algorand-vulnerability-scanner
Compare original and translation side by side
🇺🇸
Original
English🇨🇳
Translation
ChineseAlgorand Vulnerability Scanner
Algorand漏洞扫描器
1. Purpose
1. 用途
Systematically scan Algorand smart contracts (TEAL and PyTeal) for platform-specific security vulnerabilities documented in Trail of Bits' "Not So Smart Contracts" database. This skill encodes 11 critical vulnerability patterns unique to Algorand's transaction model.
系统扫描Algorand智能合约(TEAL和PyTeal)中存在的平台特定安全漏洞,这些漏洞记录在Trail of Bits的「Not So Smart Contracts」数据库中。该技能涵盖了Algorand交易模型特有的11种关键漏洞模式。
2. When to Use This Skill
2. 使用场景
- Auditing Algorand smart contracts (stateful applications or smart signatures)
- Reviewing TEAL assembly or PyTeal code
- Pre-audit security assessment of Algorand projects
- Validating fixes for reported Algorand vulnerabilities
- Training team on Algorand-specific security patterns
- 审计Algorand智能合约(有状态应用或智能签名)
- 审查TEAL汇编代码或PyTeal代码
- Algorand项目审计前的安全评估
- 验证已报告的Algorand漏洞修复方案
- 团队内部培训Algorand特定安全模式
3. Platform Detection
3. 平台识别
File Extensions & Indicators
文件扩展名与识别标志
- TEAL files:
.teal - PyTeal files: with PyTeal imports
.py
- TEAL文件:
.teal - PyTeal文件: 包含PyTeal导入语句的文件
.py
Language/Framework Markers
语言/框架标识
python
undefinedpython
undefinedPyTeal indicators
PyTeal标识
from pyteal import *
from algosdk import *
from pyteal import *
from algosdk import *
Common patterns
常见模式
Txn, Gtxn, Global, InnerTxnBuilder
OnComplete, ApplicationCall, TxnType
@router.method, @Subroutine
undefinedTxn, Gtxn, Global, InnerTxnBuilder
OnComplete, ApplicationCall, TxnType
@router.method, @Subroutine
undefinedProject Structure
项目结构
- /
approval_program.pyclear_program.py - /
contract.tealsignature.teal - References to Algorand SDK or Beaker framework
- /
approval_program.pyclear_program.py - /
contract.tealsignature.teal - 引用Algorand SDK或Beaker框架
Tool Support
工具支持
- Tealer: Trail of Bits static analyzer for Algorand
- Installation:
pip3 install tealer - Usage:
tealer contract.teal --detect all
- Tealer: Trail of Bits推出的Algorand静态分析工具
- 安装:
pip3 install tealer - 使用:
tealer contract.teal --detect all
4. How This Skill Works
4. 工作原理
When invoked, I will:
- Search your codebase for TEAL/PyTeal files
- Analyze each file for the 11 vulnerability patterns
- Report findings with file references and severity
- Provide fixes for each identified issue
- Run Tealer (if installed) for automated detection
调用该技能时,我会:
- 搜索代码库中的TEAL/PyTeal文件
- 分析每个文件是否存在11种漏洞模式
- 报告检测结果,包含文件引用和漏洞严重程度
- 为每个已识别问题提供修复方案
- 运行Tealer(若已安装)进行自动化检测
5. Example Output
5. 示例输出
When vulnerabilities are found, you'll get a report like this:
=== ALGORAND VULNERABILITY SCAN RESULTS ===
Project: my-algorand-dapp
Files Scanned: 3 (.teal, .py)
Vulnerabilities Found: 2
---
[CRITICAL] Rekeying Attack
File: contracts/approval.py:45
Pattern: Missing RekeyTo validation
Code:
If(Txn.type_enum() == TxnType.Payment,
Seq([
# Missing: Assert(Txn.rekey_to() == Global.zero_address())
App.globalPut(Bytes("balance"), balance + Txn.amount()),
Approve()
])
)
Issue: The contract doesn't validate the RekeyTo field, allowing attackers
to change account authorization and bypass restrictions.
