1,数值溢出
此函数是计算乘法。如果使用的是非常大的数字,变量将溢出,而不是大数字。
程序
pragma solidity ^0.4.10;
contract test {
function calculateSum(uint24 a, uint24 b) returns(uint24) {
return a * b;
}
}
随便输入一个大数字,变量溢出
contract TimeLock {
mapping(address => uint) public balances;
mapping(address => uint) public lockTime;
function deposit() public payable {
balances[msg.sender] += msg.value;
lockTime[msg.sender] = now + 1 weeks;
}
function increaseLockTime(uint _secondsToIncrease) public {
lockTime[msg.sender] += _secondsToIncrease;
}
function withdraw() public {
require(balances[msg.sender] > 0);
require(now > lockTime[msg.sender]);
balances[msg.sender] = 0;
msg.sender.transfer(balances[msg.sender]);
}
}
2的256 次方导致上溢
2,函数表达体不正确
function nonZeroSum(uint256 a, uint256 b) {
return a + b;
}
不为0的变量函数应该为:
function nonZeroSum(uint256 a, uint256 b) {
require(a > 0 && b > 0);
return a + b;
}
• delegatecall :外部调用上下是调用合约上下文
• sender:总是存放着当前函数的外部调用者的地址
pragma solidity ^ 0.4.17;
contract Delegate {
address public owner;
function Delegate(address _owner) {
owner = _owner;
}
function pwn() {
owner = msg.sender;
}
}
contract Delegation {
address public owner;
Delegate delegate;
function Delegation(address _delegateAddress) {
delegate = Delegate(_delegateAddress);
owner = msg.sender;
}
function () {
if (delegate.delegatecall(msg.data)) {
this;
}
}
}
第一步:执行Delegate合约
第二步,执行 delegation合约调用delegate合约地址
第三步:开始调取外部的合约delegation函数,合约拥有者就变了。
msg.data是可控的
此函数是计算乘法。如果使用的是非常大的数字,变量将溢出,而不是大数字。
程序
pragma solidity ^0.4.10;
contract test {
function calculateSum(uint24 a, uint24 b) returns(uint24) {
return a * b;
}
}
随便输入一个大数字,变量溢出
![](https://i-blog.csdnimg.cn/blog_migrate/03f78726f09349ff18377ec798938453.png)
contract TimeLock {
mapping(address => uint) public balances;
mapping(address => uint) public lockTime;
function deposit() public payable {
balances[msg.sender] += msg.value;
lockTime[msg.sender] = now + 1 weeks;
}
function increaseLockTime(uint _secondsToIncrease) public {
lockTime[msg.sender] += _secondsToIncrease;
}
function withdraw() public {
require(balances[msg.sender] > 0);
require(now > lockTime[msg.sender]);
balances[msg.sender] = 0;
msg.sender.transfer(balances[msg.sender]);
}
}
2的256 次方导致上溢
![](https://i-blog.csdnimg.cn/blog_migrate/a2cd2fccf36f4329b12b2ff5827319e1.png)
2,函数表达体不正确
function nonZeroSum(uint256 a, uint256 b) {
return a + b;
}
不为0的变量函数应该为:
function nonZeroSum(uint256 a, uint256 b) {
require(a > 0 && b > 0);
return a + b;
}
3,call函数不明确
• call :外部调用上下文是外部合约• delegatecall :外部调用上下是调用合约上下文
• sender:总是存放着当前函数的外部调用者的地址
pragma solidity ^ 0.4.17;
contract Delegate {
address public owner;
function Delegate(address _owner) {
owner = _owner;
}
function pwn() {
owner = msg.sender;
}
}
contract Delegation {
address public owner;
Delegate delegate;
function Delegation(address _delegateAddress) {
delegate = Delegate(_delegateAddress);
owner = msg.sender;
}
function () {
if (delegate.delegatecall(msg.data)) {
this;
}
}
}
第一步:执行Delegate合约
![](https://i-blog.csdnimg.cn/blog_migrate/c2da85e975cba8ce823d39f552a92d6a.png)
第二步,执行 delegation合约调用delegate合约地址
![](https://i-blog.csdnimg.cn/blog_migrate/0b21510ad2926051d1d27faccc6eb880.png)
第三步:开始调取外部的合约delegation函数,合约拥有者就变了。
![](https://i-blog.csdnimg.cn/blog_migrate/c6ed3e8543a1b243a5aae31eeaca361d.png)
msg.data是可控的