Convert Figma logo to code with AI

trailofbits logomanticore

Symbolic execution tool

3,671
471
3,671
276
View on GitHub

Top Related Projects

crytic's avatar

echidna

2,698

Ethereum smart contract fuzzer

Consensys's avatar

mythril

3,826

Security analysis tool for EVM bytecode. Supports smart contracts built for Ethereum, Hedera, Quorum, Vechain, Rootstock, Tron and other EVM-compatible blockchains.

crytic's avatar

slither

5,235

Static Analyzer for Solidity and Vyper

Quick Overview

Manticore is a symbolic execution tool for analyzing binaries and smart contracts. It provides a powerful platform for dynamic analysis of low-level code, supporting architectures like x86, x86_64, ARM, and EVM. Manticore can be used for vulnerability discovery, test generation, and program analysis.

Pros

  • Versatile: Supports multiple architectures and can analyze both binaries and smart contracts
  • Powerful analysis capabilities: Combines symbolic execution with SMT solving for deep program analysis
  • Extensible: Provides a Python API for custom analysis and scripting
  • Active development: Regularly updated and maintained by Trail of Bits

Cons

  • Steep learning curve: Requires understanding of symbolic execution and low-level programming concepts
  • Resource-intensive: Can be slow and memory-hungry for complex analyses
  • Limited scalability: May struggle with very large codebases or long execution paths
  • Documentation could be more comprehensive for advanced use cases

Code Examples

  1. Basic symbolic execution of a binary:
from manticore import Manticore

m = Manticore('./path/to/binary')
m.run()

for state in m.all_states:
    print(state.solve_one(state.cpu.RAX))
  1. Analyzing a smart contract:
from manticore.ethereum import ManticoreEVM

m = ManticoreEVM()
contract = m.solidity_create_contract('./MyContract.sol')

symbolic_value = m.make_symbolic_value()
contract.function_name(symbolic_value)

for state in m.ready_states:
    print(state.platform.transactions)
  1. Custom analysis using hooks:
from manticore import Manticore

def hook(state):
    cpu = state.cpu
    if cpu.RAX == 0x1337:
        print("Reached target condition!")
        state.abandon()

m = Manticore('./path/to/binary')
m.add_hook(0x400000, hook)
m.run()

Getting Started

To get started with Manticore:

  1. Install Manticore:

    pip install manticore

  2. Create a simple Python script:

    from manticore import Manticore

m = Manticore('./path/to/binary')
m.run()
print(m.context['success'])

  3. Run the script:

    python your_script.py

For more detailed instructions and advanced usage, refer to the official documentation at https://github.com/trailofbits/manticore.

Competitor Comparisons

crytic logo

echidna

2,698

Ethereum smart contract fuzzer

Pros of Echidna

  • Faster execution due to its property-based testing approach
  • Easier to set up and use, with a simpler configuration process
  • Better suited for quick, iterative testing during development

Cons of Echidna

  • Less comprehensive coverage compared to symbolic execution
  • May miss some edge cases that Manticore could potentially find
  • Limited to Solidity smart contracts, while Manticore supports multiple platforms

Code Comparison

Echidna test example:

function echidna_test_balance() public view returns (bool) {
    return balanceOf[msg.sender] <= totalSupply;
}

Manticore test example:

def test_balance(state, contract):
    balance = contract.balanceOf(state.creator_account)
    total_supply = contract.totalSupply()
    state.constrain(balance > total_supply)
    state.check()

Both tools aim to find vulnerabilities in smart contracts, but they approach the task differently. Echidna uses property-based testing with fuzzing techniques, while Manticore employs symbolic execution. Echidna is generally faster and easier to use, making it suitable for regular testing during development. However, Manticore's symbolic execution can provide more thorough analysis, potentially uncovering subtle bugs that Echidna might miss.

Consensys logo

mythril

3,826

Security analysis tool for EVM bytecode. Supports smart contracts built for Ethereum, Hedera, Quorum, Vechain, Rootstock, Tron and other EVM-compatible blockchains.

Pros of Mythril

  • More active development and frequent updates
  • Broader range of vulnerability detection capabilities
  • Easier to use for beginners with a simpler CLI interface

Cons of Mythril

  • Less precise in some complex analysis scenarios
  • May produce more false positives in certain cases
  • Limited support for non-Ethereum blockchains

Code Comparison

Mythril example:

from mythril.mythril import MythrilDisassembler
from mythril.ethereum import util

address = util.get_indexed_address(0)
contract = MythrilDisassembler().get_contract_from_bytecode(address)

Manticore example:

from manticore.ethereum import ManticoreEVM

m = ManticoreEVM()
contract = m.create_account(balance=1000)
m.transaction(caller=0, address=contract, data=contract_data)

Both tools offer Python APIs for interacting with smart contracts, but Manticore provides a more low-level approach, allowing for greater control over the analysis process. Mythril's API is more abstracted and easier to use for common vulnerability detection tasks.

