24.拒绝服务攻击_2
2023-06-23 20:45:58 # 00.security

拒绝服务攻击_2

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
contract DistributeTokens {
    address public owner; // gets set somewhere
    address[] investors; // array of investors
    uint[] investorTokens; // the amount of tokens each investor gets

    // ... extra functionality, including transfertoken()

    function invest() public payable {
        investors.push(msg.sender);
        investorTokens.push(msg.value * 5); // 5 times the wei sent
        }

    function distribute() public {
        require(msg.sender == owner); // only owner
        for(uint i = 0; i < investors.length; i++) {
            // here transferToken(to,amount) transfers "amount" of
            // tokens to the address "to"
            transferToken(investors[i],investorTokens[i]);
        }
    }
}

请注意,此合约中的for循环运行在一个可以人为膨胀的数组上。攻击者可以创建许多用户帐户,使investor数组变大。原则上,这样做可以使执行 for 循环所需的气体超过区块气体限制,从根本上使该distribute功能无法运行。

Prev
2023-06-23 20:45:58 # 00.security
Next