├── GPTLens.pdf ├── .streamlit └── config.toml ├── results └── auditor_gpt-4-turbo-preview_0.7_top3_1 │ ├── critic_gpt-4-turbo-preview_0.0_1_few │ ├── 2018-13071.json │ ├── 2018-13072.json │ └── ranker_default │ │ ├── 2018-13071.json │ │ └── 2018-13072.json │ ├── 2018-13072.json │ ├── 2018-13073.json │ ├── 2018-13074.json │ └── 2018-13071.json ├── .gitmodules ├── src ├── CS8903_Aditya_PAL_GPTLens_Demo.pdf ├── Gradio_UI_Files │ ├── images │ │ ├── author.png │ │ ├── header.png │ │ ├── model.png │ │ ├── criticism.png │ │ ├── developer.png │ │ ├── professor.png │ │ ├── auditor_prompt.png │ │ ├── critic_prompt.png │ │ └── auditor_reasoning.png │ └── README.md ├── utils.py ├── pre_process.py ├── model.py ├── logs │ ├── auditor_gpt-4-turbo-preview_0.7_top3_1 │ │ ├── 2018-10944.json │ │ ├── 2018-10706.json │ │ └── 2018-11239.json │ └── auditor_gpt-4_0.7_top3_1 │ │ ├── CVE-2018-13836.json │ │ ├── CVE-2018-17877.json │ │ ├── CVE-2018-17882.json │ │ ├── CVE-2018-15552.json │ │ ├── CVE-2018-10376.json │ │ ├── CVE-2018-11411.json │ │ ├── CVE-2018-10468.json │ │ └── CVE-2018-10299.json ├── environment_old.yml ├── run_rank.py ├── run_auditor_user_defined.py └── run_auditor.py ├── requirements.txt ├── .gitignore ├── data ├── CVE_label │ └── CVE2label.json ├── CVE_clean │ └── 2018-11239.sol └── CVE │ └── 2018-11239.sol ├── data_full ├── CVE_label │ └── CVE2label.json ├── CVE_clean │ ├── 2018-17071.sol │ ├── 2018-13698.sol │ ├── 2018-19833.sol │ ├── 2018-11239.sol │ ├── 2018-15552.sol │ ├── 2019-15079.sol │ ├── 2018-14002.sol │ ├── 2018-13144.sol │ ├── 2018-17111.sol │ ├── 2018-17882.sol │ ├── 2018-12959.sol │ ├── 2018-12083.sol │ ├── 2018-18665.sol │ ├── 2018-11687.sol │ ├── 2021-34273.sol │ ├── 2018-13327.sol │ ├── 2018-13670.sol │ ├── 2018-12702.sol │ ├── 2018-12703.sol │ ├── 2018-11561.sol │ ├── 2018-13326.sol │ ├── 2018-13777.sol │ ├── 2018-10705.sol │ ├── 2018-12025.sol │ ├── 2018-12230.sol │ ├── 2018-13092.sol │ ├── 2018-14086.sol │ ├── 2018-13113.sol │ ├── 2018-11411.sol │ ├── 2018-12454.sol │ ├── 2018-13041.sol │ ├── 2018-13068.sol │ └── 2018-13836.sol └── CVE │ ├── 2018-17071.sol │ ├── 2018-19833.sol │ ├── 2018-14002.sol │ ├── 2018-15552.sol │ ├── 2018-18665.sol │ ├── 2018-13327.sol │ ├── 2018-11687.sol │ ├── 2018-11239.sol │ ├── 2018-13670.sol │ ├── 2021-34273.sol │ └── 2018-17882.sol ├── data_sample └── CVE_label │ └── CVE2label.json └── .devcontainer └── devcontainer.json /GPTLens.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/git-disl/GPTLens/HEAD/GPTLens.pdf -------------------------------------------------------------------------------- /.streamlit/config.toml: -------------------------------------------------------------------------------- 1 | [server] 2 | port = 8501 3 | enableStaticServing = true -------------------------------------------------------------------------------- /results/auditor_gpt-4-turbo-preview_0.7_top3_1/critic_gpt-4-turbo-preview_0.0_1_few/2018-13071.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /results/auditor_gpt-4-turbo-preview_0.7_top3_1/critic_gpt-4-turbo-preview_0.0_1_few/2018-13072.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule "GPTLens"] 2 | path = GPTLens 3 | url = git@github.com:git-disl/GPTLens-Demo.git 4 | -------------------------------------------------------------------------------- /results/auditor_gpt-4-turbo-preview_0.7_top3_1/critic_gpt-4-turbo-preview_0.0_1_few/ranker_default/2018-13071.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /results/auditor_gpt-4-turbo-preview_0.7_top3_1/critic_gpt-4-turbo-preview_0.0_1_few/ranker_default/2018-13072.json: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /src/CS8903_Aditya_PAL_GPTLens_Demo.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/git-disl/GPTLens/HEAD/src/CS8903_Aditya_PAL_GPTLens_Demo.pdf -------------------------------------------------------------------------------- /src/Gradio_UI_Files/images/author.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/git-disl/GPTLens/HEAD/src/Gradio_UI_Files/images/author.png -------------------------------------------------------------------------------- /src/Gradio_UI_Files/images/header.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/git-disl/GPTLens/HEAD/src/Gradio_UI_Files/images/header.png -------------------------------------------------------------------------------- /src/Gradio_UI_Files/images/model.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/git-disl/GPTLens/HEAD/src/Gradio_UI_Files/images/model.png -------------------------------------------------------------------------------- /src/Gradio_UI_Files/images/criticism.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/git-disl/GPTLens/HEAD/src/Gradio_UI_Files/images/criticism.png -------------------------------------------------------------------------------- /src/Gradio_UI_Files/images/developer.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/git-disl/GPTLens/HEAD/src/Gradio_UI_Files/images/developer.png -------------------------------------------------------------------------------- /src/Gradio_UI_Files/images/professor.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/git-disl/GPTLens/HEAD/src/Gradio_UI_Files/images/professor.png -------------------------------------------------------------------------------- /src/Gradio_UI_Files/images/auditor_prompt.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/git-disl/GPTLens/HEAD/src/Gradio_UI_Files/images/auditor_prompt.png -------------------------------------------------------------------------------- /src/Gradio_UI_Files/images/critic_prompt.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/git-disl/GPTLens/HEAD/src/Gradio_UI_Files/images/critic_prompt.png -------------------------------------------------------------------------------- /src/Gradio_UI_Files/images/auditor_reasoning.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/git-disl/GPTLens/HEAD/src/Gradio_UI_Files/images/auditor_reasoning.png -------------------------------------------------------------------------------- /requirements.txt: -------------------------------------------------------------------------------- 1 | # This file may be used to create an environment using: 2 | # $ conda create --name --file 3 | # platform: win-64 4 | openai==1.11.1 5 | streamlit==1.31.0 6 | tqdm==4.66.1 7 | STqdm 8 | # pyautogui 9 | # python-xlib 10 | streamlit_js_eval -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | .idea/* 2 | .DS_Store 3 | data/CVE_label/extract.py 4 | data/CVE_label/raw_data.txt 5 | src/__pycache__ 6 | .conda 7 | # GPTLens 8 | data_sample/CVE_label/extract.py 9 | data_sample/CVE_label/raw_data.txt 10 | data_full/CVE_label/extract.py 11 | data_full/CVE_label/raw_data.txt -------------------------------------------------------------------------------- /src/Gradio_UI_Files/README.md: -------------------------------------------------------------------------------- 1 | # Gradio UI details 2 | 3 | The app is deployed on huggingface spaces. 4 | 5 | UI Link - https://huggingface.co/spaces/Asolanki97/GPTLens 6 | 7 | Static UI Link - https://huggingface.co/spaces/Asolanki97/StaticGPTLens 8 | 9 | Report Link - https://docs.google.com/document/d/e/2PACX-1vQMRO7rtLrdXchyP1TXOH8jJ0jGS1lw-OcAvmYGDNFve1plgXjm7bBGKaWrlxBC6XdIGpvku3ArNavO/pub 10 | -------------------------------------------------------------------------------- /src/utils.py: -------------------------------------------------------------------------------- 1 | import os 2 | import shutil 3 | 4 | class dotdict(dict): 5 | """dot.notation access to dictionary attributes""" 6 | __getattr__ = dict.get 7 | __setattr__ = dict.__setitem__ 8 | __delattr__ = dict.__delitem__ 9 | 10 | def clean_folder(folder): 11 | for filename in os.listdir(folder): 12 | file_path = f"{folder}/{filename}" 13 | try: 14 | if os.path.isfile(file_path) or os.path.islink(file_path): 15 | os.unlink(file_path) 16 | elif os.path.isdir(file_path): 17 | shutil.rmtree(file_path) 18 | except Exception as e: 19 | print('Failed to delete %s. Reason: %s' % (file_path, e)) -------------------------------------------------------------------------------- /data/CVE_label/CVE2label.json: -------------------------------------------------------------------------------- 1 | { 2 | "CVE-2018-10299": "Integer Overflow", 3 | "CVE-2018-10376": "Integer Overflow", 4 | "CVE-2018-11335": "Integer Overflow", 5 | "CVE-2018-13836": "Integer Overflow", 6 | "CVE-2018-17882": "Integer Overflow", 7 | "CVE-2018-10468": "Wrong Logic", 8 | "CVE-2018-11411": "Wrong Logic", 9 | "CVE-2018-12025": "Wrong Logic", 10 | "CVE-2021-3004": "Wrong Logic", 11 | "CVE-2018-15552": "Bad Randomness", 12 | "CVE-2018-14715": "Bad Randomness", 13 | "CVE-2018-17877": "Bad Randomness", 14 | "CVE-2018-10666": "Access Control", 15 | "CVE-2018-10705": "Access Control", 16 | "CVE-2018-19830": "Access Control", 17 | "CVE-2019-15078": "Typo Constructor", 18 | "CVE-2019-15079": "Typo Constructor", 19 | "CVE-2019-15080": "Typo Constructor", 20 | "CVE-2018-18425": "Token Devalue" 21 | } -------------------------------------------------------------------------------- /data_full/CVE_label/CVE2label.json: -------------------------------------------------------------------------------- 1 | { 2 | "CVE-2018-10299": "Integer Overflow", 3 | "CVE-2018-10376": "Integer Overflow", 4 | "CVE-2018-11335": "Integer Overflow", 5 | "CVE-2018-13836": "Integer Overflow", 6 | "CVE-2018-17882": "Integer Overflow", 7 | "CVE-2018-10468": "Wrong Logic", 8 | "CVE-2018-11411": "Wrong Logic", 9 | "CVE-2018-12025": "Wrong Logic", 10 | "CVE-2021-3004": "Wrong Logic", 11 | "CVE-2018-15552": "Bad Randomness", 12 | "CVE-2018-14715": "Bad Randomness", 13 | "CVE-2018-17877": "Bad Randomness", 14 | "CVE-2018-10666": "Access Control", 15 | "CVE-2018-10705": "Access Control", 16 | "CVE-2018-19830": "Access Control", 17 | "CVE-2019-15078": "Typo Constructor", 18 | "CVE-2019-15079": "Typo Constructor", 19 | "CVE-2019-15080": "Typo Constructor", 20 | "CVE-2018-18425": "Token Devalue" 21 | } -------------------------------------------------------------------------------- /data_sample/CVE_label/CVE2label.json: -------------------------------------------------------------------------------- 1 | { 2 | "CVE-2018-10299": "Integer Overflow", 3 | "CVE-2018-10376": "Integer Overflow", 4 | "CVE-2018-11335": "Integer Overflow", 5 | "CVE-2018-13836": "Integer Overflow", 6 | "CVE-2018-17882": "Integer Overflow", 7 | "CVE-2018-10468": "Wrong Logic", 8 | "CVE-2018-11411": "Wrong Logic", 9 | "CVE-2018-12025": "Wrong Logic", 10 | "CVE-2021-3004": "Wrong Logic", 11 | "CVE-2018-15552": "Bad Randomness", 12 | "CVE-2018-14715": "Bad Randomness", 13 | "CVE-2018-17877": "Bad Randomness", 14 | "CVE-2018-10666": "Access Control", 15 | "CVE-2018-10705": "Access Control", 16 | "CVE-2018-19830": "Access Control", 17 | "CVE-2019-15078": "Typo Constructor", 18 | "CVE-2019-15079": "Typo Constructor", 19 | "CVE-2019-15080": "Typo Constructor", 20 | "CVE-2018-18425": "Token Devalue" 21 | } -------------------------------------------------------------------------------- /.devcontainer/devcontainer.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Python 3", 3 | // Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile 4 | "image": "mcr.microsoft.com/devcontainers/python:1-3.11-bullseye", 5 | "customizations": { 6 | "codespaces": { 7 | "openFiles": [ 8 | "README.md", 9 | "src\UI.py" 10 | ] 11 | }, 12 | "vscode": { 13 | "settings": {}, 14 | "extensions": [ 15 | "ms-python.python", 16 | "ms-python.vscode-pylance" 17 | ] 18 | } 19 | }, 20 | "updateContentCommand": "[ -f packages.txt ] && sudo apt update && sudo apt upgrade -y && sudo xargs apt install -y list: 12 | messages = [{"role": "user", "content": prompt}] 13 | if model == "gpt-4": 14 | pass 15 | time.sleep(30) # to prevent speed limitation exception 16 | return chatgpt(messages, model=model, temperature=temperature, max_tokens=max_tokens, n=n, stop=stop) 17 | 18 | 19 | def chatgpt(messages, model, temperature, max_tokens, n, stop) -> list: 20 | global completion_tokens, prompt_tokens 21 | outputs = [] 22 | while n > 0: 23 | cnt = min(n, 20) 24 | n -= cnt 25 | res = openai.chat.completions.create(model=model, messages=messages, temperature=temperature, max_tokens=max_tokens, 26 | n=cnt, stop=stop) 27 | outputs.extend([choice.message.content for choice in res.choices]) 28 | # log completion tokens 29 | completion_tokens += res.usage.completion_tokens 30 | prompt_tokens += res.usage.prompt_tokens 31 | return outputs 32 | 33 | 34 | def gpt_usage(backend="gpt-4"): 35 | global completion_tokens, prompt_tokens 36 | if backend == "gpt-4": 37 | cost = completion_tokens / 1000 * 0.06 + prompt_tokens / 1000 * 0.03 38 | elif backend == "gpt-4-turbo-preview": 39 | cost = completion_tokens / 1000 * 0.03 + prompt_tokens / 1000 * 0.01 40 | elif backend == "gpt-3.5-turbo": 41 | cost = completion_tokens / 1000 * 0.002 + prompt_tokens / 1000 * 0.0015 42 | return {"completion_tokens": completion_tokens, "prompt_tokens": prompt_tokens, "cost": cost} 43 | -------------------------------------------------------------------------------- /results/auditor_gpt-4-turbo-preview_0.7_top3_1/2018-13072.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "function_name": "mintToken", 4 | "code": "function mintToken(address target, uint256 mintedAmount) onlyOwner { balanceOf[target] += mintedAmount; Transfer(0, owner, mintedAmount); Transfer(owner, target, mintedAmount); }", 5 | "vulnerability": "Arbitrary minting", 6 | "reason": "The 'mintToken' function allows the contract owner to mint an arbitrary amount of tokens to any address. This can lead to inflation, diluting the value of existing tokens.", 7 | "file_name": "2018-13072.sol" 8 | }, 9 | { 10 | "function_name": "buy", 11 | "code": "function buy() payable { if(isSelling == false) revert(); uint amount = msg.value * buyRate; balanceOf[msg.sender] += amount; balanceOf[owner] -= amount; Transfer(owner, msg.sender, amount); }", 12 | "vulnerability": "Unchecked token transfer", 13 | "reason": "The 'buy' function calculates the amount of tokens to transfer based on the sent Ether and a fixed rate but does not check if the owner has enough tokens to sell, potentially leading to an underflow in the owner's balance.", 14 | "file_name": "2018-13072.sol" 15 | }, 16 | { 17 | "function_name": "transfer", 18 | "code": "function transfer(address _to, uint256 _value) { if (balanceOf[msg.sender] < _value) revert(); if (balanceOf[_to] + _value < balanceOf[_to]) revert(); if (frozenAccount[msg.sender]) revert(); balanceOf[msg.sender] -= _value; balanceOf[_to] += _value; Transfer(msg.sender, _to, _value); }", 19 | "vulnerability": "Reentrancy", 20 | "reason": "Though not directly exploitable for reentrancy in this context as the function does not call an untrusted contract, the pattern of making state changes after calling an external contract (Transfer event in this case) could be risky if the code evolves or is reused without considering reentrancy attacks.", 21 | "file_name": "2018-13072.sol" 22 | } 23 | ] -------------------------------------------------------------------------------- /data_full/CVE_clean/2018-13698.sol: -------------------------------------------------------------------------------- 1 | pragma solidity ^0.4.18; 2 | contract Play2LivePromo { 3 | address public owner; 4 | string public constant name = "Level Up Coin Diamond | play2live.io"; 5 | string public constant symbol = "LUCD"; 6 | uint8 public constant decimals = 18; 7 | uint public totalSupply = 0; 8 | uint256 promoValue = 777 * 1e18; 9 | mapping(address => uint) balances; 10 | mapping(address => mapping (address => uint)) allowed; 11 | event Transfer(address _from, address _to, uint256 amount); 12 | event Approval(address indexed _owner, address indexed _spender, uint _value); 13 | modifier onlyOwner { 14 | require(msg.sender == owner); 15 | _; 16 | } 17 | function Play2LivePromo() { 18 | owner = msg.sender; 19 | } 20 | function setPromo(uint256 _newValue) external onlyOwner { 21 | promoValue = _newValue; 22 | } 23 | function balanceOf(address _investor) public constant returns(uint256) { 24 | return balances[_investor]; 25 | } 26 | function mintTokens(address _investor) external onlyOwner { 27 | balances[_investor] += promoValue; 28 | totalSupply += promoValue; 29 | Transfer(0x0, _investor, promoValue); 30 | } 31 | function transfer(address _to, uint _amount) public returns (bool) { 32 | balances[msg.sender] -= _amount; 33 | balances[_to] -= _amount; 34 | Transfer(msg.sender, _to, _amount); 35 | return true; 36 | } 37 | function transferFrom(address _from, address _to, uint _amount) public returns (bool) { 38 | balances[_from] -= _amount; 39 | allowed[_from][msg.sender] -= _amount; 40 | balances[_to] -= _amount; 41 | Transfer(_from, _to, _amount); 42 | return true; 43 | } 44 | function approve(address _spender, uint _amount) public returns (bool) { 45 | require((_amount == 0) || (allowed[msg.sender][_spender] == 0)); 46 | allowed[msg.sender][_spender] = _amount; 47 | Approval(msg.sender, _spender, _amount); 48 | return true; 49 | } 50 | function allowance(address _owner, address _spender) constant returns (uint) { 51 | return allowed[_owner][_spender]; 52 | } 53 | } -------------------------------------------------------------------------------- /results/auditor_gpt-4-turbo-preview_0.7_top3_1/2018-13073.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "function_name": "transfer", 4 | "code": "function transfer(address _to, uint256 _value) { if (balanceOf[msg.sender] < _value) throw; if (balanceOf[_to] + _value < balanceOf[_to]) throw; if (frozenAccount[msg.sender]) throw; balanceOf[msg.sender] -= _value; balanceOf[_to] += _value; Transfer(msg.sender, _to, _value); }", 5 | "vulnerability": "reentrancy", 6 | "reason": "This function directly modifies the state without considering the potential for a reentrant attack. A malicious contract could take advantage of the call to 'Transfer' event to re-enter and drain funds in an unexpected manner.", 7 | "file_name": "2018-13073.sol" 8 | }, 9 | { 10 | "function_name": "sell", 11 | "code": "function sell(uint256 amount) { if (balanceOf[msg.sender] < amount ) throw; balanceOf[this] += amount; balanceOf[msg.sender] -= amount; if (!msg.sender.send(amount * sellPrice)) { throw; } else { Transfer(msg.sender, this, amount); } }", 12 | "vulnerability": "DoS with (unexpected) revert", 13 | "reason": "This function uses 'throw' for error handling, which will revert all state changes and consume all provided gas. An attacker can intentionally fail the 'send' function to cause the transaction to fail, leading to a denial of service.", 14 | "file_name": "2018-13073.sol" 15 | }, 16 | { 17 | "function_name": "transferFrom", 18 | "code": "function transferFrom(address _from, address _to, uint256 _value) returns (bool success) { if (frozenAccount[_from]) throw; if (balanceOf[_from] < _value) throw; if (balanceOf[_to] + _value < balanceOf[_to]) throw; if (_value > allowance[_from][msg.sender]) throw; balanceOf[_from] -= _value; balanceOf[_to] += _value; allowance[_from][msg.sender] -= _value; Transfer(_from, _to, _value); return true; }", 19 | "vulnerability": "Integer overflow", 20 | "reason": "The check 'if (balanceOf[_to] + _value < balanceOf[_to])' is intended to prevent overflow, but it could be bypassed or incorrectly trigger due to the arithmetic properties of unsigned integers in Solidity, leading to unintended behavior.", 21 | "file_name": "2018-13073.sol" 22 | } 23 | ] -------------------------------------------------------------------------------- /src/logs/auditor_gpt-4-turbo-preview_0.7_top3_1/2018-10944.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "function_name": "transferFrom", 4 | "code": "function transferFrom( address _from, address _to, uint256 _amount ) returns (bool success) { if (balances[_from] >= _amount && allowed[_from][msg.sender] >= _amount && _amount > 0 && balances[_to] + _amount > balances[_to]) { balances[_from] -= _amount; allowed[_from][msg.sender] -= _amount; balances[_to] += _amount; Transfer(_from, _to, _amount); return true; } else { return false; } }", 5 | "vulnerability": "Reentrancy", 6 | "reason": "The 'transferFrom' function transfers tokens on behalf of another address after allowance is given, but does not implement reentrancy guards. This could allow an attacker to perform a reentrancy attack if the recipient contract is malicious and has a fallback function designed to call back into this contract.", 7 | "file_name": "2018-10944.sol" 8 | }, 9 | { 10 | "function_name": "request_dividend", 11 | "code": "function request_dividend(address token_holder) payable { holder_token_balance = balanceOf(token_holder)/10000000000; Message(holder_token_balance); holder_profit = holder_token_balance * profit_per_token; Message(holder_profit); Transfer(owner, token_holder , (holder_profit/10**18)); token_holder.send(holder_profit); }", 12 | "vulnerability": "Reentrancy", 13 | "reason": "In the 'request_dividend' function, ether is sent using 'send' without a reentrancy guard. This could allow an attacker to re-enter the contract if the caller is a contract with a fallback function.", 14 | "file_name": "2018-10944.sol" 15 | }, 16 | { 17 | "function_name": "drain", 18 | "code": "function drain() onlyOwner { if (!owner.send(this.balance)) throw; }", 19 | "vulnerability": "Unchecked CALL return value", 20 | "reason": "The 'drain' function uses '.send()' to transfer ether and checks the return value with a 'throw', which is deprecated and should be replaced with 'require()' for better error handling. It's also susceptible to gas limitations of '.send()', potentially leading to failed transactions without proper notification or handling.", 21 | "file_name": "2018-10944.sol" 22 | } 23 | ] -------------------------------------------------------------------------------- /data_full/CVE_clean/2018-19833.sol: -------------------------------------------------------------------------------- 1 | pragma solidity ^0.4.24; 2 | contract ERCDDAToken { 3 | address public owner; 4 | string public name; 5 | string public symbol; 6 | uint8 public decimals = 0; 7 | uint256 public totalSupply; 8 | event Transfer(address indexed from, address indexed to, uint256 value); 9 | event FrozenFunds(address target, bool frozen); 10 | event Burn(address indexed from, uint256 value); 11 | mapping (address => uint256) public balanceOf; 12 | mapping (address => bool) public frozenAccount; 13 | function owned() public { 14 | owner = msg.sender; 15 | } 16 | modifier onlyOwner { 17 | require(msg.sender == owner); 18 | _; 19 | } 20 | constructor( 21 | uint256 initialSupply, 22 | string tokenName, 23 | string tokenSymbol 24 | ) public { 25 | owner = msg.sender; 26 | totalSupply = initialSupply * 10 ** uint256(decimals); 27 | balanceOf[msg.sender] = totalSupply; 28 | name = tokenName; 29 | symbol = tokenSymbol; 30 | } 31 | function _transfer(address _from, address _to, uint _value) internal { 32 | require (_to != 0x0); 33 | require (balanceOf[_from] >= _value); 34 | require (balanceOf[_to] + _value >= balanceOf[_to]); 35 | require(!frozenAccount[_from]); 36 | require(!frozenAccount[_to]); 37 | balanceOf[_from] -= _value; 38 | balanceOf[_to] += _value; 39 | emit Transfer(_from, _to, _value); 40 | } 41 | function transfer(address _to, uint256 _value) public returns (bool success) { 42 | _transfer(msg.sender, _to, _value); 43 | return true; 44 | } 45 | function freezeAccount(address target, bool freeze) onlyOwner public { 46 | frozenAccount[target] = freeze; 47 | emit FrozenFunds(target, freeze); 48 | } 49 | function burn(uint256 _value) onlyOwner public returns (bool success) { 50 | require(balanceOf[msg.sender] >= _value); 51 | balanceOf[msg.sender] -= _value; 52 | totalSupply -= _value; 53 | emit Burn(msg.sender, _value); 54 | return true; 55 | } 56 | function mintToken(address target, uint256 mintedAmount) onlyOwner public{ 57 | balanceOf[target] += mintedAmount; 58 | totalSupply += mintedAmount; 59 | } 60 | } -------------------------------------------------------------------------------- /data_full/CVE_clean/2018-11239.sol: -------------------------------------------------------------------------------- 1 | pragma solidity ^0.4.18; 2 | contract Hexagon { 3 | string public constant name = "Hexagon"; 4 | string public constant symbol = "HXG"; 5 | uint8 public constant decimals = 4; 6 | uint8 public constant burnPerTransaction = 2; 7 | uint256 public constant initialSupply = 420000000000000; 8 | uint256 public currentSupply = initialSupply; 9 | mapping (address => uint256) public balanceOf; 10 | mapping (address => mapping (address => uint256)) public allowance; 11 | function Hexagon() public { 12 | balanceOf[msg.sender] = initialSupply; 13 | } 14 | function transfer(address _to, uint256 _value) public returns (bool success) { 15 | _transfer(msg.sender, _to, _value); 16 | return true; 17 | } 18 | function totalSupply() public constant returns (uint) { 19 | return currentSupply; 20 | } 21 | function burn(uint256 _value) public returns (bool success) { 22 | require(balanceOf[msg.sender] >= _value); 23 | balanceOf[msg.sender] -= _value; 24 | balanceOf[0x0] += _value; 25 | currentSupply -= _value; 26 | Burn(msg.sender, _value); 27 | return true; 28 | } 29 | function approve(address _spender, uint256 _value) public returns (bool success) { 30 | require(_value == 0 || allowance[msg.sender][_spender] == 0); 31 | allowance[msg.sender][_spender] = _value; 32 | Approval(msg.sender, _spender, _value); 33 | return true; 34 | } 35 | function transferFrom(address _from, address _to, uint256 _value) public returns (bool success) { 36 | require(allowance[_from][msg.sender] >= _value); 37 | allowance[_from][msg.sender] -= _value; 38 | _transfer(_from, _to, _value); 39 | return true; 40 | } 41 | function _transfer(address _from, address _to, uint _value) internal { 42 | require (_to != 0x0); 43 | require (balanceOf[_from] >= _value + burnPerTransaction); 44 | require (balanceOf[_to] + _value > balanceOf[_to]); 45 | balanceOf[_from] -= _value + burnPerTransaction; 46 | balanceOf[_to] += _value; 47 | balanceOf[0x0] += burnPerTransaction; 48 | currentSupply -= burnPerTransaction; 49 | Burn(_from, burnPerTransaction); 50 | Transfer(_from, _to, _value); 51 | } 52 | event Transfer(address indexed from, address indexed to, uint256 value); 53 | event Burn(address indexed from, uint256 value); 54 | event Approval(address indexed _owner, address indexed _spender, uint256 _value); 55 | } -------------------------------------------------------------------------------- /data_full/CVE/2018-19833.sol: -------------------------------------------------------------------------------- 1 | /** 2 | *Submitted for verification at Etherscan.io on 2018-09-04 3 | */ 4 | 5 | pragma solidity ^0.4.24; 6 | contract ERCDDAToken { 7 | address public owner; 8 | string public name; 9 | string public symbol; 10 | uint8 public decimals = 0; 11 | uint256 public totalSupply; 12 | 13 | event Transfer(address indexed from, address indexed to, uint256 value); 14 | event FrozenFunds(address target, bool frozen); 15 | event Burn(address indexed from, uint256 value); 16 | mapping (address => uint256) public balanceOf; 17 | mapping (address => bool) public frozenAccount; 18 | 19 | function owned() public { 20 | owner = msg.sender; 21 | } 22 | 23 | modifier onlyOwner { 24 | require(msg.sender == owner); 25 | _; 26 | } 27 | 28 | constructor( 29 | uint256 initialSupply, 30 | string tokenName, 31 | string tokenSymbol 32 | ) public { 33 | owner = msg.sender; 34 | totalSupply = initialSupply * 10 ** uint256(decimals); 35 | balanceOf[msg.sender] = totalSupply; 36 | name = tokenName; 37 | symbol = tokenSymbol; 38 | } 39 | 40 | function _transfer(address _from, address _to, uint _value) internal { 41 | require (_to != 0x0); 42 | require (balanceOf[_from] >= _value); 43 | require (balanceOf[_to] + _value >= balanceOf[_to]); 44 | require(!frozenAccount[_from]); 45 | require(!frozenAccount[_to]); 46 | balanceOf[_from] -= _value; 47 | balanceOf[_to] += _value; 48 | emit Transfer(_from, _to, _value); 49 | } 50 | 51 | function transfer(address _to, uint256 _value) public returns (bool success) { 52 | _transfer(msg.sender, _to, _value); 53 | return true; 54 | } 55 | 56 | function freezeAccount(address target, bool freeze) onlyOwner public { 57 | frozenAccount[target] = freeze; 58 | emit FrozenFunds(target, freeze); 59 | } 60 | 61 | function burn(uint256 _value) onlyOwner public returns (bool success) { 62 | require(balanceOf[msg.sender] >= _value); 63 | balanceOf[msg.sender] -= _value; 64 | totalSupply -= _value; 65 | emit Burn(msg.sender, _value); 66 | return true; 67 | } 68 | 69 | function mintToken(address target, uint256 mintedAmount) onlyOwner public{ 70 | balanceOf[target] += mintedAmount; 71 | totalSupply += mintedAmount; 72 | } 73 | } -------------------------------------------------------------------------------- /data/CVE_clean/2018-11239.sol: -------------------------------------------------------------------------------- 1 | pragma solidity ^0.4.18; 2 | contract Hexagon { 3 | string public constant name = "Hexagon"; 4 | string public constant symbol = "HXG"; 5 | uint8 public constant decimals = 4; 6 | uint8 public constant burnPerTransaction = 2; 7 | uint256 public constant initialSupply = 420000000000000; 8 | uint256 public currentSupply = initialSupply; 9 | mapping (address => uint256) public balanceOf; 10 | mapping (address => mapping (address => uint256)) public allowance; 11 | function Hexagon() public { 12 | balanceOf[msg.sender] = initialSupply; 13 | } 14 | function transfer(address _to, uint256 _value) public returns (bool success) { 15 | _transfer(msg.sender, _to, _value); 16 | return true; 17 | } 18 | function totalSupply() public constant returns (uint) { 19 | return currentSupply; 20 | } 21 | function burn(uint256 _value) public returns (bool success) { 22 | require(balanceOf[msg.sender] >= _value); 23 | balanceOf[msg.sender] -= _value; 24 | balanceOf[0x0] += _value; 25 | currentSupply -= _value; 26 | Burn(msg.sender, _value); 27 | return true; 28 | } 29 | function approve(address _spender, uint256 _value) public returns (bool success) { 30 | require(_value == 0 || allowance[msg.sender][_spender] == 0); 31 | allowance[msg.sender][_spender] = _value; 32 | Approval(msg.sender, _spender, _value); 33 | return true; 34 | } 35 | function transferFrom(address _from, address _to, uint256 _value) public returns (bool success) { 36 | require(allowance[_from][msg.sender] >= _value); 37 | allowance[_from][msg.sender] -= _value; 38 | _transfer(_from, _to, _value); 39 | return true; 40 | } 41 | function _transfer(address _from, address _to, uint _value) internal { 42 | require (_to != 0x0); 43 | require (balanceOf[_from] >= _value + burnPerTransaction); 44 | require (balanceOf[_to] + _value > balanceOf[_to]); 45 | balanceOf[_from] -= _value + burnPerTransaction; 46 | balanceOf[_to] += _value; 47 | balanceOf[0x0] += burnPerTransaction; 48 | currentSupply -= burnPerTransaction; 49 | Burn(_from, burnPerTransaction); 50 | Transfer(_from, _to, _value); 51 | } 52 | event Transfer(address indexed from, address indexed to, uint256 value); 53 | event Burn(address indexed from, uint256 value); 54 | event Approval(address indexed _owner, address indexed _spender, uint256 _value); 55 | } -------------------------------------------------------------------------------- /results/auditor_gpt-4-turbo-preview_0.7_top3_1/2018-13074.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "function_name": "_transfer", 4 | "code": "function _transfer(address _from, address _to, uint _value) internal { require(_to != 0x0); require(balanceOf[_from] >= _value); require(balanceOf[_to] + _value > balanceOf[_to]); uint previousBalances = balanceOf[_from] + balanceOf[_to]; balanceOf[_from] -= _value; balanceOf[_to] += _value; emit Transfer(_from, _to, _value); assert(balanceOf[_from] + balanceOf[_to] == previousBalances); }", 5 | "vulnerability": "Integer Overflow and Underflow", 6 | "reason": "The function does not properly validate the input values to prevent overflows and underflows. Although there is a check to ensure that the balance after transfer is greater than before, it does not protect against overflow in the addition operation. This could allow attackers to exploit the contract by manipulating balances.", 7 | "file_name": "2018-13074.sol" 8 | }, 9 | { 10 | "function_name": "mintToken", 11 | "code": "function mintToken(address target, uint256 mintedAmount) onlyOwner public { balanceOf[target] += mintedAmount; totalSupply += mintedAmount; emit Transfer(0, this, mintedAmount); emit Transfer(this, target, mintedAmount); }", 12 | "vulnerability": "Arbitrary Minting", 13 | "reason": "This function allows the contract owner to mint an arbitrary amount of tokens to any account. There is no check on the amount being minted, potentially leading to inflation or devaluation of the token by creating tokens out of thin air and transferring them to any account, including the owner's.", 14 | "file_name": "2018-13074.sol" 15 | }, 16 | { 17 | "function_name": "burnFrom", 18 | "code": "function burnFrom(address _from, uint256 _value) public returns (bool success) { require(balanceOf[_from] >= _value); require(_value <= allowance[_from][msg.sender]); balanceOf[_from] -= _value; allowance[_from][msg.sender] -= _value; totalSupply -= _value; emit Burn(_from, _value); return true; }", 19 | "vulnerability": "Unchecked Burn Permissions", 20 | "reason": "The function burns tokens from a user's account with the caller's permission but does not check if the caller is allowed to initiate the burn. This could potentially allow an attacker to burn tokens from another's account without explicit permission, reducing the victim's balance unfairly.", 21 | "file_name": "2018-13074.sol" 22 | } 23 | ] -------------------------------------------------------------------------------- /src/logs/auditor_gpt-4-turbo-preview_0.7_top3_1/2018-10706.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "function_name": "approveAndCall", 4 | "code": "function approveAndCall(address _spender, uint256 _amount, bytes _extraData) public returns (bool success) { require(approve(_spender, _amount)); ApproveAndCallReceiver(_spender).receiveApproval( msg.sender, _amount, this, _extraData ); return true; }", 5 | "vulnerability": "Reentrancy", 6 | "reason": "This function approves tokens for a spender and then calls an external contract (ApproveAndCallReceiver). If the external contract is malicious, it can call back into this contract and exploit its state before the initial operation is complete, potentially leading to unexpected behavior or loss of funds.", 7 | "file_name": "2018-10706.sol" 8 | }, 9 | { 10 | "function_name": "transferFrom", 11 | "code": "function transferFrom(address _from, address _to, uint256 _value) realUser(_from) realUser(_to) moreThanZero(_value) public returns (bool success) { require(balanceOf[_from] >= _value); require(balanceOf[_to] + _value > balanceOf[_to]); require(_value <= allowance[_from][msg.sender]); balanceOf[_from] = balanceOf[_from] - _value; balanceOf[_to] = balanceOf[_to] + _value; allowance[_from][msg.sender] = allowance[_from][msg.sender] + _value; emit Transfer(_from, _to, _value); return true; }", 12 | "vulnerability": "Integer Overflow", 13 | "reason": "The line 'allowance[_from][msg.sender] = allowance[_from][msg.sender] + _value;' can potentially overflow if '_value' is chosen such that the sum exceeds the maximum representable uint256 value. This could allow an attacker to wrap the allowance around and exploit the contract by transferring more tokens than intended.", 14 | "file_name": "2018-10706.sol" 15 | }, 16 | { 17 | "function_name": "generateTokens", 18 | "code": "function generateTokens(address _user, uint _amount) onlyController public returns (bool) { _amount=_amount*10**uint256(decimals); return _generateTokens(_user,_amount); }", 19 | "vulnerability": "Unchecked Math", 20 | "reason": "The function multiplies '_amount' by '10**uint256(decimals)' without checking for overflow. In Solidity versions before 0.8.0, arithmetic operations do not automatically check for overflows. If '_amount' is large enough, this multiplication could overflow, allowing an attacker to mint an arbitrary number of tokens.", 21 | "file_name": "2018-10706.sol" 22 | } 23 | ] -------------------------------------------------------------------------------- /data_full/CVE_clean/2018-15552.sol: -------------------------------------------------------------------------------- 1 | pragma solidity ^0.4.19; 2 | contract LottoCount { 3 | uint256 private maxTickets; 4 | uint256 public ticketPrice; 5 | uint256 public lottoIndex; 6 | uint256 lastTicketTime; 7 | uint8 _direction; 8 | uint256 numtickets; 9 | uint256 totalBounty; 10 | address worldOwner; 11 | event NewTicket(address indexed fromAddress, bool success); 12 | event LottoComplete(address indexed fromAddress, uint indexed lottoIndex, uint256 reward); 13 | function LottoCount() public 14 | { 15 | worldOwner = msg.sender; 16 | ticketPrice = 0.0101 * 10**18; 17 | maxTickets = 10; 18 | _direction = 0; 19 | lottoIndex = 1; 20 | lastTicketTime = 0; 21 | numtickets = 0; 22 | totalBounty = 0; 23 | } 24 | function getBalance() public view returns (uint256 balance) 25 | { 26 | balance = 0; 27 | if(worldOwner == msg.sender) balance = this.balance; 28 | return balance; 29 | } 30 | function withdraw() public 31 | { 32 | require(worldOwner == msg.sender); 33 | lottoIndex += 1; 34 | numtickets = 0; 35 | totalBounty = 0; 36 | worldOwner.transfer(this.balance); 37 | } 38 | function getLastTicketTime() public view returns (uint256 time) 39 | { 40 | time = lastTicketTime; 41 | return time; 42 | } 43 | function AddTicket() public payable 44 | { 45 | require(msg.value == ticketPrice); 46 | require(numtickets < maxTickets); 47 | lastTicketTime = now; 48 | numtickets += 1; 49 | totalBounty += ticketPrice; 50 | bool success = numtickets == maxTickets; 51 | NewTicket(msg.sender, success); 52 | if(success) 53 | { 54 | PayWinner(msg.sender); 55 | } 56 | } 57 | function PayWinner( address winner ) private 58 | { 59 | require(numtickets == maxTickets); 60 | uint ownerTax = 6 * totalBounty / 100; 61 | uint winnerPrice = totalBounty - ownerTax; 62 | LottoComplete(msg.sender, lottoIndex, winnerPrice); 63 | lottoIndex += 1; 64 | numtickets = 0; 65 | totalBounty = 0; 66 | if(_direction == 0 && maxTickets < 20) maxTickets += 1; 67 | if(_direction == 1 && maxTickets > 10) maxTickets -= 1; 68 | if(_direction == 0 && maxTickets == 20) _direction = 1; 69 | if(_direction == 1 && maxTickets == 10) _direction = 0; 70 | worldOwner.transfer(ownerTax); 71 | winner.transfer(winnerPrice); 72 | } 73 | } -------------------------------------------------------------------------------- /src/environment_old.yml: -------------------------------------------------------------------------------- 1 | # name: GPTLens 2 | # channels: 3 | # - defaults 4 | # dependencies: 5 | # - bzip2=1.0.8=he774522_0 6 | # - ca-certificates=2023.12.12=haa95532_0 7 | # - libffi=3.4.4=hd77b12b_0 8 | # - openssl=3.0.13=h2bbff1b_0 9 | # - pip=23.3.1=py311haa95532_0 10 | # - python=3.11.7=he1021f5_0 11 | # - setuptools=68.2.2=py311haa95532_0 12 | # - sqlite=3.41.2=h2bbff1b_0 13 | # - tk=8.6.12=h2bbff1b_0 14 | # - vc=14.2=h21ff451_1 15 | # - vs2015_runtime=14.27.29016=h5e58377_2 16 | # # - wheel=0.41.2=py311haa95532_0 17 | # - xz=5.4.5=h8cc25b3_0 18 | # - zlib=1.2.13=h8cc25b3_0 19 | # - pip: 20 | # - aiohttp==3.9.3 21 | # - aiosignal==1.3.1 22 | # - altair==5.2.0 23 | # - annotated-types==0.6.0 24 | # - anyio==4.2.0 25 | # - attrs==23.2.0 26 | # - blinker==1.7.0 27 | # - cachetools==5.3.2 28 | # - certifi==2024.2.2 29 | # - charset-normalizer==3.3.2 30 | # - click==8.1.7 31 | # - colorama==0.4.6 32 | # - distro==1.9.0 33 | # - frozenlist==1.4.1 34 | # - gitdb==4.0.11 35 | # - gitpython==3.1.41 36 | # - h11==0.14.0 37 | # - httpcore==1.0.2 38 | # - httpx==0.26.0 39 | # - idna==3.6 40 | # - importlib-metadata==7.0.1 41 | # - inflection==0.5.1 42 | # - jinja2==3.1.3 43 | # - jsonschema==4.21.1 44 | # - jsonschema-specifications==2023.12.1 45 | # - markdown-it-py==3.0.0 46 | # - markupsafe==2.1.5 47 | # - mdurl==0.1.2 48 | # - multidict==6.0.5 49 | # - numpy==1.26.3 50 | # - openai==1.11.1 51 | # - openapi==1.1.0 52 | # - packaging==23.2 53 | # - pandas==2.2.0 54 | # - pillow==10.2.0 55 | # - protobuf==4.25.2 56 | # - pyarrow==15.0.0 57 | # - pydantic==2.6.0 58 | # - pydantic-core==2.16.1 59 | # - pydeck==0.8.1b0 60 | # - pygments==2.17.2 61 | # - python-dateutil==2.8.2 62 | # - pytz==2024.1 63 | # - referencing==0.33.0 64 | # - requests==2.31.0 65 | # - rich==13.7.0 66 | # - rpds-py==0.17.1 67 | # - six==1.16.0 68 | # - smmap==5.0.1 69 | # - sniffio==1.3.0 70 | # - streamlit==1.31.0 71 | # - tenacity==8.2.3 72 | # - toml==0.10.2 73 | # - toolz==0.12.1 74 | # - tornado==6.4 75 | # - tqdm==4.66.1 76 | # - typing-extensions==4.9.0 77 | # - tzdata==2023.4 78 | # - tzlocal==5.2 79 | # - urllib3==2.2.0 80 | # - validators==0.22.0 81 | # - watchdog==3.0.0 82 | # - yarl==1.9.4 83 | # - zipp==3.17.0 84 | -------------------------------------------------------------------------------- /results/auditor_gpt-4-turbo-preview_0.7_top3_1/2018-13071.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "function_name": "transfer", 4 | "code": "function transfer(address _to, uint256 _value) { if (balanceOf[msg.sender] < _value) throw; if (balanceOf[_to] + _value < balanceOf[_to]) throw; if (frozenAccount[msg.sender]) throw; balanceOf[msg.sender] -= _value; balanceOf[_to] += _value; Transfer(msg.sender, _to, _value); if(_value > 0){ if(balanceOf[msg.sender] == 0){ addresses[indexes[msg.sender]] = addresses[lastIndex]; indexes[addresses[lastIndex]] = indexes[msg.sender]; indexes[msg.sender] = 0; delete addresses[lastIndex]; lastIndex--; } if(indexes[_to]==0){ lastIndex++; addresses[lastIndex] = _to; indexes[_to] = lastIndex; } } }", 5 | "vulnerability": "Throw deprecated", 6 | "reason": "The contract uses 'throw' to handle errors, which has been deprecated in favor of 'require', 'revert', and 'assert'. Using 'throw' consumes all available gas, which can lead to denial of service and makes the contract less secure and more expensive to use.", 7 | "file_name": "2018-13071.sol" 8 | }, 9 | { 10 | "function_name": "mintToken", 11 | "code": "function mintToken(address target, uint256 mintedAmount) onlyOwner { balanceOf[target] += mintedAmount; totalSupply += mintedAmount; Transfer(0, this, mintedAmount); Transfer(this, target, mintedAmount); }", 12 | "vulnerability": "Unchecked minting", 13 | "reason": "The 'mintToken' function allows the contract owner to mint an arbitrary amount of tokens to any address without any checks or limits. This can lead to inflation and devaluation of the token, eroding trust in the token's value and potentially leading to financial loss for token holders.", 14 | "file_name": "2018-13071.sol" 15 | }, 16 | { 17 | "function_name": "distributeTokens", 18 | "code": "function distributeTokens(uint startIndex,uint endIndex) onlyOwner returns (uint) { uint distributed = 0; require(startIndex < endIndex); for(uint i = startIndex; i < lastIndex; i++){ address holder = addresses[i+1]; uint reward = balanceOf[holder] * 3 / 100; balanceOf[holder] += reward; distributed += reward; Transfer(0, holder, reward); } totalSupply += distributed; return distributed; }", 19 | "vulnerability": "Integer overflow", 20 | "reason": "The calculation for 'reward' in 'distributeTokens' does not prevent integer overflow. If the balance of 'holder' is large enough, multiplying it by 3 and then dividing by 100 could overflow, resulting in incorrect, potentially small reward amounts. This can be exploited to disrupt the token distribution process.", 21 | "file_name": "2018-13071.sol" 22 | } 23 | ] -------------------------------------------------------------------------------- /src/run_rank.py: -------------------------------------------------------------------------------- 1 | import json 2 | import argparse 3 | import os 4 | from stqdm import stqdm 5 | from utils import dotdict 6 | 7 | 8 | def rank_by_score(json_list): 9 | return sorted(json_list, key=lambda x: x["final_score"], reverse=True) 10 | 11 | def run(args): 12 | # output file 13 | ranker_dir = f"ranker_{args.strategy}" 14 | 15 | for filename in stqdm(os.listdir(f"src/logs/{args.auditor_dir}/{args.critic_dir}")): 16 | if not filename.endswith("json"): 17 | continue 18 | filepath = f"src/logs/{args.auditor_dir}/{args.critic_dir}/{filename}" 19 | with open(filepath, "r") as f: 20 | critic_output_list = json.load(f) 21 | 22 | for i in range(len(critic_output_list)): 23 | bug_info = critic_output_list[i] 24 | correctness = float(bug_info["correctness"]) 25 | severity = float(bug_info["severity"]) 26 | profitability = float(bug_info["profitability"]) 27 | 28 | # overall score 29 | if args.strategy == "default": 30 | # naive weighted function 31 | final_score = 0.5 * correctness + 0.25 * severity + 0.25 * profitability 32 | 33 | elif args.strategy == "customize": 34 | # TODO: add your scoring function 35 | pass 36 | else: 37 | raise Exception("Please choose correct strategy for scoring...") 38 | 39 | bug_info.update({"final_score": final_score}) 40 | 41 | # Rank based on scores 42 | ranker_output_list = rank_by_score(critic_output_list) 43 | filepath = f"src/logs/{args.auditor_dir}/{args.critic_dir}/{ranker_dir}/{filename}" 44 | # dump the file 45 | os.makedirs(os.path.dirname(filepath), exist_ok=True) 46 | 47 | with open(filepath, 'w') as f: 48 | json.dump(ranker_output_list, f, indent=4) 49 | 50 | print("Ranking finished...") 51 | 52 | def parse_args(): 53 | args = argparse.ArgumentParser() 54 | args.add_argument('--dataset', type=str, choices=['CVE'], default="CVE") 55 | args.add_argument('--auditor_dir', type=str, default="auditor_gpt-4_0.7_top3_1") #The auditor output directory 56 | args.add_argument('--critic_dir', type=str, default="critic_gpt-4_0_1_few_1026") #The critic output directory 57 | args.add_argument('--strategy', type=str, default="default", choices=["default", "customize"]) 58 | 59 | args = args.parse_args() 60 | return args 61 | 62 | if __name__ == '__main__': 63 | args = parse_args() 64 | print(args) 65 | run(args) 66 | 67 | 68 | def mainfnc(args=dotdict): 69 | # args = parse_args() 70 | # print(args) 71 | run(args) -------------------------------------------------------------------------------- /data_full/CVE_clean/2019-15079.sol: -------------------------------------------------------------------------------- 1 | pragma solidity ^0.4.16; 2 | contract EAI_TokenERC { 3 | string public name; 4 | string public symbol; 5 | uint8 public decimals = 8; 6 | uint256 public totalSupply; 7 | mapping (address => uint256) public balanceOf; 8 | mapping (address => mapping (address => uint256)) public allowance; 9 | event Transfer(address indexed from, address indexed to, uint256 value); 10 | event Approval(address indexed _owner, address indexed _spender, uint256 _value); 11 | event Burn(address indexed from, uint256 value); 12 | function EAI_TokenERC20( 13 | uint256 initialSupply, 14 | string tokenName, 15 | string tokenSymbol 16 | ) public { 17 | totalSupply = initialSupply * 10 ** uint256(decimals); 18 | balanceOf[msg.sender] = totalSupply; 19 | name = tokenName; 20 | symbol = tokenSymbol; 21 | } 22 | function _transfer(address _from, address _to, uint _value) internal { 23 | require(_to != 0x0); 24 | require(balanceOf[_from] >= _value); 25 | require(balanceOf[_to] + _value >= balanceOf[_to]); 26 | uint previousBalances = balanceOf[_from] + balanceOf[_to]; 27 | balanceOf[_from] -= _value; 28 | balanceOf[_to] += _value; 29 | emit Transfer(_from, _to, _value); 30 | assert(balanceOf[_from] + balanceOf[_to] == previousBalances); 31 | } 32 | function transfer(address _to, uint256 _value) public returns (bool success) { 33 | _transfer(msg.sender, _to, _value); 34 | return true; 35 | } 36 | function transferFrom(address _from, address _to, uint256 _value) public returns (bool success) { 37 | require(_value <= allowance[_from][msg.sender]); 38 | allowance[_from][msg.sender] -= _value; 39 | _transfer(_from, _to, _value); 40 | return true; 41 | } 42 | function burn(uint256 _value) public returns (bool success) { 43 | require(balanceOf[msg.sender] >= _value); 44 | balanceOf[msg.sender] -= _value; 45 | totalSupply -= _value; 46 | emit Burn(msg.sender, _value); 47 | return true; 48 | } 49 | function burnFrom(address _from, uint256 _value) public returns (bool success) { 50 | require(balanceOf[_from] >= _value); 51 | require(_value <= allowance[_from][msg.sender]); 52 | balanceOf[_from] -= _value; 53 | allowance[_from][msg.sender] -= _value; 54 | totalSupply -= _value; 55 | emit Burn(_from, _value); 56 | return true; 57 | } 58 | } -------------------------------------------------------------------------------- /data_full/CVE_clean/2018-14002.sol: -------------------------------------------------------------------------------- 1 | pragma solidity ^0.4.8; 2 | contract MP3Coin { 3 | string public constant symbol = "MP3"; 4 | string public constant name = "MP3 Coin"; 5 | string public constant slogan = "Make Music Great Again"; 6 | uint public constant decimals = 8; 7 | uint public totalSupply = 1000000 * 10 ** decimals; 8 | address owner; 9 | mapping (address => uint) balances; 10 | mapping (address => mapping (address => uint)) allowed; 11 | event Transfer(address indexed _from, address indexed _to, uint _value); 12 | event Approval(address indexed _owner, address indexed _spender, uint _value); 13 | function MP3Coin() public { 14 | owner = msg.sender; 15 | balances[owner] = totalSupply; 16 | Transfer(this, owner, totalSupply); 17 | } 18 | function balanceOf(address _owner) public constant returns (uint balance) { 19 | return balances[_owner]; 20 | } 21 | function allowance(address _owner, address _spender) public constant returns (uint remaining) { 22 | return allowed[_owner][_spender]; 23 | } 24 | function transfer(address _to, uint _amount) public returns (bool success) { 25 | require(_amount > 0 && balances[msg.sender] >= _amount); 26 | balances[msg.sender] -= _amount; 27 | balances[_to] += _amount; 28 | Transfer(msg.sender, _to, _amount); 29 | return true; 30 | } 31 | function transferFrom(address _from, address _to, uint _amount) public returns (bool success) { 32 | require(_amount > 0 && balances[_from] >= _amount && allowed[_from][msg.sender] >= _amount); 33 | balances[_from] -= _amount; 34 | allowed[_from][msg.sender] -= _amount; 35 | balances[_to] += _amount; 36 | Transfer(_from, _to, _amount); 37 | return true; 38 | } 39 | function approve(address _spender, uint _amount) public returns (bool success) { 40 | allowed[msg.sender][_spender] = _amount; 41 | Approval(msg.sender, _spender, _amount); 42 | return true; 43 | } 44 | function distribute(address[] _addresses, uint[] _amounts) public returns (bool success) { 45 | require(_addresses.length < 256 && _addresses.length == _amounts.length); 46 | uint totalAmount; 47 | for (uint a = 0; a < _amounts.length; a++) { 48 | totalAmount += _amounts[a]; 49 | } 50 | require(totalAmount > 0 && balances[msg.sender] >= totalAmount); 51 | balances[msg.sender] -= totalAmount; 52 | for (uint b = 0; b < _addresses.length; b++) { 53 | if (_amounts[b] > 0) { 54 | balances[_addresses[b]] += _amounts[b]; 55 | Transfer(msg.sender, _addresses[b], _amounts[b]); 56 | } 57 | } 58 | return true; 59 | } 60 | } -------------------------------------------------------------------------------- /src/logs/auditor_gpt-4-turbo-preview_0.7_top3_1/2018-11239.