怎么样才会把代币合约内创建的合约里的代币转走

我使用这个方法在合约内部创建了个分发合约，里面放了一些币，今天发现被别人使用其他合约调用转走了，请问怎么样才会把这个给转走

0 条评论
分类：智能合约

最佳答案 2024-04-16 19:08

0xbCbCb0e7E28414e084c4a40C1cCC30B75629a7DE 这个合约提供一下，我看到他调用setReward 和 generateReward了

1 条评论

Alvan - 开发工程师

采纳率 43% | 回答于 2024-04-15 17:55

默认排序时间排序

其它 4 个回答

Meta - 风是自由的，你也是 2024-04-15 21:31

# 问题出自 Reward 合约的 setReward函数的可见性
具体调用流程可看https://app.blocksec.com/explorer/tx/bsc/0xe15d6f7fa891c2626819209edf2d5ded6948310eaada067b400062aa022ce718?line=0
## 1. setReward 是 public，任何人都能改，操纵了reward[rewardSender]。
```
    function setReward(address rewardSender, uint256 amount, uint256 remain, uint256 price) public {
        if(reward[rewardSender].length == 0) {
            rewardKeys.push(rewardSender);
        }

reward[rewardSender].push(RewardData(rewardSender, amount, remain, price, block.timestamp));
        _totalRemainCnt += remain;
    }
```
## 2. generateReward函数的计算依赖于 reward[rewardSender]，并更改了waitRelease[rewardKeys[i]]。
```
    function generateReward(uint256 coinPrice) public{
        coinPrice = coinPrice == 0 ? 1 * 10 ** _decimals : coinPrice;
        for (uint i = 0; i < rewardKeys.length; i++) 
        {
            for (uint j = 0; j < reward[rewardKeys[i]].length; j++) 
            {
                if (reward[rewardKeys[i]][j].remain == 0) {
                    continue;
                }

uint256 pawnPrice = reward[rewardKeys[i]][j].price;
                uint256 targetRelease = reward[rewardKeys[i]][j].amount.mul(_mineDaliyRatio) / 100;
                uint256 fixMineCoin = targetRelease.mul(_fixMineCoinRatio).div(100);
                uint256 sameCoinValue = (((targetRelease - fixMineCoin) * pawnPrice).div(coinPrice));

uint256 release = sameCoinValue + fixMineCoin;
                if (reward[rewardKeys[i]][j].remain < release) {
                    release = reward[rewardKeys[i]][j].remain;
                }

if(waitRelease[rewardKeys[i]] != 0) {
                  waitRelease[rewardKeys[i]] += release;
                } else {
                  waitRelease[rewardKeys[i]] = release;
                }

if (historyTotal[rewardKeys[i]] != 0) {
                    historyTotal[rewardKeys[i]] += release;
                } else {
                    historyTotal[rewardKeys[i]] = release;
                }
                reward[rewardKeys[i]][j].remain = reward[rewardKeys[i]][j].remain - release;
                history[rewardKeys[i]].push(RewardHistory(release, sameCoinValue, fixMineCoin, coinPrice, block.timestamp));
                _totalMineCnt += release;
                emit CoinReward(rewardKeys[i], release, coinPrice, sameCoinValue, fixMineCoin);
            }
        }
    }
```
## 3. getWaitReleaseCoin
```
    function getWaitReleaseCoin(address sender) public view returns(uint256) {
        return waitRelease[sender];
    }
```

## 4. transfer(GFA, 10000)依赖 reward.getWaitReleaseCoin(sender)。
```
 else if (recipient == contractAddress) {
      if (amount == releaseAmount) {
        uint256 waitRelease = reward.getWaitReleaseCoin(sender);
        uint256 poolBalance =  _balances[address(_tokenDistributor)];
        if (poolBalance < waitRelease) {
            waitRelease = poolBalance;
        }

reward.releaseCoin(sender);
        _basicTransfer(address(_tokenDistributor), sender, waitRelease);
        _basicTransfer(sender, recipient, amount);
      }
```

Jeack 2024-04-15 13:27

SharkTeam 2024-04-15 17:41

SharkTeam 2024-04-15 17:53