---当检测到漏洞时,你将收到如下格式的报告:
=== ALGORAND漏洞扫描结果 ===
项目:my-algorand-dapp
已扫描文件:3个(.teal, .py)
检测到漏洞:2个
---
[CRITICAL] 重密钥攻击
文件:contracts/approval.py:45
模式:缺失RekeyTo字段验证
代码:
If(Txn.type_enum() == TxnType.Payment,
Seq([
# 缺失:Assert(Txn.rekey_to() == Global.zero_address())
App.globalPut(Bytes("balance"), balance + Txn.amount()),
Approve()
])
)
问题:合约未验证RekeyTo字段,攻击者可借此更改账户授权并绕过限制。
---5. Vulnerability Patterns (11 Patterns)
5. 漏洞模式(11种)
I check for 11 critical vulnerability patterns unique to Algorand. For detailed detection patterns, code examples, mitigations, and testing strategies, see VULNERABILITY_PATTERNS.md.
我会检查Algorand特有的11种关键漏洞模式。如需详细的检测模式、代码示例、缓解措施和测试策略,请查看VULNERABILITY_PATTERNS.md。
Pattern Summary:
模式摘要:
- Rekeying Vulnerability ⚠️ CRITICAL - Unchecked RekeyTo field
- Missing Transaction Verification ⚠️ CRITICAL - No GroupSize/GroupIndex checks
- Group Transaction Manipulation ⚠️ HIGH - Unsafe group transaction handling
- Asset Clawback Risk ⚠️ HIGH - Missing clawback address checks
- Application State Manipulation ⚠️ MEDIUM - Unsafe global/local state updates
- Asset Opt-In Missing ⚠️ HIGH - No asset opt-in validation
- Minimum Balance Violation ⚠️ MEDIUM - Account below minimum balance
- Close Remainder To Check ⚠️ HIGH - Unchecked CloseRemainderTo field
- Application Clear State ⚠️ MEDIUM - Unsafe clear state program
- Atomic Transaction Ordering ⚠️ HIGH - Assuming transaction order
- Logic Signature Reuse ⚠️ HIGH - Logic sigs without uniqueness constraints
For complete vulnerability patterns with code examples, see VULNERABILITY_PATTERNS.md.
- 重密钥漏洞 ⚠️ 严重 - 未校验RekeyTo字段
- 缺失交易验证 ⚠️ 严重 - 未检查GroupSize/GroupIndex
- 组交易操纵 ⚠️ 高风险 - 不安全的组交易处理
- 资产追回风险 ⚠️ 高风险 - 缺失追回地址校验
- 应用状态操纵 ⚠️ 中风险 - 不安全的全局/本地状态更新
- 缺失资产准入验证 ⚠️ 高风险 - 未验证资产准入
- 最低余额违规 ⚠️ 中风险 - 账户余额低于最低要求
- CloseRemainderTo字段校验缺失 ⚠️ 高风险 - 未校验CloseRemainderTo字段
- 应用清除状态问题 ⚠️ 中风险 - 不安全的清除状态程序
- 原子交易顺序问题 ⚠️ 高风险 - 假设交易顺序固定
- 逻辑签名复用 ⚠️ 高风险 - 逻辑签名无唯一性约束
如需包含代码示例的完整漏洞模式,请查看VULNERABILITY_PATTERNS.md。
5. Scanning Workflow
5. 扫描流程
Step 1: Platform Identification
步骤1:平台识别
- Confirm file extensions (,
.teal).py - Identify framework (PyTeal, Beaker, pure TEAL)
- Determine contract type (stateful application vs smart signature)
- Locate approval and clear state programs
- 确认文件扩展名(,
.teal).py - 识别所使用的框架(PyTeal、Beaker、纯TEAL)
- 确定合约类型(有状态应用 vs 智能签名)
- 定位approval和clear状态程序
Step 2: Static Analysis with Tealer
步骤2:使用Tealer进行静态分析
bash
undefinedbash
undefinedRun Tealer on contract
对合约运行Tealer
tealer contract.teal --detect all
tealer contract.teal --detect all
Or specific detectors
或使用特定检测器
tealer contract.teal --detect unprotected-rekey,group-size-check,update-application-check
undefinedtealer contract.teal --detect unprotected-rekey,group-size-check,update-application-check
undefinedStep 3: Manual Vulnerability Sweep
步骤3:手动漏洞排查
For each of the 11 vulnerabilities above:
- Search for relevant transaction field usage
- Verify validation logic exists
- Check for bypass conditions
- Validate inner transaction handling
针对上述11种漏洞,逐一执行以下操作:
- 搜索相关交易字段的使用情况
- 验证是否存在校验逻辑
- 检查是否存在绕过条件
- 验证内部交易的处理逻辑
Step 4: Transaction Field Validation Matrix
步骤4:交易字段校验矩阵
Create checklist for all transaction types used:
Payment Transactions:
- RekeyTo validated
- CloseRemainderTo validated
- Fee validated (if smart signature)
Asset Transfers:
- Asset ID validated
- AssetCloseTo validated
- RekeyTo validated
Application Calls:
- OnComplete validated
