hf_exploit

Contract Deployment and Duplicate Detection Utility

Overview

The purpose of this utility is to ensure the integrity and security of Ethereum smart contracts by detecting duplicates. Duplicate contracts can pose security risks, and identifying them can prevent exploits similar to the one that occurred with Hundred Finance. This utility facilitates the deployment of contracts, local validation of contract similarities, and detection of duplicates on the Ethereum testnet.

Purpose

I built this app to provide a robust solution for detecting duplicate smart contracts on the Ethereum blockchain. By ensuring that no identical contracts are deployed, we can prevent potential exploits and maintain the security and integrity of decentralized applications.

Features

Connects to the Ethereum Sepolia testnet via Infura.
Compiles and deploys Solidity contracts.
Verifies and detects duplicate contracts based on bytecode.
Handles common deployment errors and retries if necessary.
Scans and analyzes deployed contracts from the blockchain.

System Requirements

Python 3.6 or higher
pip (Python package installer)

Installation

Clone the repository:

git clone https://github.com/Mav55/hf_exploit.git
cd hf_exploit

Install required Python packages:
```
pip install web3 solcx eth-utils
```
Install Solidity compiler version 0.8.0:
```
python -m solcx.install 0.8.0
```

Configuration

Create a config.json file in the project root directory with the following structure:

{
  "project_id": "your_infura_project_id",
  "private_key": "your_ethereum_private_key",
  "contract_name": "YourContractName"
}

Place your Solidity contracts in the contracts directory.

Usage

Deployment Script

The deploy.py script is used to deploy Solidity contracts to the Sepolia testnet.

Run the deployment script:
```
python deploy.py
```
The script will:
- Connect to the Ethereum Sepolia testnet.
- Compile all Solidity contracts in the contracts directory.
- Deploy each contract and log the deployed addresses to deployed_contracts.txt.

Local Validation Script

The validate.py script checks for duplicate contracts locally before deployment.

Run the local validation script:
```
python validate.py
```
The script will:
- Compile all Solidity contracts in the contracts directory.
- Calculate bytecode hashes for each contract.
- Detect and print duplicate contracts based on their bytecode hashes.

Blockchain Duplicate Detection Script

The scan.py script scans the Ethereum testnet for duplicate contracts based on their bytecode.

Run the duplicate detection script:
```
python scan.py
```
The script will:
- Load deployed contract addresses from deployed_contracts.txt.
- Fetch bytecode for each contract from the blockchain.
- Normalize bytecode by removing appended metadata.
- Compare bytecode of each pair of contracts using a similarity ratio.
- Print detected duplicate contracts.

Example Output

Deploy

Account Address: 0xYourAccountAddress
Account Balance: 1.0 ETH
Compiled Contracts Keys:
contracts/YourContract.sol:YourContractName
Deployed contracts/YourContract.sol at 0xDeployedContractAddress
Deployment completed, addresses saved to deployed_contracts.txt

Validate

Duplicate contracts detected for hash <hash_value>:
- contracts/ContractA.sol
- contracts/ContractB.sol
No duplicate contracts found.

Scan

Connected to sepolia network
Fetched bytecode for 0x9AfE558De273293e0e538E12053Eeee5368796cF: 6080604052...
Fetched bytecode for 0x2E2Ec3A786511b741B3B4089fc529d24351F888a: 6080604052...
Fetched bytecode for 0x4E477BAE5B0276460e8C86377aF454f470CE21B4: 6080604052...
Fetched bytecode for 0x085B942A9B3b182a82A4F51Ed9554a8DB3B9163B: 6080604052...
Fetched bytecode for 0x81045D3185de3cf70FE80419f5F20192a117Bd78: 6080604052...
Duplicate Contracts Detected:
Duplicate contracts: 0x9AfE558De273293e0e538E12053Eeee5368796cF and 0xB716895AA2ef5FBc0472B71f4395c5F8DBA5D167

Architectural Design and Limitations

The app is architected to validate look for duplicates deployed to the ethereum blockchain.

Deployment Script (deploy.py): Focuses on deploying contracts to the testnet, ensuring they are correctly compiled and uploaded.
Local Validation Script (validate.py): Validates contract bytecodes locally before deployment to catch duplicates early in the development process.
Blockchain Duplicate Detection Script (scan.py): Scans the blockchain for duplicates among deployed contracts to maintain the integrity of the live environment.

Limitations

Static List of Contracts: Currently, the duplicate detection script relies on a static list of deployed contract addresses from deployed_contracts.txt. For large-scale deployments, a more dynamic approach involving querying the blockchain in a multithreaded manner to analyze contracts based on deployment order and relevance is recommended.
Manual Update of config.json: Users need to manually update the config.json file with their Infura project ID, private key, and contract name.

Future Enhancements

Implementing multithreaded querying for analyzing large numbers of contracts.
Enhancing the deployment script to handle more complex deployment scenarios.
Improving error handling and reporting mechanisms.

Author

Cariel Cohen

License

This project is licensed under the MIT License - see the LICENSE file for details.

mav55 / hf_exploit Goto Github PK

hf_exploit's Introduction