The purpose of this utility is to ensure the integrity and security of Ethereum smart contracts by detecting duplicates. Duplicate contracts can pose security risks, and identifying them can prevent exploits similar to the one that occurred with Hundred Finance. This utility facilitates the deployment of contracts, local validation of contract similarities, and detection of duplicates on the Ethereum testnet.
I built this app to provide a robust solution for detecting duplicate smart contracts on the Ethereum blockchain. By ensuring that no identical contracts are deployed, we can prevent potential exploits and maintain the security and integrity of decentralized applications.
- Connects to the Ethereum Sepolia testnet via Infura.
- Compiles and deploys Solidity contracts.
- Verifies and detects duplicate contracts based on bytecode.
- Handles common deployment errors and retries if necessary.
- Scans and analyzes deployed contracts from the blockchain.
- Python 3.6 or higher
- `pip` (Python package installer)
- Clone the repository:

  ```bash
  git clone https://github.com/Mav55/hf_exploit.git
  cd hf_exploit
  ```

- Install the required Python packages:

  ```bash
  pip install web3 solcx eth-utils
  ```

- Install Solidity compiler version 0.8.0:

  ```bash
  python -m solcx.install 0.8.0
  ```

- Create a `config.json` file in the project root directory with the following structure:

  ```json
  {
    "project_id": "your_infura_project_id",
    "private_key": "your_ethereum_private_key",
    "contract_name": "YourContractName"
  }
  ```

- Place your Solidity contracts in the `contracts` directory.
The `deploy.py` script is used to deploy Solidity contracts to the Sepolia testnet.

- Run the deployment script:

  ```bash
  python deploy.py
  ```

- The script will:
  - Connect to the Ethereum Sepolia testnet.
  - Compile all Solidity contracts in the `contracts` directory.
  - Deploy each contract and log the deployed addresses to `deployed_contracts.txt`.
The `validate.py` script checks for duplicate contracts locally before deployment.

- Run the local validation script:

  ```bash
  python validate.py
  ```

- The script will:
  - Compile all Solidity contracts in the `contracts` directory.
  - Calculate bytecode hashes for each contract.
  - Detect and print duplicate contracts based on their bytecode hashes.
The `scan.py` script scans the Ethereum testnet for duplicate contracts based on their bytecode.

- Run the duplicate detection script:

  ```bash
  python scan.py
  ```

- The script will:
  - Load deployed contract addresses from `deployed_contracts.txt`.
  - Fetch bytecode for each contract from the blockchain.
  - Normalize bytecode by removing appended metadata.
  - Compare bytecode of each pair of contracts using a similarity ratio.
  - Print detected duplicate contracts.
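As an added example (not code from the hf_exploit repository), the following Python module shows the two comparison strategies that the `validate.py` and `scan.py` descriptions above rely on: exact matching on a bytecode hash, and pairwise similarity after the solc metadata trailer has been stripped. It assumes the trailer layout solc 0.8.x emits (a CBOR map followed by a two-byte big-endian length), uses SHA-256 from the standard library in place of the keccak hash `validate.py` would get from `eth-utils`, picks a similarity threshold of 0.95 that the README does not specify, and runs on constructed bytecode rather than real deployments. The sample data illustrates why normalization matters: `ContractA` and `ContractB` carry identical logic but different metadata hashes, so only the normalized comparison flags them as duplicates.

```python
import difflib
import hashlib
from itertools import combinations
from typing import Dict, List, Tuple


def _to_bytes(bytecode_hex: str) -> bytes:
    """Accept bytecode with or without the 0x prefix."""
    if bytecode_hex.startswith("0x"):
        bytecode_hex = bytecode_hex[2:]
    return bytes.fromhex(bytecode_hex)


def strip_metadata(bytecode_hex: str) -> str:
    """Drop the CBOR metadata trailer that solc appends to bytecode.

    Assumed layout (solc 0.8.x): <code><cbor map><2-byte big-endian length of map>.
    A CBOR map has major type 5, so its first byte is in 0xa0..0xbf. If the
    trailing length does not point at such a byte, the code is returned as-is
    rather than truncated, so metadata-free bytecode is never damaged.
    """
    code = _to_bytes(bytecode_hex)
    if len(code) < 3:
        return code.hex()
    meta_len = int.from_bytes(code[-2:], "big")
    if meta_len + 2 > len(code):
        return code.hex()
    meta = code[-(meta_len + 2):-2]
    if meta and (meta[0] & 0xE0) == 0xA0:
        return code[:-(meta_len + 2)].hex()
    return code.hex()


def bytecode_hash(bytecode_hex: str) -> str:
    """Stand-in for keccak hashing: SHA-256 so the example needs no eth-utils."""
    return hashlib.sha256(_to_bytes(bytecode_hex)).hexdigest()


def group_duplicates(contracts: Dict[str, str], normalize: bool) -> Dict[str, List[str]]:
    """Map bytecode hash -> contract names, keeping only hashes shared by 2+ contracts."""
    groups = {}  # type: Dict[str, List[str]]
    for name, code in contracts.items():
        key = bytecode_hash(strip_metadata(code) if normalize else code)
        groups.setdefault(key, []).append(name)
    return {h: names for h, names in groups.items() if len(names) > 1}


def similarity(a_hex: str, b_hex: str) -> float:
    """Similarity ratio in [0, 1] between two bytecode blobs (1.0 means identical)."""
    return difflib.SequenceMatcher(None, _to_bytes(a_hex), _to_bytes(b_hex)).ratio()


def find_similar(contracts: Dict[str, str], threshold: float = 0.95) -> List[Tuple[str, str, float]]:
    """Pairwise comparison after metadata stripping; threshold is an assumed value."""
    hits = []
    for (name_a, code_a), (name_b, code_b) in combinations(contracts.items(), 2):
        ratio = similarity(strip_metadata(code_a), strip_metadata(code_b))
        if ratio >= threshold:
            hits.append((name_a, name_b, ratio))
    return hits


# --- constructed sample data (not real deployed bytecode) ---
BODY = bytes.fromhex("6080604052348015600f57600080fd5b50")  # 17-byte stub standing in for contract logic


def cbor_metadata(ipfs_multihash: bytes) -> bytes:
    """Build a solc-0.8.0-style trailer: {ipfs: <34-byte multihash>, solc: 0.8.0} plus 2-byte length."""
    meta = b"\xa2" + b"\x64ipfs" + b"\x58\x22" + ipfs_multihash + b"\x64solc" + b"\x43\x00\x08\x00"
    return meta + len(meta).to_bytes(2, "big")


SAMPLE_CONTRACTS = {
    # same logic, different source metadata hash (as happens when only a comment or path differs)
    "contracts/ContractA.sol": (BODY + cbor_metadata(b"\x12\x20" + bytes(range(32)))).hex(),
    "contracts/ContractB.sol": (BODY + cbor_metadata(b"\x12\x20" + bytes(range(100, 132)))).hex(),
    # different logic and no metadata trailer at all
    "contracts/ContractC.sol": (BODY + bytes.fromhex("5b6001")).hex(),
}


if __name__ == "__main__":
    print("raw hash groups:       ", group_duplicates(SAMPLE_CONTRACTS, normalize=False))
    print("normalized hash groups:", group_duplicates(SAMPLE_CONTRACTS, normalize=True))
    for a, b, r in find_similar(SAMPLE_CONTRACTS):
        print("Duplicate contracts: {} and {} (ratio {:.3f})".format(a, b, r))
```

Run stand-alone, the raw hash grouping reports nothing while the normalized grouping and the similarity pass both pair `ContractA` with `ContractB`; `ContractC` stays below the threshold against either. The fallback in `strip_metadata` is deliberate: a contract compiled without metadata, or one whose last two bytes happen to form a large number, is compared unchanged instead of being silently truncated into a false match.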
Example output of `deploy.py`:

```
Account Address: 0xYourAccountAddress
Account Balance: 1.0 ETH
Compiled Contracts Keys:
contracts/YourContract.sol:YourContractName
Deployed contracts/YourContract.sol at 0xDeployedContractAddress
Deployment completed, addresses saved to deployed_contracts.txt
```

Example output of `validate.py`:

```
Duplicate contracts detected for hash <hash_value>:
- contracts/ContractA.sol
- contracts/ContractB.sol
No duplicate contracts found.
```

Example output of `scan.py`:

```
Connected to sepolia network
Fetched bytecode for 0x9AfE558De273293e0e538E12053Eeee5368796cF: 6080604052...
Fetched bytecode for 0x2E2Ec3A786511b741B3B4089fc529d24351F888a: 6080604052...
Fetched bytecode for 0x4E477BAE5B0276460e8C86377aF454f470CE21B4: 6080604052...
Fetched bytecode for 0x085B942A9B3b182a82A4F51Ed9554a8DB3B9163B: 6080604052...
Fetched bytecode for 0x81045D3185de3cf70FE80419f5F20192a117Bd78: 6080604052...
Duplicate Contracts Detected:
Duplicate contracts: 0x9AfE558De273293e0e538E12053Eeee5368796cF and 0xB716895AA2ef5FBc0472B71f4395c5F8DBA5D167
```
The app is architected to look for duplicate contracts deployed to the Ethereum blockchain, split across three scripts:

- Deployment Script (`deploy.py`): Focuses on deploying contracts to the testnet, ensuring they are correctly compiled and uploaded.
- Local Validation Script (`validate.py`): Validates contract bytecodes locally before deployment to catch duplicates early in the development process.
- Blockchain Duplicate Detection Script (`scan.py`): Scans the blockchain for duplicates among deployed contracts to maintain the integrity of the live environment.
- Static List of Contracts: Currently, the duplicate detection script relies on a static list of deployed contract addresses from `deployed_contracts.txt`. For large-scale deployments, a more dynamic approach involving querying the blockchain in a multithreaded manner to analyze contracts based on deployment order and relevance is recommended.
- Manual Update of `config.json`: Users need to manually update the `config.json` file with their Infura project ID, private key, and contract name.
- Implementing multithreaded querying for analyzing large numbers of contracts.
- Enhancing the deployment script to handle more complex deployment scenarios.
- Improving error handling and reporting mechanisms.
- Cariel Cohen
This project is licensed under the MIT License - see the LICENSE file for details.