- Access controls enforced
- Group size validated
Inner Transactions:
- Fee explicitly set to 0
- RekeyTo not user-controlled (Teal v6+)
- All fields validated
为所有使用的交易类型创建检查清单:
支付交易:
- RekeyTo字段已校验
- CloseRemainderTo字段已校验
- 手续费已校验(若为智能签名)
资产转移:
- 资产ID已校验
- AssetCloseTo字段已校验
- RekeyTo字段已校验
应用调用:
- OnComplete字段已校验
- 已实施访问控制
- 组大小已校验
内部交易:
- 手续费显式设置为0
- RekeyTo字段不受用户控制(Teal v6+)
- 所有字段均已校验
Step 5: Group Transaction Analysis
步骤5:组交易分析
For atomic transaction groups:
- Validate checks
Global.group_size() - Review absolute vs relative indexing
- Check for replay protection (Lease field)
- Verify OnComplete fields for ApplicationCalls in group
针对原子交易组:
- 校验检查逻辑
Global.group_size() - 审查绝对索引与相对索引的使用
- 检查是否使用Lease字段防止重放攻击
- 验证组内ApplicationCall交易的OnComplete字段
Step 6: Access Control Review
步骤6:访问控制审查
- Creator/admin privileges properly enforced
- Update/delete operations protected
- Sensitive functions have authorization checks
- 创建者/管理员权限已正确实施
- 更新/删除操作已受保护
- 敏感函数已添加授权校验
6. Reporting Format
6. 报告格式
Finding Template
检测结果模板
markdown
undefinedmarkdown
undefined[SEVERITY] Vulnerability Name (e.g., Missing RekeyTo Validation)
[严重程度] 漏洞名称(例如:缺失RekeyTo字段校验)
Location: or
contract.teal:45-50approval_program.py:withdraw()Description:
The contract approves payment transactions without validating the RekeyTo field, allowing an attacker to rekey the account and bypass future authorization checks.
Vulnerable Code:
python
undefined位置: 或
contract.teal:45-50approval_program.py:withdraw()描述:
合约在未校验RekeyTo字段的情况下批准支付交易,攻击者可借此重设账户密钥并绕过后续授权校验。
漏洞代码:
python
undefinedapproval_program.py, line 45
approval_program.py,第45行
If(Txn.type_enum() == TxnType.Payment,
Approve() # Missing RekeyTo check
)
**Attack Scenario**:
1. Attacker submits payment transaction with RekeyTo set to attacker's address
2. Contract approves transaction without checking RekeyTo
3. Account authorization is rekeyed to attacker
4. Attacker gains full control of account
**Recommendation**:
Add explicit validation of the RekeyTo field:
```python
If(And(
Txn.type_enum() == TxnType.Payment,
Txn.rekey_to() == Global.zero_address()
), Approve(), Reject())References:
- building-secure-contracts/not-so-smart-contracts/algorand/rekeying
- Tealer detector:
unprotected-rekey
---If(Txn.type_enum() == TxnType.Payment,
Approve() # 缺失RekeyTo字段检查
)
**攻击场景**:
1. 攻击者提交支付交易,将RekeyTo设置为攻击者地址
2. 合约未检查RekeyTo字段即批准交易
3. 账户授权被重设为攻击者
4. 攻击者获得账户完全控制权
**修复建议**:
添加RekeyTo字段的显式校验:
```python
If(And(
Txn.type_enum() == TxnType.Payment,
Txn.rekey_to() == Global.zero_address()
), Approve(), Reject())参考资料:
- building-secure-contracts/not-so-smart-contracts/algorand/rekeying
- Tealer检测器:
unprotected-rekey
---7. Priority Guidelines
7. 优先级指南
Critical (Immediate Fix Required)
严重(需立即修复)
- Rekeying attacks
- CloseRemainderTo / AssetCloseTo issues
- Access control bypasses
- 重密钥攻击
- CloseRemainderTo / AssetCloseTo相关问题
- 访问控制绕过
High (Fix Before Deployment)
高风险(部署前修复)
- Unchecked transaction fees
- Asset ID validation issues
- Group size validation
- Clear state transaction checks
- 未校验交易手续费
- 资产ID校验问题
- 组大小校验缺失
- 清除状态交易检查缺失
Medium (Address in Audit)
中风险(审计时处理)
- Inner transaction fee issues
- Time-based replay attacks
- DoS via asset opt-in
- 内部交易手续费问题
- 基于时间的重放攻击
- 通过资产准入发起的DoS攻击
8. Testing Recommendations
8. 测试建议
Unit Tests Required
单元测试要求
- Test each vulnerability scenario with PoC exploit
- Verify fixes prevent exploitation
- Test edge cases (group size = 0, empty addresses, etc.)
