一、BEC介绍
BEC币全称Beauty Chain,BEC币中文名美币,上线OKEx等交易平台。BEC是世界上第一个专注于美容生态系统的区块链平台。这是一个基于Beauty Chain的创新开放平台,吸引并汇集了美容行业的上游和下游应用。美容生态系统硬币(BEC币)是生态系统中使用的令牌,可作为用户,工作人员,应用程序开发人员以及上游和下游公司的激励。
2018年2月,美链(BEC)上线OKEX,发行70亿代币,市值一度突破280亿美金。该项目宣称打造“全球第一个基于区块链技术打造的美丽生态链平台”。然而在4月22日,由于BEC爆出严重漏洞,OKEx发布最新公告称,暂停BEC交易和提现。
之后BEC的市值受到了严重影响。
在这里,我们不对其漏洞之后的经济影响进行分析,而将重点关注在漏洞本身上。而在本文中,我们要通过以下三方面对BEC进行详细的介绍:BEC事件、BEC源代码解析、BEC漏洞解析以及测试部署。
经过本文的分析后,读者能够做到在本地部署真实的代币合约并进行漏洞利用进行攻击部署。希望本文能够帮助读者更好的理解漏洞原理,并且为以后的安全的区块链开发提供帮助。
作为一款占据市场市值并且有一定汇率的网络代币,相关合约开发人员在编写以太坊合约的时候需要更加注重细节的安全性。由于以太坊的机制问题,上传到区块链的代码是无法被二次修改的,所以有时一次疏忽就意味着项目的被迫中止。然而由于区块链的匿名特性,所以倘若合约被黑客攻陷,那么存在于合约中的代币就会相应的受到影响,从而导致市值的蒸发等问题。而我们下面就来分析BEC代币是如何进行操作的,并且其漏洞是如何产生的,我们如何对其进行复现攻击。
二、代码详解
1 代码部分
要清楚漏洞的原因,我们首先需要了解代币的运行机制。在这里,我们通过分析代码的形式对合约进行分析。下面是合约代码:(以太坊合约地址:https://etherscan.io/address/0xc5d105e63711398af9bbff092d4b6769c82f793d)
pragma solidity ^0.4.16;
/**
* @title SafeMath
* @dev Math operations with safety checks that throw on error
*/
library SafeMath {
function mul(uint256 a, uint256 b) internal constant returns (uint256) {
uint256 c = a * b;
assert(a == 0 || c / a == b);
return c;
}
function div(uint256 a, uint256 b) internal constant returns (uint256) {
// assert(b > 0); // Solidity automatically throws when dividing by 0
uint256 c = a / b;
// assert(a == b * c + a % b); // There is no case in which this doesn't hold
return c;
}
function sub(uint256 a, uint256 b) internal constant returns (uint256) {
assert(b <= a);
return a - b;
}
function add(uint256 a, uint256 b) internal constant returns (uint256) {
uint256 c = a + b;
assert(c >= a);
return c;
}
}
/**
* @title ERC20Basic
* @dev Simpler version of ERC20 interface
* @dev see https://github.com/ethereum/EIPs/issues/179
*/
contract ERC20Basic {
uint256 public totalSupply;
function balanceOf(address who) public constant returns (uint256);
function transfer(address to, uint256 value) public returns (bool);
event Transfer(address indexed from, address indexed to, uint256 value);
}
/**
* @title Basic token
* @dev Basic version of StandardToken, with no allowances.
*/
contract BasicToken is ERC20Basic {
using SafeMath for uint256;
mapping(address => uint256) balances;
/**
* @dev transfer token for a specified address
* @param _to The address to transfer to.
* @param _value The amount to be transferred.
*/
function transfer(address _to, uint256 _value) public returns (bool) {
require(_to != address(0));
require(_value > 0 && _value <= balances[msg.sender]);
// SafeMath.sub will throw if there is not enough balance.
balances[msg.sender] = balances[msg.sender].sub(_value);
balances[_to] = balances[_to].add(_value);
Transfer(msg.sender, _to, _value);
return true;
}
/**
* @dev Gets the balance of the specified address.
* @param _owner The address to query the the balance of.
* @return An uint256 representing the amount owned by the passed address.
*/
function balanceOf(address _owner) public constant returns (uint256 balance) {
return balances[_owner];
}
}
/**
* @title ERC20 interface
* @dev see https://github.com/ethereum/EIPs/issues/20
*/
contract ERC20 is ERC20Basic {
function allowance(address owner, address spender) public constant returns (uint256);
function transferFrom(address from, address to, uint256 value) public returns (bool);
function approve(address spender, uint256 value) public returns (bool);
event Approval(address indexed owner, address indexed spender, uint256 value);
}
/**
* @title Standard ERC20 token
*
* @dev Implementation of the basic standard token.