crytic logo

slither

5,235

Static Analyzer for Solidity and Vyper

Pros of Slither

  • Faster analysis due to static analysis approach
  • Easier to use and integrate into CI/CD pipelines
  • Provides a wider range of detectors for common vulnerabilities

Cons of Slither

  • Less precise than dynamic analysis tools
  • May produce false positives due to its static nature
  • Limited ability to detect complex, runtime-dependent vulnerabilities

Code Comparison

Slither (static analysis):

from slither.slither import Slither

slither = Slither('contract.sol')
print(slither.slither_analyzer.analyze_contracts())

Manticore (dynamic analysis):

from manticore.ethereum import ManticoreEVM

m = ManticoreEVM()
contract = m.solidity_create_contract('contract.sol')
m.run(timeout=30)
print(m.global_findings)

Slither performs static code analysis without executing the contract, while Manticore uses symbolic execution to explore different execution paths. Slither is generally faster and easier to use, but Manticore can provide more in-depth analysis at the cost of increased complexity and runtime.

Convert Figma logo designs to code with AI

Visual Copilot

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

:warning: Project is in Maintenance Mode :warning:

This project is no longer internally developed and maintained. However, we are happy to review and accept small, well-written pull requests by the community. We will only consider bug fixes and minor enhancements.

Any new or currently open issues and discussions shall be answered and supported by the community.

Manticore


Build Status Coverage Status PyPI Version Slack Status Documentation Status Example Status LGTM Total Alerts

Manticore is a symbolic execution tool for the analysis of smart contracts and binaries.

Features

  • Program Exploration: Manticore can execute a program with symbolic inputs and explore all the possible states it can reach
  • Input Generation: Manticore can automatically produce concrete inputs that result in a given program state
  • Error Discovery: Manticore can detect crashes and other failure cases in binaries and smart contracts
  • Instrumentation: Manticore provides fine-grained control of state exploration via event callbacks and instruction hooks
  • Programmatic Interface: Manticore exposes programmatic access to its analysis engine via a Python API

Manticore can analyze the following types of programs:

  • Ethereum smart contracts (EVM bytecode)
  • Linux ELF binaries (x86, x86_64, aarch64, and ARMv7)
  • WASM Modules

Installation

Note: We recommend installing Manticore in a virtual environment to prevent conflicts with other projects or packages

Option 1: Installing from PyPI:

pip install manticore

Option 2: Installing from PyPI, with extra dependencies needed to execute native binaries:

pip install "manticore[native]"

Option 3: Installing a nightly development build:

pip install --pre "manticore[native]"

Option 4: Installing from the master branch:

git clone https://github.com/trailofbits/manticore.git
cd manticore
pip install -e ".[native]"

Option 5: Install via Docker:

docker pull trailofbits/manticore

Once installed, the manticore CLI tool and Python API will be available.

For a development installation, see our wiki.

Usage

CLI

Manticore has a command line interface which can perform a basic symbolic analysis of a binary or smart contract. Analysis results will be placed into a workspace directory beginning with mcore_. For information about the workspace, see the wiki.

EVM

Manticore CLI automatically detects you are trying to test a contract if (for ex.) the contract has a .sol or a .vy extension. See a demo.

Click to expand: 
$ manticore examples/evm/umd_example.sol 
 [9921] m.main:INFO: Registered plugins: DetectUninitializedMemory, DetectReentrancySimple, DetectExternalCallAndLeak, ...
 [9921] m.e.manticore:INFO: Starting symbolic create contract
 [9921] m.e.manticore:INFO: Starting symbolic transaction: 0
 [9921] m.e.manticore:INFO: 4 alive states, 6 terminated states
 [9921] m.e.manticore:INFO: Starting symbolic transaction: 1
 [9921] m.e.manticore:INFO: 16 alive states, 22 terminated states
[13761] m.c.manticore:INFO: Generated testcase No. 0 - STOP(3 txs)
[13754] m.c.manticore:INFO: Generated testcase No. 1 - STOP(3 txs)
...
[13743] m.c.manticore:INFO: Generated testcase No. 36 - THROW(3 txs)
[13740] m.c.manticore:INFO: Generated testcase No. 37 - THROW(3 txs)
[9921] m.c.manticore:INFO: Results in ~/manticore/mcore_gsncmlgx
Manticore-verifier

An alternative CLI tool is provided that simplifies contract testing and allows writing properties methods in the same high-level language the contract uses. Checkout manticore-verifier documentation. See a demo

Native

Click to expand: 
$ manticore examples/linux/basic
[9507] m.n.manticore:INFO: Loading program examples/linux/basic
[9507] m.c.manticore:INFO: Generated testcase No. 0 - Program finished with exit status: 0
[9507] m.c.manticore:INFO: Generated testcase No. 1 - Program finished with exit status: 0
[9507] m.c.manticore:INFO: Results in ~/manticore/mcore_7u7hgfay
[9507] m.n.manticore:INFO: Total time: 2.8029580116271973

API

Manticore provides a Python programming interface which can be used to implement powerful custom analyses.