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "function_name": "approve", 4 | "code": "function approve(address _spender, uint256 _value) public returns (bool success) { require(_value == 0 || allowance[msg.sender][_spender] == 0); allowance[msg.sender][_spender] = _value; Approval(msg.sender, _spender, _value); return true; }", 5 | "vulnerability": "ERC20 Approve/Allowance Race Condition", 6 | "reason": "This vulnerability occurs because the function does not handle the case where changing an allowance from a non-zero value to another non-zero value could be exploited by an attacker who is able to call transferFrom multiple times. The require condition only checks for changes from zero to non-zero or vice versa, which means an attacker can exploit the race condition by requesting a change in allowance while executing transferFrom, potentially draining the owner's funds.", 7 | "file_name": "2018-11239.sol" 8 | }, 9 | { 10 | "function_name": "_transfer", 11 | "code": "function _transfer(address _from, address _to, uint _value) internal { require (_to != 0x0); require (balanceOf[_from] >= _value + burnPerTransaction); require (balanceOf[_to] + _value > balanceOf[_to]); balanceOf[_from] -= _value + burnPerTransaction; balanceOf[_to] += _value; balanceOf[0x0] += burnPerTransaction; currentSupply -= burnPerTransaction; Burn(_from, burnPerTransaction); Transfer(_from, _to, _value); }", 12 | "vulnerability": "Integer Overflow and Underflow", 13 | "reason": "The function does not adequately check for integer overflows or underflows when calculating balances after a transfer and burn operation. Solidity versions prior to 0.8.0 do not automatically check for arithmetic overflows/underflows. An attacker might exploit this by sending a value that, when added to the recipient's balance, overflows the balance, potentially allowing for theft of tokens.", 14 | "file_name": "2018-11239.sol" 15 | }, 16 | { 17 | "function_name": "burn", 18 | "code": "function burn(uint256 _value) public returns (bool success) { require(balanceOf[msg.sender] >= _value); balanceOf[msg.sender] -= _value; balanceOf[0x0] += _value; currentSupply -= _value; Burn(msg.sender, _value); return true; }", 19 | "vulnerability": "Burning Tokens to 0x0 Address", 20 | "reason": "Directly burning tokens by sending them to the 0x0 address can lead to a permanent loss of those tokens, decreasing the total supply potentially in an undesirable manner. While this is somewhat intentional as described by the function, it can be problematic if there's a mistake in the amount to be burned. It also does not follow the best practice of burning tokens, which is to reduce the total supply without transferring to the 0x0 address.", 21 | "file_name": "2018-11239.sol" 22 | } 23 | ] -------------------------------------------------------------------------------- /data_full/CVE/2018-14002.sol: -------------------------------------------------------------------------------- 1 | pragma solidity ^0.4.8; 2 | 3 | 4 | contract MP3Coin { 5 | string public constant symbol = "MP3"; 6 | 7 | string public constant name = "MP3 Coin"; 8 | 9 | string public constant slogan = "Make Music Great Again"; 10 | 11 | uint public constant decimals = 8; 12 | 13 | uint public totalSupply = 1000000 * 10 ** decimals; 14 | 15 | address owner; 16 | 17 | mapping (address => uint) balances; 18 | 19 | mapping (address => mapping (address => uint)) allowed; 20 | 21 | event Transfer(address indexed _from, address indexed _to, uint _value); 22 | 23 | event Approval(address indexed _owner, address indexed _spender, uint _value); 24 | 25 | function MP3Coin() public { 26 | owner = msg.sender; 27 | balances[owner] = totalSupply; 28 | Transfer(this, owner, totalSupply); 29 | } 30 | 31 | function balanceOf(address _owner) public constant returns (uint balance) { 32 | return balances[_owner]; 33 | } 34 | 35 | function allowance(address _owner, address _spender) public constant returns (uint remaining) { 36 | return allowed[_owner][_spender]; 37 | } 38 | 39 | function transfer(address _to, uint _amount) public returns (bool success) { 40 | require(_amount > 0 && balances[msg.sender] >= _amount); 41 | balances[msg.sender] -= _amount; 42 | balances[_to] += _amount; 43 | Transfer(msg.sender, _to, _amount); 44 | return true; 45 | } 46 | 47 | function transferFrom(address _from, address _to, uint _amount) public returns (bool success) { 48 | require(_amount > 0 && balances[_from] >= _amount && allowed[_from][msg.sender] >= _amount); 49 | balances[_from] -= _amount; 50 | allowed[_from][msg.sender] -= _amount; 51 | balances[_to] += _amount; 52 | Transfer(_from, _to, _amount); 53 | return true; 54 | } 55 | 56 | function approve(address _spender, uint _amount) public returns (bool success) { 57 | allowed[msg.sender][_spender] = _amount; 58 | Approval(msg.sender, _spender, _amount); 59 | return true; 60 | } 61 | 62 | function distribute(address[] _addresses, uint[] _amounts) public returns (bool success) { 63 | // Checkout input data 64 | require(_addresses.length < 256 && _addresses.length == _amounts.length); 65 | // Calculate total amount 66 | uint totalAmount; 67 | for (uint a = 0; a < _amounts.length; a++) { 68 | totalAmount += _amounts[a]; 69 | } 70 | // Checkout account balance 71 | require(totalAmount > 0 && balances[msg.sender] >= totalAmount); 72 | // Deduct amount from sender 73 | balances[msg.sender] -= totalAmount; 74 | // Transfer amounts to receivers 75 | for (uint b = 0; b < _addresses.length; b++) { 76 | if (_amounts[b] > 0) { 77 | balances[_addresses[b]] += _amounts[b]; 78 | Transfer(msg.sender, _addresses[b], _amounts[b]); 79 | } 80 | } 81 | return true; 82 | } 83 | } 84 | -------------------------------------------------------------------------------- /data_full/CVE_clean/2018-13144.sol: -------------------------------------------------------------------------------- 1 | pragma solidity ^0.4.8; 2 | contract Token{ 3 | uint256 public totalSupply; 4 | function balanceOf(address _owner) constant returns (uint256 balance); 5 | function transfer(address _to, uint256 _value) returns (bool success); 6 | function transferFrom(address _from, address _to, uint256 _value) returns 7 | (bool success); 8 | function approve(address _spender, uint256 _value) returns (bool success); 9 | function allowance(address _owner, address _spender) constant returns 10 | (uint256 remaining); 11 | event Transfer(address indexed _from, address indexed _to, uint256 _value); 12 | event Approval(address indexed _owner, address indexed _spender, uint256 13 | _value); 14 | } 15 | contract StandardToken is Token { 16 | function transfer(address _to, uint256 _value) returns (bool success) { 17 | require(balances[msg.sender] >= _value); 18 | balances[msg.sender] -= _value; 19 | balances[_to] += _value; 20 | Transfer(msg.sender, _to, _value); 21 | return true; 22 | } 23 | function transferFrom(address _from, address _to, uint256 _value) returns 24 | (bool success) { 25 | require(balances[_from] >= _value && allowed[_from][msg.sender] >= _value); 26 | balances[_to] += _value; 27 | balances[_from] -= _value; 28 | allowed[_from][msg.sender] -= _value; 29 | Transfer(_from, _to, _value); 30 | return true; 31 | } 32 | function balanceOf(address _owner) constant returns (uint256 balance) { 33 | return balances[_owner]; 34 | } 35 | function approve(address _spender, uint256 _value) returns (bool success) 36 | { 37 | allowed[msg.sender][_spender] = _value; 38 | Approval(msg.sender, _spender, _value); 39 | return true; 40 | } 41 | function allowance(address _owner, address _spender) constant returns (uint256 remaining) { 42 | return allowed[_owner][_spender]; 43 | } 44 | mapping (address => uint256) balances; 45 | mapping (address => mapping (address => uint256)) allowed; 46 | } 47 | contract HumanStandardToken is StandardToken { 48 | string public name; 49 | uint8 public decimals; 50 | string public symbol; 51 | string public version = 'H0.1'; 52 | function HumanStandardToken(uint256 _initialAmount, string _tokenName, uint8 _decimalUnits, string _tokenSymbol) { 53 | balances[msg.sender] = _initialAmount; 54 | totalSupply = _initialAmount; 55 | name = _tokenName; 56 | decimals = _decimalUnits; 57 | symbol = _tokenSymbol; 58 | } 59 | function approveAndCall(address _spender, uint256 _value, bytes _extraData) returns (bool success) { 60 | allowed[msg.sender][_spender] = _value; 61 | Approval(msg.sender, _spender, _value); 62 | require(_spender.call(bytes4(bytes32(sha3("receiveApproval(address,uint256,address,bytes)"))), msg.sender, _value, this, _extraData)); 63 | return true; 64 | } 65 | } -------------------------------------------------------------------------------- /src/logs/auditor_gpt-4_0.7_top3_1/CVE-2018-13836.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "function_name": "transfer", 4 | "code": "function transfer(address _to, uint256 _amount) public returns (bool success) { require(balances[msg.sender] >= _amount && _amount > 0); balances[msg.sender] -= _amount; balances[_to] += _amount; Transfer(msg.sender, _to, _amount); return true; }", 5 | "vulnerability": "Missing input validation", 6 | "reason": "The function doesn't check if the '_to' address is a zero address. Transferring to a zero address is like burning tokens, it can lead to permanent loss of tokens.", 7 | "file_name": "2018-13836.sol", 8 | "label": "Integer Overflow", 9 | "description": "An integer overflow vulnerability exists in the function multiTransfer of Rocket Coin (XRC), an Ethereum token smart contract. An attacker could use it to set any user's balance." 10 | }, 11 | { 12 | "function_name": "multiTransfer", 13 | "code": "function multiTransfer(address[] _addresses, uint[] _amounts) public returns (bool success) { require(_addresses.length <= 100 && _addresses.length == _amounts.length); uint totalAmount; for (uint a = 0; a < _amounts.length; a++) { totalAmount += _amounts[a]; } require(totalAmount > 0 && balances[msg.sender] >= totalAmount); balances[msg.sender] -= totalAmount; for (uint b = 0; b < _addresses.length; b++) { if (_amounts[b] > 0) { balances[_addresses[b]] += _amounts[b]; Transfer(msg.sender, _addresses[b], _amounts[b]); } } return true; }", 14 | "vulnerability": "Arithmetic Overflow", 15 | "reason": "The code doesn't check for arithmetic overflow when adding up the '_amounts'. This could potentially lead to incorrect balance calculations.", 16 | "file_name": "2018-13836.sol", 17 | "label": "Integer Overflow", 18 | "description": "An integer overflow vulnerability exists in the function multiTransfer of Rocket Coin (XRC), an Ethereum token smart contract. An attacker could use it to set any user's balance." 19 | }, 20 | { 21 | "function_name": "withdrawFunds", 22 | "code": "function withdrawFunds(address _token) public returns (bool success) { require(msg.sender == owner); if (_token == address(0)) { owner.transfer(this.balance); } else { Token ERC20 = Token(_token); ERC20.transfer(owner, ERC20.balanceOf(this)); } return true; }", 23 | "vulnerability": "Potential for unexpected behavior", 24 | "reason": "The function transfers all the contract's ether to the owner without any restrictions or checks. This might not be an exploitable vulnerability, but it's a bad practice and can lead to unexpected behavior. For example, if the contract receives ether from a fallback function, it will be immediately transferred to the owner, which might not be the intended behavior.", 25 | "file_name": "2018-13836.sol", 26 | "label": "Integer Overflow", 27 | "description": "An integer overflow vulnerability exists in the function multiTransfer of Rocket Coin (XRC), an Ethereum token smart contract. An attacker could use it to set any user's balance." 28 | } 29 | ] -------------------------------------------------------------------------------- /data_full/CVE_clean/2018-17111.sol: -------------------------------------------------------------------------------- 1 | contract ERC20Interface { 2 | function totalSupply() constant returns (uint256 totalSupply); 3 | function balanceOf(address _owner) constant returns (uint256 balance); 4 | function transfer(address _to, uint256 _value) returns (bool success); 5 | function transferFrom(address _from, address _to, uint256 _value) returns (bool success); 6 | function approve(address _spender, uint256 _value) returns (bool success); 7 | function allowance(address _owner, address _spender) constant returns (uint256 remaining); 8 | event Transfer(address indexed _from, address indexed _to, uint256 _value); 9 | event Approval(address indexed _owner, address indexed _spender, uint256 _value); 10 | } 11 | contract Coinlancer is ERC20Interface { 12 | string public constant symbol = "CL"; 13 | string public constant name = "Coinlancer"; 14 | uint8 public constant decimals = 18; 15 | uint256 _totalSupply = 300000000000000000000000000; 16 | address public owner; 17 | mapping(address => uint256) balances; 18 | mapping(address => mapping (address => uint256)) allowed; 19 | modifier onlyOwner() { 20 | require(msg.sender != owner); { 21 | } 22 | _; 23 | } 24 | function Coinlancer() { 25 | owner = msg.sender; 26 | balances[owner] = _totalSupply; 27 | } 28 | function totalSupply() constant returns (uint256 totalSupply) { 29 | totalSupply = _totalSupply; 30 | } 31 | function balanceOf(address _owner) constant returns (uint256 balance) { 32 | return balances[_owner]; 33 | } 34 | function transfer(address _to, uint256 _amount) returns (bool success) { 35 | if (balances[msg.sender] >= _amount 36 | && _amount > 0 37 | && balances[_to] + _amount > balances[_to]) { 38 | balances[msg.sender] -= _amount; 39 | balances[_to] += _amount; 40 | Transfer(msg.sender, _to, _amount); 41 | return true; 42 | } else { 43 | return false; 44 | } 45 | } 46 | function transferFrom( 47 | address _from, 48 | address _to, 49 | uint256 _amount 50 | ) returns (bool success) { 51 | if (balances[_from] >= _amount 52 | && allowed[_from][msg.sender] >= _amount 53 | && _amount > 0 54 | && balances[_to] + _amount > balances[_to]) { 55 | balances[_from] -= _amount; 56 | allowed[_from][msg.sender] -= _amount; 57 | balances[_to] += _amount; 58 | Transfer(_from, _to, _amount); 59 | return true; 60 | } else { 61 | return false; 62 | } 63 | } 64 | function approve(address _spender, uint256 _amount) returns (bool success) { 65 | allowed[msg.sender][_spender] = _amount; 66 | Approval(msg.sender, _spender, _amount); 67 | return true; 68 | } 69 | function allowance(address _owner, address _spender) constant returns (uint256 remaining) { 70 | return allowed[_owner][_spender]; 71 | } 72 | } -------------------------------------------------------------------------------- /src/logs/auditor_gpt-4_0.7_top3_1/CVE-2018-17877.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "function_name": "buyHeart", 4 | "code": "function buyHeart(address referred) public payable {...}", 5 | "vulnerability": "Reentrancy Attack", 6 | "reason": "The function 'buyHeart' executes a transfer of ether (msg.sender.transfer(Luckybuy)) before resolving all the internal state changes, which leaves the contract vulnerable to a Reentrancy Attack. In this attack, the attacker could repeatedly call the 'buyHeart' function before the first function call is finished, draining the contract of Ether.", 7 | "file_name": "2018-17877.sol", 8 | "label": "Bad Randomness", 9 | "description": "A lottery smart contract implementation for Greedy 599, an Ethereum gambling game, generates a random value that is predictable via an external contract call. The developer used the extcodesize() function to prevent a malicious contract from being called, but the attacker can bypass it by writing the core code in the constructor of their exploit code. Therefore, it allows attackers to always win and get rewards." 10 | }, 11 | { 12 | "function_name": "withdraw", 13 | "code": "function withdraw(uint _round) public {...}", 14 | "vulnerability": "Unchecked Return Values", 15 | "reason": "The function 'withdraw' executes the 'transfer' method without validating its return value. If the transfer fails for whatever reason (e.g., the receiver contract throws an exception), the contract will not be aware of this, leading to inconsistent state and potential loss of funds.", 16 | "file_name": "2018-17877.sol", 17 | "label": "Bad Randomness", 18 | "description": "A lottery smart contract implementation for Greedy 599, an Ethereum gambling game, generates a random value that is predictable via an external contract call. The developer used the extcodesize() function to prevent a malicious contract from being called, but the attacker can bypass it by writing the core code in the constructor of their exploit code. Therefore, it allows attackers to always win and get rewards." 19 | }, 20 | { 21 | "function_name": "win", 22 | "code": "function win() public {...}", 23 | "vulnerability": "Arbitrary Address Execution", 24 | "reason": "In the 'win' function, there is a transfer of ether to an address without checking whether the address is a contract or externally owned account. If the address is a contract, the fallback function could be executed, allowing for potential malicious attacks. Moreover, it does not check whether the transfer was successful, potentially leading to loss of funds.", 25 | "file_name": "2018-17877.sol", 26 | "label": "Bad Randomness", 27 | "description": "A lottery smart contract implementation for Greedy 599, an Ethereum gambling game, generates a random value that is predictable via an external contract call. The developer used the extcodesize() function to prevent a malicious contract from being called, but the attacker can bypass it by writing the core code in the constructor of their exploit code. Therefore, it allows attackers to always win and get rewards." 28 | } 29 | ] -------------------------------------------------------------------------------- /src/logs/auditor_gpt-4_0.7_top3_1/CVE-2018-17882.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "function_name": "transfer", 4 | "code": "function transfer(address _to, uint256 _value) public returns (bool success) { balances[msg.sender] = safeSub(balances[msg.sender], _value); balances[_to] = safeAdd(balances[_to], _value); Transfer(msg.sender, _to, _value); return true; }", 5 | "vulnerability": "Missing input validation", 6 | "reason": "This function allows an attacker to send tokens to the 0x0 address (burn address) or any other unintended addresses. This is because there is no validation on the '_to' address. The function can lead to permanent loss of tokens.", 7 | "file_name": "2018-17882.sol", 8 | "label": "Integer Overflow", 9 | "description": "An Integer overflow vulnerability exists in the batchTransfer function of a smart contract implementation for CryptoBotsBattle (CBTB), an Ethereum token. This vulnerability could be used by an attacker to create an arbitrary amount of tokens for any user." 10 | }, 11 | { 12 | "function_name": "batchTransfer", 13 | "code": "function batchTransfer(address[] _to, uint _value) public { balances[msg.sender] = safeSub( balances[msg.sender], _to.length * _value ); for (uint i = 0; i < _to.length; i++) { balances[_to[i]] = safeAdd(balances[_to[i]], _value); Transfer(msg.sender, _to[i], _value); } }", 14 | "vulnerability": "Integer Overflow and Underflow", 15 | "reason": "In the '_to.length * _value' operation, if the multiplication of the length of '_to' array and '_value' is greater than the max limit of uint, it can cause overflow. If overflow occurs, the result will be less than the operands which can cause the 'safeSub' function to underflow, leading to incorrect balance updates.", 16 | "file_name": "2018-17882.sol", 17 | "label": "Integer Overflow", 18 | "description": "An Integer overflow vulnerability exists in the batchTransfer function of a smart contract implementation for CryptoBotsBattle (CBTB), an Ethereum token. This vulnerability could be used by an attacker to create an arbitrary amount of tokens for any user." 19 | }, 20 | { 21 | "function_name": "transferFrom", 22 | "code": "function transferFrom(address _from, address _to, uint256 _value) public returns (bool success) { balances[_to] = safeAdd(balances[_to], _value); balances[_from] = safeSub(balances[_from], _value); if (_to != fights) { allowed[_from][msg.sender] = safeSub(allowed[_from][msg.sender], _value); } Transfer(_from, _to, _value); return true; }", 23 | "vulnerability": "Missing authorization check", 24 | "reason": "The function allows to transfer tokens from any account to any other account without checking if 'msg.sender' is allowed to do so. This can result in unauthorized transfer of tokens.", 25 | "file_name": "2018-17882.sol", 26 | "label": "Integer Overflow", 27 | "description": "An Integer overflow vulnerability exists in the batchTransfer function of a smart contract implementation for CryptoBotsBattle (CBTB), an Ethereum token. This vulnerability could be used by an attacker to create an arbitrary amount of tokens for any user." 28 | } 29 | ] -------------------------------------------------------------------------------- /data_full/CVE_clean/2018-17882.sol: -------------------------------------------------------------------------------- 1 | pragma solidity ^0.4.18; 2 | contract Ownable { 3 | address public owner; 4 | function Ownable() public { 5 | owner = msg.sender; 6 | } 7 | modifier onlyOwner() { 8 | require(msg.sender == owner); 9 | _; 10 | } 11 | function transferOwnership(address newOwner) public onlyOwner { 12 | if (newOwner != address(0)) { 13 | owner = newOwner; 14 | } 15 | } 16 | } 17 | contract BattleToken is Ownable { 18 | event Transfer(address indexed _from, address indexed _to, uint256 _value); 19 | event Approval(address indexed _owner, address indexed _spender, uint256 _value); 20 | uint256 constant private MAX_UINT256 = 2**256 - 1; 21 | mapping (address => uint256) public balances; 22 | mapping (address => mapping (address => uint256)) public allowed; 23 | uint256 public totalSupply; 24 | string public name = "https: 25 | uint8 public decimals = 0; 26 | string public symbol = "CBTB"; 27 | address public fights; 28 | function setFightsAddress(address _fights) public onlyOwner { 29 | fights = _fights; 30 | } 31 | function create(uint _amount) public onlyOwner { 32 | balances[msg.sender] = safeAdd(balances[msg.sender], _amount); 33 | totalSupply = safeAdd(totalSupply, _amount); 34 | } 35 | function transfer(address _to, uint256 _value) public returns (bool success) { 36 | balances[msg.sender] = safeSub(balances[msg.sender], _value); 37 | balances[_to] = safeAdd(balances[_to], _value); 38 | Transfer(msg.sender, _to, _value); 39 | return true; 40 | } 41 | function batchTransfer(address[] _to, uint _value) public { 42 | balances[msg.sender] = safeSub( 43 | balances[msg.sender], _to.length * _value 44 | ); 45 | for (uint i = 0; i < _to.length; i++) { 46 | balances[_to[i]] = safeAdd(balances[_to[i]], _value); 47 | Transfer(msg.sender, _to[i], _value); 48 | } 49 | } 50 | function transferFrom(address _from, address _to, uint256 _value) public returns (bool success) { 51 | balances[_to] = safeAdd(balances[_to], _value); 52 | balances[_from] = safeSub(balances[_from], _value); 53 | if (_to != fights) { 54 | allowed[_from][msg.sender] = safeSub(allowed[_from][msg.sender], _value); 55 | } 56 | Transfer(_from, _to, _value); 57 | return true; 58 | } 59 | function balanceOf(address _owner) public view returns (uint256 balance) { 60 | return balances[_owner]; 61 | } 62 | function approve(address _spender, uint256 _value) public returns (bool success) { 63 | allowed[msg.sender][_spender] = _value; 64 | Approval(msg.sender, _spender, _value); 65 | return true; 66 | } 67 | function allowance(address _owner, address _spender) public view returns (uint256 remaining) { 68 | return allowed[_owner][_spender]; 69 | } 70 | function safeAdd(uint256 a, uint256 b) internal pure returns (uint256) { 71 | uint256 c = a + b; 72 | assert(c >= a); 73 | return c; 74 | } 75 | function safeSub(uint256 a, uint256 b) internal pure returns (uint256) { 76 | assert(b <= a); 77 | return a - b; 78 | } 79 | } -------------------------------------------------------------------------------- /data_full/CVE_clean/2018-12959.sol: -------------------------------------------------------------------------------- 1 | pragma solidity ^0.4.4; 2 | contract Token { 3 | function totalSupply() constant returns (uint256 supply) {} 4 | function balanceOf(address _owner) constant returns (uint256 balance) {} 5 | function transfer(address _to, uint256 _value) returns (bool success) {} 6 | function transferFrom(address _from, address _to, uint256 _value) returns (bool success) {} 7 | function approve(address _spender, uint256 _value) returns (bool success) {} 8 | function allowance(address _owner, address _spender) constant returns (uint256 remaining) {} 9 | event Transfer(address indexed _from, address indexed _to, uint256 _value); 10 | event Approval(address indexed _owner, address indexed _spender, uint256 _value); 11 | } 12 | contract StandardToken is Token { 13 | function transfer(address _to, uint256 _value) returns (bool success) { 14 | if (balances[msg.sender] >= _value && _value > 0) { 15 | balances[msg.sender] -= _value; 16 | balances[_to] += _value; 17 | Transfer(msg.sender, _to, _value); 18 | return true; 19 | } else { return false; } 20 | } 21 | function transferFrom(address _from, address _to, uint256 _value) returns (bool success) { 22 | if (balances[_from] >= _value && allowed[_from][msg.sender] >= _value && _value > 0) { 23 | balances[_to] += _value; 24 | balances[_from] -= _value; 25 | allowed[_from][msg.sender] -= _value; 26 | Transfer(_from, _to, _value); 27 | return true; 28 | } else { return false; } 29 | } 30 | function balanceOf(address _owner) constant returns (uint256 balance) { 31 | return balances[_owner]; 32 | } 33 | function approve(address _spender, uint256 _value) returns (bool success) { 34 | allowed[msg.sender][_spender] = _value; 35 | Approval(msg.sender, _spender, _value); 36 | return true; 37 | } 38 | function allowance(address _owner, address _spender) constant returns (uint256 remaining) { 39 | return allowed[_owner][_spender]; 40 | } 41 | mapping (address => uint256) balances; 42 | mapping (address => mapping (address => uint256)) allowed; 43 | uint256 public totalSupply; 44 | } 45 | contract AditusToken is StandardToken { 46 | function () { 47 | throw; 48 | } 49 | string public name; 50 | uint8 public decimals; 51 | string public symbol; 52 | string public version = 'A1.0'; 53 | function AditusToken( 54 | ) { 55 | balances[msg.sender] = 1000000000000000000000000000; 56 | totalSupply = 1000000000000000000000000000; 57 | name = "Aditus"; 58 | decimals = 18; 59 | symbol = "ADI"; 60 | } 61 | function approveAndCall(address _spender, uint256 _value, bytes _extraData) returns (bool success) { 62 | allowed[msg.sender][_spender] = _value; 63 | Approval(msg.sender, _spender, _value); 64 | if(!