Smart contract security -- selfdestruct attack
2022-07-28 02:26:00 【fingernft】
The selfdestruct function (self-destruct function) is provided by Ethereum smart contracts and is used to destroy a contract on the blockchain. When a contract self-destructs, the remaining ether in the contract account is sent to a designated target, and then its storage and code are removed from the state. selfdestruct lets developers delete a smart contract and transfer its balance to a specified address in an emergency, but attackers also use this feature as a means of attack. Let's look at the classic case of the "Lucky 7" game:
Contract code

Vulnerability analysis
In the "Lucky 7" game, each player deposits one ETH into EtherGame per turn, and the player who makes the seventh successful deposit becomes the winner. The winner can withdraw 7 ETH. To play, a player calls EtherGame.deposit and sends one ETH; the function then checks whether the contract's balance is less than or equal to 7, and only continues if it is; otherwise the call is rolled back. The balance is read from address(this).balance, which means that if we can change the balance of the EtherGame contract before a winner is produced so that it equals 7, the contract will be paralyzed. So the attack direction is clear: force ETH into the EtherGame contract so that its balance is greater than 7. Later players then cannot pass the check in EtherGame.deposit, the EtherGame contract is paralyzed, and a winner is never produced. However, EtherGame.deposit contains the validation require(msg.value == 1 ether, "You can only send 1 Ether"), which only allows one ETH to be sent per call, so more than 1 ETH cannot be sent to EtherGame through deposit. Since the attack needs to get more than 1 ETH into the EtherGame contract, this is where selfdestruct comes in.
Attack contracts
The attacker calls the attack function attack(), which destroys the attack contract and forcibly transfers its balance to the address of the "Lucky 7" game contract. The game contract's address(this).balance query then returns a value greater than 7, the function reverts, the game can no longer be played normally, and the game contract is paralyzed.
Repair suggestions
Let's analyze the attacker's approach: the selfdestruct function is used to force a transfer to the game address, so that uint balance = address(this).balance yields a balance greater than 7, require(balance <= targetAmount, "Game is over"); fails, and the game contract is paralyzed. The attacker reaches this goal by influencing balance, so the fix is to make balance immune to that influence: define balance as its own variable first, and let its value change only in the normal way through the rules of the game. Then balance can no longer take an abnormal value.
Fixed code :

If you want to know more about smart contracts and blockchain, you are welcome to join the blockchain community CHAINPIP to exchange ideas and study together.
Community address: https://www.chainpip.com/