Lately I have been hearing about a lot of hacking incidents, and it is hard not to feel uneasy. Most of them hit newer projects, but the amounts were large, and the victims were usually well-known projects that had already been audited. So safety first: read more, think more, make your own judgement, and stay away from the high-risk projects, especially cross-chain bridges!

I re-read the Ethereum security material, which puts heavy emphasis on reentrancy attacks. I had looked into the topic before without going deep; now, with some free time, I will try a reentrancy attack for myself.

The earliest and best-known reentrancy attack was on the DAO project. The incident led to the ETC fork, so the consequences were serious. I looked up the code, wanting to reproduce it, but I was really overthinking it: **the vulnerability was patched long ago!**

## Where it happens

Reentrancy happens when Ethereum transfers ether: the line `msg.sender.call.value(_amount)();` carries a reentrancy risk. Ethereum has two account types: externally owned accounts (user addresses) and contract accounts. If the recipient is an external account, the code runs normally. But if the recipient is a contract, this line is a problem: `msg.sender.call.value(_amount)();` triggers that contract's fallback function! If the fallback function contains malicious code, the fun really starts! For example:

```solidity
// ibank: a reference to the vulnerable bank contract being withdrawn from
fallback() external payable {
    ibank.withdraw();
}
```

This amounts to withdrawing ether over and over without stopping!

I reproduced the code, but this code has long since stopped working; I was overthinking it! As shown below:

![call.jpg](https://ipfs.ilark.io/ipfs/QmbBsqvuXRGWLwTNo64JooZZ32arRzF5YdNHMmTyoLHscH)

```solidity
msg.sender.call.value(_amount)(); // reentrancy line, patched long ago!
```

I looked up the new syntax, `msg.sender.call{value: 1 ether}("");`, and it also has no reentrancy risk anymore. Of course, such low-level code is generally not used now; `transfer` is recommended, like this: `payable(msg.sender).transfer(1 ether);`. `transfer` has a 2300 gas limit, so reentrancy is impossible.
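The following is an added example, not code from the original post or from any project it mentions; the contract and function names (`UnsafeBank`, `SafeBank`, `deposit`, `withdraw`, `nonReentrant`) are illustrative choices. It shows the ordering defect that the re-entrant `fallback()` above exploits, beside the hardened form a practitioner would write: state is updated before the external call (checks-effects-interactions) and a mutex blocks nested entry. The point worth noting is that `call{value: ...}("")` forwards all remaining gas to the recipient, so its `receive()`/`fallback()` still runs arbitrary code; the protection comes from the ordering and the guard, not from the syntax.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added example (not from the original post): the classic vulnerable ordering.
// The balance is reduced only AFTER the external call, so a contract recipient
// whose fallback() calls withdraw() again still sees its old balance.
contract UnsafeBank {
    mapping(address => uint256) public balances;

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    function withdraw() external {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");
        // Interaction BEFORE effect: this is the bug an auditor flags.
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        balances[msg.sender] = 0; // too late: re-entrant calls already drained funds
    }
}

// Hardened form: checks-effects-interactions plus a reentrancy mutex.
contract SafeBank {
    mapping(address => uint256) public balances;

    // 1 = unlocked, 2 = locked (non-zero values keep the storage slot warm/cheaper).
    uint256 private _status = 1;

    error Reentrant();
    error InsufficientBalance();
    error TransferFailed();

    // Any nested call into a guarded function while the lock is held reverts.
    modifier nonReentrant() {
        if (_status == 2) revert Reentrant();
        _status = 2;
        _;
        _status = 1;
    }

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    function withdraw(uint256 amount) external nonReentrant {
        // Checks: validate the request against stored state.
        if (balances[msg.sender] < amount) revert InsufficientBalance();

        // Effects: update state BEFORE any external call, so that even if the
        // recipient re-enters, it sees the already-reduced balance.
        balances[msg.sender] -= amount;

        // Interactions: the external call goes last. call{value:}("") forwards
        // all remaining gas, so the recipient's receive()/fallback() runs here;
        // with the effect already applied and the mutex held, a nested
        // withdraw() reverts instead of draining the contract.
        (bool ok, ) = msg.sender.call{value: amount}("");
        if (!ok) revert TransferFailed();
    }
}
```

The hardened contract deliberately uses `call` rather than `transfer`: `transfer` hard-codes a 2300 gas stipend, which fails for legitimate contract recipients whose `receive()` needs more gas and can break after opcode repricing, so relying on the stipend as the reentrancy defence is fragile. Reviewing a withdraw path therefore means checking two things: every state write happens before the first external call, and any function that can be re-entered is covered by the same mutex.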
field | value
---|---
author | lemooljiang
permlink | ihhmdgbx |
category | hive-105017 |
json_metadata | {"tags":["smartcontract","cn","eth","web3","solidity"],"dapp":"larkBlog","format":"markdown"} |
created | 2022-10-26 07:59:06 |
last_update | 2022-10-26 07:59:06 |
depth | 0 |
children | 0 |
last_payout | 2022-11-02 07:59:06 |
cashout_time | 1969-12-31 23:59:59 |
total_payout_value | 4.332 HBD |
curator_payout_value | 4.323 HBD |
pending_payout_value | 0.000 HBD |
promoted | 0.000 HBD |
body_length | 901 |
author_reputation | 378,459,582,201,132 |
root_title | "Studying and trying reentrancy attacks / Learning smart contracts #59" |
beneficiaries | [] |
max_accepted_payout | 1,000,000.000 HBD |
percent_hbd | 10,000 |
post_id | 117,791,192 |
net_rshares | 13,997,765,901,784 |
author_curate_reward | "" |