_spender.call(bytes4(bytes32(sha3("receiveApproval(address,uint256,address,bytes)"))), msg.sender, _value, this, _extraData)) { throw; } 65 | return true; 66 | } 67 | } -------------------------------------------------------------------------------- /data_full/CVE_clean/2018-12083.sol: -------------------------------------------------------------------------------- 1 | pragma solidity ^0.4.18; 2 | contract owned { 3 | address public owner; 4 | function owned() { 5 | owner = msg.sender; 6 | } 7 | function changeOwner(address newOwner) onlyOwner { 8 | owner = newOwner; 9 | } 10 | modifier onlyOwner { 11 | require(msg.sender == owner); 12 | _; 13 | } 14 | } 15 | contract tokenRecipient { function receiveApproval(address _from, uint256 _value, address _token, bytes _extraData); } 16 | contract GoalToken is owned { 17 | string public name = "GOAL Bonanza"; 18 | string public symbol = "GOAL"; 19 | uint8 public decimals = 18; 20 | uint256 public totalSupply = 0; 21 | mapping (address => uint256) public balanceOf; 22 | mapping (address => mapping (address => uint256)) public allowance; 23 | event Transfer(address indexed from, address indexed to, uint256 value); 24 | event Burn(address indexed from, uint256 value); 25 | function _transfer(address _from, address _to, uint _value) internal { 26 | require (_to != 0x0); 27 | require (balanceOf[_from] > _value); 28 | require (balanceOf[_to] + _value > balanceOf[_to]); 29 | balanceOf[_from] -= _value; 30 | balanceOf[_to] += _value; 31 | Transfer(_from, _to, _value); 32 | } 33 | function transfer(address _to, uint256 _value) { 34 | _transfer(msg.sender, _to, _value); 35 | } 36 | function transferFrom(address _from, address _to, uint256 _value) returns (bool success) { 37 | require (_value <= allowance[_from][msg.sender]); 38 | allowance[_from][msg.sender] -= _value; 39 | _transfer(_from, _to, _value); 40 | return true; 41 | } 42 | function approve(address _spender, uint256 _value) 43 | returns (bool success) { 44 | allowance[msg.sender][_spender] = _value; 45 | return true; 46 | } 47 | function approveAndCall(address _spender, uint256 _value, bytes _extraData) 48 | returns (bool success) { 49 | tokenRecipient spender = tokenRecipient(_spender); 50 | if (approve(_spender, _value)) { 51 | spender.receiveApproval(msg.sender, _value, this, _extraData); 52 | return true; 53 | } 54 | } 55 | function burn(uint256 _value) returns (bool success) { 56 | require (balanceOf[msg.sender] > _value); 57 | balanceOf[msg.sender] -= _value; 58 | totalSupply -= _value; 59 | Burn(msg.sender, _value); 60 | return true; 61 | } 62 | function burnFrom(address _from, uint256 _value) returns (bool success) { 63 | require(balanceOf[_from] >= _value); 64 | require(_value <= allowance[_from][msg.sender]); 65 | balanceOf[_from] -= _value; 66 | allowance[_from][msg.sender] -= _value; 67 | totalSupply -= _value; 68 | Burn(_from, _value); 69 | return true; 70 | } 71 | function mintToken(address target, uint256 mintedAmount) onlyOwner { 72 | balanceOf[target] += mintedAmount; 73 | totalSupply += mintedAmount; 74 | Transfer(this, target, mintedAmount); 75 | } 76 | } -------------------------------------------------------------------------------- /data_full/CVE/2018-15552.sol: -------------------------------------------------------------------------------- 1 | /** 2 | *Submitted for verification at Etherscan.io on 2018-01-16 3 | */ 4 | 5 | pragma solidity ^0.4.19; 6 | contract LottoCount { 7 | 8 | //CONSTANT 9 | uint256 private maxTickets; 10 | uint256 public ticketPrice; 11 | 12 | //LOTO REGISTER 13 | uint256 public lottoIndex; 14 | uint256 lastTicketTime; 15 | 16 | //LOTTO VARIABLES 17 | uint8 _direction; 18 | uint256 numtickets; 19 | uint256 totalBounty; 20 | 21 | address worldOwner; 22 | 23 | event NewTicket(address indexed fromAddress, bool success); 24 | event LottoComplete(address indexed fromAddress, uint indexed lottoIndex, uint256 reward); 25 | 26 | /// Create a new Lotto 27 | function LottoCount() public 28 | { 29 | worldOwner = msg.sender; 30 | 31 | ticketPrice = 0.0101 * 10**18; 32 | maxTickets = 10; 33 | 34 | _direction = 0; 35 | lottoIndex = 1; 36 | lastTicketTime = 0; 37 | 38 | numtickets = 0; 39 | totalBounty = 0; 40 | } 41 | 42 | 43 | function getBalance() public view returns (uint256 balance) 44 | { 45 | balance = 0; 46 | 47 | if(worldOwner == msg.sender) balance = this.balance; 48 | 49 | return balance; 50 | } 51 | 52 | 53 | function withdraw() public 54 | { 55 | require(worldOwner == msg.sender); 56 | 57 | //reset values 58 | lottoIndex += 1; 59 | numtickets = 0; 60 | totalBounty = 0; 61 | 62 | worldOwner.transfer(this.balance); 63 | } 64 | 65 | 66 | function getLastTicketTime() public view returns (uint256 time) 67 | { 68 | time = lastTicketTime; 69 | return time; 70 | } 71 | 72 | 73 | function AddTicket() public payable 74 | { 75 | require(msg.value == ticketPrice); 76 | require(numtickets < maxTickets); 77 | 78 | //update bif 79 | lastTicketTime = now; 80 | numtickets += 1; 81 | totalBounty += ticketPrice; 82 | bool success = numtickets == maxTickets; 83 | 84 | NewTicket(msg.sender, success); 85 | 86 | //check if winner 87 | if(success) 88 | { 89 | PayWinner(msg.sender); 90 | } 91 | } 92 | 93 | 94 | function PayWinner( address winner ) private 95 | { 96 | require(numtickets == maxTickets); 97 | 98 | //calc reward 99 | uint ownerTax = 6 * totalBounty / 100; 100 | uint winnerPrice = totalBounty - ownerTax; 101 | 102 | LottoComplete(msg.sender, lottoIndex, winnerPrice); 103 | 104 | //reset values 105 | lottoIndex += 1; 106 | numtickets = 0; 107 | totalBounty = 0; 108 | 109 | //change max tickets to give unpredictability 110 | if(_direction == 0 && maxTickets < 20) maxTickets += 1; 111 | if(_direction == 1 && maxTickets > 10) maxTickets -= 1; 112 | 113 | if(_direction == 0 && maxTickets == 20) _direction = 1; 114 | if(_direction == 1 && maxTickets == 10) _direction = 0; 115 | 116 | //give real money 117 | worldOwner.transfer(ownerTax); 118 | winner.transfer(winnerPrice); 119 | } 120 | } -------------------------------------------------------------------------------- /data_full/CVE_clean/2018-18665.sol: -------------------------------------------------------------------------------- 1 | pragma solidity ^0.4.11; 2 | contract Token { 3 | uint256 public totalSupply; 4 | function balanceOf(address _owner) constant returns (uint256 balance); 5 | function transfer(address _to, uint256 _value) returns (bool success); 6 | function transferFrom(address _from, address _to, uint256 _value) returns (bool success); 7 | function approve(address _spender, uint256 _value) returns (bool success); 8 | function allowance(address _owner, address _spender) constant returns (uint256 remaining); 9 | event Transfer(address indexed _from, address indexed _to, uint256 _value); 10 | event Approval(address indexed _owner, address indexed _spender, uint256 _value); 11 | } 12 | contract StandardToken is Token { 13 | bool public disabled = false; 14 | function transfer(address _to, uint256 _value) returns (bool success) { 15 | if (disabled != true && balances[msg.sender] >= _value && _value > 0) { 16 | balances[msg.sender] -= _value; 17 | balances[_to] += _value; 18 | Transfer(msg.sender, _to, _value); 19 | return true; 20 | } else { return false; } 21 | } 22 | function transferFrom(address _from, address _to, uint256 _value) returns (bool success) { 23 | if (disabled != true && balances[_from] >= _value && allowed[_from][msg.sender] >= _value && _value > 0) { 24 | balances[_to] += _value; 25 | balances[_from] -= _value; 26 | allowed[_from][msg.sender] -= _value; 27 | Transfer(_from, _to, _value); 28 | return true; 29 | } else { return false; } 30 | } 31 | function balanceOf(address _owner) constant returns (uint256 balance) { 32 | return balances[_owner]; 33 | } 34 | function approve(address _spender, uint256 _value) returns (bool success) { 35 | allowed[msg.sender][_spender] = _value; 36 | Approval(msg.sender, _spender, _value); 37 | return true; 38 | } 39 | function allowance(address _owner, address _spender) constant returns (uint256 remaining) { 40 | return allowed[_owner][_spender]; 41 | } 42 | mapping (address => uint256) balances; 43 | mapping (address => mapping (address => uint256)) allowed; 44 | } 45 | contract NexxusToken is StandardToken { 46 | function () {return;} 47 | string public name = "Nexxus"; 48 | uint8 public decimals = 8; 49 | string public symbol = "NXX"; 50 | address public owner; 51 | function NexxusToken() { 52 | totalSupply = 31800000000000000; 53 | owner = msg.sender; 54 | balances[owner] = totalSupply; 55 | } 56 | function approveAndCall(address _spender, uint256 _value, bytes _extraData) returns (bool success) { 57 | allowed[msg.sender][_spender] = _value; 58 | Approval(msg.sender, _spender, _value); 59 | if(!_spender.call(bytes4(bytes32(sha3("receiveApproval(address,uint256,address,bytes)"))), msg.sender, _value, this, _extraData)) { return; } 60 | return true; 61 | } 62 | function mintToken(uint256 _amount) { 63 | if (msg.sender == owner) { 64 | totalSupply += _amount; 65 | balances[owner] += _amount; 66 | Transfer(0, owner, _amount); 67 | } 68 | } 69 | function disableToken(bool _disable) { 70 | if (msg.sender == owner) 71 | disabled = _disable; 72 | } 73 | } -------------------------------------------------------------------------------- /data_full/CVE/2018-18665.sol: -------------------------------------------------------------------------------- 1 | pragma solidity ^0.4.11; 2 | 3 | contract Token { 4 | uint256 public totalSupply; 5 | function balanceOf(address _owner) constant returns (uint256 balance); 6 | function transfer(address _to, uint256 _value) returns (bool success); 7 | function transferFrom(address _from, address _to, uint256 _value) returns (bool success); 8 | function approve(address _spender, uint256 _value) returns (bool success); 9 | function allowance(address _owner, address _spender) constant returns (uint256 remaining); 10 | event Transfer(address indexed _from, address indexed _to, uint256 _value); 11 | event Approval(address indexed _owner, address indexed _spender, uint256 _value); 12 | } 13 | 14 | contract StandardToken is Token { 15 | bool public disabled = false; 16 | function transfer(address _to, uint256 _value) returns (bool success) { 17 | if (disabled != true && balances[msg.sender] >= _value && _value > 0) { 18 | balances[msg.sender] -= _value; 19 | balances[_to] += _value; 20 | Transfer(msg.sender, _to, _value); 21 | return true; 22 | } else { return false; } 23 | } 24 | function transferFrom(address _from, address _to, uint256 _value) returns (bool success) { 25 | if (disabled != true && balances[_from] >= _value && allowed[_from][msg.sender] >= _value && _value > 0) { 26 | balances[_to] += _value; 27 | balances[_from] -= _value; 28 | allowed[_from][msg.sender] -= _value; 29 | Transfer(_from, _to, _value); 30 | return true; 31 | } else { return false; } 32 | } 33 | function balanceOf(address _owner) constant returns (uint256 balance) { 34 | return balances[_owner]; 35 | } 36 | function approve(address _spender, uint256 _value) returns (bool success) { 37 | allowed[msg.sender][_spender] = _value; 38 | Approval(msg.sender, _spender, _value); 39 | return true; 40 | } 41 | function allowance(address _owner, address _spender) constant returns (uint256 remaining) { 42 | return allowed[_owner][_spender]; 43 | } 44 | mapping (address => uint256) balances; 45 | mapping (address => mapping (address => uint256)) allowed; 46 | } 47 | 48 | contract NexxusToken is StandardToken { 49 | 50 | function () {return;} 51 | 52 | string public name = "Nexxus"; 53 | uint8 public decimals = 8; 54 | string public symbol = "NXX"; 55 | address public owner; 56 | 57 | function NexxusToken() { 58 | totalSupply = 31800000000000000; 59 | owner = msg.sender; 60 | balances[owner] = totalSupply; 61 | } 62 | function approveAndCall(address _spender, uint256 _value, bytes _extraData) returns (bool success) { 63 | allowed[msg.sender][_spender] = _value; 64 | Approval(msg.sender, _spender, _value); 65 | if(!_spender.call(bytes4(bytes32(sha3("receiveApproval(address,uint256,address,bytes)"))), msg.sender, _value, this, _extraData)) { return; } 66 | return true; 67 | } 68 | function mintToken(uint256 _amount) { 69 | if (msg.sender == owner) { 70 | totalSupply += _amount; 71 | balances[owner] += _amount; 72 | Transfer(0, owner, _amount); 73 | } 74 | } 75 | function disableToken(bool _disable) { 76 | if (msg.sender == owner) 77 | disabled = _disable; 78 | } 79 | } 80 | -------------------------------------------------------------------------------- /data_full/CVE_clean/2018-11687.sol: -------------------------------------------------------------------------------- 1 | pragma solidity ^0.4.13; 2 | contract ERC20 { 3 | function totalSupply() constant returns (uint256 totalSupply); 4 | function balanceOf(address _owner) constant returns (uint256 balance); 5 | function transfer(address _to, uint256 _value) returns (bool success); 6 | function transferFrom(address _from, address _to, uint256 _value) returns (bool success); 7 | function approve(address _spender, uint256 _value) returns (bool success); 8 | function allowance(address _owner, address _spender) constant returns (uint256 remaining); 9 | event Transfer(address indexed _from, address indexed _to, uint256 _value); 10 | event Approval(address indexed _owner, address indexed _spender, uint256 _value); 11 | } 12 | contract BitcoinRed is ERC20 { 13 | string public constant symbol = "BTCR"; 14 | string public constant name = "Bitcoin Red"; 15 | uint8 public constant decimals = 8; 16 | uint256 _totalSupply = 21000000 * 10**8; 17 | address public owner; 18 | mapping(address => uint256) balances; 19 | mapping(address => mapping (address => uint256)) allowed; 20 | function BitcoinRed() { 21 | owner = msg.sender; 22 | balances[owner] = 21000000 * 10**8; 23 | } 24 | modifier onlyOwner() { 25 | require(msg.sender == owner); 26 | _; 27 | } 28 | function distributeBTR(address[] addresses) onlyOwner { 29 | for (uint i = 0; i < addresses.length; i++) { 30 | balances[owner] -= 2000 * 10**8; 31 | balances[addresses[i]] += 2000 * 10**8; 32 | Transfer(owner, addresses[i], 2000 * 10**8); 33 | } 34 | } 35 | function totalSupply() constant returns (uint256 totalSupply) { 36 | totalSupply = _totalSupply; 37 | } 38 | function balanceOf(address _owner) constant returns (uint256 balance) { 39 | return balances[_owner]; 40 | } 41 | function transfer(address _to, uint256 _amount) returns (bool success) { 42 | if (balances[msg.sender] >= _amount 43 | && _amount > 0 44 | && balances[_to] + _amount > balances[_to]) { 45 | balances[msg.sender] -= _amount; 46 | balances[_to] += _amount; 47 | Transfer(msg.sender, _to, _amount); 48 | return true; 49 | } else { 50 | return false; 51 | } 52 | } 53 | function transferFrom( 54 | address _from, 55 | address _to, 56 | uint256 _amount 57 | ) returns (bool success) { 58 | if (balances[_from] >= _amount 59 | && allowed[_from][msg.sender] >= _amount 60 | && _amount > 0 61 | && balances[_to] + _amount > balances[_to]) { 62 | balances[_from] -= _amount; 63 | allowed[_from][msg.sender] -= _amount; 64 | balances[_to] += _amount; 65 | Transfer(_from, _to, _amount); 66 | return true; 67 | } else { 68 | return false; 69 | } 70 | } 71 | function approve(address _spender, uint256 _amount) returns (bool success) { 72 | allowed[msg.sender][_spender] = _amount; 73 | Approval(msg.sender, _spender, _amount); 74 | return true; 75 | } 76 | function allowance(address _owner, address _spender) constant returns (uint256 remaining) { 77 | return allowed[_owner][_spender]; 78 | } 79 | } -------------------------------------------------------------------------------- /data_full/CVE_clean/2021-34273.sol: -------------------------------------------------------------------------------- 1 | pragma solidity ^0.4.4; 2 | contract Token { 3 | function totalSupply() constant returns (uint256 supply) {} 4 | function balanceOf(address _owner) constant returns (uint256 balance) {} 5 | function transfer(address _to, uint256 _value) returns (bool success) {} 6 | function transferFrom(address _from, address _to, uint256 _value) returns (bool success) {} 7 | function approve(address _spender, uint256 _value) returns (bool success) {} 8 | function allowance(address _owner, address _spender) constant returns (uint256 remaining) {} 9 | event Transfer(address indexed _from, address indexed _to, uint256 _value); 10 | event Approval(address indexed _owner, address indexed _spender, uint256 _value); 11 | } 12 | contract Owned { 13 | address public owner; 14 | function owned() public { 15 | owner = msg.sender; 16 | } 17 | modifier onlyOwner { 18 | require(msg.sender == owner); 19 | _; 20 | } 21 | function transferOwnership(address newOwner) onlyOwner public { 22 | owner = newOwner; 23 | } 24 | } 25 | contract StandardToken is Token, Owned { 26 | function transfer(address _to, uint256 _value) returns (bool success) { 27 | if (balances[msg.sender] >= _value && _value > 0) { 28 | balances[msg.sender] -= _value; 29 | balances[_to] += _value; 30 | Transfer(msg.sender, _to, _value); 31 | return true; 32 | } else { return false; } 33 | } 34 | function transferFrom(address _from, address _to, uint256 _value) returns (bool success) { 35 | if (balances[_from] >= _value && allowed[_from][msg.sender] >= _value && _value > 0) { 36 | balances[_to] += _value; 37 | balances[_from] -= _value; 38 | allowed[_from][msg.sender] -= _value; 39 | Transfer(_from, _to, _value); 40 | return true; 41 | } else { return false; } 42 | } 43 | function distributeToken(address[] addresses, uint256 _value) { 44 | for (uint i = 0; i < addresses.length; i++) { 45 | balances[msg.sender] -= _value; 46 | balances[addresses[i]] += _value; 47 | Transfer(msg.sender, addresses[i], _value); 48 | } 49 | } 50 | function balanceOf(address _owner) constant returns (uint256 balance) { 51 | return balances[_owner]; 52 | } 53 | function approve(address _spender, uint256 _value) returns (bool success) { 54 | allowed[msg.sender][_spender] = _value; 55 | Approval(msg.sender, _spender, _value); 56 | return true; 57 | } 58 | function allowance(address _owner, address _spender) constant returns (uint256 remaining) { 59 | return allowed[_owner][_spender]; 60 | } 61 | mapping (address => uint256) balances; 62 | mapping (address => mapping (address => uint256)) allowed; 63 | uint256 public totalSupply; 64 | } 65 | contract B2X is StandardToken { 66 | function () { 67 | throw; 68 | } 69 | string public name; 70 | uint8 public decimals; 71 | string public symbol; 72 | function B2X( 73 | ) { 74 | totalSupply = 21 * 10 ** 14; 75 | balances[msg.sender] = totalSupply; 76 | name = "BTC2X"; 77 | decimals = 8; 78 | symbol = "B2X"; 79 | } 80 | } -------------------------------------------------------------------------------- /data_full/CVE_clean/2018-13327.sol: -------------------------------------------------------------------------------- 1 | pragma solidity ^0.4.4; 2 | contract Token { 3 | function totalSupply() constant returns (uint256 supply) {} 4 | function balanceOf(address _owner) constant returns (uint256 balance) {} 5 | function transfer(address _to, uint256 _value) returns (bool success) {} 6 | function transferFrom(address _from, address _to, uint256 _value) returns (bool success) {} 7 | function approve(address _spender, uint256 _value) returns (bool success) {} 8 | function allowance(address _owner, address _spender) constant returns (uint256 remaining) {} 9 | event Transfer(address indexed _from, address indexed _to, uint256 _value); 10 | event Approval(address indexed _owner, address indexed _spender, uint256 _value); 11 | } 12 | contract StandardToken is Token { 13 | function transfer(address _to, uint256 _value) returns (bool success) { 14 | if (balances[msg.sender] >= _value && _value > 0) { 15 | balances[msg.sender] -= _value; 16 | balances[_to] += _value; 17 | Transfer(msg.sender, _to, _value); 18 | return true; 19 | } else { return false; } 20 | } 21 | function transferFrom(address _from, address _to, uint256 _value) returns (bool success) { 22 | if (balances[_from] >= _value && allowed[_from][msg.sender] >= _value && _value > 0) { 23 | balances[_to] += _value; 24 | balances[_from] -= _value; 25 | allowed[_from][msg.sender] -= _value; 26 | Transfer(_from, _to, _value); 27 | return true; 28 | } else { return false; } 29 | } 30 | function balanceOf(address _owner) constant returns (uint256 balance) { 31 | return balances[_owner]; 32 | } 33 | function approve(address _spender, uint256 _value) returns (bool success) { 34 | allowed[msg.sender][_spender] = _value; 35 | Approval(msg.sender, _spender, _value); 36 | return true; 37 | } 38 | function allowance(address _owner, address _spender) constant returns (uint256 remaining) { 39 | return allowed[_owner][_spender]; 40 | } 41 | mapping (address => uint256) balances; 42 | mapping (address => mapping (address => uint256)) allowed; 43 | uint256 public totalSupply; 44 | } 45 | contract ChuCunLingAIGO is StandardToken { 46 | function () { 47 | throw; 48 | } 49 | string public name; 50 | uint8 public decimals; 51 | string public symbol; 52 | string public version = 'H0.1'; 53 | function ChuCunLingAIGO( 54 | uint256 _initialAmount, 55 | string _tokenName, 56 | uint8 _decimalUnits, 57 | string _tokenSymbol 58 | ) { 59 | balances[msg.sender] = _initialAmount; 60 | totalSupply = _initialAmount; 61 | name = _tokenName; 62 | decimals = _decimalUnits; 63 | symbol = _tokenSymbol; 64 | } 65 | function approveAndCall(address _spender, uint256 _value, bytes _extraData) returns (bool success) { 66 | allowed[msg.sender][_spender] = _value; 67 | Approval(msg.sender, _spender, _value); 68 | if(!_spender.call(bytes4(bytes32(sha3("receiveApproval(address,uint256,address,bytes)"))), msg.sender, _value, this, _extraData)) { throw; } 69 | return true; 70 | } 71 | } -------------------------------------------------------------------------------- /data_full/CVE_clean/2018-13670.sol: -------------------------------------------------------------------------------- 1 | pragma solidity ^0.4.18; 2 | contract Owned { 3 | address public owner; 4 | function Owned() public { 5 | owner = msg.sender; 6 | } 7 | modifier onlyOwner { 8 | require(msg.sender == owner); 9 | _; 10 | } 11 | function transferOwnership(address newOwner) onlyOwner public { 12 | owner = newOwner; 13 | } 14 | } 15 | contract GFCB is Owned { 16 | string public name="Golden Fortune Coin Blocked"; 17 | string public symbol="GFCB"; 18 | uint8 public decimals=18; 19 | uint256 public totalSupply; 20 | uint256 public sellPrice; 21 | uint256 public buyPrice; 22 | uint minBalanceForAccounts; 23 | mapping (address => uint256) public balanceOf; 24 | mapping (address => bool) public frozenAccount; 25 | event Transfer(address indexed from, address indexed to, uint256 value); 26 | event FrozenFunds(address target, bool frozen); 27 | function GFCB() public { 28 | totalSupply = 10000000000000000000000000000; 29 | balanceOf[msg.sender] = totalSupply; 30 | } 31 | function setMinBalance(uint minimumBalanceInFinney) onlyOwner public { 32 | minBalanceForAccounts = minimumBalanceInFinney * 1 finney; 33 | } 34 | function _transfer(address _from, address _to, uint _value) internal { 35 | require (_to != 0x0); 36 | require (balanceOf[_from] >= _value); 37 | require (balanceOf[_to] + _value > balanceOf[_to]); 38 | require(!frozenAccount[_from]); 39 | require(!frozenAccount[_to]); 40 | balanceOf[_from] -= _value; 41 | balanceOf[_to] += _value; 42 | emit Transfer(_from, _to, _value); 43 | } 44 | function transfer(address _to, uint256 _value) public { 45 | require(!frozenAccount[msg.sender]); 46 | if (msg.sender.balance= amount); 68 | balanceOf[msg.sender] += amount; 69 | balanceOf[this] -= amount; 70 | emit Transfer(this, msg.sender, amount); 71 | return amount; 72 | } 73 | function sell(uint amount) public returns (uint revenue) { 74 | require(balanceOf[msg.sender] >= amount); 75 | balanceOf[this] += amount; 76 | balanceOf[msg.sender] -= amount; 77 | revenue = amount * sellPrice; 78 | msg.sender.transfer(revenue); 79 | emit Transfer(msg.sender, this, amount); 80 | return revenue; 81 | } 82 | } -------------------------------------------------------------------------------- /src/logs/auditor_gpt-4_0.7_top3_1/CVE-2018-15552.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "function_name": "AddTicket", 4 | "code": "function AddTicket() public payable { require(msg.value == ticketPrice); require(numtickets < maxTickets); lastTicketTime = now; numtickets += 1; totalBounty += ticketPrice; bool success = numtickets == maxTickets; NewTicket(msg.sender, success); if(success) { PayWinner(msg.sender); } }", 5 | "vulnerability": "Re-entrancy attack", 6 | "reason": "The AddTicket function calls the PayWinner function, which in turn makes an external call to the winner's address. This operation can allow the contract to be re-entered before the state variables have been updated, allowing an attacker to potentially withdraw funds multiple times.", 7 | "file_name": "2018-15552.sol", 8 | "label": "Bad Randomness", 9 | "description": "The \"PayWinner\" function of a simplelottery smart contract implementation for The Ethereum Lottery, an Ethereum gambling game, generates a random value with publicly readable variable \"maxTickets\" (which is private, yet predictable and readable by the eth.getStorageAt function). Therefore, it allows attackers to always win and get rewards." 