* @dev https://github.com/ethereum/EIPs/issues/20
* @dev Based on code by FirstBlood: https://github.com/Firstbloodio/token/blob/master/smart_contract/FirstBloodToken.sol
*/
contract StandardToken is ERC20, BasicToken {
mapping (address => mapping (address => uint256)) internal allowed;
/**
* @dev Transfer tokens from one address to another
* @param _from address The address which you want to send tokens from
* @param _to address The address which you want to transfer to
* @param _value uint256 the amount of tokens to be transferred
*/
function transferFrom(address _from, address _to, uint256 _value) public returns (bool) {
require(_to != address(0));
require(_value > 0 && _value <= balances[_from]);
require(_value <= allowed[_from][msg.sender]);
balances[_from] = balances[_from].sub(_value);
balances[_to] = balances[_to].add(_value);
allowed[_from][msg.sender] = allowed[_from][msg.sender].sub(_value);
Transfer(_from, _to, _value);
return true;
}
/**
* @dev Approve the passed address to spend the specified amount of tokens on behalf of msg.sender.
*
* Beware that changing an allowance with this method brings the risk that someone may use both the old
* and the new allowance by unfortunate transaction ordering. One possible solution to mitigate this
* race condition is to first reduce the spender's allowance to 0 and set the desired value afterwards:
* https://github.com/ethereum/EIPs/issues/20#issuecomment-263524729
* @param _spender The address which will spend the funds.
* @param _value The amount of tokens to be spent.
*/
function approve(address _spender, uint256 _value) public returns (bool) {
allowed[msg.sender][_spender] = _value;
Approval(msg.sender, _spender, _value);
return true;
}
/**
* @dev Function to check the amount of tokens that an owner allowed to a spender.
* @param _owner address The address which owns the funds.
* @param _spender address The address which will spend the funds.
* @return A uint256 specifying the amount of tokens still available for the spender.
*/
function allowance(address _owner, address _spender) public constant returns (uint256 remaining) {
return allowed[_owner][_spender];
}
}
/**
* @title Ownable
* @dev The Ownable contract has an owner address, and provides basic authorization control
* functions, this simplifies the implementation of "user permissions".
*/
contract Ownable {
address public owner;
event OwnershipTransferred(address indexed previousOwner, address indexed newOwner);
/**
* @dev The Ownable constructor sets the original `owner` of the contract to the sender
* account.
*/
function Ownable() {
owner = msg.sender;
}
/**
* @dev Throws if called by any account other than the owner.
*/
modifier onlyOwner() {
require(msg.sender == owner);
_;
}
/**
* @dev Allows the current owner to transfer control of the contract to a newOwner.
* @param newOwner The address to transfer ownership to.
*/
function transferOwnership(address newOwner) onlyOwner public {
require(newOwner != address(0));
OwnershipTransferred(owner, newOwner);
owner = newOwner;
}
}
/**
* @title Pausable
* @dev Base contract which allows children to implement an emergency stop mechanism.
*/
contract Pausable is Ownable {
event Pause();
event Unpause();
bool public paused = false;
/**
* @dev Modifier to make a function callable only when the contract is not paused.
*/
modifier whenNotPaused() {
require(!paused);
_;
}
/**
* @dev Modifier to make a function callable only when the contract is paused.
*/
modifier whenPaused() {
require(paused);
_;
}
/**
* @dev called by the owner to pause, triggers stopped state
*/
function pause() onlyOwner whenNotPaused public {
paused = true;
Pause();
}
/**
* @dev called by the owner to unpause, returns to normal state
*/
function unpause() onlyOwner whenPaused public {
paused = false;
Unpause();
}
}
/**
* @title Pausable token
*
* @dev StandardToken modified with pausable transfers.
**/
contract PausableToken is StandardToken, Pausable {
function transfer(address _to, uint256 _value) public whenNotPaused returns (bool) {
return super.transfer(_to, _value);
}
function transferFrom(address _from, address _to, uint256 _value) public whenNotPaused returns (bool) {
return super.transferFrom(_from, _to, _value);
}
function approve(address _spender, uint256 _value) public whenNotPaused returns (bool) {
return super.approve(_spender, _value);
}
function batchTransfer(address[] _receivers, uint256 _value) public whenNotPaused returns (bool) {
uint cnt = _receivers.length;
uint256 amount = uint256(cnt) * _value;
require(cnt > 0 && cnt <= 20);
require(_value > 0 && balances[msg.sender] >= amount);
balances[msg.sender] = balances[msg.sender].sub(amount);
for (uint i = 0; i < cnt; i++) {
balances[_receivers[i]] = balances[_receivers[i]].add(_value);
Transfer(msg.sender, _receivers[i], _value);
}
return true;
}
}
/**
* @title Bec Token
*
* @dev Implementation of Bec Token based on the basic standard token.