- 为每个漏洞场景编写PoC漏洞利用测试用例
- 验证修复方案可防止漏洞利用
- 测试边缘情况(组大小=0、空地址等)
Tealer Integration
Tealer集成
bash
undefinedbash
undefinedAdd to CI/CD pipeline
添加到CI/CD流水线
tealer approval.teal --detect all --json > tealer-report.json
tealer approval.teal --detect all --json > tealer-report.json
Fail build on critical findings
若检测到严重/高风险漏洞则终止构建
tealer approval.teal --detect all --fail-on critical,high
undefinedtealer approval.teal --detect all --fail-on critical,high
undefinedScenario Testing
场景测试
- Submit transactions with all critical fields manipulated
- Test atomic groups with unexpected sizes
- Attempt access control bypasses
- Verify inner transaction fee handling
- 提交所有关键字段被篡改的交易
- 测试具有意外大小的原子组
- 尝试绕过访问控制
- 验证内部交易手续费的处理逻辑
9. Additional Resources
9. 额外资源
- Building Secure Contracts:
building-secure-contracts/not-so-smart-contracts/algorand/ - Tealer Documentation: https://github.com/crytic/tealer
- Algorand Developer Docs: https://developer.algorand.org/docs/
- PyTeal Documentation: https://pyteal.readthedocs.io/
- Building Secure Contracts:
building-secure-contracts/not-so-smart-contracts/algorand/ - Tealer文档: https://github.com/crytic/tealer
- Algorand开发者文档: https://developer.algorand.org/docs/
- PyTeal文档: https://pyteal.readthedocs.io/
10. Quick Reference Checklist
10. 快速参考检查清单
Before completing Algorand audit, verify ALL items checked:
- RekeyTo validated in all transaction types
- CloseRemainderTo validated in payment transactions
- AssetCloseTo validated in asset transfers
- Transaction fees validated (smart signatures)
- Group size validated for atomic transactions
- Lease field used for replay protection (where applicable)
- Access controls on Update/Delete operations
- Asset ID validated in all asset operations
- Asset transfers use pull pattern to avoid DoS
- Inner transaction fees explicitly set to 0
- OnComplete field validated for ApplicationCall transactions
- Tealer scan completed with no critical/high findings
- Unit tests cover all vulnerability scenarios
完成Algorand审计前,请确认所有项目均已勾选:
- 所有交易类型中RekeyTo字段已校验
- 支付交易中CloseRemainderTo字段已校验
- 资产转移中AssetCloseTo字段已校验
- 交易手续费已校验(智能签名)
- 原子交易的组大小已校验
- 已使用Lease字段防止重放攻击(如适用)
- 更新/删除操作已添加访问控制
- 所有资产操作中资产ID已校验
- 资产转移使用拉取模式避免DoS攻击
- 内部交易手续费显式设置为0
- ApplicationCall交易的OnComplete字段已校验
- 已完成Tealer扫描且无严重/高风险漏洞
- 单元测试覆盖所有漏洞场景