由于一个重入的漏洞导致了里面的BNB被清空了。

通过代码片段：https://github.com/nftgem/nftgem-contracts/blob/master/src/pool/ComplexPoolLib.sol#L565-L578

        INFTGemMultiToken(self.multitoken).mint(msg.sender, claimHash, 1) <@;
        INFTGemMultiToken(self.multitoken).setTokenData(
            claimHash,
            INFTGemMultiToken.TokenType.CLAIM,
            address(this)
        );
        addToken(self, claimHash, INFTGemMultiToken.TokenType.CLAIM);

        // record the claim unlock time and cost paid for this claim
        uint256 claimUnlockTimestamp = block.timestamp + (_timeframe);
        self.claimLockTimestamps[claimHash] = claimUnlockTimestamp;
        self.claimAmountPaid[claimHash] = cost * (_count);
        self.claimQuant[claimHash] = _count;
        self.claimsMade[msg.sender] = self.claimsMade[msg.sender] + (1);

函数的逻辑

这个函数的大概的作用是用户可以stake一定数量的token到期/没到期都能够赎回，只是赎回的数量是根据到期时间来动态计算的。而这个`claimHash` 应该是每次都会是不同的值，claimHash的计算逻辑大体根据id自增，这个值绑定了用户的stake金额。

我们可以看到在这个mint NFT到用户的地址之后还做了一些更新的操作。把唯一值claimHash和stake的金额深度绑定在一起。

如何预防重入漏洞

• 直接引入openZepplin的ReentrancyGuard库

• 在外部的调用之后不再做storage更新

漏洞重现

bug重现

bug重现. GitHub Gist: instantly share code, notes, and snippets.

http://github.com

https://gist.github.com/coffiasd/56df554cbfb29632c8231ce54ae8fc5a

联系我们

有合约开发，合约安全审计方面的需求可以联系我们：

twitter:https://x.com/coffiasse

tg:@coffiasd

mail:coiiasd88@gmail.com

1.what's phaver ? why we need it ?

Summary of Phaver:

Phaver is a Web3 social app designed for the permissionless and non-custodial ecosystem of the next-gen internet. It uniquely enables cross-posting and consolidates reactions from both the Lens protocol and Farcaster, with the native $SOCIAL token integrated into its ecosystem. Users can also connect MocaID, CyberConnect, and various NFTs.

Launched in May 2022 alongside the Lens protocol’s mainnet launch, Phaver allows users to sign up with Web2 logins, facilitating a smooth transition to Web3. Users can share posts on blockchain social networks, maintain full ownership of their social graph, showcase NFT collections, prove authenticity, create gated communities, and send wallet-to-wallet direct messages via XMTP.

With over 350k downloads, Phaver is a major contributor to Lens protocol posts and reactions and is the largest third-party app on Farcaster. As a pioneer in Web3 social, Phaver helps users build their reputations within decentralized social networks, rewarding constructive contributions with off-chain points convertible to tokens post-TGE.

Phaver aims to deliver a personalized and relevant feed for each user through incentivized curation and digital reputation, striving to build a more meritocratic and user-owned social network with its community and partners.

2.what can i get ?

3.what's the process ?

Finish Tasks: After you successfully install the app, you will see some beginner tasks. You can mint a free NFT, set the NFT as your profile picture, create a free Moca ID, prove you are human with Anima, and complete a series of other tasks. After approximately 1-2 days of waiting, when you open the Phaver app again, you will be notified that you have been upgraded to level 2.

Claim Accounts Finally, you can click the Get connected button, followed by the Get Farcaster button, to claim your free Lens and Farcaster accounts. Enjoy your socialfi app experience!

4.conclusion

By following these simple steps, you can mint two premium accounts for free with just a little bit of time. If you have any questions, feel free to contact us

twitter

oneclicktoken

1.Parameters to be prepared

Since different chains may require different parameters, let's use mainnet as an example.

