原文连接

Overflow 与 Underflow

Solidity 可以处理 256 位数字, 最高为 2**256 - 1, 所以对 (2 ** 256 - 1) 加 1 会导致归 0.

同理, 对 unsigned 类型 0 做减 1 运算会得到 (2**256 - 1)

测试代码如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
pragma solidity 0.4.18;

contract OverflowUnderflow {
    uint public zero = 0;
    uint public max = 2**256 - 1;

    // zero will end up at  2 ** 256 - 1
    function underflow() public {
        zero -= 1;
    }

    function overflow() public {
        max += 1;
    }
}

尽管他们同样危险, 但是在智能合约中, underflow 造成的影响更大.

比如, 账号 A 持有 X tokens, 如果他发起一笔 X + 1 tokens 的交易, 如果代码不进行校验, 则账号 A 的余额可能发生 underflow 导致余额变多.

可以引入 SafeMath Library 解决

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
pragma solidity 0.4.18;

library SafeMath {
    function mul(uint256 a, uint256 b) internal pure returns (uint256) {
        if (a==0) {
            return 0;
        }
        uint c = a * b;
        assert(c / a == b);
        return c;
    }

    function div(uint256 a, uint256 b) internal pure returns (uint256) {
        uint256 c = a / b;
        return c;
    }

    function sub(uint256 a, uint256 b) internal pure returns (uint256) {
        assert(b <= a);
        return a - b;
    }

    function add(uint256 a, uint256 b) internal pure returns (uint256) {
        uint256 c = a + b;
        assert(c >= a);
        return c;
    }
}

contract OverflowUnderflow {
    using SafeMath for uint;
    uint public zero = 0;
    uint public max = 2 ** 256 - 1;

    function underflow() public {
        zero = zero.sub(1);
    }

    function overflow() public {
        max = max.add(1);
    }
}

Visibility 与 Delegatecall

  • Public functions 可以被任意地址调用

  • External functions 只能从合约外部调用

  • Private functions 只能从合约内部调用

  • Internal functions 允许从合约及其子合约调用

External functions 消耗的 gas 比 public 少, 因为其使用 calldataPublic 需要复制所有参数到 memory.

Delegatecall

引自 Solidity Docs

Delegatecall is identical to a message call apart from the fact that the code at the target address is executed in the context of the calling contract and msg.sender and msg.value do not change their values.

This means that a contract can dynamically load code from a different address at runtime. Storage, current address and balance still refer to the calling contract, only the code is taken from the called address.

这个特性可以用于构建 Library 和模块化代码. 但是与此同时, 这也有可能造成别人对你的代码进行操作.

下例中, 攻击者调用 pwn 方法获得了合约的拥有权.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
pragma solidity 0.4.18;

contract Delegate {
    address public owner;

    function Delegate(address _owner) public {
        owner = _owner;
    }

    function pwn() public {
        owner = msg.sender;
    }
}

contract Deletagion {
    address public owner;
    Delegate delegate;

    function Delegation(address _delegateAddreses) public {
        delegate = Delegate(_delegateAddreses);
        owner = msg.sender;
    }

    // an attacker can call Delegate.pwn() in the context of Delegation, this means that pwn() will modify the state of **Delegation** and not Delegate, the result is that the attacker takes unauthorized ownership of the contract.
    function () public {
        if(delegate.delegatecall(msg.data)) {
            this;
        }
    }
}

Reentrancy(TheDAO hack)

Solidity 中 call 函数被调用时, 如果带有 value 参数, 则会转发所有他所收到的 gas.

在一下代码片段中, call 函数在 sender 的余额实际减少前被调用. 这里有一个漏洞曾导致 TheDAO 攻击.

1
2
3
4
5
6
7
8
function withdraw(uint _amount) public {
  if(balances[msg.sender] >= _amount) {
    if(msg.sender.call.value(_amount)()) {
      _amount;
    }
    balances[msg.sender] -= amount;
  }
}

引自 Reddit 的解释

In simple words, it’s like the bank teller doesn’t change your balance until she has given you all the money you requested. “Can I withdraw $500? Wait, before that , can I withdraw $500?”

And so on. The smart contracts as designed only check you have $500 at beginning once, and allow themselves to be interrupted.