├── contracts ├── InjectedAssert │ ├── IERC20.opcode │ ├── IERC20.bin-runtime │ ├── InjectedAssert.sol │ ├── InjectedAssert.bin-runtime │ └── InjectedAssert.opcode ├── DarkForestGetter │ ├── IGetter.opcode │ ├── IPool.opcode │ ├── IGetter.bin-runtime │ ├── IPool.bin-runtime │ ├── DarkForestGetter.sol │ ├── Getter.bin-runtime │ └── Getter.opcode ├── DarkForestGetterInjected │ ├── IPool.opcode │ ├── IWETH.opcode │ ├── IGetter.opcode │ ├── IPool.bin-runtime │ ├── IWETH.bin-runtime │ ├── IGetter.bin-runtime │ ├── DarkForestGetterInjected.sol │ ├── Getter.bin-runtime │ └── Getter.opcode ├── DarkForestGetterInjectedV2 │ ├── IGetter.bin-runtime │ ├── IPool.bin-runtime │ ├── IWETH.bin-runtime │ ├── DarkForestGetterInjectedV2.sol │ └── Getter.bin-runtime └── InjectedAssertETH │ ├── InjectedAssertETH.sol │ └── InjectedAssertETH.bin-runtime ├── research_report.pdf ├── scripts ├── hevm_symbolic.sh └── hevm_exec.sh ├── DeployedGetter.bin-runtime ├── .gitignore ├── BytecodeInjectorOutput.bin-runtime ├── run.py ├── README.md ├── DeployedRandom.bin-runtime └── BytecodeInjectorRandom.bin-runtime /contracts/InjectedAssert/IERC20.opcode: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /contracts/DarkForestGetter/IGetter.opcode: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /contracts/DarkForestGetter/IPool.opcode: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /contracts/InjectedAssert/IERC20.bin-runtime: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /contracts/DarkForestGetter/IGetter.bin-runtime: 
-------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /contracts/DarkForestGetter/IPool.bin-runtime: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /contracts/DarkForestGetterInjected/IPool.opcode: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /contracts/DarkForestGetterInjected/IWETH.opcode: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /contracts/DarkForestGetterInjected/IGetter.opcode: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /contracts/DarkForestGetterInjected/IPool.bin-runtime: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /contracts/DarkForestGetterInjected/IWETH.bin-runtime: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /contracts/DarkForestGetterInjected/IGetter.bin-runtime: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /contracts/DarkForestGetterInjectedV2/IGetter.bin-runtime: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /contracts/DarkForestGetterInjectedV2/IPool.bin-runtime: 
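--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/contracts/DarkForestGetterInjectedV2/IWETH.bin-runtime:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/research_report.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chi-research/symbolic-searcher/HEAD/research_report.pdf
--------------------------------------------------------------------------------
/contracts/InjectedAssertETH/InjectedAssertETH.sol:
--------------------------------------------------------------------------------
// SPDX-License-Identifier: UNLICENSED
pragma solidity >=0.8.17;

/// @title InjectedAssertETH
/// @notice Single-function contract that carries one assertion about the ETH
///         balance of a hard-coded address.
/// @dev The compiled runtime for this source is listed on this page as
///      InjectedAssertETH.bin-runtime.
///      NOTE(review): judging by the directory name, this is presumably the
///      check that gets spliced into another contract's get() path; confirm
///      against run.py / README.md.
contract InjectedAssertETH {
    /// @notice Panics unless the watched address holds at most the threshold.
    /// @dev `.balance` is denominated in wei. A failing assert() in Solidity
    ///      >=0.8 reverts with Panic(0x01); the 0x4e487b71 selector and the
    ///      0x01 code are visible near the end of the compiled runtime.
    ///      The function only reads state but is not declared `view`.
    function get() public {
        assert(address(0xE462Eae2AEF5deFbcDdc43995b7f593e6F0ae22F).balance <= 574999214123497918071);
    }
}
--------------------------------------------------------------------------------
/scripts/hevm_symbolic.sh:
--------------------------------------------------------------------------------
#!/bin/sh
# Run `hevm symbolic` on get() at CONTRACT_ADDR, with state fetched over RPC at
# a pinned block and the executed code taken from
# BytecodeInjectorOutput.bin-runtime instead of the chain.
#
# Requires hevm on PATH, ETH_RPC_URL in the environment, and the repository
# root as the working directory (the bytecode path below is relative).
set -eu

# Stop early when the endpoint is missing. Unset and unquoted, "--rpc" would be
# followed directly by the next flag and the command line would be misparsed.
: "${ETH_RPC_URL:?set ETH_RPC_URL to an Ethereum JSON-RPC endpoint}"

CONTRACT_ADDR=0xa4004b352fcbb913f0ddaba2454e7ff9cb64bdf6

# Read the bytecode before building the command: with `set -e` an unreadable
# file aborts here, instead of expanding to nothing after "--code".
CODE=$(cat BytecodeInjectorOutput.bin-runtime)

# SYMBOLIC
# The RPC URL is passed as an argument, so it shows up in the process list;
# treat it as a secret if it embeds a provider API key.
hevm symbolic \
    --rpc "$ETH_RPC_URL" \
    --address "$CONTRACT_ADDR" \
    --sig "get()" \
    --get-models \
    --show-tree \
    --storage-model ConcreteS \
    --code "$CODE" \
    --block 10741412
--------------------------------------------------------------------------------
/scripts/hevm_exec.sh:
--------------------------------------------------------------------------------
1 | TXHASH=0x93b1a493e9d871b9d3f553996653c4d2f50bf6a2c744ce31e8de89956472863e
2 |
3 | # EXEC DEBUGGER
4 | hevm exec \
5 | --caller $(seth tx $TXHASH from) \
6 | --address $(seth tx $TXHASH to) \
7 | --calldata 0x6d4ce63c \
8 | --rpc $ETH_RPC_URL \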
9 | --block 10741412 \
10 | --gas 1000000000 \
11 | --code $(cat BytecodeInjectorOutput.bin-runtime) \
12 | --debug
13 |
--------------------------------------------------------------------------------
/contracts/InjectedAssert/InjectedAssert.sol:
--------------------------------------------------------------------------------
// SPDX-License-Identifier: UNLICENSED
pragma solidity >=0.8.17;

/// @notice Minimal token interface: only the balance query used by the
///         assertion below.
interface IERC20 {
    function balanceOf(address owner) external view returns (uint);
}

/// @title InjectedAssert
/// @notice Single-function contract that carries one assertion about a token
///         balance; both the token and the holder are hard-coded.
/// @dev The source is left exactly as compiled, because InjectedAssert.bin-runtime
///      and InjectedAssert.opcode on this page are build outputs of it. The
///      same two addresses also appear inside BytecodeInjectorOutput.bin-runtime.
///      The token address is the one DarkForestGetterInjectedV2.sol casts to IWETH.
contract InjectedAssert {
    /// @notice Panics if the hard-coded holder has any balance of the token.
    /// @dev balanceOf returns an unsigned integer, so `<= 0` holds only when
    ///      the balance is exactly zero. A failing assert() reverts with
    ///      Panic(0x01) rather than a require-style Error(string).
    ///      NOTE(review): assert (not require) looks deliberate; presumably
    ///      this is the property the hevm symbolic run tries to violate.
    ///      Confirm against research_report.pdf.
    function get() public {
        assert(IERC20(0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2).balanceOf(0xe87e7073eC3021866553F0CdD73067A5AECc8e50) <= 0);
    }
}
--------------------------------------------------------------------------------
/contracts/InjectedAssertETH/InjectedAssertETH.bin-runtime:
--------------------------------------------------------------------------------
1 | 6080604052348015600f57600080fd5b506004361060285760003560e01c80636d4ce63c14602d575b600080fd5b60336035565b005b681f2bb792c4d7dd8e7773e462eae2aef5defbcddc43995b7f593e6f0ae22f73ffffffffffffffffffffffffffffffffffffffff1631111560775760766079565b5b565b7f4e487b7100000000000000000000000000000000000000000000000000000000600052600160045260246000fdfea2646970667358221220260e435d80dc28da7b0e4a0de411627e9986babbdd6bb7ade334a76287b78c9d64736f6c63430008110033
--------------------------------------------------------------------------------
/contracts/DarkForestGetter/DarkForestGetter.sol:
--------------------------------------------------------------------------------
1 | // SPDX-License-Identifier: UNLICENSED
2 | pragma solidity >=0.8.17;
3 |
4 | interface IGetter {
5 | function set(bool) external;
6 | }
7 |
8 | interface IPool {
9 | function burn(address to) external returns (uint amount0, uint amount1);
10 | }
11 |
12 | contract Getter is IGetter {
13 | IPool private pool;
14 | address private setter;
15 | address private getter;
16 | address private dest;
17 | bool
private on; 18 | 19 | constructor(address pool_, address setter_, address getter_, address dest_) public { 20 | pool = IPool(pool_); 21 | setter = setter_; 22 | getter = getter_; 23 | dest = dest_; 24 | } 25 | 26 | function set(bool on_) public override { 27 | require(msg.sender == setter, "no-setter"); 28 | on = on_; 29 | } 30 | 31 | function get() public { 32 | require(msg.sender == getter, "no-getter"); 33 | require(on == true, "no-break"); 34 | pool.burn(dest); 35 | } 36 | } -------------------------------------------------------------------------------- /contracts/InjectedAssert/InjectedAssert.bin-runtime: -------------------------------------------------------------------------------- 1 | 608060405234801561001057600080fd5b506004361061002b5760003560e01c80636d4ce63c14610030575b600080fd5b61003861003a565b005b600073c02aaa39b223fe8d0a0e5c4f27ead9083c756cc273ffffffffffffffffffffffffffffffffffffffff166370a0823173e87e7073ec3021866553f0cdd73067a5aecc8e506040518263ffffffff1660e01b815260040161009d9190610130565b602060405180830381865afa1580156100ba573d6000803e3d6000fd5b505050506040513d601f19601f820116820180604052508101906100de9190610186565b11156100ed576100ec6101b3565b5b565b600073ffffffffffffffffffffffffffffffffffffffff82169050919050565b600061011a826100ef565b9050919050565b61012a8161010f565b82525050565b60006020820190506101456000830184610121565b92915050565b600080fd5b6000819050919050565b61016381610150565b811461016e57600080fd5b50565b6000815190506101808161015a565b92915050565b60006020828403121561019c5761019b61014b565b5b60006101aa84828501610171565b91505092915050565b7f4e487b7100000000000000000000000000000000000000000000000000000000600052600160045260246000fdfea2646970667358221220160993be637506882ebbd0abcfb64e94771cdb047ac10ba76563aa723049a84f64736f6c63430008110033 -------------------------------------------------------------------------------- /contracts/DarkForestGetterInjectedV2/DarkForestGetterInjectedV2.sol: 
--------------------------------------------------------------------------------
// SPDX-License-Identifier: UNLICENSED
pragma solidity >=0.8.17;

/// @notice On/off switch interface implemented by Getter.
interface IGetter {
    function set(bool) external;
}

/// @notice The single pool function Getter calls.
interface IPool {
    function burn(address to) external returns (uint amount0, uint amount1);
}

/// @notice Balance query used only by the assertion at the end of get().
interface IWETH {
    function balanceOf(address owner) external view returns (uint);
}

/// @title Getter (variant with a post-burn balance assertion)
/// @notice Two-role gate around pool.burn(dest): `setter` arms the switch and
///         `getter` triggers the burn.
/// @dev `private` only prevents other contracts from reading these variables
///      through Solidity. The values remain readable from chain storage, so
///      the role addresses and `dest` are not secret.
contract Getter is IGetter {
    IPool private pool;     // contract whose burn() is invoked by get()
    address private setter; // only account allowed to call set()
    address private getter; // only account allowed to call get()
    address private dest;   // recipient passed to burn() and checked by the assert
    bool private on;        // must be true for get() to proceed

    /// @dev Stores the four addresses as given, with no validation. A
    ///      visibility specifier on a constructor is ignored from Solidity 0.7
    ///      onwards; the compiler only warns about the `public` here.
    constructor(address pool_, address setter_, address getter_, address dest_) public {
        pool = IPool(pool_);
        setter = setter_;
        getter = getter_;
        dest = dest_;
    }

    /// @notice Arms or disarms get(). Reverts with "no-setter" for any caller
    ///         other than `setter`.
    function set(bool on_) public override {
        require(msg.sender == setter, "no-setter");
        on = on_;
    }

    /// @notice Burns through the pool to `dest`, then asserts that `dest`
    ///         holds no balance at the address cast to IWETH.
    /// @dev Order of checks: caller is `getter`, switch is on, external burn
    ///      call (both return values are discarded), then the assertion.
    ///      balanceOf is unsigned, so `<= 0` means "exactly zero": any
    ///      non-zero balance at `dest` after the burn fails the assert and
    ///      reverts the whole call with Panic(0x01). The sibling
    ///      DarkForestGetterInjected.sol on this page instead compares the
    ///      balance before and after the burn.
    ///      NOTE(review): assert (not require) looks deliberate; presumably
    ///      this is the property a symbolic-execution run is asked to violate.
    ///      Confirm against research_report.pdf.
    function get() public {
        require(msg.sender == getter, "no-getter");
        require(on == true, "no-break");
        pool.burn(dest);
        assert(IWETH(0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2).balanceOf(dest) <= 0);
    }
}
--------------------------------------------------------------------------------
/contracts/DarkForestGetterInjected/DarkForestGetterInjected.sol:
--------------------------------------------------------------------------------
1 | // SPDX-License-Identifier: UNLICENSED
2 | pragma solidity >=0.8.17;
3 |
4 | interface IGetter {
5 | function set(bool) external;
6 | }
7 |
8 | interface IPool {
9 | function burn(address to) external returns (uint amount0, uint amount1);
10 | }
11 |
12 | interface IWETH {
13 | function balanceOf(address owner) external view returns (uint);
14 | }
15 |
16 | contract Getter is IGetter {
17 | IPool private pool;
18 | address private setter;
19 | address private getter;
20 | address private dest;
21 | bool private on;
22 |
23 | constructor(address pool_, address setter_, address getter_, address
dest_) public { 24 | pool = IPool(pool_); 25 | setter = setter_; 26 | getter = getter_; 27 | dest = dest_; 28 | } 29 | 30 | function set(bool on_) public override { 31 | require(msg.sender == setter, "no-setter"); 32 | on = on_; 33 | } 34 | 35 | function get() public { 36 | require(msg.sender == getter, "no-getter"); 37 | require(on == true, "no-break"); 38 | uint256 orig_balance = IWETH(0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2).balanceOf(dest); 39 | pool.burn(dest); 40 | uint256 new_balance = IWETH(0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2).balanceOf(dest); 41 | assert(new_balance <= orig_balance); 42 | } 43 | } -------------------------------------------------------------------------------- /DeployedGetter.bin-runtime: -------------------------------------------------------------------------------- 1 | 0x608060405234801561001057600080fd5b50600436106100365760003560e01c80635f76f6ab1461003b5780636d4ce63c1461006b575b600080fd5b6100696004803603602081101561005157600080fd5b81019080803515159060200190929190505050610075565b005b610073610155565b005b600160009054906101000a900473ffffffffffffffffffffffffffffffffffffffff1673ffffffffffffffffffffffffffffffffffffffff163373ffffffffffffffffffffffffffffffffffffffff1614610138576040517f08c379a00000000000000000000000000000000000000000000000000000000081526004018080602001828103825260098152602001807f6e6f2d736574746572000000000000000000000000000000000000000000000081525060200191505060405180910390fd5b80600360146101000a81548160ff02191690831515021790555050565b600260009054906101000a900473ffffffffffffffffffffffffffffffffffffffff1673ffffffffffffffffffffffffffffffffffffffff163373ffffffffffffffffffffffffffffffffffffffff1614610218576040517f08c379a00000000000000000000000000000000000000000000000000000000081526004018080602001828103825260098152602001807f6e6f2d676574746572000000000000000000000000000000000000000000000081525060200191505060405180910390fd5b60011515600360149054906101000a900460ff161515146102a1576040517f08c379a000000000000000000000000000000000000
00000000000000000000081526004018080602001828103825260088152602001807f6e6f2d627265616b00000000000000000000000000000000000000000000000081525060200191505060405180910390fd5b6000809054906101000a900473ffffffffffffffffffffffffffffffffffffffff1673ffffffffffffffffffffffffffffffffffffffff166389afcb44600360009054906101000a900473ffffffffffffffffffffffffffffffffffffffff166040518263ffffffff1660e01b8152600401808273ffffffffffffffffffffffffffffffffffffffff1673ffffffffffffffffffffffffffffffffffffffff1681526020019150506040805180830381600087803b15801561036257600080fd5b505af1158015610376573d6000803e3d6000fd5b505050506040513d604081101561038c57600080fd5b810190808051906020019092919080519060200190929190505050505056fea26469706673582212200f84fa7c1eca0b747565f037279db5a87b0ade0a28dcb4c034ae70954ff906ea64736f6c63430006060033 2 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Byte-compiled / optimized / DLL files 2 | __pycache__/ 3 | *.py[cod] 4 | *$py.class 5 | 6 | # C extensions 7 | *.so 8 | 9 | # Distribution / packaging 10 | .Python 11 | build/ 12 | develop-eggs/ 13 | dist/ 14 | downloads/ 15 | eggs/ 16 | .eggs/ 17 | lib/ 18 | lib64/ 19 | parts/ 20 | sdist/ 21 | var/ 22 | wheels/ 23 | pip-wheel-metadata/ 24 | share/python-wheels/ 25 | *.egg-info/ 26 | .installed.cfg 27 | *.egg 28 | MANIFEST 29 | 30 | # PyInstaller 31 | # Usually these files are written by a python script from a template 32 | # before PyInstaller builds the exe, so as to inject date/other infos into it. 
33 | *.manifest 34 | *.spec 35 | 36 | # Installer logs 37 | pip-log.txt 38 | pip-delete-this-directory.txt 39 | 40 | # Unit test / coverage reports 41 | htmlcov/ 42 | .tox/ 43 | .nox/ 44 | .coverage 45 | .coverage.* 46 | .cache 47 | nosetests.xml 48 | coverage.xml 49 | *.cover 50 | *.py,cover 51 | .hypothesis/ 52 | .pytest_cache/ 53 | 54 | # Translations 55 | *.mo 56 | *.pot 57 | 58 | # Django stuff: 59 | *.log 60 | local_settings.py 61 | db.sqlite3 62 | db.sqlite3-journal 63 | 64 | # Flask stuff: 65 | instance/ 66 | .webassets-cache 67 | 68 | # Scrapy stuff: 69 | .scrapy 70 | 71 | # Sphinx documentation 72 | docs/_build/ 73 | 74 | # PyBuilder 75 | target/ 76 | 77 | # Jupyter Notebook 78 | .ipynb_checkpoints 79 | 80 | # IPython 81 | profile_default/ 82 | ipython_config.py 83 | 84 | # pyenv 85 | .python-version 86 | 87 | # pipenv 88 | # According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control. 89 | # However, in case of collaboration, if having platform-specific dependencies or dependencies 90 | # having no cross-platform support, pipenv may install dependencies that don't work, or not 91 | # install all needed dependencies. 92 | #Pipfile.lock 93 | 94 | # PEP 582; used by e.g. 
github.com/David-OConnor/pyflow 95 | __pypackages__/ 96 | 97 | # Celery stuff 98 | celerybeat-schedule 99 | celerybeat.pid 100 | 101 | # SageMath parsed files 102 | *.sage.py 103 | 104 | # Environments 105 | .env 106 | .venv 107 | env/ 108 | venv/ 109 | ENV/ 110 | env.bak/ 111 | venv.bak/ 112 | 113 | # Spyder project settings 114 | .spyderproject 115 | .spyproject 116 | 117 | # Rope project settings 118 | .ropeproject 119 | 120 | # mkdocs documentation 121 | /site 122 | 123 | # mypy 124 | .mypy_cache/ 125 | .dmypy.json 126 | dmypy.json 127 | 128 | # Pyre type checker 129 | .pyre/ 130 | -------------------------------------------------------------------------------- /contracts/InjectedAssert/InjectedAssert.opcode: -------------------------------------------------------------------------------- 1 | PUSH1 0x80 PUSH1 0x40 MSTORE CALLVALUE DUP1 ISZERO PUSH2 0x10 JUMPI PUSH1 0x0 DUP1 REVERT JUMPDEST POP PUSH2 0x218 DUP1 PUSH2 0x20 PUSH1 0x0 CODECOPY PUSH1 0x0 RETURN INVALID PUSH1 0x80 PUSH1 0x40 MSTORE CALLVALUE DUP1 ISZERO PUSH2 0x10 JUMPI PUSH1 0x0 DUP1 REVERT JUMPDEST POP PUSH1 0x4 CALLDATASIZE LT PUSH2 0x2B JUMPI PUSH1 0x0 CALLDATALOAD PUSH1 0xE0 SHR DUP1 PUSH4 0x6D4CE63C EQ PUSH2 0x30 JUMPI JUMPDEST PUSH1 0x0 DUP1 REVERT JUMPDEST PUSH2 0x38 PUSH2 0x3A JUMP JUMPDEST STOP JUMPDEST PUSH1 0x0 PUSH20 0xC02AAA39B223FE8D0A0E5C4F27EAD9083C756CC2 PUSH20 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF AND PUSH4 0x70A08231 PUSH20 0xE87E7073EC3021866553F0CDD73067A5AECC8E50 PUSH1 0x40 MLOAD DUP3 PUSH4 0xFFFFFFFF AND PUSH1 0xE0 SHL DUP2 MSTORE PUSH1 0x4 ADD PUSH2 0x9D SWAP2 SWAP1 PUSH2 0x130 JUMP JUMPDEST PUSH1 0x20 PUSH1 0x40 MLOAD DUP1 DUP4 SUB DUP2 DUP7 GAS STATICCALL ISZERO DUP1 ISZERO PUSH2 0xBA JUMPI RETURNDATASIZE PUSH1 0x0 DUP1 RETURNDATACOPY RETURNDATASIZE PUSH1 0x0 REVERT JUMPDEST POP POP POP POP PUSH1 0x40 MLOAD RETURNDATASIZE PUSH1 0x1F NOT PUSH1 0x1F DUP3 ADD AND DUP3 ADD DUP1 PUSH1 0x40 MSTORE POP DUP2 ADD SWAP1 PUSH2 0xDE SWAP2 SWAP1 PUSH2 0x186 JUMP JUMPDEST GT ISZERO 
PUSH2 0xED JUMPI PUSH2 0xEC PUSH2 0x1B3 JUMP JUMPDEST JUMPDEST JUMP JUMPDEST PUSH1 0x0 PUSH20 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF DUP3 AND SWAP1 POP SWAP2 SWAP1 POP JUMP JUMPDEST PUSH1 0x0 PUSH2 0x11A DUP3 PUSH2 0xEF JUMP JUMPDEST SWAP1 POP SWAP2 SWAP1 POP JUMP JUMPDEST PUSH2 0x12A DUP2 PUSH2 0x10F JUMP JUMPDEST DUP3 MSTORE POP POP JUMP JUMPDEST PUSH1 0x0 PUSH1 0x20 DUP3 ADD SWAP1 POP PUSH2 0x145 PUSH1 0x0 DUP4 ADD DUP5 PUSH2 0x121 JUMP JUMPDEST SWAP3 SWAP2 POP POP JUMP JUMPDEST PUSH1 0x0 DUP1 REVERT JUMPDEST PUSH1 0x0 DUP2 SWAP1 POP SWAP2 SWAP1 POP JUMP JUMPDEST PUSH2 0x163 DUP2 PUSH2 0x150 JUMP JUMPDEST DUP2 EQ PUSH2 0x16E JUMPI PUSH1 0x0 DUP1 REVERT JUMPDEST POP JUMP JUMPDEST PUSH1 0x0 DUP2 MLOAD SWAP1 POP PUSH2 0x180 DUP2 PUSH2 0x15A JUMP JUMPDEST SWAP3 SWAP2 POP POP JUMP JUMPDEST PUSH1 0x0 PUSH1 0x20 DUP3 DUP5 SUB SLT ISZERO PUSH2 0x19C JUMPI PUSH2 0x19B PUSH2 0x14B JUMP JUMPDEST JUMPDEST PUSH1 0x0 PUSH2 0x1AA DUP5 DUP3 DUP6 ADD PUSH2 0x171 JUMP JUMPDEST SWAP2 POP POP SWAP3 SWAP2 POP POP JUMP JUMPDEST PUSH32 0x4E487B7100000000000000000000000000000000000000000000000000000000 PUSH1 0x0 MSTORE PUSH1 0x1 PUSH1 0x4 MSTORE PUSH1 0x24 PUSH1 0x0 REVERT INVALID LOG2 PUSH5 0x6970667358 0x22 SLT KECCAK256 AND MULMOD SWAP4 0xBE PUSH4 0x7506882E 0xBB 0xD0 0xAB 0xCF 0xB6 0x4E SWAP5 PUSH24 0x1CDB047AC10BA76563AA723049A84F64736F6C6343000811 STOP CALLER -------------------------------------------------------------------------------- /contracts/DarkForestGetter/Getter.bin-runtime: -------------------------------------------------------------------------------- 1 | 
608060405234801561001057600080fd5b50600436106100365760003560e01c80635f76f6ab1461003b5780636d4ce63c14610057575b600080fd5b610055600480360381019061005091906102f2565b610061565b005b61005f61010e565b005b600160009054906101000a900473ffffffffffffffffffffffffffffffffffffffff1673ffffffffffffffffffffffffffffffffffffffff163373ffffffffffffffffffffffffffffffffffffffff16146100f1576040517f08c379a00000000000000000000000000000000000000000000000000000000081526004016100e89061037c565b60405180910390fd5b80600360146101000a81548160ff02191690831515021790555050565b600260009054906101000a900473ffffffffffffffffffffffffffffffffffffffff1673ffffffffffffffffffffffffffffffffffffffff163373ffffffffffffffffffffffffffffffffffffffff161461019e576040517f08c379a0000000000000000000000000000000000000000000000000000000008152600401610195906103e8565b60405180910390fd5b60011515600360149054906101000a900460ff161515146101f4576040517f08c379a00000000000000000000000000000000000000000000000000000000081526004016101eb90610454565b60405180910390fd5b60008054906101000a900473ffffffffffffffffffffffffffffffffffffffff1673ffffffffffffffffffffffffffffffffffffffff166389afcb44600360009054906101000a900473ffffffffffffffffffffffffffffffffffffffff166040518263ffffffff1660e01b815260040161026f91906104b5565b60408051808303816000875af115801561028d573d6000803e3d6000fd5b505050506040513d601f19601f820116820180604052508101906102b19190610506565b5050565b600080fd5b60008115159050919050565b6102cf816102ba565b81146102da57600080fd5b50565b6000813590506102ec816102c6565b92915050565b600060208284031215610308576103076102b5565b5b6000610316848285016102dd565b91505092915050565b600082825260208201905092915050565b7f6e6f2d7365747465720000000000000000000000000000000000000000000000600082015250565b600061036660098361031f565b915061037182610330565b602082019050919050565b6000602082019050818103600083015261039581610359565b9050919050565b7f6e6f2d6765747465720000000000000000000000000000000000000000000000600082015250565b60006103d260098361031f565b91506103dd8261039c565b60208201905091905056
5b60006020820190508181036000830152610401816103c5565b9050919050565b7f6e6f2d627265616b000000000000000000000000000000000000000000000000600082015250565b600061043e60088361031f565b915061044982610408565b602082019050919050565b6000602082019050818103600083015261046d81610431565b9050919050565b600073ffffffffffffffffffffffffffffffffffffffff82169050919050565b600061049f82610474565b9050919050565b6104af81610494565b82525050565b60006020820190506104ca60008301846104a6565b92915050565b6000819050919050565b6104e3816104d0565b81146104ee57600080fd5b50565b600081519050610500816104da565b92915050565b6000806040838503121561051d5761051c6102b5565b5b600061052b858286016104f1565b925050602061053c858286016104f1565b915050925092905056fea2646970667358221220b9c1259d90591266f863be62d00fdaa520f66ce0112e074c2bbf471a59d987b664736f6c63430008110033 -------------------------------------------------------------------------------- /contracts/DarkForestGetterInjectedV2/Getter.bin-runtime: -------------------------------------------------------------------------------- 1 | 
608060405234801561001057600080fd5b50600436106100365760003560e01c80635f76f6ab1461003b5780636d4ce63c14610057575b600080fd5b610055600480360381019061005091906103b3565b610061565b005b61005f61010e565b005b600160009054906101000a900473ffffffffffffffffffffffffffffffffffffffff1673ffffffffffffffffffffffffffffffffffffffff163373ffffffffffffffffffffffffffffffffffffffff16146100f1576040517f08c379a00000000000000000000000000000000000000000000000000000000081526004016100e89061043d565b60405180910390fd5b80600360146101000a81548160ff02191690831515021790555050565b600260009054906101000a900473ffffffffffffffffffffffffffffffffffffffff1673ffffffffffffffffffffffffffffffffffffffff163373ffffffffffffffffffffffffffffffffffffffff161461019e576040517f08c379a0000000000000000000000000000000000000000000000000000000008152600401610195906104a9565b60405180910390fd5b60011515600360149054906101000a900460ff161515146101f4576040517f08c379a00000000000000000000000000000000000000000000000000000000081526004016101eb90610515565b60405180910390fd5b60008054906101000a900473ffffffffffffffffffffffffffffffffffffffff1673ffffffffffffffffffffffffffffffffffffffff166389afcb44600360009054906101000a900473ffffffffffffffffffffffffffffffffffffffff166040518263ffffffff1660e01b815260040161026f9190610576565b60408051808303816000875af115801561028d573d6000803e3d6000fd5b505050506040513d601f19601f820116820180604052508101906102b191906105c7565b5050600073c02aaa39b223fe8d0a0e5c4f27ead9083c756cc273ffffffffffffffffffffffffffffffffffffffff166370a08231600360009054906101000a900473ffffffffffffffffffffffffffffffffffffffff166040518263ffffffff1660e01b81526004016103249190610576565b602060405180830381865afa158015610341573d6000803e3d6000fd5b505050506040513d601f19601f820116820180604052508101906103659190610607565b111561037457610373610634565b5b565b600080fd5b60008115159050919050565b6103908161037b565b811461039b57600080fd5b50565b6000813590506103ad81610387565b92915050565b6000602082840312156103c9576103c8610376565b5b60006103d78482850161039e565b91505092915050565b60008282526020
8201905092915050565b7f6e6f2d7365747465720000000000000000000000000000000000000000000000600082015250565b60006104276009836103e0565b9150610432826103f1565b602082019050919050565b600060208201905081810360008301526104568161041a565b9050919050565b7f6e6f2d6765747465720000000000000000000000000000000000000000000000600082015250565b60006104936009836103e0565b915061049e8261045d565b602082019050919050565b600060208201905081810360008301526104c281610486565b9050919050565b7f6e6f2d627265616b000000000000000000000000000000000000000000000000600082015250565b60006104ff6008836103e0565b915061050a826104c9565b602082019050919050565b6000602082019050818103600083015261052e816104f2565b9050919050565b600073ffffffffffffffffffffffffffffffffffffffff82169050919050565b600061056082610535565b9050919050565b61057081610555565b82525050565b600060208201905061058b6000830184610567565b92915050565b6000819050919050565b6105a481610591565b81146105af57600080fd5b50565b6000815190506105c18161059b565b92915050565b600080604083850312156105de576105dd610376565b5b60006105ec858286016105b2565b92505060206105fd858286016105b2565b9150509250929050565b60006020828403121561061d5761061c610376565b5b600061062b848285016105b2565b91505092915050565b7f4e487b7100000000000000000000000000000000000000000000000000000000600052600160045260246000fdfea264697066735822122008c1bb42897e820b4c467e208ee6f8e1fcb1e0a891fc828b4c97de56e1c5f24664736f6c63430008110033 -------------------------------------------------------------------------------- /contracts/DarkForestGetterInjected/Getter.bin-runtime: -------------------------------------------------------------------------------- 1 | 
608060405234801561001057600080fd5b50600436106100365760003560e01c80635f76f6ab1461003b5780636d4ce63c14610057575b600080fd5b6100556004803603810190610050919061046d565b610061565b005b61005f61010e565b005b600160009054906101000a900473ffffffffffffffffffffffffffffffffffffffff1673ffffffffffffffffffffffffffffffffffffffff163373ffffffffffffffffffffffffffffffffffffffff16146100f1576040517f08c379a00000000000000000000000000000000000000000000000000000000081526004016100e8906104f7565b60405180910390fd5b80600360146101000a81548160ff02191690831515021790555050565b600260009054906101000a900473ffffffffffffffffffffffffffffffffffffffff1673ffffffffffffffffffffffffffffffffffffffff163373ffffffffffffffffffffffffffffffffffffffff161461019e576040517f08c379a000000000000000000000000000000000000000000000000000000000815260040161019590610563565b60405180910390fd5b60011515600360149054906101000a900460ff161515146101f4576040517f08c379a00000000000000000000000000000000000000000000000000000000081526004016101eb906105cf565b60405180910390fd5b600073c02aaa39b223fe8d0a0e5c4f27ead9083c756cc273ffffffffffffffffffffffffffffffffffffffff166370a08231600360009054906101000a900473ffffffffffffffffffffffffffffffffffffffff166040518263ffffffff1660e01b81526004016102659190610630565b602060405180830381865afa158015610282573d6000803e3d6000fd5b505050506040513d601f19601f820116820180604052508101906102a69190610681565b905060008054906101000a900473ffffffffffffffffffffffffffffffffffffffff1673ffffffffffffffffffffffffffffffffffffffff166389afcb44600360009054906101000a900473ffffffffffffffffffffffffffffffffffffffff166040518263ffffffff1660e01b81526004016103239190610630565b60408051808303816000875af1158015610341573d6000803e3d6000fd5b505050506040513d601f19601f8201168201806040525081019061036591906106ae565b5050600073c02aaa39b223fe8d0a0e5c4f27ead9083c756cc273ffffffffffffffffffffffffffffffffffffffff166370a08231600360009054906101000a900473ffffffffffffffffffffffffffffffffffffffff166040518263ffffffff1660e01b81526004016103d89190610630565b602060405180830381865afa158015
6103f5573d6000803e3d6000fd5b505050506040513d601f19601f820116820180604052508101906104199190610681565b90508181111561042c5761042b6106ee565b5b5050565b600080fd5b60008115159050919050565b61044a81610435565b811461045557600080fd5b50565b60008135905061046781610441565b92915050565b60006020828403121561048357610482610430565b5b600061049184828501610458565b91505092915050565b600082825260208201905092915050565b7f6e6f2d7365747465720000000000000000000000000000000000000000000000600082015250565b60006104e160098361049a565b91506104ec826104ab565b602082019050919050565b60006020820190508181036000830152610510816104d4565b9050919050565b7f6e6f2d6765747465720000000000000000000000000000000000000000000000600082015250565b600061054d60098361049a565b915061055882610517565b602082019050919050565b6000602082019050818103600083015261057c81610540565b9050919050565b7f6e6f2d627265616b000000000000000000000000000000000000000000000000600082015250565b60006105b960088361049a565b91506105c482610583565b602082019050919050565b600060208201905081810360008301526105e8816105ac565b9050919050565b600073ffffffffffffffffffffffffffffffffffffffff82169050919050565b600061061a826105ef565b9050919050565b61062a8161060f565b82525050565b60006020820190506106456000830184610621565b92915050565b6000819050919050565b61065e8161064b565b811461066957600080fd5b50565b60008151905061067b81610655565b92915050565b60006020828403121561069757610696610430565b5b60006106a58482850161066c565b91505092915050565b600080604083850312156106c5576106c4610430565b5b60006106d38582860161066c565b92505060206106e48582860161066c565b9150509250929050565b7f4e487b7100000000000000000000000000000000000000000000000000000000600052600160045260246000fdfea26469706673582212204e19631c786438c6b8e19af72221e894409cbb37fb0d3c2acb8f8a425f951faa64736f6c63430008110033 -------------------------------------------------------------------------------- /BytecodeInjectorOutput.bin-runtime: -------------------------------------------------------------------------------- 1 | 
608060405234801561001057600080fd5b50600436106100365760003560e01c80635f76f6ab1461003b5780636d4ce63c1461006b575b600080fd5b6103ac6004803603602081101561005157600080fd5b81019080803515159060200190929190505050610075565b005b610590610155565b005b600160009054906101000a900473ffffffffffffffffffffffffffffffffffffffff1673ffffffffffffffffffffffffffffffffffffffff163373ffffffffffffffffffffffffffffffffffffffff1614610138576040517f08c379a00000000000000000000000000000000000000000000000000000000081526004018080602001828103825260098152602001807f6e6f2d736574746572000000000000000000000000000000000000000000000081525060200191505060405180910390fd5b80600360146101000a81548160ff02191690831515021790555050565b600260009054906101000a900473ffffffffffffffffffffffffffffffffffffffff1673ffffffffffffffffffffffffffffffffffffffff163373ffffffffffffffffffffffffffffffffffffffff1614610218576040517f08c379a00000000000000000000000000000000000000000000000000000000081526004018080602001828103825260098152602001807f6e6f2d676574746572000000000000000000000000000000000000000000000081525060200191505060405180910390fd5b60011515600360149054906101000a900460ff161515146102a1576040517f08c379a00000000000000000000000000000000000000000000000000000000081526004018080602001828103825260088152602001807f6e6f2d627265616b00000000000000000000000000000000000000000000000081525060200191505060405180910390fd5b6000809054906101000a900473ffffffffffffffffffffffffffffffffffffffff1673ffffffffffffffffffffffffffffffffffffffff166389afcb44600360009054906101000a900473ffffffffffffffffffffffffffffffffffffffff166040518263ffffffff1660e01b8152600401808273ffffffffffffffffffffffffffffffffffffffff1673ffffffffffffffffffffffffffffffffffffffff1681526020019150506040805180830381600087803b15801561036257600080fd5b505af1158015610376573d6000803e3d6000fd5b505050506040513d604081101561038c57600080fd5b810190808051906020019092919080519060200190929190505050505056fe5b60806040523480156103bd57600080fd5b50600436106103d85760003560e01c80636d4ce63c146103dd575b600080fd5b6103e56103e7565b005b
600073c02aaa39b223fe8d0a0e5c4f27ead9083c756cc273ffffffffffffffffffffffffffffffffffffffff166370a0823173e87e7073ec3021866553f0cdd73067a5aecc8e506040518263ffffffff1660e01b815260040161044a91906104dd565b602060405180830381865afa158015610467573d6000803e3d6000fd5b505050506040513d601f19601f8201168201806040525081019061048b9190610533565b111561049a57610499610560565b5b565b600073ffffffffffffffffffffffffffffffffffffffff82169050919050565b60006104c78261049c565b9050919050565b6104d7816104bc565b82525050565b60006020820190506104f260008301846104ce565b92915050565b600080fd5b6000819050919050565b610510816104fd565b811461051b57600080fd5b50565b60008151905061052d81610507565b92915050565b600060208284031215610549576105486104f8565b5b60006105578482850161051e565b91505092915050565b7f4e487b7100000000000000000000000000000000000000000000000000000000600052600160045260246000fdfe5b60806040523480156105a157600080fd5b50600436106105bc5760003560e01c80636d4ce63c146105c1575b600080fd5b6105c96105cb565b005b600073c02aaa39b223fe8d0a0e5c4f27ead9083c756cc273ffffffffffffffffffffffffffffffffffffffff166370a0823173e87e7073ec3021866553f0cdd73067a5aecc8e506040518263ffffffff1660e01b815260040161062e91906106c1565b602060405180830381865afa15801561064b573d6000803e3d6000fd5b505050506040513d601f19601f8201168201806040525081019061066f9190610717565b111561067e5761067d610744565b5b565b600073ffffffffffffffffffffffffffffffffffffffff82169050919050565b60006106ab82610680565b9050919050565b6106bb816106a0565b82525050565b60006020820190506106d660008301846106b2565b92915050565b600080fd5b6000819050919050565b6106f4816106e1565b81146106ff57600080fd5b50565b600081519050610711816106eb565b92915050565b60006020828403121561072d5761072c6106dc565b5b600061073b84828501610702565b91505092915050565b7f4e487b7100000000000000000000000000000000000000000000000000000000600052600160045260246000fdfe -------------------------------------------------------------------------------- /contracts/DarkForestGetter/Getter.opcode: 
-------------------------------------------------------------------------------- 1 | PUSH1 0x80 PUSH1 0x40 MSTORE CALLVALUE DUP1 ISZERO PUSH2 0x10 JUMPI PUSH1 0x0 DUP1 REVERT JUMPDEST POP PUSH1 0x40 MLOAD PUSH2 0x793 CODESIZE SUB DUP1 PUSH2 0x793 DUP4 CODECOPY DUP2 DUP2 ADD PUSH1 0x40 MSTORE DUP2 ADD SWAP1 PUSH2 0x32 SWAP2 SWAP1 PUSH2 0x1A1 JUMP JUMPDEST DUP4 PUSH1 0x0 DUP1 PUSH2 0x100 EXP DUP2 SLOAD DUP2 PUSH20 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF MUL NOT AND SWAP1 DUP4 PUSH20 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF AND MUL OR SWAP1 SSTORE POP DUP3 PUSH1 0x1 PUSH1 0x0 PUSH2 0x100 EXP DUP2 SLOAD DUP2 PUSH20 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF MUL NOT AND SWAP1 DUP4 PUSH20 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF AND MUL OR SWAP1 SSTORE POP DUP2 PUSH1 0x2 PUSH1 0x0 PUSH2 0x100 EXP DUP2 SLOAD DUP2 PUSH20 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF MUL NOT AND SWAP1 DUP4 PUSH20 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF AND MUL OR SWAP1 SSTORE POP DUP1 PUSH1 0x3 PUSH1 0x0 PUSH2 0x100 EXP DUP2 SLOAD DUP2 PUSH20 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF MUL NOT AND SWAP1 DUP4 PUSH20 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF AND MUL OR SWAP1 SSTORE POP POP POP POP POP PUSH2 0x208 JUMP JUMPDEST PUSH1 0x0 DUP1 REVERT JUMPDEST PUSH1 0x0 PUSH20 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF DUP3 AND SWAP1 POP SWAP2 SWAP1 POP JUMP JUMPDEST PUSH1 0x0 PUSH2 0x16E DUP3 PUSH2 0x143 JUMP JUMPDEST SWAP1 POP SWAP2 SWAP1 POP JUMP JUMPDEST PUSH2 0x17E DUP2 PUSH2 0x163 JUMP JUMPDEST DUP2 EQ PUSH2 0x189 JUMPI PUSH1 0x0 DUP1 REVERT JUMPDEST POP JUMP JUMPDEST PUSH1 0x0 DUP2 MLOAD SWAP1 POP PUSH2 0x19B DUP2 PUSH2 0x175 JUMP JUMPDEST SWAP3 SWAP2 POP POP JUMP JUMPDEST PUSH1 0x0 DUP1 PUSH1 0x0 DUP1 PUSH1 0x80 DUP6 DUP8 SUB SLT ISZERO PUSH2 0x1BB JUMPI PUSH2 0x1BA PUSH2 0x13E JUMP JUMPDEST JUMPDEST PUSH1 0x0 PUSH2 0x1C9 DUP8 DUP3 DUP9 ADD PUSH2 0x18C JUMP JUMPDEST SWAP5 POP POP PUSH1 0x20 PUSH2 0x1DA DUP8 DUP3 DUP9 ADD PUSH2 0x18C JUMP JUMPDEST SWAP4 POP POP PUSH1 0x40 PUSH2 
0x1EB DUP8 DUP3 DUP9 ADD PUSH2 0x18C JUMP JUMPDEST SWAP3 POP POP PUSH1 0x60 PUSH2 0x1FC DUP8 DUP3 DUP9 ADD PUSH2 0x18C JUMP JUMPDEST SWAP2 POP POP SWAP3 SWAP6 SWAP2 SWAP5 POP SWAP3 POP JUMP JUMPDEST PUSH2 0x57C DUP1 PUSH2 0x217 PUSH1 0x0 CODECOPY PUSH1 0x0 RETURN INVALID PUSH1 0x80 PUSH1 0x40 MSTORE CALLVALUE DUP1 ISZERO PUSH2 0x10 JUMPI PUSH1 0x0 DUP1 REVERT JUMPDEST POP PUSH1 0x4 CALLDATASIZE LT PUSH2 0x36 JUMPI PUSH1 0x0 CALLDATALOAD PUSH1 0xE0 SHR DUP1 PUSH4 0x5F76F6AB EQ PUSH2 0x3B JUMPI DUP1 PUSH4 0x6D4CE63C EQ PUSH2 0x57 JUMPI JUMPDEST PUSH1 0x0 DUP1 REVERT JUMPDEST PUSH2 0x55 PUSH1 0x4 DUP1 CALLDATASIZE SUB DUP2 ADD SWAP1 PUSH2 0x50 SWAP2 SWAP1 PUSH2 0x2F2 JUMP JUMPDEST PUSH2 0x61 JUMP JUMPDEST STOP JUMPDEST PUSH2 0x5F PUSH2 0x10E JUMP JUMPDEST STOP JUMPDEST PUSH1 0x1 PUSH1 0x0 SWAP1 SLOAD SWAP1 PUSH2 0x100 EXP SWAP1 DIV PUSH20 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF AND PUSH20 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF AND CALLER PUSH20 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF AND EQ PUSH2 0xF1 JUMPI PUSH1 0x40 MLOAD PUSH32 0x8C379A000000000000000000000000000000000000000000000000000000000 DUP2 MSTORE PUSH1 0x4 ADD PUSH2 0xE8 SWAP1 PUSH2 0x37C JUMP JUMPDEST PUSH1 0x40 MLOAD DUP1 SWAP2 SUB SWAP1 REVERT JUMPDEST DUP1 PUSH1 0x3 PUSH1 0x14 PUSH2 0x100 EXP DUP2 SLOAD DUP2 PUSH1 0xFF MUL NOT AND SWAP1 DUP4 ISZERO ISZERO MUL OR SWAP1 SSTORE POP POP JUMP JUMPDEST PUSH1 0x2 PUSH1 0x0 SWAP1 SLOAD SWAP1 PUSH2 0x100 EXP SWAP1 DIV PUSH20 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF AND PUSH20 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF AND CALLER PUSH20 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF AND EQ PUSH2 0x19E JUMPI PUSH1 0x40 MLOAD PUSH32 0x8C379A000000000000000000000000000000000000000000000000000000000 DUP2 MSTORE PUSH1 0x4 ADD PUSH2 0x195 SWAP1 PUSH2 0x3E8 JUMP JUMPDEST PUSH1 0x40 MLOAD DUP1 SWAP2 SUB SWAP1 REVERT JUMPDEST PUSH1 0x1 ISZERO ISZERO PUSH1 0x3 PUSH1 0x14 SWAP1 SLOAD SWAP1 PUSH2 0x100 EXP SWAP1 DIV PUSH1 0xFF AND ISZERO ISZERO EQ PUSH2 0x1F4 JUMPI 
PUSH1 0x40 MLOAD PUSH32 0x8C379A000000000000000000000000000000000000000000000000000000000 DUP2 MSTORE PUSH1 0x4 ADD PUSH2 0x1EB SWAP1 PUSH2 0x454 JUMP JUMPDEST PUSH1 0x40 MLOAD DUP1 SWAP2 SUB SWAP1 REVERT JUMPDEST PUSH1 0x0 DUP1 SLOAD SWAP1 PUSH2 0x100 EXP SWAP1 DIV PUSH20 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF AND PUSH20 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF AND PUSH4 0x89AFCB44 PUSH1 0x3 PUSH1 0x0 SWAP1 SLOAD SWAP1 PUSH2 0x100 EXP SWAP1 DIV PUSH20 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF AND PUSH1 0x40 MLOAD DUP3 PUSH4 0xFFFFFFFF AND PUSH1 0xE0 SHL DUP2 MSTORE PUSH1 0x4 ADD PUSH2 0x26F SWAP2 SWAP1 PUSH2 0x4B5 JUMP JUMPDEST PUSH1 0x40 DUP1 MLOAD DUP1 DUP4 SUB DUP2 PUSH1 0x0 DUP8 GAS CALL ISZERO DUP1 ISZERO PUSH2 0x28D JUMPI RETURNDATASIZE PUSH1 0x0 DUP1 RETURNDATACOPY RETURNDATASIZE PUSH1 0x0 REVERT JUMPDEST POP POP POP POP PUSH1 0x40 MLOAD RETURNDATASIZE PUSH1 0x1F NOT PUSH1 0x1F DUP3 ADD AND DUP3 ADD DUP1 PUSH1 0x40 MSTORE POP DUP2 ADD SWAP1 PUSH2 0x2B1 SWAP2 SWAP1 PUSH2 0x506 JUMP JUMPDEST POP POP JUMP JUMPDEST PUSH1 0x0 DUP1 REVERT JUMPDEST PUSH1 0x0 DUP2 ISZERO ISZERO SWAP1 POP SWAP2 SWAP1 POP JUMP JUMPDEST PUSH2 0x2CF DUP2 PUSH2 0x2BA JUMP JUMPDEST DUP2 EQ PUSH2 0x2DA JUMPI PUSH1 0x0 DUP1 REVERT JUMPDEST POP JUMP JUMPDEST PUSH1 0x0 DUP2 CALLDATALOAD SWAP1 POP PUSH2 0x2EC DUP2 PUSH2 0x2C6 JUMP JUMPDEST SWAP3 SWAP2 POP POP JUMP JUMPDEST PUSH1 0x0 PUSH1 0x20 DUP3 DUP5 SUB SLT ISZERO PUSH2 0x308 JUMPI PUSH2 0x307 PUSH2 0x2B5 JUMP JUMPDEST JUMPDEST PUSH1 0x0 PUSH2 0x316 DUP5 DUP3 DUP6 ADD PUSH2 0x2DD JUMP JUMPDEST SWAP2 POP POP SWAP3 SWAP2 POP POP JUMP JUMPDEST PUSH1 0x0 DUP3 DUP3 MSTORE PUSH1 0x20 DUP3 ADD SWAP1 POP SWAP3 SWAP2 POP POP JUMP JUMPDEST PUSH32 0x6E6F2D7365747465720000000000000000000000000000000000000000000000 PUSH1 0x0 DUP3 ADD MSTORE POP JUMP JUMPDEST PUSH1 0x0 PUSH2 0x366 PUSH1 0x9 DUP4 PUSH2 0x31F JUMP JUMPDEST SWAP2 POP PUSH2 0x371 DUP3 PUSH2 0x330 JUMP JUMPDEST PUSH1 0x20 DUP3 ADD SWAP1 POP SWAP2 SWAP1 POP JUMP JUMPDEST PUSH1 0x0 
PUSH1 0x20 DUP3 ADD SWAP1 POP DUP2 DUP2 SUB PUSH1 0x0 DUP4 ADD MSTORE PUSH2 0x395 DUP2 PUSH2 0x359 JUMP JUMPDEST SWAP1 POP SWAP2 SWAP1 POP JUMP JUMPDEST PUSH32 0x6E6F2D6765747465720000000000000000000000000000000000000000000000 PUSH1 0x0 DUP3 ADD MSTORE POP JUMP JUMPDEST PUSH1 0x0 PUSH2 0x3D2 PUSH1 0x9 DUP4 PUSH2 0x31F JUMP JUMPDEST SWAP2 POP PUSH2 0x3DD DUP3 PUSH2 0x39C JUMP JUMPDEST PUSH1 0x20 DUP3 ADD SWAP1 POP SWAP2 SWAP1 POP JUMP JUMPDEST PUSH1 0x0 PUSH1 0x20 DUP3 ADD SWAP1 POP DUP2 DUP2 SUB PUSH1 0x0 DUP4 ADD MSTORE PUSH2 0x401 DUP2 PUSH2 0x3C5 JUMP JUMPDEST SWAP1 POP SWAP2 SWAP1 POP JUMP JUMPDEST PUSH32 0x6E6F2D627265616B000000000000000000000000000000000000000000000000 PUSH1 0x0 DUP3 ADD MSTORE POP JUMP JUMPDEST PUSH1 0x0 PUSH2 0x43E PUSH1 0x8 DUP4 PUSH2 0x31F JUMP JUMPDEST SWAP2 POP PUSH2 0x449 DUP3 PUSH2 0x408 JUMP JUMPDEST PUSH1 0x20 DUP3 ADD SWAP1 POP SWAP2 SWAP1 POP JUMP JUMPDEST PUSH1 0x0 PUSH1 0x20 DUP3 ADD SWAP1 POP DUP2 DUP2 SUB PUSH1 0x0 DUP4 ADD MSTORE PUSH2 0x46D DUP2 PUSH2 0x431 JUMP JUMPDEST SWAP1 POP SWAP2 SWAP1 POP JUMP JUMPDEST PUSH1 0x0 PUSH20 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF DUP3 AND SWAP1 POP SWAP2 SWAP1 POP JUMP JUMPDEST PUSH1 0x0 PUSH2 0x49F DUP3 PUSH2 0x474 JUMP JUMPDEST SWAP1 POP SWAP2 SWAP1 POP JUMP JUMPDEST PUSH2 0x4AF DUP2 PUSH2 0x494 JUMP JUMPDEST DUP3 MSTORE POP POP JUMP JUMPDEST PUSH1 0x0 PUSH1 0x20 DUP3 ADD SWAP1 POP PUSH2 0x4CA PUSH1 0x0 DUP4 ADD DUP5 PUSH2 0x4A6 JUMP JUMPDEST SWAP3 SWAP2 POP POP JUMP JUMPDEST PUSH1 0x0 DUP2 SWAP1 POP SWAP2 SWAP1 POP JUMP JUMPDEST PUSH2 0x4E3 DUP2 PUSH2 0x4D0 JUMP JUMPDEST DUP2 EQ PUSH2 0x4EE JUMPI PUSH1 0x0 DUP1 REVERT JUMPDEST POP JUMP JUMPDEST PUSH1 0x0 DUP2 MLOAD SWAP1 POP PUSH2 0x500 DUP2 PUSH2 0x4DA JUMP JUMPDEST SWAP3 SWAP2 POP POP JUMP JUMPDEST PUSH1 0x0 DUP1 PUSH1 0x40 DUP4 DUP6 SUB SLT ISZERO PUSH2 0x51D JUMPI PUSH2 0x51C PUSH2 0x2B5 JUMP JUMPDEST JUMPDEST PUSH1 0x0 PUSH2 0x52B DUP6 DUP3 DUP7 ADD PUSH2 0x4F1 JUMP JUMPDEST SWAP3 POP POP PUSH1 0x20 PUSH2 0x53C DUP6 DUP3 DUP7 
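ADD PUSH2 0x4F1 JUMP JUMPDEST SWAP2 POP POP SWAP3 POP SWAP3 SWAP1 POP JUMP INVALID LOG2 PUSH5 0x6970667358 0x22 SLT KECCAK256 0xB9 0xC1 0x25 SWAP14 SWAP1 MSIZE SLT PUSH7 0xF863BE62D00FDA 0xA5 KECCAK256 0xF6 PUSH13 0xE0112E074C2BBF471A59D987B6 PUSH5 0x736F6C6343 STOP ADDMOD GT STOP CALLER -------------------------------------------------------------------------------- /run.py: --------------------------------------------------------------------------------
import argparse
import re
import logging

STOP_CODE = "00"
RETURN_CODE = "f3"
JUMPDEST_CODE = "5b"
PUSH2_CODE = "61"
REVERT_CODE = "fd"


class BytecodeInjector:
    """
    Rewrites a "base" runtime bytecode so that selected PUSH2 operands point at
    copies of an "inject" runtime bytecode appended after the base code.

    Both inputs are hex strings; the trailing CBOR metadata block is removed
    from each before any offsets are computed. All locations are byte indices
    into the stripped bytecode and must fit in a 2-byte PUSH2 operand.
    """

    def __init__(self, base_bin, inject_bin):
        """
        Strips both hex strings, splits them into bytes and precomputes the
        [JUMPDEST...STOP) sections of the base and the PUSH2 references in the
        inject code.

        Raises: ValueError if either input is not usable bytecode
                (see process_bin_str)
        """
        self.base_bin = self.process_bin_str(base_bin)
        self.inject_bin = self.process_bin_str(inject_bin)

        # Split bin into two-character bytes
        self.base_bytes = [
            self.base_bin[i:i+2] for i in range(0, len(self.base_bin), 2)
        ]
        self.inject_bytes = [
            self.inject_bin[i:i+2] for i in range(0, len(self.inject_bin), 2)
        ]

        self.L = len(self.base_bytes)
        self.K = len(self.inject_bytes)
        self.debug_print()

        self.stop_sections = self.get_stop_sections_in_base_bytes()
        print("[get_stop_sections_in_base_bytes]", self.stop_sections)
        self.valid_jumpdests = self.get_valid_jumpdests_in_inject_bytes()
        print("[get_valid_jumpdests_in_inject_bytes]", self.valid_jumpdests)

    def process_bin_str(self, bin_str):
        """
        Normalizes a hex bytecode string and removes its metadata trailer.

        The last two bytes are read as the big-endian length of the CBOR
        metadata that precedes them; that many bytes plus the 2-byte length
        field are cut from the end.

        Returns: str (lower-case hex, no "0x" prefix, no metadata)
        Raises: ValueError if the string has an odd number of hex digits, is
                too short to hold the length field, or the length field points
                past the start of the bytecode
        """
        # The opcode constants in this file are lower-case, so normalize the
        # input; otherwise upper-case hex would silently match nothing.
        bin_str = bin_str.strip().lower()
        if bin_str[:2] == "0x":
            bin_str = bin_str[2:]

        if len(bin_str) % 2 != 0:
            raise ValueError("bytecode hex string has an odd number of digits")
        if len(bin_str) < 4:
            raise ValueError("bytecode is too short to contain a CBOR length field")

        # Get CBOR length from last two bytes
        length = int(bin_str[-4:], 16)
        print("CBOR length:", length, " bytes")

        # NOTE(review): bytecode without a metadata trailer cannot be told
        # apart from bytecode with one here; only an impossible length is
        # rejected, instead of silently slicing the code away.
        if 2 * (length + 2) > len(bin_str):
            raise ValueError(
                "CBOR length field exceeds bytecode size; "
                "input may not end in a metadata trailer"
            )

        # Truncate metadata hash
        return bin_str[:-2*(length+2)]

    def _instruction_starts(self, byte_list):
        """
        Linear sweep over a list of two-character bytes that skips the
        immediate operands of PUSH1..PUSH32 (0x60..0x7f).

        Returns: List[Int] of byte indices where an instruction begins,
                 in ascending order
        """
        starts = []
        i = 0
        while i < len(byte_list):
            starts.append(i)
            opcode = byte_list[i]
            if opcode[0] == '6' or opcode[0] == '7':
                # PUSHX carries X = opcode - 0x60 + 1 immediate bytes
                i += int(opcode, 16) - 0x60 + 1
            i += 1
        return starts

    def get_stop_sections_in_base_bytes(self):
        """
        Returns list of indices (i, j) corresponding to sections of
        (JUMPDEST ... STOP) in base_bytes

        A STOP only closes a section when it is not adjacent to another STOP
        byte and a JUMPDEST has been seen before it; i is the most recent
        JUMPDEST and j is the STOP itself.

        Returns: List[Tuple[Int, Int]]
        """
        stop_sections = []
        last_jumpdest = -1
        i = 0
        while i < self.L:
            opcode = self.base_bytes[i]
            if opcode == JUMPDEST_CODE:
                last_jumpdest = i
            elif opcode[0] == '6' or opcode[0] == '7':
                # Corresponds to PUSHX instruction, so jump forward over its
                # X immediate bytes
                i += int(opcode, 16) - 0x60 + 1
            elif (
                opcode == STOP_CODE
                and last_jumpdest != -1
                and (i == self.L-1 or self.base_bytes[i+1] != STOP_CODE)
                and (self.base_bytes[i-1] != STOP_CODE)
            ):
                stop_sections.append((last_jumpdest, i))
            i += 1

        return stop_sections

    def get_valid_jumpdests_in_inject_bytes(self):
        """
        Returns list of tuples (i, occurrences = [j1, j2...]) for all indices
        i where there is a JUMPDEST instruction at index i of inject_bytes and
        at least one "PUSH2 <i>" instruction in inject_bin; each j is the
        hex-character offset of such a PUSH2 opcode in inject_bin.

        Only bytes that begin an instruction are considered, so a 0x5b or
        0x61 byte inside PUSH data (or a match straddling two bytes of the hex
        string) is not mistaken for a JUMPDEST or a PUSH2.

        NOTE(review): a PUSH2 whose operand merely equals a JUMPDEST location
        but is used as a plain constant is still reported; the sweep cannot
        tell the two apart.

        Returns: List[Tuple[Int, List]]
        """
        instr_starts = self._instruction_starts(self.inject_bytes)
        push2_sites = [
            k for k in instr_starts if self.inject_bytes[k] == PUSH2_CODE
        ]

        valid_jumpdests = []
        for i in instr_starts:
            if self.inject_bytes[i] == JUMPDEST_CODE: #0x5b
                # Get the current location in hex
                jumpdest_loc = self.format_hex_loc(i)
                push_jumpdest_instr = PUSH2_CODE + jumpdest_loc # PUSH2

                # ========= DEBUG =========
                print("[get_valid_jumpdests_in_inject_bytes] Found at loc", i, "=", jumpdest_loc)
                # ========= DEBUG =========

                occurrences = [
                    2 * k for k in push2_sites
                    if self.inject_bin[2*k:2*k+6] == push_jumpdest_instr
                ]
                if len(occurrences) > 0:
                    valid_jumpdests.append((i, occurrences))
                else:
                    # ========= DEBUG =========
                    print("[get_valid_jumpdests_in_inject_bytes] Did not find for", i)
                    # ========= DEBUG =========

        return valid_jumpdests

    def build_mod_bin(self):
        """
        Builds the modified bytecode.

        For every (JUMPDEST, STOP) section of the base, the bytes from the
        JUMPDEST up to (not including) the STOP are appended after the base,
        followed by a copy of the inject code whose PUSH2 jump operands are
        shifted to the copy's final position. The base is then rewritten so
        that "PUSH2 <JUMPDEST index>" pushes the start of the appended copy.

        Returns: str (hex, no "0x" prefix)
        Raises: ValueError if a relocated location no longer fits in 2 bytes
        """
        concat_bin = self.base_bin[:]

        curr_inject_offset = self.L
        inject_offsets = []

        # Append inject_bin once for each [JUMPDEST...STOP) section of base_bin
        for a, b in self.stop_sections:
            inject_offsets.append(curr_inject_offset)

            # Get modified inject_bin where each jump location is offset
            # by the current inject_offset (plus the length of the copied
            # base snippet that precedes it)
            mod_inject_bin = self.replace_jumplocs_with_offsets(
                self.inject_bin, self.valid_jumpdests, curr_inject_offset + b-a
            )
            snippet = self.base_bin[2*a:2*b]
            print("[build_mod_bin] Append [JUMPDEST...STOP) snippet from base bin:", snippet)
            injection = snippet + mod_inject_bin
            print("[build_mod_bin] Inject code:", injection)

            concat_bin += injection
            curr_inject_offset = len(concat_bin) // 2

        # Modify base_bin to jump to inject_offsets
        mod_base_bin = self.base_bin[:]
        for (a, _), inject_offset in zip(self.stop_sections, inject_offsets):
            # a is the JUMPDEST index of the section
            mod_base_bin = self.replace_hex_index(mod_base_bin, a, inject_offset)

        result = mod_base_bin + concat_bin[2 * self.L:]
        print("==========")
        print("Bytecode injection complete!")
        print("==========")
        return result

    def replace_hex_index(self, bytestring, find_index, replace_index):
        """
        Modify a hex bytestring so that every PUSH2 instruction whose operand
        is the 2-byte hex find_index pushes the 2-byte hex replace_index
        instead.

        Only operands of PUSH2 instructions found by the linear sweep are
        rewritten. A plain substring replace would also rewrite the same four
        hex digits wherever they happen to occur (other opcodes, PUSH data,
        or across a byte boundary) and corrupt unrelated code.

        Returns: str
        Raises: ValueError if either index does not fit in 2 bytes
        """
        find_hex = self.format_hex_loc(find_index)
        replace_hex = self.format_hex_loc(replace_index)
        print("[replace_hex_index in base_bin]: Replace", find_hex, ">>", replace_hex)

        byte_list = [bytestring[k:k+2] for k in range(0, len(bytestring), 2)]
        target = PUSH2_CODE + find_hex
        result = bytestring
        for k in self._instruction_starts(byte_list):
            # Operands are replaced by strings of the same length, so offsets
            # computed on the original string stay valid.
            if bytestring[2*k:2*k+6] == target:
                result = result[:2*k+2] + replace_hex + result[2*k+6:]
        return result

    def replace_jumplocs_with_offsets(self, bytestring, valid_jumpdests, offset_value):
        """
        Return a modified bytestring where valid jump locations are offset

        valid_jumpdests has the shape returned by
        get_valid_jumpdests_in_inject_bytes; for each listed PUSH2 the 2-byte
        operand is read from bytestring, increased by offset_value and
        written back in place.

        Returns: str
        Raises: ValueError if a shifted location does not fit in 2 bytes
        """
        mod_bytestring = bytestring[:]
        for _, jump_occurrences in valid_jumpdests:
            for j in jump_occurrences:
                # j points at the PUSH2 opcode; its operand is the next 4 hex chars
                original_loc_hex = bytestring[j+2:j+6]
                new_loc = int(original_loc_hex, 16) + offset_value
                new_loc_hex = self.format_hex_loc(new_loc)

                ########## DEBUG ##########
                print("[replace_jumplocs_with_offsets] Replacing", j+2, ": ", original_loc_hex, ">>", new_loc_hex)
                ########## DEBUG ##########
                mod_bytestring = (
                    mod_bytestring[:j+2] +
                    new_loc_hex +
                    mod_bytestring[j+6:]
                )

        return mod_bytestring

    def format_hex_loc(self, index):
        """
        Returns index formatted as 2-byte hex string location, e.g. "05ac"

        Returns: 4-character str
        Raises: ValueError if index is negative or larger than 0xffff; a wider
                value would change the length of the bytecode it is spliced
                into and shift every later instruction
        """
        if not 0 <= index <= 0xffff:
            raise ValueError(
                "location {} does not fit in a 2-byte PUSH2 operand".format(index)
            )
        return "{:04x}".format(index)

    def debug_print(self):
        """Prints the stripped base and inject bytecode and their byte lengths."""
        print("========== DEBUG ==========")
        print("Base bin = ", self.base_bin)
        print("Inject bin = ", self.inject_bin)
        print("L = ", self.L)
        print("K = ", self.K)

parser = argparse.ArgumentParser()
parser.add_argument(
    '--base_bin_fname',
    dest='base_bin_fname',
    help="Input filename containing original bin-runtime bytecode",
    # default="DeployedGetter.bin-runtime"
    default="contracts/DarkForestGetter/Getter.bin-runtime"
)
parser.add_argument(
    '--inject_bin_fname',
    dest='inject_bin_fname',
    help="Input filename containing to-be-injected bin-runtime bytecode",
    default="contracts/InjectedAssert/InjectedAssert.bin-runtime"
)
parser.add_argument(
    '--output_bin_fname',
    dest='output_bin_fname',
    help="Output filename for the modified bin-runtime bytecode",
    default="BytecodeInjectorOutput.bin-runtime"
)

args = parser.parse_args()

# Context managers close the input files even if a read fails
with open(args.base_bin_fname) as f:
    base_bin_str = f.read()

with open(args.inject_bin_fname) as f:
    inject_bin_str = f.read()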
230 | 231 | injecter = BytecodeInjector(base_bin_str, inject_bin_str) 232 | f = open(args.output_bin_fname, "w") 233 | mod_bin_str = injecter.build_mod_bin() 234 | print("Writing result to file...") 235 | f.write(mod_bin_str) 236 | f.close() 237 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Background 2 | Symbolic Searcher identifies long-tail MEV using symbolic execution and bytecode injections. We demonstrate a symbolic searcher on the canonical [Ethereum is a Dark Forest](https://www.paradigm.xyz/2020/08/ethereum-is-a-dark-forest) example. Disclaimer: this is currently a proof of concept. 3 | 4 | # Research Report 5 | [Research Report for Encode x Wintermute MEV Hackathon 2022](https://github.com/bzhang42/symbolic-searcher/blob/main/research_report.pdf) 6 | 7 | # Demo 8 | [Video Demo](https://youtu.be/h2S_Q4aqOzs) 9 | 10 | # Setup 11 | Install `hevm` and `seth` by following the dapptools installation instructions outlined in https://github.com/dapphub/dapptools. Specifically, make sure you install Nix and then run the commands below. Each one installs whatever dapptools release is latest at the time it runs, so note the release you used (or substitute that release's tarball URL) if the results need to be reproducible: 12 | ``` 13 | nix-env -iA hevm -f $(curl -sS https://api.github.com/repos/dapphub/dapptools/releases/latest | jq -r .tarball_url) 14 | 15 | nix-env -iA seth -f $(curl -sS https://api.github.com/repos/dapphub/dapptools/releases/latest | jq -r .tarball_url) 16 | ``` 17 | 18 | Export environment variables `ETH_RPC_URL` and `ETHERSCAN_API_KEY`; both usually carry an API key, so keep them out of committed files and shared logs. For example: 19 | ``` 20 | export ETH_RPC_URL=https://mainnet.infura.io/... 21 | export ETHERSCAN_API_KEY=... 22 | ``` 23 | 24 | # Commands 25 | The main point of entry for bytecode injection is `run.py`. 
The end-to-end workflow is as follows: 26 | 27 | 28 | ``` 29 | # Compile our independent assertion bytecode 30 | solc --bin-runtime -o contracts/InjectedAssert contracts/InjectedAssert/InjectedAssert.sol --overwrite 31 | 32 | # Read bytecode of target contract 33 | seth code 0xa4004b352fcbb913f0ddaba2454e7ff9cb64bdf6 > DeployedGetter.bin-runtime 34 | 35 | # Run bytecode injection 36 | python run.py --base_bin_fname DeployedGetter.bin-runtime --inject_bin_fname contracts/InjectedAssert/InjectedAssert.bin-runtime --output_bin_fname BytecodeInjectorOutput.bin-runtime 37 | 38 | # Run symbolic execution on output bytecode 39 | CONTRACT_ADDR=0xa4004b352fcbb913f0ddaba2454e7ff9cb64bdf6 40 | hevm symbolic \ 41 | --rpc $ETH_RPC_URL \ 42 | --address $CONTRACT_ADDR \ 43 | --sig "get()"\ 44 | --get-models \ 45 | --show-tree \ 46 | --storage-model ConcreteS \ 47 | --code $(cat BytecodeInjectorOutput.bin-runtime) \ 48 | --block 10741412 49 | ``` 50 | 51 | You should get the following output 52 | ``` 53 | Assertion violation found. 
54 | Calldata: 55 | 0x6d4ce63c 56 | get() 57 | Caller: 58 | 0xEDd764AAa77C2148782cE5bcb8a3ADA80D932942 59 | Callvalue: 60 | 0 61 | ├ 0 IsZero(IsZero(CallValue)) 62 | │ Revert 63 | │ 64 | └ 1 IsZero(IsZero(CallValue)) 65 | ├ 0 IsZero(0xffffffffffffffffffffffffffffffffffffffff and CALLER == 0xffffffffffffffffffffffffffffffffffffffff and 0xffffffffffffffffffffffffffffffffffffffff and 0xedd764aaa77c2148782ce5bcb8a3ada80d932942 / 0x100 ** 0x0) 66 | │ Revert("no-getter") 67 | │ 68 | └ 1 IsZero(0xffffffffffffffffffffffffffffffffffffffff and CALLER == 0xffffffffffffffffffffffffffffffffffffffff and 0xffffffffffffffffffffffffffffffffffffffff and 0xedd764aaa77c2148782ce5bcb8a3ada80d932942 / 0x100 ** 0x0) 69 | ├ 0 IsZero(IsZero(0xffffffff and Timestamp + not 0xffffffff and 0x5f47674200000000000f2060b210d5af29ee0000000000000001012e41e74cc0 / 0x100000000000000000000000000000000000000000000000000000000 and 0xffffffff)) 70 | │ └ 0 IsZero(IsZero(CallValue)) 71 | │ Revert0x4e487b710000000000000000000000000000000000000000000000000000000000000001 72 | │ 73 | └ 1 IsZero(IsZero(0xffffffff and Timestamp + not 0xffffffff and 0x5f47674200000000000f2060b210d5af29ee0000000000000001012e41e74cc0 / 0x100000000000000000000000000000000000000000000000000000000 and 0xffffffff)) 74 | └ 0 IsZero(IsZero(IsZero(IsZero(0xffffffff and Timestamp + not 0xffffffff and 0x5f47674200000000000f2060b210d5af29ee0000000000000001012e41e74cc0 / 0x100000000000000000000000000000000000000000000000000000000 and 0xffffffff)))) 75 | └ 0 IsZero(IsZero(CallValue)) 76 | Revert0x4e487b710000000000000000000000000000000000000000000000000000000000000001 77 | ``` 78 | which demonstrates that the symbolic executor has found the correct caller address to extract value with the `get()` call. 
79 | 80 | Note that if we call `hevm symbolic` on the next block, 10741413, the contract execution reverts with error `"UniswapV2: INSUFFICIENT_LIQUIDITY_BURNED"`, as another attacker has already executed the Dark Forest `burn()` opportunity in that block: 81 | 82 | ``` 83 | hevm symbolic \ 84 | --rpc $ETH_RPC_URL \ 85 | --address $CONTRACT_ADDR \ 86 | --sig "get()"\ 87 | --get-models \ 88 | --show-tree \ 89 | --storage-model ConcreteS \ 90 | --code $(cat BytecodeInjectorOutput.bin-runtime) \ 91 | --block 10741413 92 | checking postcondition... 93 | Q.E.D. 94 | Explored: 5 branches without assertion violations 95 | ├ 0 IsZero(IsZero(CallValue)) 96 | │ Revert 97 | │ 98 | └ 1 IsZero(IsZero(CallValue)) 99 | ├ 0 IsZero(0xffffffffffffffffffffffffffffffffffffffff and CALLER == 0xffffffffffffffffffffffffffffffffffffffff and 0xffffffffffffffffffffffffffffffffffffffff and 0xedd764aaa77c2148782ce5bcb8a3ada80d932942 / 0x100 ** 0x0) 100 | │ Revert("no-getter") 101 | │ 102 | └ 1 IsZero(0xffffffffffffffffffffffffffffffffffffffff and CALLER == 0xffffffffffffffffffffffffffffffffffffffff and 0xffffffffffffffffffffffffffffffffffffffff and 0xedd764aaa77c2148782ce5bcb8a3ada80d932942 / 0x100 ** 0x0) 103 | Revert("UniswapV2: INSUFFICIENT_LIQUIDITY_BURNED") 104 | ``` 105 | 106 | # Additional Details on hevm 107 | In our example, we injected a custom assert to the `get()` call of a deployed Mainnet contract https://etherscan.io/address/0xa4004b352fcbb913f0ddaba2454e7ff9cb64bdf6. 108 | 109 | 1. First, test `hevm symbolic` on the deployed bytecode without any modifications. 
110 | ``` 111 | hevm symbolic --rpc $ETH_RPC_URL --address 0xa4004b352fcbb913f0ddaba2454e7ff9cb64bdf6 --sig "get()" --get-models --show-tree --storage-model ConcreteS --block 10741412 112 | ``` 113 | You should get the following output: 114 | ``` 115 | $ hevm symbolic --rpc $ETH_RPC_URL --address 0xa4004b352fcbb913f0ddaba2454e7ff9cb64bdf6 --sig "get()" --get-models --show-tree --storage-model ConcreteS --block 10741412 116 | checking postcondition... 117 | Q.E.D. 118 | Explored: 11 branches without assertion violations 119 | ├ 0 IsZero(IsZero(CallValue)) 120 | │ Revert 121 | │ 122 | └ 1 IsZero(IsZero(CallValue)) 123 | ├ 0 IsZero(0xffffffffffffffffffffffffffffffffffffffff and CALLER == 0xffffffffffffffffffffffffffffffffffffffff and 0xffffffffffffffffffffffffffffffffffffffff and 0xedd764aaa77c2148782ce5bcb8a3ada80d932942 / 0x100 ** 0x0) 124 | │ Revert("no-getter") 125 | │ 126 | └ 1 IsZero(0xffffffffffffffffffffffffffffffffffffffff and CALLER == 0xffffffffffffffffffffffffffffffffffffffff and 0xffffffffffffffffffffffffffffffffffffffff and 0xedd764aaa77c2148782ce5bcb8a3ada80d932942 / 0x100 ** 0x0) 127 | ├ 0 IsZero(IsZero(0xffffffff and Timestamp + not 0xffffffff and 0x5f47674200000000000f2060b210d5af29ee0000000000000001012e41e74cc0 / 0x100000000000000000000000000000000000000000000000000000000 and 0xffffffff)) 128 | │ Stop 129 | │ 0x0 => 0x2cde6be34a59ff01aa532d56956a3c339c26322 130 | │ 0x2 => 0xedd764aaa77c2148782ce5bcb8a3ada80d932942 131 | │ 0x3 => 0x1e87e7073ec3021866553f0cdd73067a5aecc8e50 132 | │ 133 | └ 1 IsZero(IsZero(0xffffffff and Timestamp + not 0xffffffff and 0x5f47674200000000000f2060b210d5af29ee0000000000000001012e41e74cc0 / 0x100000000000000000000000000000000000000000000000000000000 and 0xffffffff)) 134 | └ 0 IsZero(IsZero(IsZero(IsZero(0xffffffff and Timestamp + not 0xffffffff and 0x5f47674200000000000f2060b210d5af29ee0000000000000001012e41e74cc0 / 0x100000000000000000000000000000000000000000000000000000000 and 0xffffffff)))) 135 | Stop 136 | 0x0 => 
0x2cde6be34a59ff01aa532d56956a3c339c26322 137 | 0x2 => 0xedd764aaa77c2148782ce5bcb8a3ada80d932942 138 | 0x3 => 0x1e87e7073ec3021866553f0cdd73067a5aecc8e50 139 | 140 | 141 | -- Branch (1/11) -- 142 | .... 143 | ``` 144 | 2. To run `hevm` on a locally compiled contract, first compile the contract into bytecode. 145 | ``` 146 | solc --bin-runtime -o contracts/DarkForestGetter/ contracts/DarkForestGetter/DarkForestGetter.sol --overwrite 147 | ``` 148 | Then run `hevm symbolic` with the argument `--code` to read from the output bytecode. 149 | ``` 150 | hevm symbolic --rpc $ETH_RPC_URL --address 0xa4004b352fcbb913f0ddaba2454e7ff9cb64bdf6 --sig "get()" --get-models --show-tree --storage-model ConcreteS --block 10741412 --code $(