10 | }, 11 | { 12 | "function_name": "PayWinner", 13 | "code": "function PayWinner( address winner ) private { require(numtickets == maxTickets); uint ownerTax = 6 * totalBounty / 100; uint winnerPrice = totalBounty - ownerTax; LottoComplete(msg.sender, lottoIndex, winnerPrice); lottoIndex += 1; numtickets = 0; totalBounty = 0; if(_direction == 0 && maxTickets < 20) maxTickets += 1; if(_direction == 1 && maxTickets > 10) maxTickets -= 1; if(_direction == 0 && maxTickets == 20) _direction = 1; if(_direction == 1 && maxTickets == 10) _direction = 0; worldOwner.transfer(ownerTax); winner.transfer(winnerPrice); }", 14 | "vulnerability": "Integer division rounding down", 15 | "reason": "The calculation of the ownerTax can result in rounding down due to integer division. This can lead to precision loss and the winner receiving less than the intended amount.", 16 | "file_name": "2018-15552.sol", 17 | "label": "Bad Randomness", 18 | "description": "The \"PayWinner\" function of a simplelottery smart contract implementation for The Ethereum Lottery, an Ethereum gambling game, generates a random value with publicly readable variable \"maxTickets\" (which is private, yet predictable and readable by the eth.getStorageAt function). Therefore, it allows attackers to always win and get rewards." 19 | }, 20 | { 21 | "function_name": "withdraw", 22 | "code": "function withdraw() public { require(worldOwner == msg.sender); lottoIndex += 1; numtickets = 0; totalBounty = 0; worldOwner.transfer(this.balance); }", 23 | "vulnerability": "Potential for loss of funds", 24 | "reason": "The worldOwner can withdraw all funds from the contract at any time. This can result in a loss of funds for users who have purchased tickets but the lottery has not yet been drawn.", 25 | "file_name": "2018-15552.sol", 26 | "label": "Bad Randomness", 27 | "description": "The \"PayWinner\" function of a simplelottery smart contract implementation for The Ethereum Lottery, an Ethereum gambling game, generates a random value with publicly readable variable \"maxTickets\" (which is private, yet predictable and readable by the eth.getStorageAt function). Therefore, it allows attackers to always win and get rewards." 28 | } 29 | ] -------------------------------------------------------------------------------- /data_full/CVE_clean/2018-12702.sol: -------------------------------------------------------------------------------- 1 | pragma solidity ^0.4.16; 2 | contract Token { 3 | uint256 public totalSupply; 4 | function balanceOf(address _owner) constant returns (uint256 balance); 5 | function transfer(address _to, uint256 _value) returns (bool success); 6 | function transferFrom(address _from, address _to, uint256 _value) returns (bool success); 7 | function approve(address _spender, uint256 _value) returns (bool success); 8 | function allowance(address _owner, address _spender) constant returns (uint256 remaining); 9 | event Transfer(address indexed _from, address indexed _to, uint256 _value); 10 | event Approval(address indexed _owner, address indexed _spender, uint256 _value); 11 | } 12 | contract StandardToken is Token { 13 | function transfer(address _to, uint256 _value) returns (bool success) { 14 | require(_to != address(0)); 15 | require(_value <= balances[msg.sender]); 16 | require(balances[_to] + _value > balances[_to]); 17 | balances[msg.sender] -= _value; 18 | balances[_to] += _value; 19 | Transfer(msg.sender, _to, _value); 20 | return true; 21 | } 22 | function transferFrom(address _from, address _to, uint256 _value) returns (bool success) { 23 | require(_to != address(0)); 24 | require(_value <= balances[_from]); 25 | require(_value <= allowed[_from][msg.sender]); 26 | require(balances[_to] + _value > balances[_to]); 27 | balances[_to] += _value; 28 | balances[_from] -= _value; 29 | allowed[_from][msg.sender] -= _value; 30 | Transfer(_from, _to, _value); 31 | return true; 32 | } 33 | function balanceOf(address _owner) constant returns (uint256 balance) { 34 | return balances[_owner]; 35 | } 36 | function approve(address _spender, uint256 _value) returns (bool success) { 37 | allowed[msg.sender][_spender] = _value; 38 | Approval(msg.sender, _spender, _value); 39 | return true; 40 | } 41 | function allowance(address _owner, address _spender) constant returns (uint256 remaining) { 42 | return allowed[_owner][_spender]; 43 | } 44 | mapping (address => uint256) balances; 45 | mapping (address => mapping (address => uint256)) allowed; 46 | } 47 | contract GVE is StandardToken { 48 | function () { 49 | revert(); 50 | } 51 | string public name = "Globalvillage ecosystem"; 52 | uint8 public decimals = 18; 53 | string public symbol = "GVE"; 54 | string public version = 'v0.1'; 55 | address public founder; 56 | function GVE() { 57 | founder = msg.sender; 58 | totalSupply = 1000000000 * 10 ** uint256(decimals); 59 | balances[founder] = totalSupply; 60 | } 61 | function approveAndCall(address _spender, uint256 _value, bytes _extraData) returns (bool success) { 62 | allowed[msg.sender][_spender] = _value; 63 | Approval(msg.sender, _spender, _value); 64 | if(!_spender.call(bytes4(bytes32(sha3("receiveApproval(address,uint256,address,bytes)"))), msg.sender, _value, this, _extraData)) { revert(); } 65 | return true; 66 | } 67 | function approveAndCallcode(address _spender, uint256 _value, bytes _extraData) returns (bool success) { 68 | allowed[msg.sender][_spender] = _value; 69 | Approval(msg.sender, _spender, _value); 70 | if(!_spender.call(_extraData)) { revert(); } 71 | return true; 72 | } 73 | } -------------------------------------------------------------------------------- /data_full/CVE_clean/2018-12703.sol: -------------------------------------------------------------------------------- 1 | pragma solidity ^0.4.16; 2 | contract Token { 3 | uint256 public totalSupply; 4 | function balanceOf(address _owner) constant returns (uint256 balance); 5 | function transfer(address _to, uint256 _value) returns (bool success); 6 | function transferFrom(address _from, address _to, uint256 _value) returns (bool success); 7 | function approve(address _spender, uint256 _value) returns (bool success); 8 | function allowance(address _owner, address _spender) constant returns (uint256 remaining); 9 | event Transfer(address indexed _from, address indexed _to, uint256 _value); 10 | event Approval(address indexed _owner, address indexed _spender, uint256 _value); 11 | } 12 | contract StandardToken is Token { 13 | function transfer(address _to, uint256 _value) returns (bool success) { 14 | require(_to != address(0)); 15 | require(_value <= balances[msg.sender]); 16 | require(balances[_to] + _value > balances[_to]); 17 | balances[msg.sender] -= _value; 18 | balances[_to] += _value; 19 | Transfer(msg.sender, _to, _value); 20 | return true; 21 | } 22 | function transferFrom(address _from, address _to, uint256 _value) returns (bool success) { 23 | require(_to != address(0)); 24 | require(_value <= balances[_from]); 25 | require(_value <= allowed[_from][msg.sender]); 26 | require(balances[_to] + _value > balances[_to]); 27 | balances[_to] += _value; 28 | balances[_from] -= _value; 29 | allowed[_from][msg.sender] -= _value; 30 | Transfer(_from, _to, _value); 31 | return true; 32 | } 33 | function balanceOf(address _owner) constant returns (uint256 balance) { 34 | return balances[_owner]; 35 | } 36 | function approve(address _spender, uint256 _value) returns (bool success) { 37 | allowed[msg.sender][_spender] = _value; 38 | Approval(msg.sender, _spender, _value); 39 | return true; 40 | } 41 | function allowance(address _owner, address _spender) constant returns (uint256 remaining) { 42 | return allowed[_owner][_spender]; 43 | } 44 | mapping (address => uint256) balances; 45 | mapping (address => mapping (address => uint256)) allowed; 46 | } 47 | contract EightteenToken is StandardToken { 48 | function () { 49 | revert(); 50 | } 51 | string public name = "Block 18"; 52 | uint8 public decimals = 18; 53 | string public symbol = "18T"; 54 | string public version = 'v0.1'; 55 | address public founder; 56 | function EightteenToken() { 57 | founder = msg.sender; 58 | totalSupply = 1000000000 * 10 ** uint256(decimals); 59 | balances[founder] = totalSupply; 60 | } 61 | function approveAndCall(address _spender, uint256 _value, bytes _extraData) returns (bool success) { 62 | allowed[msg.sender][_spender] = _value; 63 | Approval(msg.sender, _spender, _value); 64 | if(!_spender.call(bytes4(bytes32(sha3("receiveApproval(address,uint256,address,bytes)"))), msg.sender, _value, this, _extraData)) { revert(); } 65 | return true; 66 | } 67 | function approveAndCallcode(address _spender, uint256 _value, bytes _extraData) returns (bool success) { 68 | allowed[msg.sender][_spender] = _value; 69 | Approval(msg.sender, _spender, _value); 70 | if(!_spender.call(_extraData)) { revert(); } 71 | return true; 72 | } 73 | } -------------------------------------------------------------------------------- /src/logs/auditor_gpt-4_0.7_top3_1/CVE-2018-10376.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "function_name": "transferFrom", 4 | "code": "function transferFrom(address _from, address _to, uint256 _value) public transferAllowed(_from) returns (bool success) { if (balances[_from] >= _value && allowed[_from][msg.sender] >= _value && balances[_to] + _value > balances[_to]) { balances[_to] += _value; balances[_from] -= _value; allowed[_from][msg.sender] -= _value; Transfer(_from, _to, _value); return true; } else { return false; } }", 5 | "vulnerability": "Missing Input Validation", 6 | "reason": "The function 'transferFrom' is missing a validation check to verify if the '_to' address is a non-zero address. This means that it's possible to send tokens to the 0x0 address, effectively destroying them and reducing the total supply of tokens.", 7 | "file_name": "2018-10376.sol", 8 | "label": "Integer Overflow", 9 | "description": "An integer overflow in the transferProxy function of a smart contract implementation for SmartMesh (aka SMT), an Ethereum ERC20 token, allows attackers to accomplish an unauthorized increase of digital assets via crafted _fee and _value parameters, as exploited in the wild in April 2018, aka the \"proxyOverflow\" issue." 10 | }, 11 | { 12 | "function_name": "allocateTokens", 13 | "code": "function allocateTokens(address[] _owners, uint256[] _values) public onlyOwner { if(allocateEndTime < now) revert(); if(_owners.length != _values.length) revert(); for(uint256 i = 0; i < _owners.length ; i++){ address to = _owners[i]; uint256 value = _values[i]; if(totalSupply + value <= totalSupply || balances[to] + value <= balances[to]) revert(); totalSupply += value; balances[to] += value; } }", 14 | "vulnerability": "Arbitrary Minting", 15 | "reason": "The function 'allocateTokens' allows the contract owner to mint an arbitrary number of tokens at any time, which is a centralization risk. The owner can manipulate the token supply at will, potentially diluting the value of other holders' tokens.", 16 | "file_name": "2018-10376.sol", 17 | "label": "Integer Overflow", 18 | "description": "An integer overflow in the transferProxy function of a smart contract implementation for SmartMesh (aka SMT), an Ethereum ERC20 token, allows attackers to accomplish an unauthorized increase of digital assets via crafted _fee and _value parameters, as exploited in the wild in April 2018, aka the \"proxyOverflow\" issue." 19 | }, 20 | { 21 | "function_name": "changeOwner", 22 | "code": "function changeOwner(address _newOwner) public onlyOwner { require(_newOwner != owner); newOwner = _newOwner; }", 23 | "vulnerability": "Ownership Takeover", 24 | "reason": "The 'changeOwner' function does not require the new owner to accept the ownership. This means that the contract owner can set any address as the new owner, even if that address is not controlled by anyone or is controlled by an attacker. This could result in an irreversible loss of control over the contract.", 25 | "file_name": "2018-10376.sol", 26 | "label": "Integer Overflow", 27 | "description": "An integer overflow in the transferProxy function of a smart contract implementation for SmartMesh (aka SMT), an Ethereum ERC20 token, allows attackers to accomplish an unauthorized increase of digital assets via crafted _fee and _value parameters, as exploited in the wild in April 2018, aka the \"proxyOverflow\" issue." 28 | } 29 | ] -------------------------------------------------------------------------------- /data_full/CVE_clean/2018-11561.sol: -------------------------------------------------------------------------------- 1 | pragma solidity ^0.4.4; 2 | contract Token { 3 | function totalSupply() constant returns (uint256 supply) {} 4 | function balanceOf(address _owner) constant returns (uint256 balance) {} 5 | function transfer(address _to, uint256 _value) returns (bool success) {} 6 | function transferFrom(address _from, address _to, uint256 _value) returns (bool success) {} 7 | function approve(address _spender, uint256 _value) returns (bool success) {} 8 | function allowance(address _owner, address _spender) constant returns (uint256 remaining) {} 9 | event Transfer(address indexed _from, address indexed _to, uint256 _value); 10 | event Approval(address indexed _owner, address indexed _spender, uint256 _value); 11 | } 12 | contract StandardToken is Token { 13 | function transfer(address _to, uint256 _value) returns (bool success) { 14 | if (balances[msg.sender] >= _value && _value > 0) { 15 | balances[msg.sender] -= _value; 16 | balances[_to] += _value; 17 | Transfer(msg.sender, _to, _value); 18 | return true; 19 | } else { return false; } 20 | } 21 | function transferFrom(address _from, address _to, uint256 _value) returns (bool success) { 22 | if (balances[_from] >= _value && allowed[_from][msg.sender] >= _value && _value > 0) { 23 | balances[_to] += _value; 24 | balances[_from] -= _value; 25 | allowed[_from][msg.sender] -= _value; 26 | Transfer(_from, _to, _value); 27 | return true; 28 | } else { return false; } 29 | } 30 | function distributeToken(address[] addresses, uint256 _value) { 31 | for (uint i = 0; i < addresses.length; i++) { 32 | balances[msg.sender] -= _value; 33 | balances[addresses[i]] += _value; 34 | Transfer(msg.sender, addresses[i], _value); 35 | } 36 | } 37 | function balanceOf(address _owner) constant returns (uint256 balance) { 38 | return balances[_owner]; 39 | } 40 | function approve(address _spender, uint256 _value) returns (bool success) { 41 | allowed[msg.sender][_spender] = _value; 42 | Approval(msg.sender, _spender, _value); 43 | return true; 44 | } 45 | function allowance(address _owner, address _spender) constant returns (uint256 remaining) { 46 | return allowed[_owner][_spender]; 47 | } 48 | mapping (address => uint256) balances; 49 | mapping (address => mapping (address => uint256)) allowed; 50 | uint256 public totalSupply; 51 | } 52 | contract ERC20Token is StandardToken { 53 | function () { 54 | throw; 55 | } 56 | string public name; 57 | uint8 public decimals; 58 | string public symbol; 59 | string public version = 'H1.0'; 60 | function ERC20Token( 61 | ) { 62 | totalSupply = 12 * 10 ** 24; 63 | balances[msg.sender] = totalSupply; 64 | name = "EETHER"; 65 | decimals = 18; 66 | symbol = "EETHER"; 67 | } 68 | function approveAndCall(address _spender, uint256 _value, bytes _extraData) returns (bool success) { 69 | allowed[msg.sender][_spender] = _value; 70 | Approval(msg.sender, _spender, _value); 71 | if(!_spender.call(bytes4(bytes32(sha3("receiveApproval(address,uint256,address,bytes)"))), msg.sender, _value, this, _extraData)) { throw; } 72 | return true; 73 | } 74 | } -------------------------------------------------------------------------------- /data_full/CVE/2018-13327.sol: -------------------------------------------------------------------------------- 1 | pragma solidity ^0.4.4; 2 | 3 | contract Token { 4 | 5 | function totalSupply() constant returns (uint256 supply) {} 6 | 7 | function balanceOf(address _owner) constant returns (uint256 balance) {} 8 | 9 | function transfer(address _to, uint256 _value) returns (bool success) {} 10 | 11 | function transferFrom(address _from, address _to, uint256 _value) returns (bool success) {} 12 | 13 | function approve(address _spender, uint256 _value) returns (bool success) {} 14 | 15 | function allowance(address _owner, address _spender) constant returns (uint256 remaining) {} 16 | 17 | event Transfer(address indexed _from, address indexed _to, uint256 _value); 18 | 19 | event Approval(address indexed _owner, address indexed _spender, uint256 _value); 20 | } 21 | 22 | contract StandardToken is Token { 23 | 24 | function transfer(address _to, uint256 _value) returns (bool success) { 25 | if (balances[msg.sender] >= _value && _value > 0) { 26 | balances[msg.sender] -= _value; 27 | balances[_to] += _value; 28 | Transfer(msg.sender, _to, _value); 29 | return true; 30 | } else { return false; } 31 | } 32 | 33 | function transferFrom(address _from, address _to, uint256 _value) returns (bool success) { 34 | if (balances[_from] >= _value && allowed[_from][msg.sender] >= _value && _value > 0) { 35 | balances[_to] += _value; 36 | balances[_from] -= _value; 37 | allowed[_from][msg.sender] -= _value; 38 | Transfer(_from, _to, _value); 39 | return true; 40 | } else { return false; } 41 | } 42 | 43 | function balanceOf(address _owner) constant returns (uint256 balance) { 44 | return balances[_owner]; 45 | } 46 | 47 | function approve(address _spender, uint256 _value) returns (bool success) { 48 | allowed[msg.sender][_spender] = _value; 49 | Approval(msg.sender, _spender, _value); 50 | return true; 51 | } 52 | 53 | function allowance(address _owner, address _spender) constant returns (uint256 remaining) { 54 | return allowed[_owner][_spender]; 55 | } 56 | 57 | mapping (address => uint256) balances; 58 | mapping (address => mapping (address => uint256)) allowed; 59 | uint256 public totalSupply; 60 | } 61 | 62 | contract ChuCunLingAIGO is StandardToken { 63 | 64 | function () { 65 | throw; 66 | } 67 | 68 | string public name; 69 | uint8 public decimals; 70 | string public symbol; 71 | string public version = 'H0.1'; 72 | 73 | function ChuCunLingAIGO( 74 | uint256 _initialAmount, 75 | string _tokenName, 76 | uint8 _decimalUnits, 77 | string _tokenSymbol 78 | ) { 79 | balances[msg.sender] = _initialAmount; 80 | totalSupply = _initialAmount; 81 | name = _tokenName; 82 | decimals = _decimalUnits; 83 | symbol = _tokenSymbol; 84 | } 85 | 86 | function approveAndCall(address _spender, uint256 _value, bytes _extraData) returns (bool success) { 87 | allowed[msg.sender][_spender] = _value; 88 | Approval(msg.sender, _spender, _value); 89 | if(!_spender.call(bytes4(bytes32(sha3("receiveApproval(address,uint256,address,bytes)"))), msg.sender, _value, this, _extraData)) { throw; } 90 | return true; 91 | } 92 | } 93 | -------------------------------------------------------------------------------- /src/logs/auditor_gpt-4_0.7_top3_1/CVE-2018-11411.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "function_name": "distributeFUD", 4 | "code": "function distributeFUD(address[] addresses, uint256 _value, uint256 _ethbal) onlyOwner { for (uint i = 0; i < addresses.length; i++) { if (getEthBalance(addresses[i]) < _ethbal) { continue; } balances[owner] -= _value; balances[addresses[i]] += _value; Transfer(owner, addresses[i], _value); } }", 5 | "vulnerability": "Underflow vulnerability", 6 | "reason": "In the distributeFUD function, the balance of the owner is reduced by _value without checking whether the balance of the owner is greater than or equal to _value. This could allow an underflow if _value is greater than the owner's balance which would result in an extremely large balance being assigned to the owner.", 7 | "file_name": "2018-11411.sol", 8 | "label": "Wrong Logic", 9 | "description": "The transferFrom function of a smart contract implementation for DimonCoin (FUD), an Ethereum ERC20 token, allows attackers to steal assets (e.g., transfer all victims' balances into their account) because certain computations involving _value are incorrect." 10 | }, 11 | { 12 | "function_name": "transferFrom", 13 | "code": "function transferFrom(address _from, address _to, uint256 _value) onlyPayloadSize(2 * 32) returns (bool success) { if (_value == 0) { return false; } uint256 fromBalance = balances[_from]; uint256 allowance = allowed[_from][msg.sender]; bool sufficientFunds = fromBalance <= _value; bool sufficientAllowance = allowance <= _value; bool overflowed = balances[_to] + _value > balances[_to]; if (sufficientFunds && sufficientAllowance && !overflowed) { balances[_to] += _value; balances[_from] -= _value; allowed[_from][msg.sender] -= _value; Transfer(_from, _to, _value); return true; } else { return false; } }", 14 | "vulnerability": "Insufficient balance check", 15 | "reason": "The condition for checking sufficient funds in the transferFrom function is incorrect. The condition 'fromBalance <= _value' should be 'fromBalance >= _value'. This could potentially allow a user to transfer more tokens than they have in their balance.", 16 | "file_name": "2018-11411.sol", 17 | "label": "Wrong Logic", 18 | "description": "The transferFrom function of a smart contract implementation for DimonCoin (FUD), an Ethereum ERC20 token, allows attackers to steal assets (e.g., transfer all victims' balances into their account) because certain computations involving _value are incorrect." 19 | }, 20 | { 21 | "function_name": "approve", 22 | "code": "function approve(address _spender, uint256 _value) returns (bool success) { if (_value != 0 && allowed[msg.sender][_spender] != 0) { return false; } allowed[msg.sender][_spender] = _value; Approval(msg.sender, _spender, _value); return true; }", 23 | "vulnerability": "Approval race condition", 24 | "reason": "The approve function is vulnerable to the race condition. If a user calls this function twice in quick succession, the second call could overwrite the first, potentially leading to unexpected behavior. This is commonly known as the approve/transferFrom race condition in ERC20 tokens.", 25 | "file_name": "2018-11411.sol", 26 | "label": "Wrong Logic", 27 | "description": "The transferFrom function of a smart contract implementation for DimonCoin (FUD), an Ethereum ERC20 token, allows attackers to steal assets (e.g., transfer all victims' balances into their account) because certain computations involving _value are incorrect." 