1.1 api url

The API URL for mainnet is https://api.etherscan.io/api. If you are using a different chain, you will need to refer to the official documentation to find the corresponding API URL.

1.2 api key

1.3 chain id

Get your target chain id from chainlist

1.4 contractaddress

After successfully deploying the contract, you can obtain the deployed contract address.

1.5 compilerversion

For my contract, we use Solidity version v0.8.24+commit.e11b9ed9 to compile the code.

1.6 constructorArguments

we should encode the constructor arguments

const args = abi.encode(["address", "string", "string", "uint256", "bytes32"], [sd, name, symbol, premintFormat, merkle]);

And we can use hashex to encode the constructor arguments online.

2.Send http request

After collecting all the required data, we can send it to the API server using axios.

axios.request(config)
.then((response) => {
    console.log(JSON.stringify(response.data));
})
.catch((error) => {
    console.log(error);
});

3.check the result on explorer

4.full code

check the full code from github gist gist

5.origin

https://www.oneclicktoken.xyz/posts/verify-deployed-contract

1.why we launch token on base chain?

According to data from DeFiLlama, Base is currently ranked #7 among all chains in terms of Total Value Locked (TVL)

Base is a secure, low-cost, developer-friendly Ethereum Layer 2 (L2) solution. Users familiar with Ethereum can easily use Base.Recently, a lot of memecoins have been launched on Base, as reported by CoinGecko.

Memecoins on the Base chain are very active, and keeping an eye on the latest memecoins on Base can offer opportunities for significant returns. Data provided by some third-party platforms make it easy to find information about recently launched tokens on Base.

2.how to use oneclick token launch token to base chain

2.1 step1

As an ordinary user on a base chain, rather than a professional Solidity developer, you can easily launch your own token through our platform.

First, log in to our website at oneclicktoken.xyz and navigate to the “Create Token” page. From there, you can customize your token by selecting your preferred name and symbol.

Click the top right corner of the webpage to select your chain. Here, you can choose the base chain.

2.2 step2

By default, the current user is set as the token owner, but you can enter a new address if desired. The Merkle tree root is used for airdrop values; if you don’t need this feature, you can choose to skip it.

Finally, you can select some default attributes for the contract

Then you can simply click Deploy to proceed.

3.feel free to contact us

If you encounter any issues during usage, or if you need a custom token contract, or if you want to claim an airdrop, or if you have any questions related to contracts, feel free to contact us.

• twitter

• tg:@coffiasd

• mail:coiiasd88@gmail.com

如何来定义一个地址变量?

在 ETH 中只需要简单的在变量的前面加上 address 关键词就可以定义一个变量为一个地址。 下面的例子展示了 solidity 中我们获取当前与合约进行交互的地址。

address user = msg.sender

地址字面量(address literal)

地址 VS 可支付地址

地址(address)和可支付地址(payable address)的区别在 solidity0.5 版本中有过介绍。可支付地址可以接受 ETH TOKEN,而普通的地址则不行。但给地址分配了一个 payable 关键字之后,这个地址可以接受和发送 ETH TOKEN。结果就是别的一些方法(transfer, send, call, delegatecall and staticcall),对这个地址也是可行的。

地址和可支付地址之间的类型转换

• 从可支付地址到地址的隐式转换(Implicit conversions)是被允许的

• 从地址到可支付地址的隐式转换(Implicit conversions)是不被允许的

• 从地址或者到地址的显式转换只允许:integers、integers literal、bytes20、contract type

• 显式转换方式 payable(x),x 可以是 integers, integer literal, bytes 或者 contract type

合约地址

在 0.5.0 之前的版本中，合约直接来源于地址类型(因为地址和可支付地址之间没有任何区别)。 从 0.5.0 版本开始，合约不再来源于地址类型。然而如果合约有一个 payable fallback 方法，它们仍然可以转化为地址和可支付地址。

contract NotPayable {

    // No payable function here

}

contract Payable {
    // Payable function
    function() payable {
        // do something with payable function
    }

