Yarn is installed in ~/.yarn, however, even if the path is declared at .bashrc, there is another line that I don't know yet why, it is overriding it. The line is line 125 in .basrhc after a clean installation:

- export PATH=":/home/whitehat/.nvm/versions/node/v18.17.1/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/home/whitehat/.local/bin"
+ export PATH="$PATH:/home/whitehat/.nvm/versions/node/v18.17.1/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/home/whitehat/.local/bin"

As can be notice, it is not appending $PATH variable, what actually fixes it into a regular installation. Need to further investigate. Meanwhile, the hotfix is just to append yarn after that line:

# Dockerfile#L166
# Append the specified PATH to .bashrc 
RUN echo 'export PATH="$PATH:$HOME/.yarn/bin:$HOME/.config/yarn/global/node_modules/.bin"' >> ~/.bashrc

https://www.npmjs.com/package/nodemon

• Add video / images and explanation of different use cases of different tools in order to improve user adoption of different tools
• The point for new users is to have everything easy to try, but sometimes they don't know for what is a good use case:
  • I.e.: Pyrometer to follow the range of values that should be allowed in certain codes where a lot of operations are performed

I think makes sense to have the template file of the different bug bounty / contest platforms in a folder so you don't need to look into previous issues or go into the webpage in order to get the template. This may be useful if you are offline or don't want to log into the page.

Notice some platforms need to log in and maybe you don't have in that moment the HWW you use / you are in a new computer or don't want to connect to the page for any reason.

However, maybe just opening a repo, and adding a script with the path to clone, like:
Name: audits / contests repos
Content:

• 4rena template
• CodeHawks template
• Sherlock template
• ????
• Some audit firm template?

Would be enough for people that know sometimes will go offline (to say any reason)

Add

• spearbit report generator ✅
• pessimistic https://github.com/pessimistic-io/slitherin ✅
• include templates of different platforms for the reports

Try

• to decrease size of the image ✅

Remove:

• chown -R command ✅

So I wanted to install some stuff through apt-get and it crashed. It was a dependency issue. Thus, I executed

sudo apt-get update

And it crashed. Seemingly, the internal clock was out of sync.

Attemtped to use the fix propted in the readme (but for the docker image):

sudo date -s "$(curl -s --head http://google.com | grep ^Date: | sed 's/Date: //g')"

Permission denied...
After doing some research, my fix was

1. Stopping the docker container

docker stop devops199

2. Stashing a copy somewhere else

docker commit devops199 my_temporary_image

3. Making sure my local machine's clock was set properly

Because the docker image inherits the time from the machine

4. Deleting the old image

docker rm devops199

5. Re-running the image

docker run -it -d --name devops199 -e TZ=MyTimeZone my_temporary_image

Replace MyTimeZone by the appropriate one (i.e. America/New_York, Europe/Madrid ...).

The bad thing about this fix is that now I have some space occupied by my_temporary_image:

docker image list

yields

REPOSITORY                         TAG       IMAGE ID       CREATED         SIZE
my_temporary_image                 latest    3a9438defdaf   2 hours ago     5.7GB
whitehat-machine                   latest    82d98c925275   2 months ago    2.65GB

Some commands / scripts are not working if not at root. Solution: uso ~/ if they need to be run at home

• This would affect the use of Spearbit report generator.

Found by @luksgrin

Issues with npm installation or user permissions

Fails on npm i -g typescript && npm i

probably is a bug related to installatino of node, maybe its installed with sudo permission so the workaround is to always use sudo, what is not recommended

Info: spends more than 4 minutes building that layer, just do chown where is needed lmao

• check what is not owned by whitehat and run the command just on it

Their installation of their packages should be clean on manticore, echidna, etc, maybe doing that copy pasting logic using multiple docker machines. Need more research

Tool: Wonderland Natspec Smells

• Type: static analyzer
• Link: https://github.com/defi-wonderland/natspec-smells

Tool: Ityfuzz

• Type: fuzzer
• Link: https://github.com/fuzzland/ityfuzz

Tool: Napalm

• Type: Static analyzer Framework + Reports
• Link: https://github.com/ConsenSysDiligence/napalm

add fish, zsh...

