC_IPC Connect to this IPC RPC
--account ACCOUNT Use this account to send transactions from
Transactions to wait for:
--txs {mythril,file} Choose between: mythril (find transactions
automatically with mythril), file (use the
transactions specified in a JSON file).
--txs-file FILE The file which contains the transactions to frontrun
Symbolic execution
A list of expoits is automatically identified using mythril.
Start a session by running:
$ python ./theo.py tx-pool --account=<your unlocked account> --contract=<honeypot>
It will analyze the contract and will find a list of available exploits.
$ python theo.py tx-pool --account=0xffcf8fdee72ac11b5c542428b35eef5769c409f0 --contract=0xd833215cbcc3f914bd1c9ece3ee7bf8b14f841bb
Scanning for exploits in contract: 0xd833215cbcc3f914bd1c9ece3ee7bf8b14f841bb
Found exploit(s) [Exploit: (txs=[Transaction: {'input': '0xcf7a8965', 'value': '0xde0b6b3a7640000'}])]
Python 3.7.3 (default, Jun 24 2019, 04:54:02)
[GCC 9.1.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
(InteractiveConsole)
>>>
You can see the available exploits found. In this case one exploit was found. Each exploit is an Exploit object, having a list of transactions to exploit a bug.
>>> exploits[0]
Exploit: (txs=[Transaction: {'input': '0xcf7a8965', 'value': '0xde0b6b3a7640000'}])
You can start the frontrunning monitor to listen for other hackers (script kiddies really) trying to exploit his honeypots.
Use .frontrun()
to start listening for the exploit and when found send a transaction with a higher gas price.
>>> exploits[0].frontrun()
Waiting for a victim to reach into the honey jar.
Listening for Transaction: {'input': '0xcf7a8965', 'value': '0xde0b6b3a7640000'}.
Found pending tx: 0x74eb78557b4659f27e7a8b82804ae97be9d0adfefd6a5652a097045f6de77a0b from: 0x1df62f291b2e969fb0849d99d9ce41e2f137006e.
Frontrunning with tx: {'from': '0xffcf8fdee72ac11b5c542428b35eef5769c409f0', 'to': '0xd833215cbcc3f914bd1c9ece3ee7bf8b14f841bb', 'gasPrice': '0x3b9aca01', 'input': '0xcf7a8965', 'gas': '0x4c4b40', 'value': '0xde0b6b3a7640000'}
Mined transaction: 0x0b5e7ceedd600eaf013ca8bc74900e6d29b25ed422baaa776f42bec01870a288
"Oh, my God! The quarterback is toast!"
This works very well for some specially crafted contracts or some other vulnerable contracts, as long as you make sure frontrunning is in your favor.
Load transactions from file
Instead of identifying the exploits with mythril, you can specify the list of exploits yourself.
Create a file that looks like this input-tx.json:
[
[
{
"input": "0x4e71e0c8",
"value": "0xde0b6b3a7640000"
},
{
"input": "0x2e64cec1",
"value": "0x0"
}
],
[
{
"input": "0x4e71e0c8",
"value": "0xde0b6b3a7640000"
}
]
]
This one defines 2 exploits, the first one has 2 transactions and the second one only 1 transaction. After the exploits are loaded, frontrunning is the same.
$ python ./theo.py --txs=file --contract=0xe78a0f7e598cc8b0bb87894b0f60dd2a88d6a8ab --account=0xffcf8fdee72ac11b5c542428b35eef5769c409f0 --txs-file=./test/input-tx.json tx-pool 130 ↵
Found exploits(s) [Exploit: (txs=[Transaction: {'input': '0x4e71e0c8', 'value': '0xde0b6b3a7640000'}, Transaction: {'input': '0x2e64cec1', 'value': '0x0'}]), Exploit: (txs=[Transaction: {'input': '0x4e71e0c8', 'value': '0xde0b6b3a7640000'}])]
Python 3.7.3 (default, Jun 24 2019, 04:54:02)
[GCC 9.1.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
(InteractiveConsole)
>>> exploits[0].frontrun()
Waiting for a victim to reach into the honey jar.
Listening for Transaction: {'input': '0x4e71e0c8', 'value': '0xde0b6b3a7640000'}.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.