Wake, a Python-based Solidity development and testing framework with built-in vulnerability detectors
Features:
- testing framework based on pytest
- property-based fuzzer
- deployments & mainnet interactions
- vulnerability and code quality detectors
- printers for extracting useful information from Solidity code
- static analysis framework for implementing custom detectors and printers
- Github actions for setting up Wake and running detectors
- language server (LSP)
- VS Code extension (Tools for Solidity)
- solc version manager
- Python (version 3.8 or higher)
- Rosetta must be enabled on Apple Silicon Macs
⚠️ Python 3.12 is experimentally supported.
via pip
pip3 install eth-wake
Wake documentation can be found here.
There you can also find a section on contributing.
Vulnerability | Severity | Project | Method | Discovered by | Resources |
---|---|---|---|---|---|
Profit & loss accounted twice | Critical | IPOR | Fuzz test | Ackee Blockchain | Report, Wake tests |
Console permanent denial of service | High | Brahma | Fuzz test | Ackee Blockchain | Report |
Swap unwinding formula error | High | IPOR | Fuzz test | Ackee Blockchain | Report, Wake tests |
Swap unwinding fee accounted twice | High | IPOR | Fuzz test | Ackee Blockchain | Report, Wake tests |
Incorrect event data | High | Solady | Integration test | Ackee Blockchain | Report, Wake tests |
INTEREST_FROM_STRATEGY_BELOW_ZERO reverts DoS |
Medium | IPOR | Fuzz test | Ackee Blockchain | Report, Wake tests |
Inaccurate hypothetical interest formula | Medium | IPOR | Fuzz test | Ackee Blockchain | Report, Wake tests |
Swap unwinding fee normalization error | Medium | IPOR | Fuzz test | Ackee Blockchain | Report, Wake tests |
Liquidation deposits accounted into LP balance | Medium | IPOR | Fuzz test | Ackee Blockchain | Report, Wake tests |
Missing receive function | Medium | Axelar | Fuzz test | Ackee Blockchain | Wake tests |
SafeERC20 not used for approve |
Medium | Lido | Fuzz test | Ackee Blockchain | Wake tests |
Non-optimistic vetting & unbonded keys bad accounting | Medium | Lido | Fuzz test | Ackee Blockchain | Report, Wake tests |
See examples and documentation for more information.
Writing tests is as simple as:
from wake.testing import *
from pytypes.contracts.Counter import Counter
@chain.connect()
def test_counter():
counter = Counter.deploy()
assert counter.count() == 0
counter.increment()
assert counter.count() == 1
Fuzzer builds on top of the testing framework and allows efficient fuzz testing of Solidity smart contracts.
from wake.testing import *
from wake.testing.fuzzing import *
from pytypes.contracts.Counter import Counter
class CounterTest(FuzzTest):
def pre_sequence(self) -> None:
self.counter = Counter.deploy()
self.count = 0
@flow()
def increment(self) -> None:
self.counter.increment()
self.count += 1
@flow()
def decrement(self) -> None:
with may_revert(PanicCodeEnum.UNDERFLOW_OVERFLOW) as e:
self.counter.decrement()
if e.value is not None:
assert self.count == 0
else:
self.count -= 1
@invariant(period=10)
def count(self) -> None:
assert self.counter.count() == self.count
@chain.connect()
def test_counter():
CounterTest().run(sequences_count=30, flows_count=100)
All vulnerability & code quality detectors can be run using:
wake detect all
A specific detector can be run using:
wake detect <detector-name>
See the documentation for a list of all detectors.
A specific printer can be run using:
wake print <printer-name>
See the documentation for a list of all printers.
Refer to the getting started guide for more information. Also check out wake_detectors and wake_printers for the implementation of built-in detectors and printers.
Wake implements an LSP server for Solidity. The only currently supported communication channel is TCP.
Wake LSP server can be run using:
wake lsp
Or with an optional --port argument (default 65432):
wake lsp --port 1234
All LSP server features can be found in the documentation.
This project is licensed under the ISC license.
RockawayX | Coinbase |
---|---|