lunaray
Jan 20, 2022

Detailed explanation of Ethereum smart contract vulnerabilities: reproducing vulnerabilities on-chain

A detailed explanation of Ethereum smart contract vulnerabilities. You are welcome to follow us and join the discussion.

Author: hzqd@lunaray security team

0x01 On-chain test preparation

If this is your first time doing on-chain testing, some preparation is required.

Open MetaMask Wallet

For on-chain testing, you first need a wallet. You can download one from https://metamask.io. The browser plug-in is recommended because it makes communicating with Remix more convenient. Follow the registration prompts to create the default account.

Receive the test coins

You can go to https://faucet.paradigm.xyz to receive test coins:

Connect to test network

After receiving the test coins, you will find that the account balance has not changed. This is because the wallet is not yet connected to the test network.

Wallet => Settings => Advanced => Show Test Network, turn on the switch; then select the test network in the network selection list.

0x02 On-chain vulnerability reproduction

Vulnerable contract preparation:

First, copy the vulnerable BEC contract from:

https://etherscan.io/address/0xc5d105e63711398af9bbff092d4b6769c82f793d#code

and paste it into the Remix editor. After compiling, deploy the contract with the first account:

Create a new account and claim test coins (hacker account)

After the deployment succeeds, we create three new accounts (as shown in the figure below), use the method described above to receive test coins for one of them, and then connect that account to Remix.

To connect the new account to Remix, you only need to switch accounts in the wallet (click Account 2 in the picture above).

On-chain attack

Since the vulnerability is in sending money to multiple addresses, we just prepare two new empty accounts as the addresses that receive the funds:

Paste them between the two pairs of double quotation marks in the batchTransfer input of the deployed contract, in the following format:

Because 2 to the 256th power overflows a 256-bit unsigned integer (uint256), we calculate 2 to the 255th power (the following figure shows the calculation in the Kotlin programming language):

You can run this code on the https://play.kotlinlang.org website to see the result. Printout:

57896044618658097711785492504343953926634992332820282019728792003956564819968

This value multiplied by 2 (the number of accounts) overflows exactly and wraps to 0, which passes the check on the transfer amount: "I have so much money, I can transfer!"
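The wrap-around described above can be checked offline. The following Python model is an added example, not the BEC contract's code or the author's Kotlin snippet: it models uint256 arithmetic, and the function names, the simplified balance check and the placeholder receiver names are assumptions. It shows the unchecked multiplication passing the balance check with a zero balance, and a checked (SafeMath-style) multiplication rejecting the same call.

```python
# Added example: a simplified model of EVM uint256 arithmetic.
# All names here are illustrative and not taken from the contract.
UINT256_MOD = 2 ** 256


class Rejected(Exception):
    """Stands in for a reverted transaction."""


def wrapping_mul(a, b):
    # Unchecked uint256 multiplication: the result is reduced mod 2**256.
    return (a * b) % UINT256_MOD


def checked_mul(a, b):
    # SafeMath-style multiplication: reject instead of wrapping.
    product = a * b
    if product >= UINT256_MOD:
        raise Rejected("multiplication overflow")
    return product


def batch_transfer(balances, sender, receivers, value, mul):
    # Simplified model: total = number of receivers * value, then the
    # sender's balance is compared against that total.
    amount = mul(len(receivers), value)
    if not receivers or value <= 0 or balances.get(sender, 0) < amount:
        raise Rejected("balance check failed")
    balances[sender] = balances.get(sender, 0) - amount
    for r in receivers:
        balances[r] = (balances.get(r, 0) + value) % UINT256_MOD
    return amount


def demo():
    value = 2 ** 255                          # the number computed in the article
    receivers = ["receiver_1", "receiver_2"]  # constructed placeholder addresses
    vulnerable = {"sender": 0}                # the sender holds no tokens
    amount = batch_transfer(vulnerable, "sender", receivers, value, wrapping_mul)
    hardened = {"sender": 0}
    try:
        batch_transfer(hardened, "sender", receivers, value, checked_mul)
        blocked = False
    except Rejected:
        blocked = True
    return amount, vulnerable, blocked, hardened
```

With the checked multiplication the call is rejected before any balance is modified, which is the behavior an audit should confirm for every arithmetic step that feeds a balance check.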

After we switch to Account 2, we can launch an attack:

View on-chain transaction information

After completing the attack, we check whether the transfer succeeded at the following URL:

https://kovan.etherscan.io/address/<your attack account address>

Then click the Txn Hash link to see the details of the transaction:

If Status: Success appears, the transfer is successful!

Check the account balance

The transaction information shows success, so why is our balance still unchanged?

This is because the contract issues BEC tokens, so we need to add the address of the contract to the wallet:

Then copy the address of the contract to:

Now you can see the money! Well, it's money on the test chain:

0x03 Summary

When reproducing a vulnerability on-chain, first make clear which chain is being used and which wallet is associated with it. After that, collecting test coins, deploying the contract, and initiating transactions completes the on-chain test of the smart contract.


Lunaray takes a leading position in smart contract auditing and consulting service for blockchain security.