Fix goes by removing alias itself and create a bash function, this may go to a .sh file

alias myth='source /home/whitehat/mythril_env/bin/activate && echo $@ && command myth $@ && deactivate'

function myth() {
source /home/whitehat/mythril_env/bin/activate
echo "$@"
command myth "$@"
deactivate
}

To do:

Check if using venv can make it work

Example:

$ manticore
Traceback (most recent call last):
File "/home/whitehat/.manticore_env/bin/manticore", line 5, in
from manticore.main import main
File "/home/whitehat/.manticore_env/lib/python3.9/site-packages/manticore/init.py", line 10, in
from .ethereum.manticore import ManticoreEVM
File "/home/whitehat/.manticore_env/lib/python3.9/site-packages/manticore/ethereum/init.py", line 3, in
from .manticore import ManticoreEVM, config
File "/home/whitehat/.manticore_env/lib/python3.9/site-packages/manticore/ethereum/manticore.py", line 15, in
from ..core.manticore import ManticoreBase, ManticoreError
File "/home/whitehat/.manticore_env/lib/python3.9/site-packages/manticore/core/manticore.py", line 29, in
from .worker import (
File "/home/whitehat/.manticore_env/lib/python3.9/site-packages/manticore/core/worker.py", line 4, in
from .state_pb2 import StateList, MessageList, State, LogMessage
File "/home/whitehat/.manticore_env/lib/python3.9/site-packages/manticore/core/state_pb2.py", line 32, in
_descriptor.EnumValueDescriptor(
File "/home/whitehat/.manticore_env/lib/python3.9/site-packages/google/protobuf/descriptor.py", line 796, in new
_message.Message._CheckCalledFromGeneratedFile()
TypeError: Descriptors cannot not be created directly.
If this call came from a _pb2.py file, your generated code is out of date and must be regenerated with protoc >= 3.19.0.
If you cannot immediately regenerate your protos, some other possible workarounds are:

1. Downgrade the protobuf package to 3.20.x or lower.
2. Set PROTOCOL_BUFFERS_PYTHON_IMPLEMENTATION=python (but this will use pure-Python parsing and will be much slower).

More information: https://developers.google.com/protocol-buffers/docs/news/2022-05-06#python-update

https://github.com/Jon-Becker/heimdall-rs/

nvm, default npm installed is 12 not even 16 wow. Install newer version and/or nvm

Decide if it's better to use npm installation or repository installation for yarn in terms of gas, ehm, memory costs

https://phoenixnap.com/kb/how-to-install-yarn-ubuntu

The pip3 alias is defined within .bashrc as follows:

alias pip3="pip3.9"

This does not work. I imagine the intention is to use python3.9's corresponding pip. The fix is:

- alias pip3="pip3.9"
+ alias pip3="python3 -m pip"

This only works because earlier python3 has been defined as an alias for python3.9. Cool feature is that if python3 points towards a different python version in the future, this alias will adapt appropriately.

Also, I would remove alias python3.9-pip='python3.9 -m pip' because it's obsolete given the fix above.

Branches options that may make sense

• General version (default)
• Formal verification version
• Static analyzers
• Trail of bits version? Makes sense since the https://github.com/trailofbits/eth-security-toolbox/tree/master doesnt have foundry, cargo, and all other tools
• ...?

It's good to be able to specify -code (now that always works) and -d to avoid opening it when called

pyrometer even if it's in beta, it's getting more common as tool.

Pyrometer is a mix of symbolic execution, abstract interpretation, and static analysis - we take ideas from each and apply them with an engineering first mindset to create an effective tool (and avoid nerdsnipes by academic papers) aiming to help both auditors and developers.

Pyrometer may eventually be language agnostic, but for now it is targeting Solidity. The code isn't currently entirely structured for multi-language support, but it has some of the bones to be able to support other EVM-targeting languages.

https://github.com/nascentxyz/pyrometer

Where: [v0.0.1 - v0.0.2]

Code command sometimes is failing due to not having in the path the version in .vscode/[...]/ACTUAL_HASH_VERSION/[...]/code

The solution is to stop adding the path or to add an alias with an exact version, but adding to .bashrc a code that gets latest version by commit into a custom folder latest, and add tot he PATH latest folder, in that way, even if the hash changes, the latest version changes too.

So I wanted to try ToB's medusa. I downloaded and unzipped the latest release, and had a nice binary. So, for the sake of order, I did:

mkdir /home/whitehat/.bin
mv medusa /home/whitehat/.bin/.
echo 'export PATH="$PATH:/home/whitehat/.bin"' >> /home/whitehat/.bashrc
source .bashrc

TLDR;

Is it worth it to add a .bin directory and adding it to $PATH for these scenarios?

Reproducing steps:

whitehat@4cfb79db3f7b:~/test/echidna$  solc-select install 0.8.20
Installing solc '0.8.20'...
solVersion '0.8.20' installed.
whitehat@4cfb79db3f7b:~/test/echidna$ solc-select use 0.8.20
Switched global version to 0.8.20
whitehat@4cfb79db3f7b:~/test/echidna$ solc --version
qemu-x86_64: Could not open '/lib64/ld-linux-x86-64.so.2': No such file or directory
whitehat@4cfb79db3f7b:~/test/echidna$ 

• Create some flows
• Update code fix
• Update table of tools
• Update references

something like
docker-setup: installs extensions, installs cargo forge etc,...

maybe with questions, like when you create a new project and ask you things like.

Example:
Name: nanai
Author: Deivitto
Choose wagmi package:
-> rainbow
-> wallet coneeeeeeect
-> etc