1. Background

In asset management, entrusted (delegated) management is a common arrangement: the principal hands assets to a trustee to manage and pays the trustee a fee for the service. The same business scenario is common in smart contracts.

Contract design

function transferProxy(address _from, address _to, uint256 _value, uint256 _fee, uint8 _v, bytes32 _r, bytes32 _s)

Roles involved in the transferProxy method:

  • Role 1: the person who needs to transfer tokens but has no ETH in their wallet address; `_from` in the contract

  • Role 2: helps role 1 transfer the tokens and pays the gas fee in ETH; `msg.sender` in the contract, i.e. the account that actually calls the contract

  • Role 3: the token receiver; `_to` in the contract

Purpose of the transferProxy method:

Role 1 wants to transfer tokens to role 3 but has no ETH to pay the gas, so role 1 finds role 2, who has ETH, and says: I will give you some tokens as a fee; since you have ETH, you call transferProxy and move my tokens to role 3 for me.

Contract implementation

function transferProxy(address _from, address _to, uint256 _value, uint256 _fee,
    uint8 _v, bytes32 _r, bytes32 _s) public returns (bool){

    // _from must hold value plus fee; the second test catches an overflow of the sum
    if(balances[_from] < _fee + _value
        || _fee > _fee + _value) revert();

    // Per-signer nonce: the signed hash commits to it, so a signature is meant to be usable once
    uint256 nonce = nonces[_from];
    bytes32 h = keccak256(_from,_to,_value,_fee,nonce,address(this));
    // The account recovered from the signature must be _from, otherwise the authorisation is not genuine
    if(_from != ecrecover(h,_v,_r,_s)) revert();

    // Overflow checks on the two balances that are credited
    if(balances[_to] + _value < balances[_to]
        || balances[msg.sender] + _fee < balances[msg.sender]) revert();
    balances[_to] += _value;
    emit Transfer(_from, _to, _value);

    // msg.sender (role 2) is paid the fee in tokens for covering the gas
    balances[msg.sender] += _fee;
    emit Transfer(_from, msg.sender, _fee);

    balances[_from] -= _value + _fee;
    nonces[_from] = nonce + 1;
    return true;
}

The key points in the function are keccak256 and ecrecover: the hash over the signed fields and the ECDSA (elliptic curve digital signature algorithm) recovery function that yields the signer's address. In Solidity, sha3 is an alias for keccak256.

The signing and verification process is as follows:

  1. Role 1 (_from) hashes _from, _to, _value, _fee, nonce and address(token) with sha3 to obtain msg, then calls web3.eth.sign(address, msg) to obtain the signature.

  2. Split the signature hex string: positions 0 to 66 are r, positions 66 to 130 are s, and positions 130 to 132 are v; then convert v to an integer. Role 1 passes this information to role 2, and role 2 calls the contract's transferProxy to perform the transfer.

  3. In the contract, ecrecover takes the hash of the signed data and the r/s/v parameters as input and returns the address of the account that produced the signature.

// Step 1: role 1 hashes the same fields the contract hashes, then signs the hash.
// address(token) stands for the token contract's address; the hash must be computed over
// the same tightly packed fields as the contract's keccak256 or ecrecover will not match.
let msg = web3.sha3(_from,_to,_value,_fee,nonce,address(token))
let signature = web3.eth.sign(_from, msg)

// Step 2: split the 65-byte signature ("0x" + 130 hex characters) into r, s and v
let r = signature.slice(0, 66)
let s = '0x' + signature.slice(66, 130)
let v = '0x' + signature.slice(130, 132)
v = web3.toDecimal(v)

// r, s, v and msg are what role 1 hands to role 2 for the transferProxy call
console.log('r', r)
console.log('s', s)
console.log('v', v)
console.log(msg)

Note

Role 1 and role 2 must agree on nonce and _fee in advance. The nonce is kept in the contract and increases from 0; it can be queried through the contract's nonce(address _addr) function.

2. Attack process


Because all of a contract call's data (the function parameters) is public on the chain, the complete signature information can be extracted from the transaction.

Flow chart: https://github.com/nkbai/defcon26/blob/master/docs/img/p1.png

A smart contract replay attack builds on the ECDSA signing and verification logic: when the same transferProxy implementation exists in different contracts, the signature information can be extracted from a transaction to contract A and replayed against contract B. Since every parameter that went into the signature is identical, contract B can be called directly with it and the transaction broadcast to the chain.
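To make the replay and the address(this) mitigation concrete, the following is an added example (not the article's or the DEF CON tool's code): two Token objects model two deployments of the same transferProxy code, a minimal secp256k1 sign/recover pair stands in for web3.eth.sign and ecrecover, hashlib.sha3_256 stands in for keccak256 (the standard library has no Keccak), and the recovered public key stands in for the address; the key, contract addresses and amounts are constructed.

```python
import hashlib
P = 2**256 - 2**32 - 977  # secp256k1 field prime (minimal textbook arithmetic below)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
def ec_add(a, b):
    if a is None or b is None: return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    lam = 3 * a[0]**2 * pow(2 * a[1], -1, P) if a == b else (b[1] - a[1]) * pow(b[0] - a[0], -1, P)
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)
def ec_mul(k, pt):
    acc = None
    while k:
        if k & 1: acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc
def digest(*fields):  # stand-in for keccak256(_from,_to,_value,_fee,nonce[,address(this)])
    return hashlib.sha3_256(b"|".join(repr(f).encode() for f in fields)).digest()
def sign(priv, msg):  # (v, r, s) as eth_sign returns them; k is derived deterministically (toy)
    z, k = int.from_bytes(msg, "big"), int.from_bytes(hashlib.sha256(msg + priv.to_bytes(32, "big")).digest(), "big") % N
    R = ec_mul(k, G)
    return 27 + (R[1] & 1), R[0] % N, pow(k, -1, N) * (z + R[0] * priv) % N
def ecrecover(msg, v, r, s):  # recovers the signer's public key (the contract compares the address)
    z, y = int.from_bytes(msg, "big"), pow((pow(r, 3, P) + 7) % P, (P + 1) // 4, P)
    y, rinv = (y if (y & 1) == v - 27 else P - y), pow(r, -1, N)
    return ec_add(ec_mul(s * rinv % N, (r, y)), ec_mul(-z * rinv % N, G))

class Token:  # one deployment of the transferProxy contract; bind_addr = include address(this) in the hash
    def __init__(self, addr, balances, bind_addr):
        self.addr, self.bind, self.balances, self.nonces = addr, bind_addr, dict(balances), {}
    def transfer_proxy(self, sender, frm, to, value, fee, v, r, s):
        nonce = self.nonces.get(frm, 0)
        fields = (frm, to, value, fee, nonce) + ((self.addr,) if self.bind else ())
        if ecrecover(digest(*fields), v, r, s) != frm or self.balances.get(frm, 0) < value + fee:
            return False
        self.balances[frm] -= value + fee
        self.balances[to] = self.balances.get(to, 0) + value
        self.balances[sender] = self.balances.get(sender, 0) + fee
        self.nonces[frm] = nonce + 1
        return True
def replay_demo(bind_addr):
    priv = 0xC0FFEE                       # constructed private key for role 1
    role1 = ec_mul(priv, G)
    a, b = Token("0xA", {role1: 100}, bind_addr), Token("0xB", {role1: 100}, bind_addr)
    fields = (role1, "role3", 60, 5, 0) + (("0xA",) if bind_addr else ())  # nonce 0, signed for A
    v, r, s = sign(priv, digest(*fields))
    call = ("role2", role1, "role3", 60, 5, v, r, s)  # the calldata role 2 sends; public on chain
    # legitimate call on A, the same calldata replayed on B, then replayed on A (nonce has moved on)
    return a.transfer_proxy(*call), b.transfer_proxy(*call), a.transfer_proxy(*call)
```

Without address(this) in the hash the call succeeds on both deployments; with it, B rejects the signature, and the nonce alone only stops the second use within the same contract.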

3. Impact of the vulnerability

According to data disclosed in "Your May Have Paid More than You Imagine: Replay Attacks on Ethereum Smart Contracts", as of April 27 about 52 contracts were affected by replay attacks: 10 at high risk, 37 at medium risk and 5 at low risk.

Looked at by attack target, 5 contracts can be replayed within the same contract because they have no nonce design, and another 45 contracts are exposed to cross-contract replay attacks.

4. Prevention advice

Do not generate the nonce by simply counting up from 0, so that two contracts do not end up in the same state with the same nonce sequence.

Remove the transferProxy function and meet the proxy requirement in another way;

Add address(this) as an argument to keccak256;

The SlowMist security team has added this class of problem to its contract audit checklist.

5. Resources

Speaker PDF: media.defcon.org/DEF CON 26/…

Speaker open documentation: github.com/nkbai/defco…

Speaker open tools: github.com/nkbai/defco…


Source: Slow Fog Technology

Author: Slow Fog Security Team

Zhenzuan Bai, Yuwei Zheng et al. (360 UnicornTeam), “Your May Have Paid More than You Imagine: Replay Attacks on Ethereum Smart Contracts”
