0415 被攻击合约:0x278ce7151bfd1b035e8bc99e15b4d9773969d4ed 交易哈希:0xe15d6f7fa891c2626819209edf2d5ded6948310eaada067b400062aa022ce718 漏洞原因:奖励合约的 setReward / generateReward 没有任何权限检查,任何人都可以更改奖励算法的参数。
0415
被攻击合约:0x278ce7151bfd1b035e8bc99e15b4d9773969d4ed
交易哈希:0xe15d6f7fa891c2626819209edf2d5ded6948310eaada067b400062aa022ce718
漏洞原因:setReward 和 generateReward 均为 public 且没有任何权限检查(例如 onlyOwner 修饰符),任何人都可以更改奖励算法的参数。
设置奖励参数
/// @notice Appends a reward entry for `rewardSender` and grows the global remaining counter.
/// @dev No access control: this function is `public` with no caller check, so anyone can
///      write arbitrary reward parameters (the defect this write-up describes). The first
///      entry for a sender also registers that sender in `rewardKeys`.
/// @param rewardSender address the reward entry is attributed to
/// @param amount reward amount stored in the entry
/// @param remain remaining amount stored in the entry; also added to `_totalRemainCnt`
/// @param price price stored in the entry (read back as `pawnPrice` by generateReward)
function setReward(
    address rewardSender,
    uint256 amount,
    uint256 remain,
    uint256 price
) public {
    RewardData[] storage entries = reward[rewardSender];
    // A sender with no entries yet has never been seen: record the key so it can be enumerated later.
    bool isNewSender = (entries.length == 0);
    if (isNewSender) {
        rewardKeys.push(rewardSender);
    }
    entries.push(RewardData(rewardSender, amount, remain, price, block.timestamp));
    _totalRemainCnt += remain;
}
生成奖励的函数(节选:省略了遍历 rewardKeys 及其奖励数组的循环,i、j 为循环下标)
function generateReward(uint256 coinPrice) public
uint256 pawnPrice = reward[rewardKeys[i]][j].price;
uint256 targetRelease = reward[rewardKeys[i]][j].amount.mul(
_mineDaliyRatio
) / 100;
uint256 fixMineCoin = targetRelease.mul(_fixMineCoinRatio).div(
100
);
uint256 sameCoinValue = (
((targetRelease - fixMineCoin) * pawnPrice).div(coinPrice)
);
uint256 release = sameCoinValue + fixMineCoin;
if (reward[rewardKeys[i]][j].remain < release) {
release = reward[rewardKeys[i]][j].remain;
}
if (waitRelease[rewardKeys[i]] != 0) {
waitRelease[rewardKeys[i]] += release;
}
由于 setReward 和 generateReward 都没有权限检查,任何用户都可以自行设置 amount、remain、price(即 generateReward 中读取的 pawnPrice),再以任意 coinPrice 调用 generateReward,从而随意抬高自己的 waitRelease 值。随后,用户向 GFA token 合约自身转账时,transfer 会检查参数 amount 是否等于 releaseAmount(文中为 10000);若相等,则把 _tokenDistributor 合约中不超过 waitRelease 的金额转给 sender,sender 在该过程中只需支付 10000 GFA。
相关transfer部分如下
} else if (recipient == contractAddress) {
if (amount == releaseAmount) {
uint256 waitRelease = reward.getWaitReleaseCoin(sender);
uint256 poolBalance = _balances[address(_tokenDistributor)];
if (poolBalance < waitRelease) {
waitRelease = poolBalance;
}
reward.releaseCoin(sender);
_basicTransfer(address(_tokenDistributor), sender, waitRelease);
_basicTransfer(sender, recipient, amount);
修复建议:为 setReward 和 generateReward 添加权限检查(例如 onlyOwner 修饰符或 require(msg.sender == owner)),并避免让调用者直接传入 coinPrice 等定价参数,改由受信任的来源提供。