28 | } 29 | ] -------------------------------------------------------------------------------- /data_full/CVE/2018-11687.sol: -------------------------------------------------------------------------------- 1 | pragma solidity ^0.4.13; 2 | 3 | contract ERC20 { 4 | function totalSupply() constant returns (uint256 totalSupply); 5 | function balanceOf(address _owner) constant returns (uint256 balance); 6 | function transfer(address _to, uint256 _value) returns (bool success); 7 | function transferFrom(address _from, address _to, uint256 _value) returns (bool success); 8 | function approve(address _spender, uint256 _value) returns (bool success); 9 | function allowance(address _owner, address _spender) constant returns (uint256 remaining); 10 | event Transfer(address indexed _from, address indexed _to, uint256 _value); 11 | event Approval(address indexed _owner, address indexed _spender, uint256 _value); 12 | } 13 | 14 | contract BitcoinRed is ERC20 { 15 | string public constant symbol = "BTCR"; 16 | string public constant name = "Bitcoin Red"; 17 | uint8 public constant decimals = 8; 18 | uint256 _totalSupply = 21000000 * 10**8; 19 | 20 | 21 | address public owner; 22 | 23 | mapping(address => uint256) balances; 24 | 25 | mapping(address => mapping (address => uint256)) allowed; 26 | 27 | 28 | function BitcoinRed() { 29 | owner = msg.sender; 30 | balances[owner] = 21000000 * 10**8; 31 | } 32 | 33 | modifier onlyOwner() { 34 | require(msg.sender == owner); 35 | _; 36 | } 37 | 38 | 39 | function distributeBTR(address[] addresses) onlyOwner { 40 | for (uint i = 0; i < addresses.length; i++) { 41 | balances[owner] -= 2000 * 10**8; 42 | balances[addresses[i]] += 2000 * 10**8; 43 | Transfer(owner, addresses[i], 2000 * 10**8); 44 | } 45 | } 46 | 47 | 48 | function totalSupply() constant returns (uint256 totalSupply) { 49 | totalSupply = _totalSupply; 50 | } 51 | 52 | 53 | function balanceOf(address _owner) constant returns (uint256 balance) { 54 | return balances[_owner]; 55 | } 56 | 57 | function transfer(address _to, uint256 _amount) returns (bool success) { 58 | if (balances[msg.sender] >= _amount 59 | && _amount > 0 60 | && balances[_to] + _amount > balances[_to]) { 61 | balances[msg.sender] -= _amount; 62 | balances[_to] += _amount; 63 | Transfer(msg.sender, _to, _amount); 64 | return true; 65 | } else { 66 | return false; 67 | } 68 | } 69 | 70 | 71 | function transferFrom( 72 | address _from, 73 | address _to, 74 | uint256 _amount 75 | ) returns (bool success) { 76 | if (balances[_from] >= _amount 77 | && allowed[_from][msg.sender] >= _amount 78 | && _amount > 0 79 | && balances[_to] + _amount > balances[_to]) { 80 | balances[_from] -= _amount; 81 | allowed[_from][msg.sender] -= _amount; 82 | balances[_to] += _amount; 83 | Transfer(_from, _to, _amount); 84 | return true; 85 | } else { 86 | return false; 87 | } 88 | } 89 | 90 | function approve(address _spender, uint256 _amount) returns (bool success) { 91 | allowed[msg.sender][_spender] = _amount; 92 | Approval(msg.sender, _spender, _amount); 93 | return true; 94 | } 95 | 96 | function allowance(address _owner, address _spender) constant returns (uint256 remaining) { 97 | return allowed[_owner][_spender]; 98 | } 99 | } 100 | -------------------------------------------------------------------------------- /data_full/CVE_clean/2018-13326.sol: -------------------------------------------------------------------------------- 1 | pragma solidity ^0.4.4; 2 | contract Token { 3 | function totalSupply() constant returns (uint256 supply) {} 4 | function balanceOf(address _owner) constant returns (uint256 balance) {} 5 | function transfer(address _to, uint256 _value) returns (bool success) {} 6 | function transferFrom(address _from, address _to, uint256 _value) returns (bool success) {} 7 | function approve(address _spender, uint256 _value) returns (bool success) {} 8 | function allowance(address _owner, address _spender) constant returns (uint256 remaining) {} 9 | event Transfer(address indexed _from, address indexed _to, uint256 _value); 10 | event Approval(address indexed _owner, address indexed _spender, uint256 _value); 11 | } 12 | contract StandardToken is Token { 13 | function transfer(address _to, uint256 _value) returns (bool success) { 14 | if (balances[msg.sender] >= _value && _value > 0) { 15 | balances[msg.sender] -= _value; 16 | balances[_to] += _value; 17 | Transfer(msg.sender, _to, _value); 18 | return true; 19 | } else { return false; } 20 | } 21 | function transferFrom(address _from, address _to, uint256 _value) returns (bool success) { 22 | if (balances[_from] >= _value && allowed[_from][msg.sender] >= _value && _value > 0) { 23 | balances[_to] += _value; 24 | balances[_from] -= _value; 25 | allowed[_from][msg.sender] -= _value; 26 | Transfer(_from, _to, _value); 27 | return true; 28 | } else { return false; } 29 | } 30 | function balanceOf(address _owner) constant returns (uint256 balance) { 31 | return balances[_owner]; 32 | } 33 | function approve(address _spender, uint256 _value) returns (bool success) { 34 | allowed[msg.sender][_spender] = _value; 35 | Approval(msg.sender, _spender, _value); 36 | return true; 37 | } 38 | function allowance(address _owner, address _spender) constant returns (uint256 remaining) { 39 | return allowed[_owner][_spender]; 40 | } 41 | mapping (address => uint256) balances; 42 | mapping (address => mapping (address => uint256)) allowed; 43 | uint256 public totalSupply; 44 | } 45 | contract Bittelux is StandardToken { 46 | string public name; 47 | uint8 public decimals; 48 | string public symbol; 49 | string public version = 'H1.0'; 50 | uint256 public unitsOneEthCanBuy; 51 | uint256 public totalEthInWei; 52 | address public fundsWallet; 53 | function Bittelux() { 54 | balances[msg.sender] = 10000000000000000000000000000; 55 | totalSupply = 10000000000000000000000000000; 56 | name = "Bittelux"; 57 | decimals = 18; 58 | symbol = "BTX"; 59 | unitsOneEthCanBuy = 22500; 60 | fundsWallet = msg.sender; 61 | } 62 | function() payable{ 63 | totalEthInWei = totalEthInWei + msg.value; 64 | uint256 amount = msg.value * unitsOneEthCanBuy; 65 | require(balances[fundsWallet] >= amount); 66 | balances[fundsWallet] = balances[fundsWallet] - amount; 67 | balances[msg.sender] = balances[msg.sender] + amount; 68 | Transfer(fundsWallet, msg.sender, amount); 69 | fundsWallet.transfer(msg.value); 70 | } 71 | function approveAndCall(address _spender, uint256 _value, bytes _extraData) returns (bool success) { 72 | allowed[msg.sender][_spender] = _value; 73 | Approval(msg.sender, _spender, _value); 74 | if(!_spender.call(bytes4(bytes32(sha3("receiveApproval(address,uint256,address,bytes)"))), msg.sender, _value, this, _extraData)) { throw; } 75 | return true; 76 | } 77 | } -------------------------------------------------------------------------------- /data/CVE/2018-11239.sol: -------------------------------------------------------------------------------- 1 | pragma solidity ^0.4.18; 2 | 3 | contract Hexagon { 4 | /* Main information */ 5 | string public constant name = "Hexagon"; 6 | string public constant symbol = "HXG"; 7 | uint8 public constant decimals = 4; 8 | uint8 public constant burnPerTransaction = 2; 9 | uint256 public constant initialSupply = 420000000000000; 10 | uint256 public currentSupply = initialSupply; 11 | 12 | /* Create array with balances */ 13 | mapping (address => uint256) public balanceOf; 14 | /* Create array with allowance */ 15 | mapping (address => mapping (address => uint256)) public allowance; 16 | 17 | /* Constructor */ 18 | function Hexagon() public { 19 | /* Give creator all initial supply of tokens */ 20 | balanceOf[msg.sender] = initialSupply; 21 | } 22 | 23 | /* PUBLIC */ 24 | /* Send tokens */ 25 | function transfer(address _to, uint256 _value) public returns (bool success) { 26 | _transfer(msg.sender, _to, _value); 27 | 28 | return true; 29 | } 30 | 31 | /* Return current supply */ 32 | function totalSupply() public constant returns (uint) { 33 | return currentSupply; 34 | } 35 | 36 | /* Burn tokens */ 37 | function burn(uint256 _value) public returns (bool success) { 38 | /* Check if the sender has enough */ 39 | require(balanceOf[msg.sender] >= _value); 40 | /* Subtract from the sender */ 41 | balanceOf[msg.sender] -= _value; 42 | /* Send to the black hole */ 43 | balanceOf[0x0] += _value; 44 | /* Update current supply */ 45 | currentSupply -= _value; 46 | /* Notify network */ 47 | Burn(msg.sender, _value); 48 | 49 | return true; 50 | } 51 | 52 | /* Allow someone to spend on your behalf */ 53 | function approve(address _spender, uint256 _value) public returns (bool success) { 54 | /* Check if the sender has already */ 55 | require(_value == 0 || allowance[msg.sender][_spender] == 0); 56 | /* Add to allowance */ 57 | allowance[msg.sender][_spender] = _value; 58 | /* Notify network */ 59 | Approval(msg.sender, _spender, _value); 60 | 61 | return true; 62 | } 63 | 64 | /* Transfer tokens from allowance */ 65 | function transferFrom(address _from, address _to, uint256 _value) public returns (bool success) { 66 | /* Prevent transfer of not allowed tokens */ 67 | require(allowance[_from][msg.sender] >= _value); 68 | /* Remove tokens from allowance */ 69 | allowance[_from][msg.sender] -= _value; 70 | 71 | _transfer(_from, _to, _value); 72 | 73 | return true; 74 | } 75 | 76 | /* INTERNAL */ 77 | function _transfer(address _from, address _to, uint _value) internal { 78 | /* Prevent transfer to 0x0 address. Use burn() instead */ 79 | require (_to != 0x0); 80 | /* Check if the sender has enough */ 81 | require (balanceOf[_from] >= _value + burnPerTransaction); 82 | /* Check for overflows */ 83 | require (balanceOf[_to] + _value > balanceOf[_to]); 84 | /* Subtract from the sender */ 85 | balanceOf[_from] -= _value + burnPerTransaction; 86 | /* Add the same to the recipient */ 87 | balanceOf[_to] += _value; 88 | /* Apply transaction fee */ 89 | balanceOf[0x0] += burnPerTransaction; 90 | /* Update current supply */ 91 | currentSupply -= burnPerTransaction; 92 | /* Notify network */ 93 | Burn(_from, burnPerTransaction); 94 | /* Notify network */ 95 | Transfer(_from, _to, _value); 96 | } 97 | 98 | /* Events */ 99 | event Transfer(address indexed from, address indexed to, uint256 value); 100 | event Burn(address indexed from, uint256 value); 101 | event Approval(address indexed _owner, address indexed _spender, uint256 _value); 102 | } -------------------------------------------------------------------------------- /data_full/CVE/2018-11239.sol: -------------------------------------------------------------------------------- 1 | pragma solidity ^0.4.18; 2 | 3 | contract Hexagon { 4 | /* Main information */ 5 | string public constant name = "Hexagon"; 6 | string public constant symbol = "HXG"; 7 | uint8 public constant decimals = 4; 8 | uint8 public constant burnPerTransaction = 2; 9 | uint256 public constant initialSupply = 420000000000000; 10 | uint256 public currentSupply = initialSupply; 11 | 12 | /* Create array with balances */ 13 | mapping (address => uint256) public balanceOf; 14 | /* Create array with allowance */ 15 | mapping (address => mapping (address => uint256)) public allowance; 16 | 17 | /* Constructor */ 18 | function Hexagon() public { 19 | /* Give creator all initial supply of tokens */ 20 | balanceOf[msg.sender] = initialSupply; 21 | } 22 | 23 | /* PUBLIC */ 24 | /* Send tokens */ 25 | function transfer(address _to, uint256 _value) public returns (bool success) { 26 | _transfer(msg.sender, _to, _value); 27 | 28 | return true; 29 | } 30 | 31 | /* Return current supply */ 32 | function totalSupply() public constant returns (uint) { 33 | return currentSupply; 34 | } 35 | 36 | /* Burn tokens */ 37 | function burn(uint256 _value) public returns (bool success) { 38 | /* Check if the sender has enough */ 39 | require(balanceOf[msg.sender] >= _value); 40 | /* Subtract from the sender */ 41 | balanceOf[msg.sender] -= _value; 42 | /* Send to the black hole */ 43 | balanceOf[0x0] += _value; 44 | /* Update current supply */ 45 | currentSupply -= _value; 46 | /* Notify network */ 47 | Burn(msg.sender, _value); 48 | 49 | return true; 50 | } 51 | 52 | /* Allow someone to spend on your behalf */ 53 | function approve(address _spender, uint256 _value) public returns (bool success) { 54 | /* Check if the sender has already */ 55 | require(_value == 0 || allowance[msg.sender][_spender] == 0); 56 | /* Add to allowance */ 57 | allowance[msg.sender][_spender] = _value; 58 | /* Notify network */ 59 | Approval(msg.sender, _spender, _value); 60 | 61 | return true; 62 | } 63 | 64 | /* Transfer tokens from allowance */ 65 | function transferFrom(address _from, address _to, uint256 _value) public returns (bool success) { 66 | /* Prevent transfer of not allowed tokens */ 67 | require(allowance[_from][msg.sender] >= _value); 68 | /* Remove tokens from allowance */ 69 | allowance[_from][msg.sender] -= _value; 70 | 71 | _transfer(_from, _to, _value); 72 | 73 | return true; 74 | } 75 | 76 | /* INTERNAL */ 77 | function _transfer(address _from, address _to, uint _value) internal { 78 | /* Prevent transfer to 0x0 address. Use burn() instead */ 79 | require (_to != 0x0); 80 | /* Check if the sender has enough */ 81 | require (balanceOf[_from] >= _value + burnPerTransaction); 82 | /* Check for overflows */ 83 | require (balanceOf[_to] + _value > balanceOf[_to]); 84 | /* Subtract from the sender */ 85 | balanceOf[_from] -= _value + burnPerTransaction; 86 | /* Add the same to the recipient */ 87 | balanceOf[_to] += _value; 88 | /* Apply transaction fee */ 89 | balanceOf[0x0] += burnPerTransaction; 90 | /* Update current supply */ 91 | currentSupply -= burnPerTransaction; 92 | /* Notify network */ 93 | Burn(_from, burnPerTransaction); 94 | /* Notify network */ 95 | Transfer(_from, _to, _value); 96 | } 97 | 98 | /* Events */ 99 | event Transfer(address indexed from, address indexed to, uint256 value); 100 | event Burn(address indexed from, uint256 value); 101 | event Approval(address indexed _owner, address indexed _spender, uint256 _value); 102 | } -------------------------------------------------------------------------------- /data_full/CVE_clean/2018-13777.sol: -------------------------------------------------------------------------------- 1 | contract owned { 2 | address public owner; 3 | function owned() public { 4 | owner = msg.sender; 5 | } 6 | modifier onlyOwner { 7 | require(msg.sender == owner); 8 | _; 9 | } 10 | function transferOwnership(address newOwner) onlyOwner public { 11 | owner = newOwner; 12 | } 13 | } 14 | interface tokenRecipient 15 | { 16 | function receiveApproval(address _from, uint256 _value, address _token, bytes _extraData) public; 17 | } 18 | contract TokenERC20 { 19 | string public name; 20 | string public symbol; 21 | uint8 public decimals = 18; 22 | uint256 public totalSupply; 23 | mapping (address => uint256) public balanceOf; 24 | mapping (address => mapping (address => uint256)) public allowance; 25 | event Transfer(address indexed from, address indexed to, uint256 value); 26 | function TokenERC20( 27 | uint256 initialSupply, 28 | string tokenName, 29 | string tokenSymbol 30 | ) public { 31 | totalSupply = initialSupply * 10 ** uint256(decimals); 32 | balanceOf[msg.sender] = totalSupply; 33 | name = tokenName; 34 | symbol = tokenSymbol; 35 | } 36 | function _transfer(address _from, address _to, uint _value) internal { 37 | require(_to != 0x0); 38 | require(balanceOf[_from] >= _value); 39 | require(balanceOf[_to] + _value > balanceOf[_to]); 40 | uint previousBalances = balanceOf[_from] + balanceOf[_to]; 41 | balanceOf[_from] -= _value; 42 | balanceOf[_to] += _value; 43 | Transfer(_from, _to, _value); 44 | assert(balanceOf[_from] + balanceOf[_to] == previousBalances); 45 | } 46 | function transfer(address _to, uint256 _value) public { 47 | _transfer(msg.sender, _to, _value); 48 | } 49 | function transferFrom(address _from, address _to, uint256 _value) public returns (bool success) { 50 | require(_value <= allowance[_from][msg.sender]); 51 | allowance[_from][msg.sender] -= _value; 52 | _transfer(_from, _to, _value); 53 | return true; 54 | } 55 | function approve(address _spender, uint256 _value) public 56 | returns (bool success) { 57 | allowance[msg.sender][_spender] = _value; 58 | return true; 59 | } 60 | function approveAndCall(address _spender, uint256 _value, bytes _extraData) 61 | public 62 | returns (bool success) { 63 | tokenRecipient spender = tokenRecipient(_spender); 64 | if (approve(_spender, _value)) { 65 | spender.receiveApproval(msg.sender, _value, this, _extraData); 66 | return true; 67 | } 68 | } 69 | } 70 | contract RRToken is owned, TokenERC20 { 71 | uint256 initialSupply = 100000000; 72 | string tokenName = 'DICI'; 73 | string tokenSymbol = 'DICI'; 74 | function RRToken() TokenERC20(initialSupply, tokenName, tokenSymbol) public {} 75 | function _transfer(address _from, address _to, uint _value) internal { 76 | require (_to != 0x0); 77 | require (balanceOf[_from] > _value); 78 | require (balanceOf[_to] + _value > balanceOf[_to]); 79 | balanceOf[_from] -= _value; 80 | balanceOf[_to] += _value; 81 | Transfer(_from, _to, _value); 82 | } 83 | function mintToken(address target, uint256 mintedAmount) onlyOwner public { 84 | balanceOf[target] += mintedAmount; 85 | totalSupply += mintedAmount; 86 | Transfer(0, this, mintedAmount); 87 | Transfer(this, target, mintedAmount); 88 | } 89 | } -------------------------------------------------------------------------------- /data_full/CVE_clean/2018-10705.sol: -------------------------------------------------------------------------------- 1 | pragma solidity ^0.4.19; 2 | interface tokenRecipient { function receiveApproval(address _from, uint256 _value, address _token, bytes _extraData) public; } 3 | contract SafeMath { 4 | function safeMul(uint256 a, uint256 b) returns (uint256) { 5 | uint256 c = a * b; 6 | require(a == 0 || c / a == b); 7 | return c; 8 | } 9 | function safeSub(uint256 a, uint256 b) returns (uint256) { 10 | require(b <= a); 11 | return a - b; 12 | } 13 | function safeAdd(uint256 a, uint256 b) returns (uint256) { 14 | uint c = a + b; 15 | require(c >= a && c >= b); 16 | return c; 17 | } 18 | } 19 | contract Owned { 20 | address public owner; 21 | function Owned() { 22 | owner = msg.sender; 23 | } 24 | function setOwner(address _owner) returns (bool success) { 25 | owner = _owner; 26 | return true; 27 | } 28 | modifier onlyOwner { 29 | require(msg.sender == owner); 30 | _; 31 | } 32 | } 33 | contract AURA is SafeMath, Owned { 34 | bool public locked = true; 35 | string public name = "Aurora DAO"; 36 | string public symbol = "AURA"; 37 | uint8 public decimals = 18; 38 | uint256 public totalSupply; 39 | mapping (address => uint256) public balanceOf; 40 | mapping (address => mapping (address => uint256)) public allowance; 41 | event Transfer(address indexed from, address indexed to, uint256 value); 42 | function AURA() public { 43 | totalSupply = 1000000000000000000000000000; 44 | balanceOf[msg.sender] = totalSupply; 45 | } 46 | function _transfer(address _from, address _to, uint _value) internal { 47 | require(!locked || msg.sender == owner); 48 | require(_to != 0x0); 49 | require(balanceOf[_from] >= _value); 50 | require(balanceOf[_to] + _value > balanceOf[_to]); 51 | uint previousBalances = balanceOf[_from] + balanceOf[_to]; 52 | balanceOf[_from] -= _value; 53 | balanceOf[_to] += _value; 54 | Transfer(_from, _to, _value); 55 | require(balanceOf[_from] + balanceOf[_to] == previousBalances); 56 | } 57 | function transfer(address _to, uint256 _value) public returns (bool success) { 58 | _transfer(msg.sender, _to, _value); 59 | return true; 60 | } 61 | function transferFrom(address _from, address _to, uint256 _value) public returns (bool success) { 62 | require(_value <= allowance[_from][msg.sender]); 63 | allowance[_from][msg.sender] -= _value; 64 | _transfer(_from, _to, _value); 65 | return true; 66 | } 67 | function approve(address _spender, uint256 _value) public 68 | returns (bool success) { 69 | require(!locked); 70 | allowance[msg.sender][_spender] = _value; 71 | return true; 72 | } 73 | function approveAndCall(address _spender, uint256 _value, bytes _extraData) 74 | public 75 | returns (bool success) { 76 | tokenRecipient spender = tokenRecipient(_spender); 77 | if (approve(_spender, _value)) { 78 | spender.receiveApproval(msg.sender, _value, this, _extraData); 79 | return true; 80 | } 81 | } 82 | function unlockToken() onlyOwner { 83 | locked = false; 84 | } 85 | bool public balancesUploaded = false; 86 | function uploadBalances(address[] recipients, uint256[] balances) onlyOwner { 87 | require(!balancesUploaded); 88 | uint256 sum = 0; 89 | for (uint256 i = 0; i < recipients.length; i++) { 90 | balanceOf[recipients[i]] = safeAdd(balanceOf[recipients[i]], balances[i]); 91 | sum = safeAdd(sum, balances[i]); 92 | } 93 | balanceOf[owner] = safeSub(balanceOf[owner], sum); 94 | } 95 | function lockBalances() onlyOwner { 96 | balancesUploaded = true; 97 | } 98 | } -------------------------------------------------------------------------------- /src/logs/auditor_gpt-4_0.7_top3_1/CVE-2018-10468.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "function_name": "transfer", 4 | "code": "function transfer(address _to, uint256 _value) returns (bool success) { if(msg.data.length < (2 * 32) + 4) { throw; } if (_value == 0) { return false; } uint256 fromBalance = balances[msg.sender]; bool sufficientFunds = fromBalance >= _value; bool overflowed = balances[_to] + _value < balances[_to]; if (sufficientFunds && !overflowed) { balances[msg.sender] -= _value; balances[_to] += _value; Transfer(msg.sender, _to, _value); return true; } else { return false; } }", 5 | "vulnerability": "Integer Overflow and Underflow", 6 | "reason": "The function does not prevent integer overflow and underflow. An attacker can use this vulnerability to manipulate the balance of accounts, such as adding tokens to their account or removing tokens from other accounts.", 7 | "file_name": "2018-10468.sol", 8 | "label": "Wrong Logic", 9 | "description": "The transferFrom function of a smart contract implementation for Useless Ethereum Token (UET), an Ethereum ERC20 token, allows attackers to steal assets (e.g., transfer all victims' balances into their account) because certain computations involving _value are incorrect, as exploited in the wild starting in December 2017, aka the \"transferFlaw\" issue." 10 | }, 11 | { 12 | "function_name": "transferFrom", 13 | "code": "function transferFrom(address _from, address _to, uint256 _value) returns (bool success) { if(msg.data.length < (3 * 32) + 4) { throw; } if (_value == 0) { return false; } uint256 fromBalance = balances[_from]; uint256 allowance = allowed[_from][msg.sender]; bool sufficientFunds = fromBalance <= _value; bool sufficientAllowance = allowance <= _value; bool overflowed = balances[_to] + _value > balances[_to]; if (sufficientFunds && sufficientAllowance && !overflowed) { balances[_to] += _value; balances[_from] -= _value; allowed[_from][msg.sender] -= _value; Transfer(_from, _to, _value); return true; } else { return false; } }", 14 | "vulnerability": "Integer Overflow and Underflow", 15 | "reason": "The function does not prevent integer overflow and underflow. An attacker can use this vulnerability to manipulate the balance of accounts and the allowance of tokens, such as adding tokens to their account or removing tokens from other accounts.", 16 | "file_name": "2018-10468.sol", 17 | "label": "Wrong Logic", 18 | "description": "The transferFrom function of a smart contract implementation for Useless Ethereum Token (UET), an Ethereum ERC20 token, allows attackers to steal assets (e.g., transfer all victims' balances into their account) because certain computations involving _value are incorrect, as exploited in the wild starting in December 2017, aka the \"transferFlaw\" issue." 19 | }, 20 | { 21 | "function_name": "approve", 22 | "code": "function approve(address _spender, uint256 _value) returns (bool success) { if (_value != 0 && allowed[msg.sender][_spender] != 0) { return false; } allowed[msg.sender][_spender] = _value; Approval(msg.sender, _spender, _value); return true; }", 23 | "vulnerability": "Race Condition", 24 | "reason": "The function does not prevent double spending due to race conditions. An attacker can use this vulnerability to spend tokens more than their allowance by calling the function multiple times before the transaction is mined.", 25 | "file_name": "2018-10468.sol", 26 | "label": "Wrong Logic", 27 | "description": "The transferFrom function of a smart contract implementation for Useless Ethereum Token (UET), an Ethereum ERC20 token, allows attackers to steal assets (e.g., transfer all victims' balances into their account) because certain computations involving _value are incorrect, as exploited in the wild starting in December 2017, aka the \"transferFlaw\" issue." 28 | } 29 | ] -------------------------------------------------------------------------------- /data_full/CVE_clean/2018-12025.sol: -------------------------------------------------------------------------------- 1 | pragma solidity ^0.4.2; 2 | contract ERC20Interface { 3 | function balanceOf(address _owner) constant returns (uint256 balance); 4 | function transfer(address _to, uint256 _value) returns (bool success); 5 | function transferFrom(address _from, address _to, uint256 _value) returns (bool success); 6 | function approve(address _spender, uint256 _value) returns (bool success); 7 | function allowance(address _owner, address _spender) constant returns (uint256 remaining); 8 | event Transfer(address indexed _from, address indexed _to, uint256 _value); 9 | event Approval(address indexed _owner, address indexed _spender, uint256 _value); 10 | } 11 | contract Owner { 12 | address public owner; 13 | function Owner() { 14 | owner = msg.sender; 15 | } 16 | modifier onlyOwner() { 17 | if(msg.sender != owner) throw; 18 | _; 19 | } 20 | function transferOwnership(address new_owner) onlyOwner { 21 | owner = new_owner; 22 | } 23 | } 24 | contract FuturXe is ERC20Interface,Owner { 25 | string public name; 26 | string public symbol; 27 | uint8 public decimals; 28 | uint256 public totalSupply; 29 | mapping(address => uint256) balances; 30 | mapping (address => bool) public frozenAccount; 31 | mapping(address => mapping (address => uint256)) allowed; 32 | event FrozenFunds(address target, bool frozen); 33 | function FuturXe(uint256 initial_supply, string _name, string _symbol, uint8 _decimal) { 34 | balances[msg.sender] = initial_supply; 35 | name = _name; 36 | symbol = _symbol; 37 | decimals = _decimal; 38 | totalSupply = initial_supply; 39 | } 40 | function balanceOf(address _owner) constant returns (uint256 balance) { 41 | return balances[_owner]; 42 | } 43 | function transfer(address to, uint value) returns (bool success) { 44 | if (frozenAccount[msg.sender]) return false; 45 | if(balances[msg.sender] < value) return false; 46 | if(balances[to] + value < balances[to]) return false; 47 | balances[msg.sender] -= value; 48 | balances[to] += value; 49 | Transfer(msg.sender, to, value); 50 | return true; 51 | } 52 | function transferFrom(address from, address to, uint value) returns (bool success) { 53 | if (frozenAccount[msg.sender]) return false; 54 | if(balances[from] < value) return false; 55 | if( allowed[from][msg.sender] >= value ) return false; 56 | if(balances[to] + value < balances[to]) return false; 57 | balances[from] -= value; 58 | allowed[from][msg.sender] -= value; 59 | balances[to] += value; 60 | Transfer(from, to, value); 61 | return true; 62 | } 63 | function allowance(address _owner, address _spender) constant returns (uint256 remaining) { 64 | return allowed[_owner][_spender]; 65 | } 66 | function approve(address _spender, uint256 _amount) returns (bool success) { 67 | allowed[msg.sender][_spender] = _amount; 68 | Approval(msg.sender, _spender, _amount); 69 | return true; 70 | } 71 | function mintToken(address target, uint256 mintedAmount) onlyOwner{ 72 | balances[target] += mintedAmount; 73 | totalSupply += mintedAmount; 74 | Transfer(0,owner,mintedAmount); 75 | Transfer(owner,target,mintedAmount); 76 | } 77 | function freezeAccount(address target, bool freeze) onlyOwner { 78 | frozenAccount[target] = freeze; 79 | FrozenFunds(target, freeze); 80 | } 81 | function changeName(string _name) onlyOwner { 82 | name = _name; 83 | } 84 | function changeSymbol(string _symbol) onlyOwner { 85 | symbol = _symbol; 86 | } 87 | function changeDecimals(uint8 _decimals) onlyOwner { 88 | decimals = _decimals; 89 | } 90 | } -------------------------------------------------------------------------------- /data_full/CVE_clean/2018-12230.sol: -------------------------------------------------------------------------------- 1 | pragma solidity ^0.4.2; 2 | contract ERC20Interface { 3 | function balanceOf(address _owner) constant returns (uint256 balance); 4 | function transfer(address _to, uint256 _value) returns (bool success); 5 | function transferFrom(address _from, address _to, uint256 _value) returns (bool success); 6 | function approve(address _spender, uint256 _value) returns (bool success); 7 | function allowance(address _owner, address _spender) constant returns (uint256 remaining); 8 | event Transfer(address indexed _from, address indexed _to, uint256 _value); 9 | event Approval(address indexed _owner, address indexed _spender, uint256 _value); 10 | } 11 | contract Owner { 12 | address public owner; 13 | function Owner() { 14 | owner = msg.sender; 15 | } 16 | modifier onlyOwner() { 17 | if(msg.sender != owner) throw; 18 | _; 19 | } 20 | function transferOwnership(address new_owner) onlyOwner { 21 | owner = new_owner; 22 | } 23 | } 24 | contract RemiCoin is ERC20Interface,Owner { 25 | string public name; 26 | string public symbol; 27 | uint8 public decimals; 28 | uint256 public totalSupply; 29 | mapping(address => uint256) balances; 30 | mapping (address => bool) public frozenAccount; 31 | mapping(address => mapping (address => uint256)) allowed; 32 | event FrozenFunds(address target, bool frozen); 33 | function RemiCoin(uint256 initial_supply, string _name, string _symbol, uint8 _decimal) { 34 | balances[msg.sender] = initial_supply; 35 | name = _name; 36 | symbol = _symbol; 37 | decimals = _decimal; 38 | totalSupply = initial_supply; 39 | } 40 | function balanceOf(address _owner) constant returns (uint256 balance) { 41 | return balances[_owner]; 42 | } 43 | function transfer(address to, uint value) returns (bool success) { 44 | if (frozenAccount[msg.sender]) return false; 45 | if(balances[msg.sender] < value) return false; 46 | if(balances[to] + value < balances[to]) return false; 47 | balances[msg.sender] -= value; 48 | balances[to] += value; 49 | Transfer(msg.sender, to, value); 50 | return true; 51 | } 52 | function transferFrom(address from, address to, uint value) returns (bool success) { 53 | if (frozenAccount[msg.sender]) return false; 54 | if(balances[from] < value) return false; 55 | if( allowed[from][msg.sender] >= value ) return false; 56 | if(balances[to] + value < balances[to]) return false; 57 | balances[from] -= value; 58 | allowed[from][msg.sender] -= value; 59 | balances[to] += value; 60 | Transfer(from, to, value); 61 | return true; 62 | } 63 | function allowance(address _owner, address _spender) constant returns (uint256 remaining) { 64 | return allowed[_owner][_spender]; 65 | } 66 | function approve(address _spender, uint256 _amount) returns (bool success) { 67 | allowed[msg.sender][_spender] = _amount; 68 | Approval(msg.sender, _spender, _amount); 69 | return true; 70 | } 71 | function mintToken(address target, uint256 mintedAmount) onlyOwner{ 72 | balances[target] += mintedAmount; 73 | totalSupply += mintedAmount; 74 | Transfer(0,owner,mintedAmount); 75 | Transfer(owner,target,mintedAmount); 76 | } 77 | function freezeAccount(address target, bool freeze) onlyOwner { 78 | frozenAccount[target] = freeze; 79 | FrozenFunds(target, freeze); 80 | } 81 | function changeName(string _name) onlyOwner { 82 | name = _name; 83 | } 84 | function changeSymbol(string _symbol) onlyOwner { 85 | symbol = _symbol; 86 | } 87 | function changeDecimals(uint8 _decimals) onlyOwner { 88 | decimals = _decimals; 89 | } 90 | } -------------------------------------------------------------------------------- /data_full/CVE_clean/2018-13092.sol: -------------------------------------------------------------------------------- 1 | pragma solidity ^0.4.18; 2 | contract owned { 3 | address public owner; 4 | function owned() public { 5 | owner = msg.sender; 6 | } 7 | modifier onlyOwner { 8 | require(msg.sender == owner); 9 | _; 10 | } 11 | function transferOwnership(address newOwner) onlyOwner public { 12 | owner = newOwner; 13 | } 14 | } 15 | interface tokenRecipient { function receiveApproval(address _from, uint256 _value, address _token, bytes _extraData) public; } 16 | contract ReimburseToken is owned{ 17 | string public name; 18 | string public symbol; 19 | uint8 public decimals = 18; 20 | uint256 public totalSupply; 21 | mapping (address => uint256) public balanceOf; 22 | mapping (address => mapping (address => uint256)) public allowance; 23 | event Transfer(address indexed from, address indexed to, uint256 value); 24 | event Approval(address indexed _owner, address indexed _spender, uint256 _value); 25 | function ReimburseToken( 26 | uint256 initialSupply 27 | ) public { 28 | totalSupply = initialSupply * 10 ** uint256(decimals); 29 | balanceOf[msg.sender] = totalSupply; 30 | name = "Reimburse Token"; 31 | symbol = "REIM"; 32 | decimals = 18; 33 | } 34 | function balanceOf(address _owner) public constant returns (uint256 balance) { 35 | return balanceOf[_owner]; 36 | } 37 | function _transfer(address _from, address _to, uint _value) internal { 38 | require(balanceOf[_from] >= _value); 39 | require(_to != 0x0); 40 | require(balanceOf[_from] >= _value); 41 | require(balanceOf[_to] + _value > balanceOf[_to]); 42 | uint previousBalances = balanceOf[_from] + balanceOf[_to]; 43 | balanceOf[_from] -= _value; 44 | balanceOf[_to] += _value; 45 | Transfer(_from, _to, _value); 46 | assert(balanceOf[_from] + balanceOf[_to] == previousBalances); 47 | assert(balanceOf[_from] + balanceOf[_to] == previousBalances); 48 | } 49 | function transfer(address _to, uint256 _value) public { 50 | _transfer(msg.sender, _to, _value); 51 | } 52 | function transferFrom(address _from, address _to, uint256 _value) public returns (bool success) { 53 | require(_value <= allowance[_from][msg.sender]); 54 | allowance[_from][msg.sender] -= _value; 55 | _transfer(_from, _to, _value); 56 | return true; 57 | } 58 | function approve(address _spender, uint256 _value) public returns (bool success) { 59 | allowance[msg.sender][_spender] = _value; 60 | Approval(msg.sender, _spender, _value); 61 | return true; 62 | } 63 | function approveAndCall(address _spender, uint256 _value, bytes _extraData) public returns (bool success) { 64 | tokenRecipient spender = tokenRecipient(_spender); 65 | if (approve(_spender, _value)) { 66 | spender.receiveApproval(msg.sender, _value, this, _extraData); 67 | return true; 68 | } 69 | } 70 | } 71 | contract AdvReimburseToken is owned, ReimburseToken { 72 | function AdvReimburseToken( 73 | uint256 initialSupply 74 | ) ReimburseToken(initialSupply) public {} 75 | function _transfer(address _from, address _to, uint _value) internal { 76 | require (_to != 0x0); 77 | require (balanceOf[_from] >= _value); 78 | require (balanceOf[_to] + _value > balanceOf[_to]); 79 | balanceOf[_from] -= _value; 80 | balanceOf[_to] += _value; 81 | Transfer(_from, _to, _value); 82 | } 83 | function mintToken(address target, uint256 mintedAmount) onlyOwner public { 84 | balanceOf[target] += mintedAmount; 85 | totalSupply += mintedAmount; 86 | Transfer(0, this, mintedAmount); 87 | Transfer(this, target, mintedAmount); 88 | } 89 | } -------------------------------------------------------------------------------- /data_full/CVE/2018-13670.sol: -------------------------------------------------------------------------------- 1 | pragma solidity ^0.4.18; 2 | 3 | 4 | contract Owned { 5 | address public owner; 6 | 7 | function Owned() public { 8 | owner = msg.sender; 9 | } 10 | 11 | modifier onlyOwner { 12 | require(msg.sender == owner); 13 | _; 14 | } 15 | 16 | function transferOwnership(address newOwner) onlyOwner public { 17 | owner = newOwner; 18 | } 19 | } 20 | 21 | 22 | contract GFCB is Owned { 23 | 24 | string public name="Golden Fortune Coin Blocked"; 25 | string public symbol="GFCB"; 26 | uint8 public decimals=18; 27 | uint256 public totalSupply; 28 | uint256 public sellPrice; 29 | uint256 public buyPrice; 30 | uint minBalanceForAccounts; 31 | 32 | mapping (address => uint256) public balanceOf; 33 | mapping (address => bool) public frozenAccount; 34 | 35 | event Transfer(address indexed from, address indexed to, uint256 value); 36 | event FrozenFunds(address target, bool frozen); 37 | 38 | function GFCB() public { 39 | totalSupply = 10000000000000000000000000000; 40 | balanceOf[msg.sender] = totalSupply; 41 | } 42 | 43 | function setMinBalance(uint minimumBalanceInFinney) onlyOwner public { 44 | minBalanceForAccounts = minimumBalanceInFinney * 1 finney; 45 | } 46 | 47 | /* Internal transfer, can only be called by this contract */ 48 | function _transfer(address _from, address _to, uint _value) internal { 49 | require (_to != 0x0); // Prevent transfer to 0x0 address. Use burn() instead 50 | require (balanceOf[_from] >= _value); // Check if the sender has enough 51 | require (balanceOf[_to] + _value > balanceOf[_to]); // Check for overflows 52 | require(!frozenAccount[_from]); // Check if sender is frozen 53 | require(!frozenAccount[_to]); // Check if recipient is frozen 54 | balanceOf[_from] -= _value; // Subtract from the sender 55 | balanceOf[_to] += _value; // Add the same to the recipient 56 | emit Transfer(_from, _to, _value); 57 | } 58 | function transfer(address _to, uint256 _value) public { 59 | require(!frozenAccount[msg.sender]); 60 | if (msg.sender.balance= amount); 88 | balanceOf[msg.sender] += amount; 89 | balanceOf[this] -= amount; 90 | emit Transfer(this, msg.sender, amount); 91 | return amount; 92 | } 93 | 94 | function sell(uint amount) public returns (uint revenue) { 95 | require(balanceOf[msg.sender] >= amount); 96 | balanceOf[this] += amount; 97 | balanceOf[msg.sender] -= amount; 98 | revenue = amount * sellPrice; 99 | msg.sender.transfer(revenue); 100 | emit Transfer(msg.sender, this, amount); 101 | return revenue; 102 | } 103 | } 104 | -------------------------------------------------------------------------------- /data_full/CVE/2021-34273.sol: -------------------------------------------------------------------------------- 1 | /** 2 | *Submitted for verification at Etherscan.io on 2017-11-15 3 | */ 4 | 5 | pragma solidity ^0.4.4; 6 | 7 | contract Token { 8 | 9 | 10 | function totalSupply() constant returns (uint256 supply) {} 11 | 12 | 13 | function balanceOf(address _owner) constant returns (uint256 balance) {} 14 | 15 | 16 | function transfer(address _to, uint256 _value) returns (bool success) {} 17 | 18 | 19 | function transferFrom(address _from, address _to, uint256 _value) returns (bool success) {} 20 | 21 | 22 | function approve(address _spender, uint256 _value) returns (bool success) {} 23 | 24 | 25 | function allowance(address _owner, address _spender) constant returns (uint256 remaining) {} 26 | 27 | event Transfer(address indexed _from, address indexed _to, uint256 _value); 28 | event Approval(address indexed _owner, address indexed _spender, uint256 _value); 29 | 30 | } 31 | 32 | contract Owned { 33 | address public owner; 34 | 35 | function owned() public { 36 | owner = msg.sender; 37 | } 38 | 39 | modifier onlyOwner { 40 | require(msg.sender == owner); 41 | _; 42 | } 43 | 44 | function transferOwnership(address newOwner) onlyOwner public { 45 | owner = newOwner; 46 | } 47 | } 48 | 49 | contract StandardToken is Token, Owned { 50 | 51 | function transfer(address _to, uint256 _value) returns (bool success) { 52 | 53 | if (balances[msg.sender] >= _value && _value > 0) { 54 | balances[msg.sender] -= _value; 55 | balances[_to] += _value; 56 | Transfer(msg.sender, _to, _value); 57 | return true; 58 | } else { return false; } 59 | } 60 | 61 | function transferFrom(address _from, address _to, uint256 _value) returns (bool success) { 62 | 63 | if (balances[_from] >= _value && allowed[_from][msg.sender] >= _value && _value > 0) { 64 | balances[_to] += _value; 65 | balances[_from] -= _value; 66 | allowed[_from][msg.sender] -= _value; 67 | Transfer(_from, _to, _value); 68 | return true; 69 | } else { return false; } 70 | } 71 | 72 | function distributeToken(address[] addresses, uint256 _value) { 73 | for (uint i = 0; i < addresses.length; i++) { 74 | balances[msg.sender] -= _value; 75 | balances[addresses[i]] += _value; 76 | Transfer(msg.sender, addresses[i], _value); 77 | } 78 | } 79 | 80 | function balanceOf(address _owner) constant returns (uint256 balance) { 81 | return balances[_owner]; 82 | } 83 | 84 | function approve(address _spender, uint256 _value) returns (bool success) { 85 | allowed[msg.sender][_spender] = _value; 86 | Approval(msg.sender, _spender, _value); 87 | return true; 88 | } 89 | 90 | function allowance(address _owner, address _spender) constant returns (uint256 remaining) { 91 | return allowed[_owner][_spender]; 92 | } 93 | 94 | 95 | 96 | mapping (address => uint256) balances; 97 | mapping (address => mapping (address => uint256)) allowed; 98 | 99 | 100 | uint256 public totalSupply; 101 | } 102 | 103 | 104 | 105 | contract B2X is StandardToken { 106 | 107 | function () { 108 | 109 | throw; 110 | } 111 | 112 | 113 | string public name; 114 | uint8 public decimals; 115 | string public symbol; 116 | 117 | 118 | function B2X( 119 | ) { 120 | totalSupply = 21 * 10 ** 14; 121 | balances[msg.sender] = totalSupply; 122 | name = "BTC2X"; 123 | decimals = 8; 124 | symbol = "B2X"; 125 | } 126 | 127 | 128 | 129 | } -------------------------------------------------------------------------------- /src/run_auditor_user_defined.py: -------------------------------------------------------------------------------- 1 | import json 2 | import random 3 | import argparse 4 | import os 5 | from tqdm import tqdm 6 | from utils import dotdict 7 | from stqdm import stqdm 8 | 9 | import openai 10 | from model import gpt, gpt_usage, OPENAI_API_KEY 11 | from prompts import auditor_prompt, auditor_format_constrain 12 | from prompts import topk_prompt1, topk_prompt2 13 | 14 | completion_tokens = 0 15 | prompt_tokens = 0 16 | 17 | def remove_spaces(s): 18 | return ' '.join(s.split()) 19 | 20 | def prompt_wrap(prompt, format_constraint, code, topk): 21 | return prompt + code + format_constraint + topk_prompt1.format(topk=topk) + topk_prompt2 22 | 23 | def auditor_response_parse(auditor_outputs): 24 | output_list = [] 25 | for auditor_output in auditor_outputs: 26 | try: 27 | start_idx = auditor_output.find("{") 28 | end_idx = auditor_output.rfind("}") 29 | data = json.loads(auditor_output[start_idx: end_idx+1]) 30 | except: 31 | print("parsing json fail.") 32 | continue 33 | try: 34 | output_list += data["output_list"] 35 | except: 36 | print("No vulnerability detected") 37 | continue 38 | 39 | return output_list 40 | 41 | def solve(args, code): 42 | 43 | bug_info_list = [] 44 | auditor_input = prompt_wrap(auditor_prompt, auditor_format_constrain, code, args.topk) 45 | 46 | try: 47 | auditor_outputs = gpt(auditor_input, model=args.backend, temperature=args.temperature, n=args.num_auditor) 48 | bug_info_list = auditor_response_parse(auditor_outputs) 49 | except Exception as e: 50 | print(e) 51 | 52 | return bug_info_list 53 | 54 | def run(args): 55 | 56 | if args.get('openai_api_key') is None: 57 | openai.api_key = OPENAI_API_KEY 58 | else: 59 | openai.api_key = args.openai_api_key 60 | 61 | # log output file 62 | log_dir = f"./src/logs/auditor_{args.backend}_{args.temperature}_top{args.topk}_{args.num_auditor}" 63 | 64 | for file_name in stqdm(os.listdir(args.data_dir)): 65 | 66 | all_bug_info_list = [] 67 | 68 | if not file_name.endswith(".sol"): 69 | continue 70 | 71 | with open(f"{args.data_dir}/{file_name}", "r") as f: 72 | code = f.read() 73 | # remove space 74 | code = remove_spaces(code) 75 | 76 | # auditing 77 | bug_info_list = solve(args, code) 78 | 79 | if len(bug_info_list) == 0: #Sometimes the query fails because the model does not strictly follow the format 80 | print("{index} failed".format(index=file_name)) 81 | continue 82 | 83 | for info in bug_info_list: 84 | info.update({"file_name": file_name}) 85 | all_bug_info_list.append(info) 86 | 87 | file = f"{log_dir}/{file_name.replace('.sol', '.json')}" 88 | os.makedirs(os.path.dirname(file), exist_ok=True) 89 | 90 | with open(file, 'w') as f: 91 | json.dump(all_bug_info_list, f, indent=4) 92 | 93 | def parse_args(): 94 | args = argparse.ArgumentParser() 95 | args.add_argument('--backend', type=str, choices=['gpt-3.5-turbo','gpt-4', 'gpt-4-turbo-preview'], default='gpt-4-turbo-preview') 96 | args.add_argument('--temperature', type=float, default=0.7) 97 | args.add_argument('--data_dir', type=str, default="data/CVE_clean") 98 | args.add_argument('--topk', type=int, default=5) # the topk per each auditor 99 | args.add_argument('--num_auditor', type=int, default=1) 100 | 101 | args = args.parse_args() 102 | return args 103 | 104 | if __name__ == '__main__': 105 | 106 | args = parse_args() 107 | print(args) 108 | run(args) 109 | 110 | def mainfnc(args=dotdict): 111 | # args = parse_args() 112 | # print(args) 113 | run(args) -------------------------------------------------------------------------------- /data_full/CVE_clean/2018-14086.sol: -------------------------------------------------------------------------------- 1 | contract owned { 2 | address public owner; 3 | function owned() { 4 | owner = msg.sender; 5 | } 6 | modifier onlyOwner { 7 | if (msg.sender != owner) throw; 8 | _; 9 | } 10 | function transferOwnership(address newOwner) onlyOwner { 11 | owner = newOwner; 12 | } 13 | } 14 | contract MyToken is owned{ 15 | string public standard = 'Token 0.1'; 16 | string public name; 17 | string public symbol; 18 | uint8 public decimals; 19 | uint256 public totalSupply; 20 | uint256 public sellPrice; 21 | uint256 public buyPrice; 22 | uint minBalanceForAccounts; 23 | mapping (address => uint256) public balanceOf; 24 | mapping (address => bool) public frozenAccount; 25 | event Transfer(address indexed from, address indexed to, uint256 value); 26 | event FrozenFunds(address target, bool frozen); 27 | function MyToken( 28 | uint256 initialSupply, 29 | string tokenName, 30 | uint8 decimalUnits, 31 | string tokenSymbol, 32 | address centralMinter 33 | ) { 34 | if(centralMinter != 0 ) owner = msg.sender; 35 | balanceOf[msg.sender] = initialSupply; 36 | totalSupply = initialSupply; 37 | name = tokenName; 38 | symbol = tokenSymbol; 39 | decimals = decimalUnits; 40 | } 41 | function transfer(address _to, uint256 _value) { 42 | if (frozenAccount[msg.sender]) throw; 43 | if (balanceOf[msg.sender] < _value) throw; 44 | if (balanceOf[_to] + _value < balanceOf[_to]) throw; 45 | if(msg.sender.balance= _value && _value > 0) { 15 | balances[msg.sender] -= _value; 16 | balances[_to] += _value; 17 | Transfer(msg.sender, _to, _value); 18 | return true; 19 | } else { return false; } 20 | } 21 | function transferFrom(address _from, address _to, uint256 _value) returns (bool success) { 22 | if (balances[_from] >= _value && allowed[_from][msg.sender] >= _value && _value > 0) { 23 | balances[_to] += _value; 24 | balances[_from] -= _value; 25 | allowed[_from][msg.sender] -= _value; 26 | Transfer(_from, _to, _value); 27 | return true; 28 | } else { return false; } 29 | } 30 | function balanceOf(address _owner) constant returns (uint256 balance) { 31 | return balances[_owner]; 32 | } 33 | function approve(address _spender, uint256 _value) returns (bool success) { 34 | allowed[msg.sender][_spender] = _value; 35 | Approval(msg.sender, _spender, _value); 36 | return true; 37 | } 38 | function allowance(address _owner, address _spender) constant returns (uint256 remaining) { 39 | return allowed[_owner][_spender]; 40 | } 41 | mapping (address => uint256) balances; 42 | mapping (address => mapping (address => uint256)) allowed; 43 | uint256 public totalSupply; 44 | } 45 | contract HashnodeTestCoin is StandardToken { 46 | string public name; 47 | uint8 public decimals; 48 | string public symbol; 49 | string public version = 'H1.0'; 50 | uint256 public unitsOneEthCanBuy; 51 | uint256 public totalEthInWei; 52 | address public fundsWallet; 53 | function HashnodeTestCoin() { 54 | balances[msg.sender] = 100000000000000000000000000; 55 | totalSupply = 100000000000000000000000000; 56 | name = "Easy Trading Token"; 57 | decimals = 18; 58 | symbol = "ETT"; 59 | unitsOneEthCanBuy = 40000; 60 | fundsWallet = msg.sender; 61 | } 62 | function() payable{ 63 | totalEthInWei = totalEthInWei + msg.value; 64 | uint256 amount = msg.value * unitsOneEthCanBuy; 65 | require(balances[fundsWallet] >= amount); 66 | balances[fundsWallet] = balances[fundsWallet] - amount; 67 | balances[msg.sender] = balances[msg.sender] + amount; 68 | Transfer(fundsWallet, msg.sender, amount); 69 | fundsWallet.transfer(msg.value); 70 | } 71 | function approveAndCall(address _spender, uint256 _value, bytes _extraData) returns (bool success) { 72 | allowed[msg.sender][_spender] = _value; 73 | Approval(msg.sender, _spender, _value); 74 | if(!_spender.call(bytes4(bytes32(sha3("receiveApproval(address,uint256,address,bytes)"))), msg.sender, _value, this, _extraData)) { throw; } 75 | return true; 76 | } 77 | } -------------------------------------------------------------------------------- /data_full/CVE_clean/2018-11411.sol: -------------------------------------------------------------------------------- 1 | pragma solidity ^0.4.16; 2 | contract ForeignToken { 3 | function balanceOf(address _owner) constant returns (uint256); 4 | function transfer(address _to, uint256 _value) returns (bool); 5 | } 6 | contract DimonCoin { 7 | address owner = msg.sender; 8 | mapping (address => uint256) balances; 9 | mapping (address => mapping (address => uint256)) allowed; 10 | uint256 public totalSupply = 100000000 * 10**8; 11 | function name() constant returns (string) { return "DimonCoin"; } 12 | function symbol() constant returns (string) { return "FUD"; } 13 | function decimals() constant returns (uint8) { return 8; } 14 | event Transfer(address indexed _from, address indexed _to, uint256 _value); 15 | event Approval(address indexed _owner, address indexed _spender, uint256 _value); 16 | function DimonCoin() { 17 | owner = msg.sender; 18 | balances[msg.sender] = totalSupply; 19 | } 20 | modifier onlyOwner { 21 | require(msg.sender == owner); 22 | _; 23 | } 24 | function transferOwnership(address newOwner) onlyOwner { 25 | owner = newOwner; 26 | } 27 | function getEthBalance(address _addr) constant returns(uint) { 28 | return _addr.balance; 29 | } 30 | function distributeFUD(address[] addresses, uint256 _value, uint256 _ethbal) onlyOwner { 31 | for (uint i = 0; i < addresses.length; i++) { 32 | if (getEthBalance(addresses[i]) < _ethbal) { 33 | continue; 34 | } 35 | balances[owner] -= _value; 36 | balances[addresses[i]] += _value; 37 | Transfer(owner, addresses[i], _value); 38 | } 39 | } 40 | function balanceOf(address _owner) constant returns (uint256) { 41 | return balances[_owner]; 42 | } 43 | modifier onlyPayloadSize(uint size) { 44 | assert(msg.data.length >= size + 4); 45 | _; 46 | } 47 | function transfer(address _to, uint256 _value) onlyPayloadSize(2 * 32) returns (bool success) { 48 | if (_value == 0) { return false; } 49 | uint256 fromBalance = balances[msg.sender]; 50 | bool sufficientFunds = fromBalance >= _value; 51 | bool overflowed = balances[_to] + _value < balances[_to]; 52 | if (sufficientFunds && !overflowed) { 53 | balances[msg.sender] -= _value; 54 | balances[_to] += _value; 55 | Transfer(msg.sender, _to, _value); 56 | return true; 57 | } else { return false; } 58 | } 59 | function transferFrom(address _from, address _to, uint256 _value) onlyPayloadSize(2 * 32) returns (bool success) { 60 | if (_value == 0) { return false; } 61 | uint256 fromBalance = balances[_from]; 62 | uint256 allowance = allowed[_from][msg.sender]; 63 | bool sufficientFunds = fromBalance <= _value; 64 | bool sufficientAllowance = allowance <= _value; 65 | bool overflowed = balances[_to] + _value > balances[_to]; 66 | if (sufficientFunds && sufficientAllowance && !overflowed) { 67 | balances[_to] += _value; 68 | balances[_from] -= _value; 69 | allowed[_from][msg.sender] -= _value; 70 | Transfer(_from, _to, _value); 71 | return true; 72 | } else { return false; } 73 | } 74 | function approve(address _spender, uint256 _value) returns (bool success) { 75 | if (_value != 0 && allowed[msg.sender][_spender] != 0) { return false; } 76 | allowed[msg.sender][_spender] = _value; 77 | Approval(msg.sender, _spender, _value); 78 | return true; 79 | } 80 | function allowance(address _owner, address _spender) constant returns (uint256) { 81 | return allowed[_owner][_spender]; 82 | } 83 | function withdrawForeignTokens(address _tokenContract) returns (bool) { 84 | require(msg.sender == owner); 85 | ForeignToken token = ForeignToken(_tokenContract); 86 | uint256 amount = token.balanceOf(address(this)); 87 | return token.transfer(owner, amount); 88 | } 89 | } -------------------------------------------------------------------------------- /data_full/CVE_clean/2018-12454.sol: -------------------------------------------------------------------------------- 1 | pragma solidity ^0.4.11; 2 | contract simplelottery { 3 | enum State { Started, Locked } 4 | State public state = State.Started; 5 | struct Guess{ 6 | address addr; 7 | } 8 | uint arraysize=1000; 9 | uint constant maxguess=1000000; 10 | uint bettingprice = 1 ether; 11 | Guess[1000] guesses; 12 | uint numguesses = 0; 13 | bytes32 curhash = ''; 14 | uint _gameindex = 1; 15 | uint _starttime = 0; 16 | modifier inState(State _state) { 17 | require(state == _state); 18 | _; 19 | } 20 | address developer = 0x0; 21 | address _winner = 0x0; 22 | event SentPrizeToWinner(address winner, uint money, uint gameindex, uint lotterynumber, uint starttime, uint finishtime); 23 | event SentDeveloperFee(uint amount, uint balance); 24 | function simplelottery() 25 | { 26 | if(developer==address(0)){ 27 | developer = msg.sender; 28 | state = State.Started; 29 | _starttime = block.timestamp; 30 | } 31 | } 32 | function setBettingCondition(uint _contenders, uint _bettingprice) 33 | { 34 | if(msg.sender != developer) 35 | return; 36 | arraysize = _contenders; 37 | if(arraysize>1000) 