*/
contract BecToken is PausableToken {
/**
* Public variables of the token
* The following variables are OPTIONAL vanities. One does not have to include them.
* They allow one to customise the token contract & in no way influences the core functionality.
* Some wallets/interfaces might not even bother to look at this information.
*/
string public name = "BeautyChain";
string public symbol = "BEC";
string public version = '1.0.0';
uint8 public decimals = 18;
/**
* @dev Function to check the amount of tokens that an owner allowed to a spender.
*/
function BecToken() {
totalSupply = 7000000000 * (10**(uint256(decimals)));
balances[msg.sender] = totalSupply; // Give the creator all initial tokens
}
function () {
//if ether is sent to this address, send it back.
revert();
}
}
整体了看这个合约代码,我们发现BEC同样使用了ERC20代币。并在此基础上进行BEC的接口扩展。基础合约包括ERC20Basic、BasicToken、ERC20、StandardToken。而这些合约实现了代币系统的基础操作,包括发行代币、转账、授权。由于前面我们对类似的标准代币合约介绍已经十分详细,所以这里不对其进行介绍。
而下面,我们对子合约进行分析。
在Ownable合约,我们分析代码发现BEC与其他合约不同的地方。此合约编写了transferOwnership()函数,并用于改变合约的owner,这也就意味着合约的owner不是一成不变的,旧合约主人可以将身份更新于另外的用户。
function transferOwnership(address newOwner) onlyOwner public {
require(newOwner != address(0));
OwnershipTransferred(owner, newOwner);
owner = newOwner;
}
下面是Pausable合约,根据合约的名字我们能够知道,该合约的作用是用于提供暂停接口给代币系统。倘若合约的管理者想要将整个代币系统暂停操作,令用户无法进行转账、购买等。下面我们来看具体的代码:
contract Pausable is Ownable {
event Pause();
event Unpause();
bool public paused = false;
/**
* @dev Modifier to make a function callable only when the contract is not paused.
*/
modifier whenNotPaused() {
require(!paused);
_;
}
/**
* @dev Modifier to make a function callable only when the contract is paused.
*/
modifier whenPaused() {
require(paused);
_;
}
/**
* @dev called by the owner to pause, triggers stopped state
*/
function pause() onlyOwner whenNotPaused public {
paused = true;
Pause();
}
/**
* @dev called by the owner to unpause, returns to normal state
*/
function unpause() onlyOwner whenPaused public {
paused = false;
Unpause();
}
}
在代码中,我们能够看到。初始设置paused为假,即默认是不暂停的。之后设计了一对开关修饰器whenNotPaused 、whenNotPaused。并且设置了函数pause ()、unpause ()。
而下面,合约将pause进行扩展,编写了PausableToken合约。
/**
* @title Pausable token
*
* @dev StandardToken modified with pausable transfers.
**/
contract PausableToken is StandardToken, Pausable {
function transfer(address _to, uint256 _value) public whenNotPaused returns (bool) {
return super.transfer(_to, _value);
}
function transferFrom(address _from, address _to, uint256 _value) public whenNotPaused returns (bool) {
return super.transferFrom(_from, _to, _value);
}
function approve(address _spender, uint256 _value) public whenNotPaused returns (bool) {
return super.approve(_spender, _value);
}
function batchTransfer(address[] _receivers, uint256 _value) public whenNotPaused returns (bool) {
uint cnt = _receivers.length;
uint256 amount = uint256(cnt) * _value;
require(cnt > 0 && cnt <= 20);
require(_value > 0 && balances[msg.sender] >= amount);
balances[msg.sender] = balances[msg.sender].sub(amount);
for (uint i = 0; i < cnt; i++) {
balances[_receivers[i]] = balances[_receivers[i]].add(_value);
Transfer(msg.sender, _receivers[i], _value);
}
return true;
}
在合约中,其继承了上面的ERC20代币的转账、授权函数,并在其基础上添加了批处理函数-batchTransfer。此函数需要传入_receivers、_value,分别代表传入接收代币的地址数组、转账的数值。这些函数在运行前均会经过whenNotPaused修饰器的判断。首先定义cnt并赋值为传入数组的长度_receivers.length。之后计算出需要转账的具体总金额amount。之后进行判断:require(cnt > 0 && cnt <= 20);批操作最多20个用户,因为如果一次性操作过多容易引起gas不足等安全问题。require(_value > 0 && balances[msg.sender] >= amount);使用此语句来判断用户的余额是否足够。不足则跳出函数。balances[msg.sender] = balances[msg.sender].sub(amount);之后将余额减去转账金额。并令收款方的余额增加。
最后为BEC的最终合约。BecToken。
contract BecToken is PausableToken {
/**
* Public variables of the token
* The following variables are OPTIONAL vanities. One does not have to include them.
