Study notes on Teacher Xiao Zhen's "Blockchain Technology and Application" course series at Peking University [28] Ethereum - Beauty Chain

        Examples of security vulnerabilities in smart contracts: The DAO (2016), Beauty Chain (April 2018).

1. What is Beauty Chain        

        Beauty Chain is a smart contract deployed on Ethereum, with its own token, BEC. By analogy with an IPO (Initial Public Offering), issuing such a token is called an ICO (Initial Coin Offering). These issued tokens do not have their own blockchain; they run on Ethereum's EVM platform in the form of smart contracts. The smart contract that issues a token corresponds to a node in the Ethereum state tree. This node has its own account balance, which is the total amount of ether the contract holds, that is, the total assets of the token-issuing contract. How many tokens each account holds in this contract is stored in the contract's account as a variable in its storage tree.

        The issuance, transfer, and destruction of tokens are all done by calling functions in the smart contract. Unlike ether on Ethereum, a token does not need an underlying chain of its own maintained through mining. The amount of ether in each Ethereum account is a variable stored directly in the state tree, and a transfer between two Ethereum accounts is made by publishing a transaction to the blockchain, which is packaged into a block to be released. A token transfer, by contrast, is a transfer between two accounts inside the smart contract, and is done by calling a function of the smart contract.

        Each token can define its own issuance rules. For example, a token can set 1 ETH = 100 tokens: if 1 ETH is sent from an external account to the smart contract, the smart contract credits 100 tokens to the corresponding token account. The number of tokens in each token account is maintained in the storage tree of the smart contract that issued the token.

        The emergence of the Ethereum platform made it much easier to develop all kinds of tokens. ERC 20 (Ethereum Request for Comments) is a standard for issuing tokens on Ethereum; it specifies the functions and interfaces that every token-issuing contract should implement. Beauty Chain has a function called batchTransfer, which sends tokens to multiple recipients and then deducts these tokens from the caller's account.

2. Implementation of batchTransfer

function batchTransfer(address[] _receivers, uint256 _value) public whenNotPaused returns (bool) {
    uint cnt = _receivers.length;
    // Unchecked multiplication: the total is computed without an overflow check.
    uint256 amount = uint256(cnt) * _value;
    require(cnt > 0 && cnt <= 20);
    require(_value > 0 && balances[msg.sender] >= amount);

    // Deduct the total from the caller, then credit _value to each receiver.
    balances[msg.sender] = balances[msg.sender].sub(amount);
    for (uint i = 0; i < cnt; i++) {
        balances[_receivers[i]] = balances[_receivers[i]].add(_value);
        Transfer(msg.sender, _receivers[i], _value);
    }
    return true;
}
Figure 1-1

3. The problem of batchTransfer

uint256 amount = uint256(cnt) * _value;

        If _value is too large, this multiplication may overflow. After the overflow, amount becomes a small value. In that case a small value is subtracted from the caller's account while a large value is added to each recipient's account, which is equivalent to the system issuing a large number of tokens out of thin air.

4. Attack details

Figure 1-2

        Parameter 0 gives the position of the _receivers array within the parameter list: it starts at byte 64, which is parameter 2. Parameter 2 first gives the array length, which is 2, and parameters 3 and 4 are the addresses of the two recipients. Parameter 1 is the amount transferred to each recipient. The amount computed from these parameters overflows to exactly 0.

5. The actual situation of the attack

Figure 1-3

6. Attack results

        The attack occurred on April 22, 2018. After the attack, the value of tokens plummeted. 

Figure 1-4

        After this incident, the exchange that issued the token immediately suspended the withdrawal function to prevent the hacker from absconding with the money. Two days later, they decided to roll back the transactions. Fortunately, this token was not very popular in the first place and was mainly traded on this exchange, so the consequences were not too serious, far from the impact of The DAO's coin theft.

7. Reflection 

        When doing arithmetic, be sure to take the possibility of overflow into account. Solidity has a library for detecting overflow, the SafeMath library; the operations it provides automatically check whether an overflow has occurred. Multiplication in the SafeMath library is roughly as follows:

library SafeMath {

    // @dev Multiplies two numbers, throws on overflow.

    function mul(uint256 a, uint256 b) internal pure returns (uint256 c) {
        if (a == 0) {
            return 0;
        }
        c = a * b;
        // If the product wrapped around, dividing it by a no longer gives b.
        assert(c / a == b);
        return c;
    }
}
Figure 1-5

        If there is an overflow, the assert here does not hold and an exception is thrown. Since these are 256-bit integers in Solidity, the check is not affected by errors from loss of precision. Looking at the code of batchTransfer, the subtraction calls the library's sub and the addition calls the library's add, so both addition and subtraction have overflow checks. Only the multiplication was careless, and that led to the tragedy.
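The unchecked and the checked multiplication side by side, as an added example that is not part of the original notes or the contract's code: a Python model of batchTransfer on 256-bit integers. The account names, starting balances and helper names are constructed for illustration; with two receivers, 2**255 is the nonzero value whose product wraps to exactly 0, as in section 4.

```python
UINT256_MAX = 2**256 - 1


def wrapping_mul(a, b):
    """Unchecked `a * b` as in batchTransfer: reduced mod 2**256."""
    return (a * b) & UINT256_MAX


def safe_mul(a, b):
    """SafeMath.mul: same product, but fails if it wrapped around."""
    if a == 0:
        return 0
    c = wrapping_mul(a, b)
    if c // a != b:
        raise OverflowError("SafeMath: multiplication overflow")
    return c


def batch_transfer(balances, sender, receivers, value, mul):
    """Model of batchTransfer; `mul` selects the unchecked or checked multiply."""
    cnt = len(receivers)
    amount = mul(cnt, value)
    if not (0 < cnt <= 20):
        raise ValueError("require failed: receiver count")
    if not (value > 0 and balances.get(sender, 0) >= amount):
        raise ValueError("require failed: balance")
    balances[sender] = balances.get(sender, 0) - amount
    for r in receivers:
        new = balances.get(r, 0) + value
        if new > UINT256_MAX:  # SafeMath.add check
            raise OverflowError("SafeMath: addition overflow")
        balances[r] = new
    return True


def supply(balances):
    """Sum of all token balances; a transfer must never change it."""
    return sum(balances.values())


def demo(mul):
    """Run one call on constructed state; return (supply before, supply after)."""
    balances = {"sender": 10, "r1": 0, "r2": 0}  # constructed sample accounts
    before = supply(balances)
    # 2 receivers * 2**255 = 2**256, which wraps to 0 in a uint256.
    batch_transfer(balances, "sender", ["r1", "r2"], 2**255, mul)
    return before, supply(balances)
```

Comparing the supply before and after a call is the invariant to test or monitor: with the unchecked multiply it grows by 2**256, while with safe_mul the call fails before any balance changes.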

Origin blog.csdn.net/YSL_Lsy_/article/details/126649433