EVM

For Ethereum smart contracts, the API can be used for detailed verification of arbitrary contract properties. Users can set the starting conditions, execute symbolic transactions, and then review discovered states to ensure invariants for a contract hold.

Click to expand: 
from manticore.ethereum import ManticoreEVM
contract_src="""
contract Adder {
    function incremented(uint value) public returns (uint){
        if (value == 1)
            revert();
        return value + 1;
    }
}
"""
m = ManticoreEVM()

user_account = m.create_account(balance=10000000)
contract_account = m.solidity_create_contract(contract_src,
                                              owner=user_account,
                                              balance=0)
value = m.make_symbolic_value()

contract_account.incremented(value)

for state in m.ready_states:
    print("can value be 1? {}".format(state.can_be_true(value == 1)))
    print("can value be 200? {}".format(state.can_be_true(value == 200)))

Native

It is also possible to use the API to create custom analysis tools for Linux binaries. Tailoring the initial state helps avoid state explosion problems that commonly occur when using the CLI.

Click to expand: 
# example Manticore script
from manticore.native import Manticore

m = Manticore.linux('./example')

@m.hook(0x400ca0)
def hook(state):
  cpu = state.cpu
  print('eax', cpu.EAX)
  print(cpu.read_int(cpu.ESP))

  m.kill()  # tell Manticore to stop

m.run()

WASM

Manticore can also evaluate WebAssembly functions over symbolic inputs for property validation or general analysis.

Click to expand: 
from manticore.wasm import ManticoreWASM

m = ManticoreWASM("collatz.wasm")

def arg_gen(state):
    # Generate a symbolic argument to pass to the collatz function.
    # Possible values: 4, 6, 8
    arg = state.new_symbolic_value(32, "collatz_arg")
    state.constrain(arg > 3)
    state.constrain(arg < 9)
    state.constrain(arg % 2 == 0)
    return [arg]


# Run the collatz function with the given argument generator.
m.collatz(arg_gen)

# Manually collect return values
# Prints 2, 3, 8
for idx, val_list in enumerate(m.collect_returns()):
    print("State", idx, "::", val_list[0])

Requirements

  • Manticore requires Python 3.7 or greater
  • Manticore officially supports the latest LTS version of Ubuntu provided by Github Actions
    • Manticore has experimental support for EVM and WASM (but not native Linux binaries) on MacOS
  • We recommend running with increased stack size. This can be done by running ulimit -s 100000 or by passing --ulimit stack=100000000:100000000 to docker run

Compiling Smart Contracts

  • Ethereum smart contract analysis requires the solc program in your $PATH.
  • Manticore uses crytic-compile to build smart contracts. If you're having compilation issues, consider running crytic-compile on your code directly to make it easier to identify any issues.
  • We're still in the process of implementing full support for the EVM Istanbul instruction semantics, so certain opcodes may not be supported. In a pinch, you can try compiling with Solidity 0.4.x to avoid generating those instructions.

Using a different solver (Yices, Z3, CVC4)

Manticore relies on an external solver supporting smtlib2. Currently Z3, Yices and CVC4 are supported and can be selected via command-line or configuration settings. If Yices is available, Manticore will use it by default. If not, it will fall back to Z3 or CVC4. If you want to manually choose which solver to use, you can do so like this: manticore --smt.solver Z3

Installing CVC4

For more details go to https://cvc4.github.io/. Otherwise, just get the binary and use it.

    sudo wget -O /usr/bin/cvc4 https://github.com/CVC4/CVC4/releases/download/1.7/cvc4-1.7-x86_64-linux-opt
    sudo chmod +x /usr/bin/cvc4

Installing Yices

Yices is incredibly fast. More details here https://yices.csl.sri.com/

    sudo add-apt-repository ppa:sri-csl/formal-methods
    sudo apt-get update
    sudo apt-get install yices2

Getting Help

Feel free to stop by our #manticore slack channel in Empire Hacking for help using or extending Manticore.

Documentation is available in several places:

  • The wiki contains information about getting started with Manticore and contributing

  • The API reference has more thorough and in-depth documentation on our API

  • The examples directory has some small examples that showcase API features

  • The manticore-examples repository has some more involved examples, including some real CTF problems

If you'd like to file a bug report or feature request, please use our issues page.

For questions and clarifications, please visit the discussion page.

License

Manticore is licensed and distributed under the AGPLv3 license. Contact us if you're looking for an exception to the terms.

Publications

If you are using Manticore in academic work, consider applying to the Crytic $10k Research Prize.

Demo Video from ASE 2019

Brief Manticore demo video

Tool Integrations