* They allow one to customise the token contract & in no way influences the core functionality.
* Some wallets/interfaces might not even bother to look at this information.
*/
string public name = "BeautyChain";
string public symbol = "BEC";
string public version = '1.0.0';
uint8 public decimals = 18;
/**
* @dev Function to check the amount of tokens that an owner allowed to a spender.
*/
function BecToken() {
totalSupply = 7000000000 * (10**(uint256(decimals)));
balances[msg.sender] = totalSupply; // Give the creator all initial tokens
}
function () {
//if ether is sent to this address, send it back.
revert();
}
}
该合约继承了上面的PausableToken合约。并将基础参数更新。
string public name = "BeautyChain";
string public symbol = "BEC";
string public version = '1.0.0';
uint8 public decimals = 18;
之后为构造参数:
totalSupply = 7000000000 * (10**(uint256(decimals)));
balances[msg.sender] = totalSupply; // Give the creator all initial tokens
规定发行代币总金额为7000000000 * 10 * 18。
并将所有的金额赋值给msg.sender的余额。然而此合约不支持value代币的转账,倘若有用户转账,那么合约将会revert。
function () {
//if ether is sent to this address, send it back.
revert();
}
2 漏洞详述
细心的同学可以看到,本合约在起始时使用了安全函数—SafeMath()。所以会下意识的以为这个函数不会存在溢出漏洞。然而在审计了所有的代码后,我们能够看到PausableToken合约中的batchTransfer()函数中存在不合理的算术问题。
由于_receivers与_value均是我们传入的可变参数,所以cnt也是可控的。于是amount是我们可控的。又由于amount等于uint256(cnt) * _value;,所以此处的*并没有使用安全函数。于是我们可以探寻此处是否存在溢出漏洞。由于下文中有条件限制,所以我们需要具体的查看相关限制。_value > 0 && balances[msg.sender] >= amount。此处第一个条件很容易达到,而第二个条件需要用户余额足够支付金额。但是如果我们通过传入的内容而使amount溢出为极小值,是不是就可以达到了溢出效果?
由于uint256的类型问题,其能存储最大取值是0到2^256减1,即115792089237316195423570985008687907853269984665640564039457584007913129639935。
所以我们可以传入_value=57896044618658097711785492504343953926634992332820282019728792003956564819968并且
cnt=2。此时参数会溢出为0 。
三、漏洞测试
下面我们对漏洞进行测试工作。首先我们对合约进行版本设置并部署。
我们首先对msg.sender进行余额查看,看是否部署成功:
接下来,我们切换地址:0x14723a09acff6d2a60dcdf7aa4aff308fddc160c。
余额为0 。之后我们传入参数:["0x14723a09acff6d2a60dcdf7aa4aff308fddc160c","0x4b0897b0513fdc7c541b6d9d7e929c4e5364d2db"],57896044618658097711785492504343953926634992332820282019728792003956564819968,进行调用batchTransfer()函数,并成功执行。
此时我们查看钱包地址的余额:
即合约由于溢出导致了amount变为了0 。虽然我们的余额为0,但是balances[msg.sender] >= amount也满足。所以进行了绕过,也就是说我们的用户没有花费一分钱就套现了合约的57896044618658097711785492504343953926634992332820282019728792003956564819968以太币。
如此以来,黑客的恶意行为就干扰了BEC的正常运作。又由于部署在以太坊上的solidity无法更改,所以就官方就不得不重新部署合约来进行修补操作。
四、参考资料
https://etherscan.io/address/0xc5d105e63711398af9bbff092d4b6769c82f793d
代码:https://etherscan.io/address/0xc5d105e63711398af9bbff092d4b6769c82f793d#code
https://paper.seebug.org/615/
https://blog.csdn.net/lianshijie/article/details/80093341
本稿为原创稿件,转载请标明出处。谢谢。