ATN漏洞学习

合约代码地址：https://etherscan.io/address/0x461733c17b0755ca5649b6db08b3e213fcf22546#codehttps://etherscan.io/address/0x461733c17b0755ca5649b6db08b3e213fcf22546#code
合约中判断auth的方法：

function isAuthorized(address src, bytes4 sig) internal view returns (bool) {
        if (src == address(this)) {
            return true;
        } else if (src == owner) {
            return true;
        } else if (authority == DSAuthority(0)) {
            return false;
        } else {
            return authority.canCall(src, this, sig);
        }
    }

如果请求包含合约地址自身而再合约内自身的多个transferFrom函数中function transferFrom(address _from, address _to, uint256 _amount, bytes _data, string _custom_fallback)函数

 function transferFrom(address _from, address _to, uint256 _amount, bytes _data, string _custom_fallback)
        public
        returns (bool success)
    {
        // Alerts the token controller of the transfer
        if (isContract(controller)) {
            if (!TokenController(controller).onTransfer(_from, _to, _amount))
               throw;
        }

        require(super.transferFrom(_from, _to, _amount));

        if (isContract(_to)) {
            ERC223ReceivingContract receiver = ERC223ReceivingContract(_to);
            receiver.call.value(0)(bytes4(keccak256(_custom_fallback)), _from, _amount, _data);
        }

        ERC223Transfer(_from, _to, _amount, _data);

        return true;
    }

判断如果to地址为合约则调用（ERC223ReceivingContract）to 的任意函数，即任意地址的任意函数.所以如果调用自身合约的setOwner(address)函数即可将_from地址设置为owner；再通过mint函数即可生成代币；