}

contract HelloWorld {
    address x = address(NotPayable);
    address y = address(Payable);

    function hello_world() public pure returns (string memory) {
        return "hello world";
    }
}

让我们看下上面这个 HelloWorld 合约：

• NotPayable 是一个合约不包含 payable fallback 方法。变量 X 分配了 address(NotPayable)将会是一个地址类型。

• Payable 是一个合约包含了 payable fallback 方法。变量 Y 分配了一个 address(Payable)将会是一个可支付地址。

• 外部函数签名地址用于地址类型和可支付地址类型。

地址类型比较

- 小于等于 `<=`
- 小于 `<`
- 等于`==`
- 不等于 `≠`
- 大于等于 `≥`
- 大于`>`

检查一个地址是否存在?

modifier addressExist(address _address) {
    require(_address != address(0));
    _;
}

可以用于地址的交易方法

你可以想象到，地址可以像别的地址发送资金(ethers)。这块内容主要介绍不同的可用的方法。

1 Ether = 1¹⁸ Wei = 1,000,000,000,000,000,000 wei

1.address.transfer() (not recommend)

• 转账一定量的 ether(以 wei 为单位)到指定的账户.

• 失败后还原并且抛出一个错误异常.

• 花费 2300gas，并且不可调节

2.address.send() (not recommend)

• 和 address.transfer()类似

• 失败之后返回 false

• 花费 2300gas，并且不可调节

3.address.balance

• 返回账号对应的金额以 Wei 为单位

有两种方法可以查看 eth 地址/合约地址的余额

address public _account = msg.sender;

// look-up balance from sender (Method 1)
uint public sender_balance = _account.balance;

// look-up balance from _account (Method 2)
uint public sender_balance = address(_account).balance;

// look-up balance from the current contract (Method 2)
uint public contract_balance = address(this).balance;

4.address.call(bytes memory) returns (bool, bytes memory)

• 创建一个任意的消息调用，通过传递一个 memory 类型的参数

• 返回一个 tuple 类型包括:

  • 一个调用结果的 bool 值(成功的时候是 true，失败的时候是 false)

  • data 以 bytes 格式

• 转发所有可用 gas，可调节

5.address.delegatecall(bytes memory) returns (bool, bytes memory)

• 底层的 DELEGATECALL,通过传递一个 memory 类型的参数

• 返回一个 tuple 类型包括:

  • 一个调用结果的 bool 值(成功的时候是 true，失败的时候是 false)

  • data 以 bytes 格式

• 转发所有可用 gas，可调节

6.address.staticcall(bytes memory) returns (bool, bytes memory)

7.address.callcode(payload) (deprecated)

相关的返回一个地址的方法

• msg.sender()

• tx.origin

• block.coinbase()

• block.coinbase(_address payable)

• ecrecover()

零地址

一旦一个只能合约被编译之后，它就会使用一个特殊的合约创建交易来部署到 eth 平台上。然后，一笔交易可以会得到一个具体的地址。所以创建合约的时候应该拿到哪个具体的地址呢？

当在接受者的字段上填上了一个特殊的地址的时候，EVM 就会明白这笔交易打算创建一个新的合约。这个特殊的地址就被称作为零地址(zero-address)。

一个零地址在 ETH 中也是 20bytes 的长度，但是只包含了空的 bytes。这就解释了为什么叫做零地址,因为它只包含 0x0。

参考

• <address>.balance(uint256)

• <address payable>.transfer(uint256 _amount)

• <address payable>.send(uint256 _amount) returns (bool)

• <address payable>.call(bytes memory) returns (bool, bytes memory)

• <address payable>.delegatecall(bytes memory) returns (bool, bytes memory)

• <address payable>.staticcall(bytes memory) returns (bool, bytes memory)