Capturetheether 题解(Miscellaneous)

date
Dec 3, 2020
slug
capturetheether-miscellaneous
status
Published
tags
Solidity
Code
Ethereum
CTF
summary
type
Post

Assume ownership

目标合约

pragma solidity ^0.4.21;

contract AssumeOwnershipChallenge {
    address owner;
    bool public isComplete;

    function AssumeOwmershipChallenge() public {
        owner = msg.sender;
    }

    function authenticate() public {
        require(msg.sender == owner);

        isComplete = true;
    }
}

通关条件

成为合约 owner

题目分析

构造函数 typo,直接调用 AssumeOwmershipChallenge 函数即可成为 owner。

Token bank

目标合约

pragma solidity ^0.4.21;

interface ITokenReceiver {
    function tokenFallback(address from, uint256 value, bytes data) external;
}

contract SimpleERC223Token {
    // Track how many tokens are owned by each address.
    mapping (address => uint256) public balanceOf;

    string public name = "Simple ERC223 Token";
    string public symbol = "SET";
    uint8 public decimals = 18;

    uint256 public totalSupply = 1000000 * (uint256(10) ** decimals);

    event Transfer(address indexed from, address indexed to, uint256 value);

    function SimpleERC223Token() public {
        balanceOf[msg.sender] = totalSupply;
        emit Transfer(address(0), msg.sender, totalSupply);
    }

    function isContract(address _addr) private view returns (bool is_contract) {
        uint length;
        assembly {
            //retrieve the size of the code on target address, this needs assembly
            length := extcodesize(_addr)
        }
        return length > 0;
    }

    function transfer(address to, uint256 value) public returns (bool success) {
        bytes memory empty;
        return transfer(to, value, empty);
    }

    function transfer(address to, uint256 value, bytes data) public returns (bool) {
        require(balanceOf[msg.sender] >= value);

        balanceOf[msg.sender] -= value;
        balanceOf[to] += value;
        emit Transfer(msg.sender, to, value);

        if (isContract(to)) {
            ITokenReceiver(to).tokenFallback(msg.sender, value, data);
        }
        return true;
    }

    event Approval(address indexed owner, address indexed spender, uint256 value);

    mapping(address => mapping(address => uint256)) public allowance;

    function approve(address spender, uint256 value)
        public
        returns (bool success)
    {
        allowance[msg.sender][spender] = value;
        emit Approval(msg.sender, spender, value);
        return true;
    }

    function transferFrom(address from, address to, uint256 value)
        public
        returns (bool success)
    {
        require(value <= balanceOf[from]);
        require(value <= allowance[from][msg.sender]);

        balanceOf[from] -= value;
        balanceOf[to] += value;
        allowance[from][msg.sender] -= value;
        emit Transfer(from, to, value);
        return true;
    }
}

contract TokenBankChallenge {
    SimpleERC223Token public token;
    mapping(address => uint256) public balanceOf;

    function TokenBankChallenge(address player) public {
        token = new SimpleERC223Token();

        // Divide up the 1,000,000 tokens, which are all initially assigned to
        // the token contract's creator (this contract).
        balanceOf[msg.sender] = 500000 * 10**18;  // half for me
        balanceOf[player] = 500000 * 10**18;      // half for you
    }

    function isComplete() public view returns (bool) {
        return token.balanceOf(this) == 0;
    }

    function tokenFallback(address from, uint256 value, bytes) public {
        require(msg.sender == address(token)); // ??这能通过吗?
        require(balanceOf[from] + value >= balanceOf[from]);

        balanceOf[from] += value;
    }

    function withdraw(uint256 amount) public {
        require(balanceOf[msg.sender] >= amount);

        require(token.transfer(msg.sender, amount));
        balanceOf[msg.sender] -= amount;
    }
}

通关条件

把 TokenBankChallenge 合约中的代币取光

题目分析

阅读合约,应该能发现下面的问题:
  1. TokenBankChallenge 合约的 withdraw 函数存在明显的重入漏洞,token.transfer 在 balance 调整前执行,而 token.transfer 是可能会调用其他合约的 tokenFallback 函数的,在其他合约的 tokenFallback 函数实现中可以发起对 withdraw 的重入。本题的解法应该就是重入 withdraw 了。
  1. 用 isContract 判断地址是不是合约并不可靠。如果在合约的 constructor 中触发这个判断,此时 extcodesize(_addr) 为 0,合约地址会被误判为非合约地址。但是在本题中这没什么问题。我们需要的是 isContract(to) 为真,使得 tokenFallback 可以被调用,以进行重入攻击。
有了👆的观察,可以得到以下攻击流程:
  1. 部署攻击合约。攻击合约需要可以调用 bank 的 withdraw 函数,并实现 tokenFallback 函数;
  1. 从 bank 中 withdraw 到 player 地址;
  1. 从 player 地址给攻击合约转账。此时会调用攻击合约的 tokenFallback 函数,我们需要在攻击合约中对资金来源做判断,如果来源是 player 地址,则直接将资金转入 bank;
  1. 通过攻击合约调用 bank.withdraw。bank.withdraw 会调用 token.transfer 向攻击合约转账,攻击合约的 tokenFallback 会被调用。由于资金并非来自 player 地址,所以我们在 tokenFallback 中重入 bank.withdraw。bank 中一共 100 万个币,取光即可。
攻击合约代码如下:

© lanford33 2021 - 2022