Ethereum Auto-looter: Scrooge McEtherface


Scrooge McEtherface is an Ethereum smart contract auto-looter based on Mythril Classic. It attempts to exploit Unprotected Ether Withdrawal (SWC-105) and Unprotected SELFDESTRUCT Instruction (SWC-106).
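To make the two weakness classes concrete, here is a minimal contract that exhibits both SWC-105 and SWC-106, next to a hardened form. This is an added example, not code from Scrooge McEtherface or from the original post; the contract names VulnerableVault and HardenedVault and their functions are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed example: both privileged paths are callable by any account.
contract VulnerableVault {
    receive() external payable {}

    // SWC-105: no access control on the withdrawal path,
    // so any caller receives the full balance.
    function withdraw() external {
        payable(msg.sender).transfer(address(this).balance);
    }

    // SWC-106: no access control on SELFDESTRUCT,
    // so any caller can destroy the contract and receive its balance.
    function kill() external {
        selfdestruct(payable(msg.sender));
    }
}

// Hardened form: the withdrawal path is restricted to the deployer
// and the SELFDESTRUCT path is removed entirely.
contract HardenedVault {
    address payable public immutable owner;

    constructor() {
        owner = payable(msg.sender);
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    receive() external payable {}

    // Only the owner can withdraw, and funds always go to the owner
    // address rather than to an arbitrary msg.sender.
    function withdraw() external onlyOwner {
        owner.transfer(address(this).balance);
    }
}
```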

Disclaimer: This is not a tool to be taken lightly. It can do some damage and is for research purposes only!

The installation is straightforward and does not depend on much outside of a standard Linux install, Python 3, and a node to send transactions; ganache-cli does a great job for this task.

Once the repo is cloned, you’ve installed the required libraries, and verified scrooge runs, you’ll need to set up your network node. For our testing purposes we’ll be utilizing ZeppelinOS as our development platform and ganache-cli as our blockchain provider.

For testing you’ll need two terminal windows, one to run ganache-cli and the other to push to the chain and run testing tools.  

$ ~ ganache-cli 
Ganache CLI v6.2.3 (ganache-core: 2.3.1)

Available Accounts
(0) 0x84f0d3ff8d68a801104b82bf101a7b3f80f2bd41 (~100 ETH)


Listening on

$ ~ zos push -u local

Compiling contracts
Compiling ./contracts/C.sol…

Validating contract C
Uploading C contract as C
Deploying logic contract for C

Check the output created from zos push for the deployed contract address and use that as your input for scrooge. 

$ ~ head
"contracts": {
"C": {
"address": "0xccdeb362312f6d9d3e6ce2e829b42208ca4c2210",
"constructorCode": "60806040526000805534801561001457600080fd5b50610147806100246000396000f300",

With this setup you’ll be able to push contracts to your testnet and attack them with scrooge.  

From the example above you can see I’m using a Docker image. The project repository does not currently offer a Dockerfile, nor is there one up on Docker Hub.

Stay tuned for a release of both in the near future!


Editor-In-Chief @crypto_defense & COO @SpyglassSec. #cryptosec #infosec #blockchain #cryptocurrency #firespinner