How to Steal $100 Million from the Perfect Smart Contract
2022-08-01 10:02:00 【Xijing Swordsman】
Original link: https://pwning.mirror.xyz/
My blockchain adventure! This time, I revealed a key design flaw in Moonbeam, protecting more than $100 million at risk in DeFi projects and thereby protecting the Moonbeam network. I received the highest reward of their Immunefi bug bounty program, $1 million, plus a $50,000 bonus from Moonwell. (I guess this is also one of the top ten bug bounties?)
Delegatecall and Native Contracts
After reporting the bug in the Aurora engine, I began to consider other potential misuses of delegate calls to native contracts. The original purpose of delegatecall is to provide a mechanism by which one smart contract can share and reuse another contract's code, avoiding the storage overhead of duplicated code. A native contract is usually a pre-built contract that implements special functionality as an extension of the original EVM.
Now, the tricky part: if you delegatecall a native contract, you may be able to execute some unexpected function, even a privileged one! The developers, however, may not have realized that the actual user of these contract functions could be someone else. In the Aurora bug, the native contract simply assumed that the caller was always a magic address, so the hard-coded log emitter led to the malicious withdrawal vulnerability.
What assumptions may be wrong? When a delegatecall is executed, the invocation context is inherited from the previous context, including msg.sender and msg.value. From the native contract's point of view, the contract that issues the delegatecall is transparent: its caller is treated as the real user. Therefore, if a user calls a malicious contract, that contract can impersonate its caller when operating on the native contract!
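The context inheritance described above, as an added Rust model that is not code from the original post or from Moonbeam: it shows which account an ERC-20 style native contract records as owner under CALL and under DELEGATECALL. The addresses, type names and the code-address guard are assumptions made for illustration.

```rust
// Added model, not Moonbeam code: the context a precompile sees under CALL vs DELEGATECALL.
use std::collections::HashMap;

type Addr = u32; // constructed short addresses, not real ones
const PRECOMPILE: Addr = 0x802;
const USER: Addr = 0xA11CE;
const INTERMEDIARY: Addr = 0xBAD; // contract the user was persuaded to call

#[derive(Clone, Copy)]
struct Context { address: Addr, caller: Addr } // address(this) and msg.sender
enum Kind { Call, DelegateCall }
#[derive(Default)]
struct Erc20Precompile { allowances: HashMap<(Addr, Addr), u64>, reject_delegate: bool }

impl Erc20Precompile {
    // approve(spender, amount): the owner is whoever the context reports as msg.sender.
    fn approve(&mut self, code_address: Addr, ctx: Context, spender: Addr, amount: u64)
        -> Result<(), &'static str> {
        // Guard (assumed mitigation): under DELEGATECALL the executing code address
        // differs from ctx.address, which is still the delegating contract.
        if self.reject_delegate && code_address != ctx.address {
            return Err("precompile reached via DELEGATECALL");
        }
        self.allowances.insert((ctx.caller, spender), amount);
        Ok(())
    }
}

// Context handed to the callee when the contract running in `frame` invokes `target`.
fn child_context(frame: Context, target: Addr, kind: Kind) -> Context {
    match kind {
        Kind::Call => Context { address: target, caller: frame.address },
        Kind::DelegateCall => frame, // address and msg.sender inherited unchanged
    }
}

// USER calls INTERMEDIARY, which reaches approve(INTERMEDIARY, 1000) via `kind`;
// returns the owner the precompile recorded the allowance for.
fn recorded_owner(kind: Kind, reject_delegate: bool) -> Result<Addr, &'static str> {
    let frame = Context { address: INTERMEDIARY, caller: USER };
    let ctx = child_context(frame, PRECOMPILE, kind);
    let mut pc = Erc20Precompile { reject_delegate, ..Default::default() };
    pc.approve(PRECOMPILE, ctx, INTERMEDIARY, 1_000)?;
    Ok(pc.allowances.keys().next().unwrap().0)
}

fn main() {
    println!("CALL: {:x?}", recorded_owner(Kind::Call, false));
    println!("DELEGATECALL: {:x?}", recorded_owner(Kind::DelegateCall, false));
}
```

With the guard off, the DELEGATECALL path records the allowance against the user rather than the intermediary; with it on, the call is refused while ordinary CALLs are unaffected.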
Shadow in the Moonbeam
Moonbeam and Moonriver are both EVM-compatible platforms. In the moonbeam runtime, some precompiled contracts are shared between Moonbeam and Moonriver.
The Balance ERC-20 precompile provides an ERC-20 interface for handling the balance of the native token (MOVR & GLMR). The implementation of Erc20BalancesPrecompile is located in moonbeam/precompiles/balances-erc20/src/lib.rs.
The designers did not consider the use of delegatecall in the EVM. A malicious contract can pass its msg.sender through to the precompiled contract and impersonate its caller. In this scenario, the precompiled contract has no way to work out the actual caller. An attacker can increase the victim's allowance and can also transfer the available balance immediately.
A similar situation exists in the Asset ERC-20 precompile, which provides a native ERC-20 implementation for interoperable tokens (xcKSM, xcDOT, …). The implementation of Erc20AssetsPrecompileSet is located in moonbeam/precompiles/asset-erc20/src/lib.rs.
In this case, however, the designers did consider the use of delegatecall in the EVM. The ERC20Instance contract in the tests implements test cases for it, including approve_delegate() and transferFrom_delegate(). Unfortunately (or, for us, fortunately!), the design logic turned out not to work, so they removed the relevant code in their patch.
There is a simple exploit that can be reused in both cases: the native token asset address is 0x0000000000000000000000000000000000000000000000000000000000802, and the local token asset address can be 0xFFFFFFFF1FcaCBd218EDc0EbA20Fc2308C778080.
Exploit.sol:
Perfect Contract, or Perfect Victim?
How would this design flaw be used in practice? The basic idea is to get someone to trigger your malicious contract, for example by calling trap() in the PoC contract.
How can we persuade users to call some dubious contract? Airdrops! The hackers behind the UNIH token have demonstrated a crypto-native approach to phishing! Any user who wants to sell the airdropped token on Uniswap must call the malicious token contract to approve the DEX's use of their balance. Because of the RUNE token's fragile design, which only checks whether tx.origin rather than msg.sender is approved, all of a user's RUNE tokens can be stolen by a Trojan contract.
The phishing idea is creative, but it strongly limits the potential damage of the vulnerability. We want to find a better victim:
- willing to call your contract
- not as smart as users
- rich!
Who is a poor hacker's best friend? Flash loan providers! They hold a lot of money, and they call your callback contract because you want them to! During the flash loan callback, they are forced to approve your future transfers of their asset tokens, even if they are perfect contracts!
Some DEXes support callbacks to arbitrary contracts, for example SolarBeam on Moonriver and StellaSwap on Moonbeam. Because it supports flash loans, the stable swap between xcKSM and stKSM is also vulnerable. If one token can be drained from the pair, then the other token can be swapped out, and all of the liquidity will be drained.
Now, perfectly written contracts become the perfect victims. At the time of my report, the richest contracts were vulnerable:
- 0xea3d1e9e69addfa1ee5bbb89778decd862f1f7c5 on Moonriver, SolarBeam LP Token, $7.5M
- 0xa927e1e1e044ca1d9fe1854585003477331fe2af on Moonbeam, Stella LP Token, $2.7M
- 0x77d4b212770a7ca26ee70b1e0f27fc36da191c53 on Moonriver, xcKSM & stKSM pair, $2.4M
These tokens are worth about $12.6 million. Even a potential loss of 10% would be more than $1 million, which is the highest bounty that Moonbeam offers. But a real hacker will not stop at some trivial achievement. Are there any crazier victims?
The Glimmer
The native tokens MOVR (on Moonriver) and GLMR (on Moonbeam) are the equivalent of ETH on Ethereum. To be used in DeFi protocols, they must be wrapped in an ERC-20-compatible token contract, just like WETH.
The Balance ERC-20 precompile provides a native wrapper for the native token. No deployed protocol uses it, because the official wrapped tokens WMOVR and WGLMR are more widely adopted. By exploiting the Balance ERC-20 precompile vulnerability, we are able to steal the native token balance of any user who calls the malicious contract. Unlike the Asset ERC-20 precompile tokens such as xcKSM and xcDOT, which are used directly by DEXes, MOVR and GLMR balances are seldom held by smart contracts.
Most of the contracts with a non-zero balance are wallets of one kind or another, not much different from externally owned accounts. The only exception, our glimmer of hope, is the Moonwell project's MGlimmer contract.
The Moonwell project is the leading DeFi protocol on Moonriver. It has nearly $200 million in supply and $100 million available for borrowing (at the time of my report). MGlimmer, or the Moonwell: mMOVR Token, is the contract that handles lending and borrowing of MOVR specifically, and it holds its balance in native MOVR.
The coolest part is that when it transfers balance to a user, it calls the destination as a contract! Here is a simple exploit that approves spending of MGlimmer's entire balance.
GlimmerExploit.sol:
Not much balance is stored in the vulnerable contract (currently a few thousand MOVR). However, any amount you deposit into the contract is treated as collateral in this lending protocol. By repeating deposit -> borrow -> transfer everything back -> leave bad debt, the exploit can be further weaponized. All of the borrowable assets can be drained!
If any hacker had taken all $100 million of borrowable assets and the $12 million of vulnerable DEX tokens, it would definitely rank among the top 10 heists in DeFi history! Another surprising fact about these vulnerabilities is that the actual attack can be very stealthy: keep only the unauthorized privilege rather than stealing immediately. Because the contracts themselves are perfect, it is almost impossible for the developers of these DeFi projects to find out what went wrong!
Responsible Disclosure
Everyone is struggling in the bear market. I don't want to hurt anyone; I want to help them, especially when they are such hard-working teams. So I did my best to help the project teams understand the root cause and speed up the repair process.
At first the situation was very complicated. The flaw sits deep in the core of the blockchain system, but the victims are the DeFi protocols built on it. Some protocols may have an emergency exit to pause and upgrade their contracts, while others are immutable.
The final patch had to be completed by the Moonbeam team, but the biggest victim, Moonwell, could mitigate the vulnerability before the Moonbeam team acted. I noticed that both Moonbeam and Moonwell had launched their bounty programs on Immunefi, so I discussed this special case with the Immunefi team (without giving specific project names). After realizing that other projects, such as Uniswap-style DEXes, could not really do anything useful, I decided not to report to them, to reduce the risk of leaking key information as far as possible. Because only the Asset ERC-20 issue might be a problem for the Moonwell team, I had to split the Moonbeam report into two parts and submit only the necessary information and the exclusive Glimmer exploit PoC to them.
I took particular care of the Moonbeam team, even though they may not know it. I spent extra time studying their code base and wrote two complete test cases (600+ LOC), in case they needed more on the root cause. I asked the PureStake team on Discord, to make sure that I would submit the report as soon as the first engineer was at work. Fortunately, it worked: they began handling the issue without any inquiry and completed the patch on Friday, before the weekend!
Is this the last unexpected flaw hidden in the core design of smart-contract blockchains? Of course not! For every one revealed, another, crazier problem is hidden in the dark. There are other, more unusual problems waiting for me! Join me on my journey as I find these bugs and bring them to light, making the blockchain safer for everyone!