
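WTF Solidity Contract Security: S08. Bypassing Contract Checks
I have recently been relearning Solidity to consolidate the details, and I am also writing a "WTF Solidity Minimal Introduction" for beginners (programming experts can look for another tutorial), updated with 1-3 lectures per week. Twitter: @0xAA_Science | @WTFAcademy_ Community: Discord | WeChat group | Official website wtf.academy All code and tutorials are open source on GitHub: github.com/AmazingAng/WTFSolidity
In this lecture, we introduce bypassing the contract length check and how to prevent it.
Bypassing contract checks
Many freemint projects use an isContract() method to restrict "scientists" (programmers), hoping to limit the caller msg.sender to externally owned accounts (EOA) rather than contracts. This function uses extcodesize to get the length of the bytecode (runtime) stored at the address; if it is greater than 0, the address is judged to be a contract, otherwise an EOA (user).
// Use extcodesize to check whether the address is a contract
function isContract(address account) public view returns (bool) {
// An address with extcodesize > 0 is definitely a contract...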

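WTF Solidity Contract Security: S09. Denial of Service
I have recently been relearning Solidity to consolidate the details, and I am also writing a "WTF Solidity Minimal Introduction" for beginners (programming experts can look for another tutorial), updated with 1-3 lectures per week. Twitter: @0xAA_Science | @WTFAcademy_ Community: Discord | WeChat group | Official website wtf.academy All code and tutorials are open source on GitHub: github.com/AmazingAng/WTFSolidity
In this lecture, we introduce the Denial of Service (DoS) vulnerability in smart contracts and how to prevent it. The NFT project Akutar once lost 11,539 ETH because of a DoS vulnerability, worth 34 million US dollars at the time.
DoS
In Web2, a denial-of-service (DoS) attack means sending a large amount of junk or interfering information to a server so that it can no longer serve normal users. In Web3, it refers to exploiting a vulnerability so that a smart contract can no longer provide its service normally. In April 2022, a very popular NFT project called Akutar held its public sale as a Dutch auction and raised 11,539.5 ETH, a great success. Participants who already held their community Pass were to receive a refund of 0.5 ETH, but when they processed...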

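WTF Solidity Contract Security: S06. Signature Replay
I have recently been relearning Solidity to consolidate the details, and I am also writing a "WTF Solidity Minimal Introduction" for beginners (programming experts can look for another tutorial), updated with 1-3 lectures per week. Twitter: @0xAA_Science | @WTFAcademy_ Community: Discord | WeChat group | Official website wtf.academy All code and tutorials are open source on GitHub: github.com/AmazingAng/WTFSolidity
In this lecture, we introduce the Signature Replay attack on smart contracts and how to prevent it; it once indirectly led to the theft of 20 million $OP from the well-known market maker Wintermute.
Signature replay
When I was in school, the teacher often asked for a parent's signature. Sometimes my parents were busy, so I would "thoughtfully" copy an earlier signature. In a sense, that is signature replay. In blockchain, digital signatures can be used to identify the signer of data and to verify data integrity. When sending a transaction, the user signs it with a private key so that others can verify that the transaction was sent by the corresponding account. Smart contracts can also use the ECDSA algorithm to verify signatures that users create off-chain, and then execute logic such as minting or transfers. For more on digital signatures, see WTF Solidity Lecture 37: Digital Signatures. There are generally two common replay attacks on digital signatures...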
WTF Academy: wtf.academy

Author: 0xAA
Development / Design / Coordination: @cosmoburn, @0xAA_Science, @deepe_eth, @steve0xp, TylerS, @beastadon, @OrHalldor, @Thisisnottap
The code is open-sourced at:
For an introduction to the v0.1 version, see:
https://mirror.xyz/ninjak.eth/j34z4oKK2bqYml7jJR-ErK-Gv530R-RR9-pvZSgR6CA
Player0 transfers 5 Togs to the game contract and creates a new Cryptogs game by calling initGame().
function initGame(uint256[] calldata _creatorTogs, uint256[] calldata _amounts):
Player0 needs to input the Tog ids and amounts to transfer.
It emits the gameInit event, telling the frontend that a game has been created.
Player1 joins an eligible game and flips all the tokens randomly via Chainlink VRF by calling joinPlay().
function joinPlay(uint256 _gameId, uint256[] calldata _joinTogs, uint256[] calldata _amounts):
Player1 needs to input the gameId of the game he wants to join, and the Tog ids and amounts he wants to transfer.
It emits the gameJoin event and the FlipTogs event.
There are 3 events related to game play, and 1 event related to withdrawing Togs.
event gameInit(uint256 indexed GameId, address indexed Creator, uint256 indexed ExpirationBlock): This event is emitted when player0 creates a new game. It carries the GameId (unique game identifier), the address of player0, and when the game will expire.
event gameJoin(uint256 indexed GameId, address indexed Creator, address indexed Opponent, bytes32 RequestId): This event is emitted when player1 joins an existing game. It carries the GameId, the addresses of player0 and player1, and the Chainlink VRF RequestId.
event FlipTogs(uint256 indexed GameId, address indexed Creator, address indexed Opponent, uint256[] FlippedTogs, uint256[] AmountPlayer0, uint256[] AmountPlayer1): This event is emitted when the Chainlink VRF callback function is executed and the Togs are sent randomly back to player0 and player1. It carries the GameId, the addresses of player0 and player1, the list of Tog ids in this game, and the lists of Tog amounts sent to player0 and player1.
event WithdrawTogs (uint256 indexed GameId, address indexed Creator): This event is emitted when a game created by player0 is not joined by any player within expirationBlock, and player0 chooses to withdraw his Togs. It carries the GameId and the address of player0.

Create button: a button for players to create a new Cryptogs game.
Cryptog list: a list of Togs owned by the player to select for the game.
Confirm button: confirm and start the tx.
Game table: a game table should be created once the tx is executed.
Join button: a button that lets another player join an existing game.
Cryptog list: a list of Togs owned by the player to select for the game.
Expiration game tab: a tab for players to view expired games.
Withdraw button: a button that lets players withdraw their Togs from expired games.