智能合约安全-parity多重签名钱包安全漏洞
2024-10-21 06:32:41
漏洞原因:
因为initWallet函数是公开函数( public function) , 攻击者调用initWallet,重新初始化钱包会把之前合约钱包所有者覆盖, 即可改变钱包所有者。
漏洞代码:
// constructor - just pass on the owner array to the multiowned and
// the limit to daylimit
function initWallet(address[] _owners, uint _required, uint _daylimit) {
initDaylimit(_daylimit);
initMultiowned(_owners, _required);
} // constructor - stores initial daily limit and records the present day's index.
function initDaylimit(uint _limit) {
m_dailyLimit = _limit;
m_lastDay = today();
} // constructor is given number of sigs required to do protected "onlymanyowners" transactions
// as well as the selection of addresses capable of confirming them.
function initMultiowned(address[] _owners, uint _required) {
m_numOwners = _owners.length + ;
m_owners[] = uint(msg.sender);
m_ownerIndex[uint(msg.sender)] = ;
for (uint i = ; i < _owners.length; ++i)
{
m_owners[ + i] = uint(_owners[i]);
m_ownerIndex[uint(_owners[i])] = + i;
}
m_required = _required;
}
修复方法:
设置 initMultiowned 和 initDaylimit 禁止外部调用,给initWallet添加only_uninitialized函数修改器,确保initWallt只被调用一次。
安全修复代码:
// throw unless the contract is not yet initialized.
modifier only_uninitialized { if (m_numOwners > ) throw; _; } // constructor - just pass on the owner array to the multiowned and
// the limit to daylimit
function initWallet(address[] _owners, uint _required, uint _daylimit) only_uninitialized {
initDaylimit(_daylimit);
initMultiowned(_owners, _required);
} // constructor - stores initial daily limit and records the present day's index.
function initDaylimit(uint _limit) internal {
m_dailyLimit = _limit;
m_lastDay = today();
} // constructor is given number of sigs required to do protected "onlymanyowners" transactions
// as well as the selection of addresses capable of confirming them.
function initMultiowned(address[] _owners, uint _required) internal {
m_numOwners = _owners.length + ;
m_owners[] = uint(msg.sender);
m_ownerIndex[uint(msg.sender)] = ;
for (uint i = ; i < _owners.length; ++i)
{
m_owners[ + i] = uint(_owners[i]);
m_ownerIndex[uint(_owners[i])] = + i;
}
m_required = _required;
}
POC
web3.eth.contract(MultiSigParityAbit).at(Vulnerable_Address).initWallet.getData([YOUR_ADDRESS], ,)
POC未测试,待测。
REF:http://shellcode.se/programming/simple-mistake-leads-to-30m-usd-theft/
最新文章
- CentOS使用yum源中自带的rpm包安装LAMP环境
- ABAP 弹出对话框
- No suitable driver found for jdbc:mysql://localhost:3306/dmc
- JS中delete删除对象属性
- ligerui_实际项目_003:form中添加数据,表格(grid)里面显示,最后将表格(grid)里的数据提交到servlet
- mui开发
- 数据库:mongodb与关系型数据库相比的优缺点
- 【Qt】Qt Assistant介绍【转】
- C# winform关于DataGridView的一些操作
- LeetCode (13): 3Sum Closest
- 庖丁解牛FPPopover
- 《CSS网站布局实录》学习笔记(三)
- Swift缩水版MJExtension - Reflect的基本使用
- POJ 3831 &;amp; HDU 3264 Open-air shopping malls(几何)
- LeetCode 110. Balanced Binary Tree (平衡二叉树)
- Win7如何分享局域网并设置共享文件夹账户和密码
- npm 模块的总结
- Java WebService接口生成和调用 图文详解>;【转】【待调整】
- cc.Mask. 纯代码拉伸遮罩
- (.NET高级课程笔记)泛型总结