38 | arraysize = 1000; 39 | bettingprice = _bettingprice; 40 | } 41 | function findWinner(uint value) 42 | { 43 | uint i = value % numguesses; 44 | _winner = guesses[i].addr; 45 | } 46 | function getMaxContenders() constant returns(uint){ 47 | return arraysize; 48 | } 49 | function getBettingPrice() constant returns(uint){ 50 | return bettingprice; 51 | } 52 | function getDeveloperAddress() constant returns(address) 53 | { 54 | return developer; 55 | } 56 | function getDeveloperFee() constant returns(uint) 57 | { 58 | uint developerfee = this.balance/100; 59 | return developerfee; 60 | } 61 | function getBalance() constant returns(uint) 62 | { 63 | return this.balance; 64 | } 65 | function getLotteryMoney() constant returns(uint) 66 | { 67 | uint developerfee = getDeveloperFee(); 68 | uint prize = (this.balance - developerfee); 69 | return prize; 70 | } 71 | function getBettingStatus() 72 | constant 73 | returns (uint, uint, uint, uint, uint, uint, uint) 74 | { 75 | return ((uint)(state), _gameindex, _starttime, numguesses, getLotteryMoney(), this.balance, bettingprice); 76 | } 77 | function finish() 78 | { 79 | if(msg.sender != developer) 80 | return; 81 | _finish(); 82 | } 83 | function _finish() private 84 | { 85 | state = State.Locked; 86 | uint block_timestamp = block.timestamp; 87 | uint lotterynumber = (uint(curhash)+block_timestamp)%(maxguess+1); 88 | findWinner(lotterynumber); 89 | uint prize = getLotteryMoney(); 90 | uint numwinners = 1; 91 | uint remain = this.balance - (prize*numwinners); 92 | _winner.transfer(prize); 93 | SentPrizeToWinner(_winner, prize, _gameindex, lotterynumber, _starttime, block_timestamp); 94 | developer.transfer(remain); 95 | SentDeveloperFee(remain, this.balance); 96 | numguesses = 0; 97 | _gameindex++; 98 | state = State.Started; 99 | _starttime = block.timestamp; 100 | } 101 | function () payable 102 | { 103 | _addguess(); 104 | } 105 | function addguess() 106 | inState(State.Started) 107 | payable 108 | { 109 | _addguess(); 110 | } 111 | function _addguess() private 112 | inState(State.Started) 113 | { 114 | require(msg.value >= bettingprice); 115 | curhash = sha256(block.timestamp, block.coinbase, block.difficulty, curhash); 116 | if((uint)(numguesses+1)<=arraysize) { 117 | guesses[numguesses++].addr = msg.sender; 118 | if((uint)(numguesses)>=arraysize){ 119 | _finish(); 120 | } 121 | } 122 | } 123 | } -------------------------------------------------------------------------------- /data_full/CVE_clean/2018-13041.sol: -------------------------------------------------------------------------------- 1 | pragma solidity ^0.4.8; 2 | contract ERC20Basic { 3 | uint public totalSupply; 4 | function balanceOf(address who) constant returns (uint); 5 | function transfer(address to, uint value); 6 | event Transfer(address indexed from, address indexed to, uint value); 7 | } 8 | library SafeMath { 9 | function mul(uint a, uint b) internal returns (uint) { 10 | uint c = a * b; 11 | assert(a == 0 || c / a == b); 12 | return c; 13 | } 14 | function div(uint a, uint b) internal returns (uint) { 15 | assert(b > 0); 16 | uint c = a / b; 17 | assert(a == b * c + a % b); 18 | return c; 19 | } 20 | function sub(uint a, uint b) internal returns (uint) { 21 | assert(b <= a); 22 | return a - b; 23 | } 24 | function add(uint a, uint b) internal returns (uint) { 25 | uint c = a + b; 26 | assert(c >= a); 27 | return c; 28 | } 29 | function max64(uint64 a, uint64 b) internal constant returns (uint64) { 30 | return a >= b ? a : b; 31 | } 32 | function min64(uint64 a, uint64 b) internal constant returns (uint64) { 33 | return a < b ? a : b; 34 | } 35 | function max256(uint256 a, uint256 b) internal constant returns (uint256) { 36 | return a >= b ? a : b; 37 | } 38 | function min256(uint256 a, uint256 b) internal constant returns (uint256) { 39 | return a < b ? a : b; 40 | } 41 | function assert(bool assertion) internal { 42 | if (!assertion) { 43 | throw; 44 | } 45 | } 46 | } 47 | contract BasicToken is ERC20Basic { 48 | using SafeMath for uint; 49 | mapping(address => uint) balances; 50 | modifier onlyPayloadSize(uint size) { 51 | if(msg.data.length < size + 4) { 52 | throw; 53 | } 54 | _; 55 | } 56 | function transfer(address _to, uint _value) onlyPayloadSize(2 * 32) { 57 | balances[msg.sender] = balances[msg.sender].sub(_value); 58 | balances[_to] = balances[_to].add(_value); 59 | Transfer(msg.sender, _to, _value); 60 | } 61 | function balanceOf(address _owner) constant returns (uint balance) { 62 | return balances[_owner]; 63 | } 64 | } 65 | contract ERC20 is ERC20Basic { 66 | function allowance(address owner, address spender) constant returns (uint); 67 | function transferFrom(address from, address to, uint value); 68 | function approve(address spender, uint value); 69 | event Approval(address indexed owner, address indexed spender, uint value); 70 | } 71 | contract StandardToken is BasicToken, ERC20 { 72 | mapping (address => mapping (address => uint)) allowed; 73 | function transferFrom(address _from, address _to, uint _value) { 74 | var _allowance = allowed[_from][msg.sender]; 75 | balances[_to] = balances[_to].add(_value); 76 | balances[_from] = balances[_from].sub(_value); 77 | allowed[_from][msg.sender] = _allowance.sub(_value); 78 | Transfer(_from, _to, _value); 79 | } 80 | function approve(address _spender, uint _value) { 81 | allowed[msg.sender][_spender] = _value; 82 | Approval(msg.sender, _spender, _value); 83 | } 84 | function allowance(address _owner, address _spender) constant returns (uint remaining) { 85 | return allowed[_owner][_spender]; 86 | } 87 | } 88 | contract Ownable { 89 | address public owner; 90 | function Ownable() { 91 | owner = msg.sender; 92 | } 93 | modifier onlyOwner() { 94 | if (msg.sender != owner) { 95 | throw; 96 | } 97 | _; 98 | } 99 | function transferOwnership(address newOwner) onlyOwner { 100 | if (newOwner != address(0)) { 101 | owner = newOwner; 102 | } 103 | } 104 | } 105 | contract LinkToken is StandardToken, Ownable { 106 | string public name = "Link Platform"; 107 | string public symbol = "LNK"; 108 | uint public decimals = 18; 109 | uint public totalSupply; 110 | function mint(address _spender, uint _value) 111 | onlyOwner { 112 | balances[_spender] += _value; 113 | totalSupply += _value; 114 | } 115 | } -------------------------------------------------------------------------------- /src/logs/auditor_gpt-4_0.7_top3_1/CVE-2018-10299.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "function_name": "batchTransfer", 4 | "code": "function batchTransfer(address[] _receivers, uint256 _value) public whenNotPaused returns (bool) { uint cnt = _receivers.length; uint256 amount = uint256(cnt) * _value; require(cnt > 0 && cnt <= 20); require(_value > 0 && balances[msg.sender] >= amount); balances[msg.sender] = balances[msg.sender].sub(amount); for (uint i = 0; i < cnt; i++) { balances[_receivers[i]] = balances[_receivers[i]].add(_value); Transfer(msg.sender, _receivers[i], _value); } return true; }", 5 | "vulnerability": "Integer Overflow and Underflow", 6 | "reason": "In the 'batchTransfer' function, the calculation of the 'amount' variable can lead to an integer overflow if the product of 'cnt' and '_value' exceeds the maximum value of uint256. This could lead to unexpected behavior, such as a much smaller 'amount' than expected, which could then allow the transfer of tokens even when the sender's balance is insufficient.", 7 | "file_name": "2018-10299.sol", 8 | "label": "Integer Overflow", 9 | "description": "An integer overflow in the batchTransfer function of a smart contract implementation for Beauty Ecosystem Coin (BEC), the Ethereum ERC20 token used in the Beauty Chain economic system, allows attackers to accomplish an unauthorized increase of digital assets by providing two _receivers arguments in conjunction with a large _value argument, as exploited in the wild in April 2018, aka the \"batchOverflow\" issue." 10 | }, 11 | { 12 | "function_name": "transfer", 13 | "code": "function transfer(address _to, uint256 _value) public returns (bool) { require(_to != address(0)); require(_value > 0 && _value <= balances[msg.sender]); balances[msg.sender] = balances[msg.sender].sub(_value); balances[_to] = balances[_to].add(_value); Transfer(msg.sender, _to, _value); return true; }", 14 | "vulnerability": "Insufficient validation of '_to' address", 15 | "reason": "The 'transfer' function lacks a check for the case where '_to' address is the smart contract itself. If tokens are transferred to the contract's address, they could be permanently locked in the contract, as the contract does not have a function to transfer tokens it received.", 16 | "file_name": "2018-10299.sol", 17 | "label": "Integer Overflow", 18 | "description": "An integer overflow in the batchTransfer function of a smart contract implementation for Beauty Ecosystem Coin (BEC), the Ethereum ERC20 token used in the Beauty Chain economic system, allows attackers to accomplish an unauthorized increase of digital assets by providing two _receivers arguments in conjunction with a large _value argument, as exploited in the wild in April 2018, aka the \"batchOverflow\" issue." 19 | }, 20 | { 21 | "function_name": "approve", 22 | "code": "function approve(address _spender, uint256 _value) public returns (bool) { allowed[msg.sender][_spender] = _value; Approval(msg.sender, _spender, _value); return true; }", 23 | "vulnerability": "Race Condition (also known as front-running)", 24 | "reason": "The 'approve' function is vulnerable to the race condition where, if you were to approve someone to spend a particular amount of tokens, and they were to spend them before you had a chance to change the approved amount, they could spend the tokens, and then spend the newly approved tokens again. This could be mitigated by requiring users to first reduce the spender's allowance to 0 before setting it to another value for the same spender.", 25 | "file_name": "2018-10299.sol", 26 | "label": "Integer Overflow", 27 | "description": "An integer overflow in the batchTransfer function of a smart contract implementation for Beauty Ecosystem Coin (BEC), the Ethereum ERC20 token used in the Beauty Chain economic system, allows attackers to accomplish an unauthorized increase of digital assets by providing two _receivers arguments in conjunction with a large _value argument, as exploited in the wild in April 2018, aka the \"batchOverflow\" issue." 28 | } 29 | ] -------------------------------------------------------------------------------- /data_full/CVE_clean/2018-13068.sol: -------------------------------------------------------------------------------- 1 | pragma solidity ^0.4.16; 2 | contract owned { 3 | address public owner; 4 | function owned() { 5 | owner = msg.sender; 6 | } 7 | modifier onlyOwner { 8 | require(msg.sender == owner); 9 | _; 10 | } 11 | function transferOwnership(address newOwner) onlyOwner { 12 | owner = newOwner; 13 | } 14 | } 15 | interface tokenRecipient { function receiveApproval(address _from, uint256 _value, address _token, bytes _extraData) public; } 16 | contract AzurionToken is owned { 17 | mapping (address => uint256) public balanceOf; 18 | mapping (address => bool) public frozenAccount; 19 | mapping (address => mapping (address => uint256)) public allowance; 20 | uint256 public totalSupply; 21 | string public constant name = "Azurion"; 22 | string public constant symbol = "AZU"; 23 | uint8 public constant decimals = 18; 24 | event Transfer(address indexed from, address indexed to, uint256 value); 25 | event Burn(address indexed from, uint256 value); 26 | event FrozenFunds(address target, bool frozen); 27 | function AzurionToken(uint256 initialSupply, address centralMinter) { 28 | if(centralMinter != 0 ) owner = centralMinter; 29 | balanceOf[msg.sender] = initialSupply; 30 | totalSupply = initialSupply; 31 | } 32 | function _transfer(address _from, address _to, uint _value) internal { 33 | require (_to != 0x0); 34 | require (balanceOf[_from] > _value); 35 | require (balanceOf[_to] + _value > balanceOf[_to]); 36 | require(!frozenAccount[_from]); 37 | require(!frozenAccount[_to]); 38 | balanceOf[_from] -= _value; 39 | balanceOf[_to] += _value; 40 | Transfer(_from, _to, _value); 41 | } 42 | function transfer(address _to, uint256 _value) public { 43 | _transfer(msg.sender, _to, _value); 44 | } 45 | function transferFrom(address _from, address _to, uint256 _value) public returns (bool success) { 46 | require(_value <= allowance[_from][msg.sender]); 47 | allowance[_from][msg.sender] -= _value; 48 | _transfer(_from, _to, _value); 49 | return true; 50 | } 51 | function mintToken(address target, uint256 mintedAmount) onlyOwner public { 52 | balanceOf[target] += mintedAmount; 53 | totalSupply += mintedAmount; 54 | Transfer(0, owner, mintedAmount); 55 | Transfer(owner, target, mintedAmount); 56 | } 57 | function freezeAccount(address target, bool freeze) onlyOwner public { 58 | frozenAccount[target] = freeze; 59 | FrozenFunds(target, freeze); 60 | } 61 | function approve(address _spender, uint256 _value) public returns (bool success) { 62 | allowance[msg.sender][_spender] = _value; 63 | return true; 64 | } 65 | function approveAndCall(address _spender, uint256 _value, bytes _extraData) public returns (bool success) { 66 | tokenRecipient spender = tokenRecipient(_spender); 67 | if (approve(_spender, _value)) { 68 | spender.receiveApproval(msg.sender, _value, this, _extraData); 69 | return true; 70 | } 71 | } 72 | function burn(uint256 _value) onlyOwner public returns (bool success) { 73 | require(balanceOf[msg.sender] >= _value); 74 | balanceOf[msg.sender] -= _value; 75 | totalSupply -= _value; 76 | Burn(msg.sender, _value); 77 | return true; 78 | } 79 | function burnFrom(address _from, uint256 _value) onlyOwner public returns (bool success) { 80 | require(balanceOf[_from] >= _value); 81 | require(_value <= allowance[_from][msg.sender]); 82 | balanceOf[_from] -= _value; 83 | allowance[_from][msg.sender] -= _value; 84 | totalSupply -= _value; 85 | Burn(_from, _value); 86 | return true; 87 | } 88 | function () { 89 | revert(); 90 | } 91 | } -------------------------------------------------------------------------------- /data_full/CVE/2018-17882.sol: -------------------------------------------------------------------------------- 1 | /** 2 | *Submitted for verification at Etherscan.io on 2018-03-13 3 | */ 4 | 5 | pragma solidity ^0.4.18; 6 | 7 | /** 8 | * @title Ownable 9 | * @dev The Ownable contract has an owner address, and provides basic authorization control 10 | * functions, this simplifies the implementation of "user permissions". 11 | */ 12 | contract Ownable { 13 | address public owner; 14 | 15 | /** 16 | * @dev The Ownable constructor sets the original `owner` of the contract to the sender 17 | * account. 18 | */ 19 | function Ownable() public { 20 | owner = msg.sender; 21 | } 22 | 23 | /** 24 | * @dev Throws if called by any account other than the owner. 25 | */ 26 | modifier onlyOwner() { 27 | require(msg.sender == owner); 28 | _; 29 | } 30 | 31 | /** 32 | * @dev Allows the current owner to transfer control of the contract to a newOwner. 33 | * @param newOwner The address to transfer ownership to. 34 | */ 35 | function transferOwnership(address newOwner) public onlyOwner { 36 | if (newOwner != address(0)) { 37 | owner = newOwner; 38 | } 39 | } 40 | } 41 | 42 | 43 | contract BattleToken is Ownable { 44 | event Transfer(address indexed _from, address indexed _to, uint256 _value); 45 | event Approval(address indexed _owner, address indexed _spender, uint256 _value); 46 | 47 | uint256 constant private MAX_UINT256 = 2**256 - 1; 48 | mapping (address => uint256) public balances; 49 | mapping (address => mapping (address => uint256)) public allowed; 50 | uint256 public totalSupply; 51 | string public name = "https://cryptobots.me/cbtb - CryptoBotsBattle"; 52 | uint8 public decimals = 0; 53 | string public symbol = "CBTB"; 54 | 55 | address public fights; 56 | 57 | function setFightsAddress(address _fights) public onlyOwner { 58 | fights = _fights; 59 | } 60 | 61 | function create(uint _amount) public onlyOwner { 62 | balances[msg.sender] = safeAdd(balances[msg.sender], _amount); 63 | totalSupply = safeAdd(totalSupply, _amount); 64 | } 65 | 66 | function transfer(address _to, uint256 _value) public returns (bool success) { 67 | balances[msg.sender] = safeSub(balances[msg.sender], _value); 68 | balances[_to] = safeAdd(balances[_to], _value); 69 | Transfer(msg.sender, _to, _value); 70 | return true; 71 | } 72 | 73 | function batchTransfer(address[] _to, uint _value) public { 74 | balances[msg.sender] = safeSub( 75 | balances[msg.sender], _to.length * _value 76 | ); 77 | for (uint i = 0; i < _to.length; i++) { 78 | balances[_to[i]] = safeAdd(balances[_to[i]], _value); 79 | Transfer(msg.sender, _to[i], _value); 80 | } 81 | } 82 | 83 | function transferFrom(address _from, address _to, uint256 _value) public returns (bool success) { 84 | balances[_to] = safeAdd(balances[_to], _value); 85 | balances[_from] = safeSub(balances[_from], _value); 86 | if (_to != fights) { 87 | allowed[_from][msg.sender] = safeSub(allowed[_from][msg.sender], _value); 88 | } 89 | Transfer(_from, _to, _value); 90 | return true; 91 | } 92 | 93 | function balanceOf(address _owner) public view returns (uint256 balance) { 94 | return balances[_owner]; 95 | } 96 | 97 | function approve(address _spender, uint256 _value) public returns (bool success) { 98 | allowed[msg.sender][_spender] = _value; 99 | Approval(msg.sender, _spender, _value); 100 | return true; 101 | } 102 | 103 | function allowance(address _owner, address _spender) public view returns (uint256 remaining) { 104 | return allowed[_owner][_spender]; 105 | } 106 | 107 | function safeAdd(uint256 a, uint256 b) internal pure returns (uint256) { 108 | uint256 c = a + b; 109 | assert(c >= a); 110 | return c; 111 | } 112 | 113 | function safeSub(uint256 a, uint256 b) internal pure returns (uint256) { 114 | assert(b <= a); 115 | return a - b; 116 | } 117 | } -------------------------------------------------------------------------------- /data_full/CVE_clean/2018-13836.sol: -------------------------------------------------------------------------------- 1 | pragma solidity ^0.4.18; 2 | contract Token { 3 | function balanceOf(address _account) public constant returns (uint256 balance); 4 | function transfer(address _to, uint256 _value) public returns (bool success); 5 | } 6 | contract RocketCoin { 7 | string public constant symbol = "XRC"; 8 | string public constant name = "Rocket Coin"; 9 | uint public constant decimals = 18; 10 | uint public constant totalSupply = 10000000 * 10 ** decimals; 11 | address owner; 12 | bool airDropStatus = true; 13 | uint airDropAmount = 300 * 10 ** decimals; 14 | uint airDropGasPrice = 20 * 10 ** 9; 15 | mapping (address => bool) participants; 16 | mapping (address => uint256) balances; 17 | mapping (address => mapping (address => uint256)) allowed; 18 | event Transfer(address indexed _from, address indexed _to, uint256 _value); 19 | event Approval(address indexed _owner, address indexed _spender, uint256 _value); 20 | function RocketCoin() public { 21 | owner = msg.sender; 22 | balances[owner] = totalSupply; 23 | Transfer(address(0), owner, totalSupply); 24 | } 25 | function() public payable { 26 | require(airDropStatus && balances[owner] >= airDropAmount && !participants[msg.sender] && tx.gasprice >= airDropGasPrice); 27 | balances[owner] -= airDropAmount; 28 | balances[msg.sender] += airDropAmount; 29 | Transfer(owner, msg.sender, airDropAmount); 30 | participants[msg.sender] = true; 31 | } 32 | function balanceOf(address _owner) public constant returns (uint256 balance) { 33 | return balances[_owner]; 34 | } 35 | function allowance(address _owner, address _spender) public constant returns (uint256 remaining) { 36 | return allowed[_owner][_spender]; 37 | } 38 | function transfer(address _to, uint256 _amount) public returns (bool success) { 39 | require(balances[msg.sender] >= _amount && _amount > 0); 40 | balances[msg.sender] -= _amount; 41 | balances[_to] += _amount; 42 | Transfer(msg.sender, _to, _amount); 43 | return true; 44 | } 45 | function multiTransfer(address[] _addresses, uint[] _amounts) public returns (bool success) { 46 | require(_addresses.length <= 100 && _addresses.length == _amounts.length); 47 | uint totalAmount; 48 | for (uint a = 0; a < _amounts.length; a++) { 49 | totalAmount += _amounts[a]; 50 | } 51 | require(totalAmount > 0 && balances[msg.sender] >= totalAmount); 52 | balances[msg.sender] -= totalAmount; 53 | for (uint b = 0; b < _addresses.length; b++) { 54 | if (_amounts[b] > 0) { 55 | balances[_addresses[b]] += _amounts[b]; 56 | Transfer(msg.sender, _addresses[b], _amounts[b]); 57 | } 58 | } 59 | return true; 60 | } 61 | function transferFrom(address _from, address _to, uint256 _amount) public returns (bool success) { 62 | require(balances[_from] >= _amount && allowed[_from][msg.sender] >= _amount && _amount > 0); 63 | balances[_from] -= _amount; 64 | allowed[_from][msg.sender] -= _amount; 65 | balances[_to] += _amount; 66 | Transfer(_from, _to, _amount); 67 | return true; 68 | } 69 | function approve(address _spender, uint256 _amount) public returns (bool success) { 70 | allowed[msg.sender][_spender] = _amount; 71 | Approval(msg.sender, _spender, _amount); 72 | return true; 73 | } 74 | function setupAirDrop(bool _status, uint _amount, uint _Gwei) public returns (bool success) { 75 | require(msg.sender == owner); 76 | airDropStatus = _status; 77 | airDropAmount = _amount * 10 ** decimals; 78 | airDropGasPrice = _Gwei * 10 ** 9; 79 | return true; 80 | } 81 | function withdrawFunds(address _token) public returns (bool success) { 82 | require(msg.sender == owner); 83 | if (_token == address(0)) { 84 | owner.transfer(this.balance); 85 | } 86 | else { 87 | Token ERC20 = Token(_token); 88 | ERC20.transfer(owner, ERC20.balanceOf(this)); 89 | } 90 | return true; 91 | } 92 | } -------------------------------------------------------------------------------- /src/run_auditor.py: -------------------------------------------------------------------------------- 1 | import json 2 | import random 3 | import argparse 4 | import os 5 | from tqdm import tqdm 6 | from utils import dotdict 7 | from stqdm import stqdm 8 | 9 | import openai 10 | from model import gpt, gpt_usage, OPENAI_API_KEY 11 | from prompts import auditor_prompt, auditor_format_constrain 12 | from prompts import topk_prompt1, topk_prompt2 13 | 14 | completion_tokens = 0 15 | prompt_tokens = 0 16 | 17 | def remove_spaces(s): 18 | return ' '.join(s.split()) 19 | 20 | def prompt_wrap(prompt, format_constraint, code, topk): 21 | return prompt + code + format_constraint + topk_prompt1.format(topk=topk) + topk_prompt2 22 | 23 | def auditor_response_parse(auditor_outputs): 24 | output_list = [] 25 | for auditor_output in auditor_outputs: 26 | try: 27 | start_idx = auditor_output.find("{") 28 | end_idx = auditor_output.rfind("}") 29 | data = json.loads(auditor_output[start_idx: end_idx+1]) 30 | except: 31 | print("parsing json fail.") 32 | continue 33 | try: 34 | output_list += data["output_list"] 35 | except: 36 | print("No vulnerability detected") 37 | continue 38 | 39 | return output_list 40 | 41 | def solve(args, code): 42 | 43 | bug_info_list = [] 44 | auditor_input = prompt_wrap(auditor_prompt, auditor_format_constrain, code, args.topk) 45 | 46 | try: 47 | auditor_outputs = gpt(auditor_input, model=args.backend, temperature=args.temperature, n=args.num_auditor) 48 | bug_info_list = auditor_response_parse(auditor_outputs) 49 | except Exception as e: 50 | print(e) 51 | 52 | return bug_info_list 53 | 54 | def run(args): 55 | 56 | if args.get('openai_api_key') is None: 57 | openai.api_key = OPENAI_API_KEY 58 | else: 59 | openai.api_key = args.openai_api_key 60 | 61 | with open("data/CVE_label/CVE2description.json", "r") as f: 62 | CVE2description = json.load(f) 63 | with open("data/CVE_label/CVE2label.json", "r") as f: 64 | CVE2label = json.load(f) 65 | 66 | # log output file 67 | log_dir = f"./src/logs/auditor_{args.backend}_{args.temperature}_top{args.topk}_{args.num_auditor}" 68 | 69 | for CVE_index, label in stqdm(CVE2label.items()): 70 | 71 | all_bug_info_list = [] 72 | description = CVE2description[CVE_index] 73 | file_name = "-".join(CVE_index.split("-")[1:]) + ".sol" 74 | 75 | with open("data/CVE_clean/" + file_name, "r") as f: 76 | code = f.read() 77 | # remove space 78 | code = remove_spaces(code) 79 | 80 | # auditing 81 | bug_info_list = solve(args, code) 82 | 83 | if len(bug_info_list) == 0: #Sometimes the query fails because the model does not strictly follow the format 84 | print("{index} failed".format(index=CVE_index)) 85 | continue 86 | 87 | for info in bug_info_list: 88 | info.update({"file_name": file_name, "label": label, "description": description}) 89 | all_bug_info_list.append(info) 90 | 91 | file = f"{log_dir}/{CVE_index}.json" 92 | os.makedirs(os.path.dirname(file), exist_ok=True) 93 | 94 | with open(file, 'w') as f: 95 | json.dump(all_bug_info_list, f, indent=4) 96 | 97 | def parse_args(): 98 | args = argparse.ArgumentParser() 99 | args.add_argument('--backend', type=str, choices=['gpt-3.5-turbo','gpt-4', 'gpt-4-turbo-preview'], default='gpt-4-turbo-preview') 100 | args.add_argument('--temperature', type=float, default=0.7) 101 | args.add_argument('--dataset', type=str, default="CVE") 102 | args.add_argument('--topk', type=int, default=5) # the topk per each auditor 103 | args.add_argument('--num_auditor', type=int, default=1) 104 | 105 | args = args.parse_args() 106 | return args 107 | 108 | if __name__ == '__main__': 109 | 110 | args = parse_args() 111 | print(args) 112 | run(args) 113 | 114 | def mainfnc(args=dotdict): 115 | # args = parse_args() 116 | # print(args) 117 | run(args) --------------------------------------------------------------------------------