Table of contents
Assume ownership
目标合约
pragma solidity ^0.4.21;
contract AssumeOwnershipChallenge {
address owner;
bool public isComplete;
function AssumeOwmershipChallenge() public {
owner = msg.sender;
}
function authenticate() public {
require(msg.sender == owner);
isComplete = true;
}
}
通关条件
成为合约 owner
题目分析
构造函数 typo,直接调用 AssumeOwmershipChallenge 函数即可成为 owner。
Token bank
目标合约
pragma solidity ^0.4.21;
interface ITokenReceiver {
function tokenFallback(address from, uint256 value, bytes data) external;
}
contract SimpleERC223Token {
// Track how many tokens are owned by each address.
mapping (address => uint256) public balanceOf;
string public name = "Simple ERC223 Token";
string public symbol = "SET";
uint8 public decimals = 18;
uint256 public totalSupply = 1000000 * (uint256(10) ** decimals);
event Transfer(address indexed from, address indexed to, uint256 value);
function SimpleERC223Token() public {
balanceOf[msg.sender] = totalSupply;
emit Transfer(address(0), msg.sender, totalSupply);
}
function isContract(address _addr) private view returns (bool is_contract) {
uint length;
assembly {
//retrieve the size of the code on target address, this needs assembly
length := extcodesize(_addr)
}
return length > 0;
}
function transfer(address to, uint256 value) public returns (bool success) {
bytes memory empty;
return transfer(to, value, empty);
}
function transfer(address to, uint256 value, bytes data) public returns (bool) {
require(balanceOf[msg.sender] >= value);
balanceOf[msg.sender] -= value;
balanceOf[to] += value;
emit Transfer(msg.sender, to, value);
if (isContract(to)) {
ITokenReceiver(to).tokenFallback(msg.sender, value, data);
}
return true;
}
event Approval(address indexed owner, address indexed spender, uint256 value);
mapping(address => mapping(address => uint256)) public allowance;
function approve(address spender, uint256 value)
public
returns (bool success)
{
allowance[msg.sender][spender] = value;
emit Approval(msg.sender, spender, value);
return true;
}
function transferFrom(address from, address to, uint256 value)
public
returns (bool success)
{
require(value <= balanceOf[from]);
require(value <= allowance[from][msg.sender]);
balanceOf[from] -= value;
balanceOf[to] += value;
allowance[from][msg.sender] -= value;
emit Transfer(from, to, value);
return true;
}
}
contract TokenBankChallenge {
SimpleERC223Token public token;
mapping(address => uint256) public balanceOf;
function TokenBankChallenge(address player) public {
token = new SimpleERC223Token();
// Divide up the 1,000,000 tokens, which are all initially assigned to
// the token contract's creator (this contract).
balanceOf[msg.sender] = 500000 * 10**18; // half for me
balanceOf[player] = 500000 * 10**18; // half for you
}
function isComplete() public view returns (bool) {
return token.balanceOf(this) == 0;
}
function tokenFallback(address from, uint256 value, bytes) public {
require(msg.sender == address(token)); // ??这能通过吗?
require(balanceOf[from] + value >= balanceOf[from]);
balanceOf[from] += value;
}
function withdraw(uint256 amount) public {
require(balanceOf[msg.sender] >= amount);
require(token.transfer(msg.sender, amount));
balanceOf[msg.sender] -= amount;
}
}
通关条件
把 TokenBankChallenge 合约中的代币取光
题目分析
阅读合约,应该能发现下面的问题:
TokenBankChallenge 合约的 withdraw 函数存在明显的重入漏洞,token.transfer 在 balance 调整前执行,而 token.transfer 是可能会调用其他合约的 tokenFallback 函数的,在其他合约的 tokenFallback 函数实现中可以发起对 withdraw 的重入。本题的解法应该就是重入 withdraw 了。
用 isContract 判断地址是不是合约并不可靠。如果在合约的 constructor 中触发这个判断,此时 extcodesize(_addr) 为 0,合约地址会被误判为非合约地址。但是在本题中这没什么问题。我们需要的是 isContract(to) 为真,使得 tokenFallback 可以被调用,以进行重入攻击。
有了👆的观察,可以得到以下攻击流程:
部署攻击合约。攻击合约需要可以调用 bank 的 withdraw 函数,并实现 tokenFallback 函数;
从 bank 中 withdraw 到 player 地址;
从 player 地址给攻击合约转账。此时会调用攻击合约的 tokenFallback 函数,我们需要在攻击合约中对资金来源做判断,如果来源是 player 地址,则直接将资金转入 bank;
通过攻击合约调用 bank.withdraw。bank.withdraw 会调用 token.transfer 向攻击合约转账,攻击合约的 tokenFallback 会被调用。由于资金并非来自 player 地址,所以我们在 tokenFallback 中重入 bank.withdraw。bank 中一共 100 万个币,取光即可。
攻击合约代码如下: