合约代码:
https://github.com/LienFinance/idol/blob/master/contracts/BondMaker.sol
合约中函数reverseBondToETH
可以提取任意数量eth到msg.sender(如果绕过for循环,即bondIDs.length为0),
通过在函数registerNewBondGroup
传入空bondIDs
,以及传入大于 _getBlockTimestampSec()的maturity
,即可绕过_assertBondGroup()
中所有的for循环验证,最后将函数registerNewBondGroup
返回的bondGroupID
以及想要的eth数量传入reverseBondToETH
函数即可实现任意提取合约BondMaker
中的eth。
function reverseBondToETH(uint256 bondGroupID, uint256 amountE8)
public
override
returns (bool)
{
BondGroup storage bondGroup = _bondGroupList[bondGroupID];
bytes32[] storage bondIDs = bondGroup.bondIDs;
require(
_getBlockTimestampSec() < bondGroup.maturity,
"the maturity has already expired"
);
bytes32 bondID;
for (
uint256 bondFnMapIndex = 0;
bondFnMapIndex < bondIDs.length;
bondFnMapIndex++
) {
bondID = bondIDs[bondFnMapIndex];
_burnBond(bondID, msg.sender, amountE8);
}
_transferETH(
msg.sender,
amountE8.mul(10**10),
"system error: insufficient Ether balance"
);
emit LogReverseBondToETH(bondGroupID, msg.sender, amountE8.mul(10**10));
return true;
}