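Cause of the vulnerability:

Because initWallet is a public function, an attacker can call initWallet to re-initialize the wallet. Re-initialization overwrites the contract wallet's previous owners, which changes who owns the wallet.

Vulnerable code: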

    // constructor - just pass on the owner array to the multiowned and
    // the limit to daylimit
    function initWallet(address[] _owners, uint _required, uint _daylimit) {
        initDaylimit(_daylimit);
        initMultiowned(_owners, _required);
    }

    // constructor - stores initial daily limit and records the present day's index.
    function initDaylimit(uint _limit) {
        m_dailyLimit = _limit;
        m_lastDay = today();
    }

    // constructor is given number of sigs required to do protected "onlymanyowners" transactions
    // as well as the selection of addresses capable of confirming them.
    function initMultiowned(address[] _owners, uint _required) {
        m_numOwners = _owners.length + 1;
        m_owners[1] = uint(msg.sender);
        m_ownerIndex[uint(msg.sender)] = 1;
        for (uint i = 0; i < _owners.length; ++i)
        {
            m_owners[2 + i] = uint(_owners[i]);
            m_ownerIndex[uint(_owners[i])] = 2 + i;
        }
        m_required = _required;
    }

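Fix:

Mark initMultiowned and initDaylimit so that they cannot be called externally, and add the only_uninitialized function modifier to initWallet to ensure that initWallet can be called only once.

Fixed code: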

    // throw unless the contract is not yet initialized.
    modifier only_uninitialized { if (m_numOwners > 0) throw; _; }

    // constructor - just pass on the owner array to the multiowned and
    // the limit to daylimit
    function initWallet(address[] _owners, uint _required, uint _daylimit) only_uninitialized {
        initDaylimit(_daylimit);
        initMultiowned(_owners, _required);
    }

    // constructor - stores initial daily limit and records the present day's index.
    function initDaylimit(uint _limit) internal {
        m_dailyLimit = _limit;
        m_lastDay = today();
    }

    // constructor is given number of sigs required to do protected "onlymanyowners" transactions
    // as well as the selection of addresses capable of confirming them.
    function initMultiowned(address[] _owners, uint _required) internal {
        m_numOwners = _owners.length + 1;
        m_owners[1] = uint(msg.sender);
        m_ownerIndex[uint(msg.sender)] = 1;
        for (uint i = 0; i < _owners.length; ++i)
        {
            m_owners[2 + i] = uint(_owners[i]);
            m_ownerIndex[uint(_owners[i])] = 2 + i;
        }
        m_required = _required;
    }
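
As an added example (not code from the original post or from the Parity project), this Python lint checks Solidity source for the flaw described above: functions that are callable from outside, carry no modifier, and reach a write to ownership state. The two samples are constructed, condensed versions of the listings above; the list of sensitive variables and the rule that any modifier counts as a guard are assumptions of this example.

```python
import re

# Constructed samples: condensed vulnerable listing, then the page's fix applied to it.
VULNERABLE = """
function initWallet(address[] _owners, uint _required, uint _daylimit) {
  initDaylimit(_daylimit);
  initMultiowned(_owners, _required);
}
function initDaylimit(uint _limit) {
  m_dailyLimit = _limit;
}
function initMultiowned(address[] _owners, uint _required) {
  m_numOwners = _owners.length + 1;
  m_owners[1] = uint(msg.sender);
  m_required = _required;
}
"""
FIXED = (VULNERABLE.replace("_daylimit) {", "_daylimit) only_uninitialized {")
         .replace("_limit) {", "_limit) internal {")
         .replace("_required) {", "_required) internal {"))

# Assumption: the state variables that decide ownership and spending limits.
SENSITIVE = ("m_owners", "m_ownerIndex", "m_numOwners", "m_required", "m_dailyLimit")
NOT_GUARDS = {"public", "external", "internal", "private", "constant", "payable"}
# Assumption: each function's closing brace sits at column 0, as in the samples.
FUNC = re.compile(r"function\s+(\w+)\s*\(([^)]*)\)([^{]*)\{(.*?)\n\}", re.S)

def parse(src):
    funcs = {}
    for name, _args, quals, body in FUNC.findall(src):
        words = set(re.sub(r"returns\s*\([^)]*\)", "", quals).split())
        exposed = not words & {"internal", "private"}  # pre-0.5: no keyword means public
        funcs[name] = (exposed, words - NOT_GUARDS, body)
    return funcs

def reaches_write(funcs, name, seen):
    if name in seen:
        return False
    seen.add(name)
    body = funcs[name][2]
    if any(re.search(rf"\b{v}\b(\[[^\]]*\])?\s*=(?!=)", body) for v in SENSITIVE):
        return True
    return any(reaches_write(funcs, c, seen)
               for c in funcs if re.search(rf"\b{c}\s*\(", body))

def unguarded_entry_points(src):
    funcs = parse(src)
    return sorted(n for n, (exposed, guards, _body) in funcs.items()
                  if exposed and not guards and reaches_write(funcs, n, set()))
```

On the vulnerable sample all three init functions are reported; on the fixed sample none are. A modifier is only treated as present, not checked for correctness, so a reported-clean result still needs the modifier body reviewed.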

POC

web3.eth.contract(MultiSigParityAbit).at(Vulnerable_Address).initWallet.getData([YOUR_ADDRESS], ,)

The PoC is untested; testing is still pending.

REF: http://shellcode.se/programming/simple-mistake-leads-to-30m-usd-theft/
