What is Oyente, and why use it?
Oyente is a smart-contract auto-auditing tool: it symbolically executes a contract's EVM bytecode and reports possible vulnerabilities, including the reentrancy bug behind the famous DAO attack. It was developed by researchers from the National University of Singapore in January 2016, and the paper was presented at the 23rd ACM CCS conference (you can refer to it here).
In this article, we will demonstrate how to install and use Oyente with and without Docker.
The most common error encountered while installing Oyente is: web3 requires Python '>=3.5, <4' but the running Python is 2.7.*
You may have tried changing Python versions or installing 3.7-dev, but you will still hit the above error.
Here we discuss how to install it without errors. For development purposes, running the Oyente source code is a better option than the dockerised Oyente; we will cover both ways.
Installing with Docker is the easiest method, since the image already provides the environment required to run Oyente.
To start a container, install Docker and run:
sudo apt-get update
sudo apt install docker.io
docker pull luongnguyen/oyente
docker run -i -t luongnguyen/oyente
To evaluate the greeter contract shipped inside the container, run
cd /oyente/oyente
python oyente.py -s greeter.sol
and you’re done.
But every time you evaluate a new smart contract you have to create the file inside the container with Unix commands and rerun the last command. You can install vim in the container, but creating and editing files this way is still tedious (bind-mounting a host directory into the container avoids it).
Oyente requires the following dependencies, each of which is installed below:
- Python 3 and pip
- z3 (with its Python bindings)
- solc
- Geth and evm
There are two methods for installing Oyente itself; both need the following commands to be run first.
If you haven't installed Python on your system, run the following commands:
sudo apt install software-properties-common
sudo add-apt-repository ppa:deadsnakes/ppa
sudo apt update
sudo apt-get install python3
Install z3. For this, download the source from the link here.
Extract the files, move into the directory and run the following commands (this will take longer than you expect):
python scripts/mk_make.py --python
cd build
make
sudo make install
You also need to install this library:
sudo apt-get install libz3-dev
Installing the Oyente tool (via pip):
For this you need pip:
sudo apt install python3-pip
Execute the following commands:
sudo apt-get install solc
sudo apt-get install evm
pip install web3==3.7.0
pip install oyente
The last command fails with the error quoted above in most cases; if it works for you, you can use Oyente by running:
oyente -s <contract name>
If you get "compilation failed" even though your smart contracts compile fine in other tools, the cause is a version mismatch between solc and evm. Follow the steps in the next method to install the proper versions of solc and evm.
Running the source code:
In this method, just like the previous ones, we create the required environment by downloading and installing the dependencies. At the time of writing, Oyente has been officially tested with solc version 0.4.19 and evm 1.7.3; solc 0.4.24 is still a good choice because of its additional language features, and the tool works with it.
Oyente was built against solc 0.4.19 and evm 1.7.3. Using the tool with the latest versions of these dependencies will result in "compilation failed".
Since downgrading these packages through the package manager is not easy, it is recommended to download the binaries of the required versions and copy them to /usr/bin, as follows.
Download the solc binary file (link here).
If you need other versions, refer to this.
Extract the files and execute the following commands:
sudo cp solc /usr/bin/
sudo cp lllc /usr/bin/
solc --version returns the installed version of solc.
Download the Geth tools here.
Extract them and execute the following commands:
sudo cp geth /usr/bin/
sudo cp evm /usr/bin/
Download the Oyente project source code from here, change into the oyente directory and run:
python oyente.py -s <contract name>
Adding the -ce flag after the contract name will show you the compilation error you are facing.
If you encounter an error stating unknown module z3, or something else related to z3, it is due to an improper installation of the z3 Python bindings. Go through the earlier part discussing the installation of the z3 dependency.
Check whether your output looks like the above. If so, you have successfully installed the dependencies and you are good to go!
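As an added example (not part of the article or of the Oyente project), the script below wraps the procedure described in this section: it checks that the solc and evm binaries on PATH fall inside the version range the article reports as working (0.4.19 to 0.4.24 for solc, 1.7.3 for evm, both overridable), checks that the z3 Python bindings import, and then runs oyente.py over every .sol file in a directory, rerunning failures with -ce so the compiler error is visible. It assumes solc, evm and python are on PATH and that it is run from the oyente/ directory of the source checkout. The version banners in the comments are constructed samples, and the Docker helper assumes the image's default command is a shell, as the interactive docker run -i -t above suggests.

```shell
#!/bin/sh
# preflight_oyente.sh (added example, not part of Oyente).
# Checks the toolchain versions the article pins, then audits a directory
# of contracts. Assumes: solc, evm, python on PATH; oyente.py in the cwd.

SOLC_MIN=${SOLC_MIN:-0.4.19}   # solc range the article reports as working
SOLC_MAX=${SOLC_MAX:-0.4.24}
EVM_MIN=${EVM_MIN:-1.7.3}      # evm version Oyente was tested against
EVM_MAX=${EVM_MAX:-1.7.3}

# Pull the first MAJOR.MINOR.PATCH out of a tool banner, e.g. (constructed):
#   "Version: 0.4.24+commit.e67f0147.Linux.g++"  ->  0.4.24
#   "evm version 1.7.3-stable"                   ->  1.7.3
extract_version() {
  printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# Print -1, 0 or 1 as dotted version $1 is less than, equal to or greater than $2.
version_cmp() {
  _a=$1 _b=$2
  while [ -n "$_a" ] || [ -n "$_b" ]; do
    _x=${_a%%.*} _y=${_b%%.*}
    [ "${_x:-0}" -lt "${_y:-0}" ] && { printf '%s\n' -1; return 0; }
    [ "${_x:-0}" -gt "${_y:-0}" ] && { printf '%s\n' 1; return 0; }
    case $_a in *.*) _a=${_a#*.} ;; *) _a= ;; esac
    case $_b in *.*) _b=${_b#*.} ;; *) _b= ;; esac
  done
  printf '%s\n' 0
}

# Succeed when the version found in banner $1 lies within [$2, $3].
banner_in_range() {
  _v=$(extract_version "$1")
  [ -n "$_v" ] || return 1
  [ "$(version_cmp "$_v" "$2")" -ge 0 ] && [ "$(version_cmp "$_v" "$3")" -le 0 ]
}

# Verify the toolchain before touching any contract; report every problem.
preflight() {
  _ok=0
  _solc=$(solc --version 2>/dev/null) || { echo "solc not on PATH" >&2; _ok=1; }
  _evm=$(evm --version 2>/dev/null) || { echo "evm not on PATH" >&2; _ok=1; }
  if [ -n "$_solc" ] && ! banner_in_range "$_solc" "$SOLC_MIN" "$SOLC_MAX"; then
    echo "solc $(extract_version "$_solc") outside $SOLC_MIN..$SOLC_MAX: expect 'compilation failed'" >&2
    _ok=1
  fi
  if [ -n "$_evm" ] && ! banner_in_range "$_evm" "$EVM_MIN" "$EVM_MAX"; then
    echo "evm $(extract_version "$_evm") outside $EVM_MIN..$EVM_MAX: expect 'compilation failed'" >&2
    _ok=1
  fi
  python -c 'import z3' 2>/dev/null \
    || { echo "z3 Python bindings missing: rebuild z3 with mk_make.py --python" >&2; _ok=1; }
  return $_ok
}

# Audit every .sol file under $1; rerun failures with -ce to show compiler errors.
run_all() {
  for _f in "$1"/*.sol; do
    [ -e "$_f" ] || continue
    echo "== $_f =="
    if ! python oyente.py -s "$_f"; then
      echo "-- $_f failed, compiler output follows --" >&2
      python oyente.py -s "$_f" -ce
    fi
  done
}

# Same audit inside the luongnguyen/oyente image, with $1 bind-mounted so the
# contracts are edited on the host, not inside the container. Assumes the image
# runs a shell by default (as the article's interactive 'docker run -i -t' does).
run_all_docker() {
  docker run --rm -v "$(cd "$1" && pwd)":/contracts luongnguyen/oyente \
    sh -c 'cd /oyente/oyente && for f in /contracts/*.sol; do
             python oyente.py -s "$f" || python oyente.py -s "$f" -ce; done'
}

# Usage: sh preflight_oyente.sh <directory with .sol files>
if [ $# -gt 0 ]; then
  preflight && run_all "$1"
fi
```

Run it as sh preflight_oyente.sh contracts/ from the oyente/ directory; a non-zero exit before any contract is touched means one of the version or z3 problems described above, with the offending version printed, which is much faster to diagnose than a bare "compilation failed".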
Although Oyente helps in discovering possible vulnerabilities, it was designed for Solidity versions up to 0.4.24; any Solidity code at version 0.5 or higher will return errors. Oyente gives fewer false alarms than other auditing tools. Most users suggest running auto-auditing only after a manual review, not the other way around.