合约地址:0x75572098dc462F976127f59F8c97dFa291f81d8b
攻击交易:
https://etherscan.io/tx/0xdd1120a90ed4112b634266d6a244b93ca86785317bc75f0e170ab0cd97c65224
// ERC-20 transferFrom. On the normal path it checks and consumes the caller's
// allowance from `from`. When msg.sender is flagged in mapAddress_Excluded the
// whole allowance block is skipped: no check, no deduction, and _transfer is
// reached for ANY `from` account.
// Security note: this is the privilege the exclusion flag actually carries —
// an excluded caller can move tokens out of accounts that never approved it.
// Mitigation would be to keep the allowance check unconditional and let the
// exclusion flag affect only fee accounting, whatever its original purpose.
function transferFrom(address from, address to, uint value) public override returns (bool success) {
    if(!mapAddress_Excluded[msg.sender]){
        // Normal path: enforce and consume the allowance granted by `from`.
        require(value <= _allowances[from][msg.sender], 'Must not send more than allowance');
        _allowances[from][msg.sender] -= value;
    }
    // Excluded senders arrive here without any allowance being verified.
    _transfer(from, to, value);
    return true;
}
// ERC-20 allowance view. For an excluded spender it reports totalSupply
// regardless of `owner`, mirroring the allowance bypass in transferFrom;
// for everyone else it returns the stored approval.
// Detection note: any wallet or indexer that reads allowance() will therefore
// show an unlimited approval from every holder to an excluded address, even
// though no approve() was ever called — a useful signal when auditing
// who is flagged in mapAddress_Excluded.
function allowance(address owner, address spender) public view virtual override returns (uint256) {
    if(mapAddress_Excluded[spender]){
        // Unlimited for any owner, not just those who approved the spender.
        return totalSupply;
    } else {
        return _allowances[owner][spender];
    }
}
从这两个函数可以看出，被标记在 mapAddress_Excluded 中的地址在 transferFrom 里跳过了授权检查，因此拥有转出任意账户 token 的权利。而 changeExcluded 函数
// Toggles the exclusion flag of an arbitrary address in exchange for a fee
// paid by msg.sender to this contract (mapEra_Emission[1]/16 to set, /32 to
// clear). It is external with no access control and no relation required
// between msg.sender and `excluded`, so anyone who can pay the fee can flag
// any address — including their own — and thereby obtain the allowance bypass
// that transferFrom grants to excluded senders.
// NOTE(review): the fee suggests exclusion was presumably meant as a paid,
// self-service feature (e.g. fee exemption) rather than a privileged role —
// confirm against the rest of the contract. If so, the defect is less the
// missing access control here than the privilege transferFrom attaches to the
// flag; the safe fix is to make exclusion never affect allowance checks.
// Also: clearing the flag does not remove the address from excludedArray or
// decrement excludedCount, so those records only ever grow.
function changeExcluded(address excluded) external {
    if(!mapAddress_Excluded[excluded]){
        _transfer(msg.sender, address(this), mapEra_Emission[1]/16); // Pay fee of 128 Vether
        mapAddress_Excluded[excluded] = true; // Add desired address
        excludedArray.push(excluded); excludedCount +=1; // Record details
        totalFees += mapEra_Emission[1]/16; // Record fees
        mapAddress_BlockChange[excluded] = block.number; // Record time of change
    } else {
        _transfer(msg.sender, address(this), mapEra_Emission[1]/32); // Pay fee of 64 Vether
        mapAddress_Excluded[excluded] = false; // Change desired address
        // excludedArray / excludedCount are left as they were.
        totalFees += mapEra_Emission[1]/32; // Record fees
        mapAddress_BlockChange[excluded] = block.number; // Record time of change
    }
}
为 external 且没有任何权限控制，任何人都可以从外部调用它修改任意地址的 mapAddress_Excluded 状态，只需支付 128 Vether 的手续费。
修改 mapAddress_Excluded 之后再调用 transferFrom，即可将大量 token 转移并出售。
不太明白的是：如果 changeExcluded 只是忘了加权限控制，为什么设置 mapAddress_Excluded 还要收取 128 Vether 的费用？