今天区块链技术圈被美链(BEC)智能合约的漏洞导致代币价值几乎归零的事件刷遍朋友圈。这篇文章就带大家了解一些智能合约编写的注意事项。

Overflow 与 Underflow

Solidity 可以处理 256 位数字, 最高为 2256 – 1, 所以对 (2 256 – 1) 加 1 会导致归 0。同理, 对 unsigned 类型 0 做减 1 运算会得到 (2**256 – 1)

测试代码如下:

pragma solidity 0.4.18;
contract OverflowUnderflow {
    uint public zero = 0;
    uint public max = 2**256 - 1;
    // zero will end up at  2 ** 256 - 1
    function underflow() public {
        zero -= 1;
    }
    function overflow() public {
        max += 1;
    }
}

尽管他们同样危险, 但是在智能合约中, underflow 造成的影响更大.

比如, 账号 A 持有 X tokens, 如果他发起一笔 X + 1 tokens 的交易, 如果代码不进行校验, 则账号 A 的余额可能发生 underflow 导致余额变多.

可以引入 SafeMath Library 解决:

pragma solidity 0.4.18;
library SafeMath {
    function mul(uint256 a, uint256 b) internal pure returns (uint256) {
        if (a==0) {
            return 0;
        }
        uint c = a * b;
        assert(c / a == b);
        return c;
    }
    function div(uint256 a, uint256 b) internal pure returns (uint256) {
        uint256 c = a / b;
        return c;
    }
    function sub(uint256 a, uint256 b) internal pure returns (uint256) {
        assert(b <= a);
        return a - b;
    }
    function add(uint256 a, uint256 b) internal pure returns (uint256) {
        uint256 c = a + b;
        assert(c >= a);
        return c;
    }
}
contract OverflowUnderflow {
    using SafeMath for uint;
    uint public zero = 0;
    uint public max = 2 ** 256 - 1;
    function underflow() public {
        zero = zero.sub(1);
    }
    function overflow() public {
        max = max.add(1);
    }
}

Visibility 与 Delegatecall

  • Public functions 可以被任意地址调用
  • External functions 只能从合约外部调用
  • Private functions 只能从合约内部调用
  • Internal functions 允许从合约及其子合约调用

External functions 消耗的 gas 比 public 少, 因为其使用 calldata 而 Public 需要复制所有参数到 memory。

Delegatecall

Delegatecall is identical to a message call apart from the fact that the code at the target address is executed in the context of the calling contract and msg.sender and msg.value do not change their values.
This means that a contract can dynamically load code from a different address at runtime. Storage, current address and balance still refer to the calling contract, only the code is taken from the called address.

这个特性可以用于构建 Library 和模块化代码. 但是与此同时, 这也有可能造成别人对你的代码进行操作。

下例中, 攻击者调用 pwn 方法获得了合约的拥有权。

pragma solidity 0.4.18;
contract Delegate {
    address public owner;
    function Delegate(address _owner) public {
        owner = _owner;
    }
    function pwn() public {
        owner = msg.sender;
    }
}
contract Deletagion {
    address public owner;
    Delegate delegate;
    function Delegation(address _delegateAddreses) public {
        delegate = Delegate(_delegateAddreses);
        owner = msg.sender;
    }
    // an attacker can call Delegate.pwn() in the context of Delegation, this means that pwn() will modify the state of **Delegation** and not Delegate, the result is that the attacker takes unauthorized ownership of the contract.
    function () public {
        if(delegate.delegatecall(msg.data)) {
            this;
        }
    }
}

Reentrancy(TheDAO hack)

Solidity 中 call 函数被调用时, 如果带有 value 参数, 则会转发所有他所收到的 gas。

在一下代码片段中, call函数在sender的余额实际减少前被调用。这里有一个漏洞曾导致TheDAO攻击。

function withdraw(uint _amount) public {
  if(balances[msg.sender] >= _amount) {
    if(msg.sender.call.value(_amount)()) {
      _amount;
    }
    balances[msg.sender] -= amount;
  }
}

引自Reddit的解释:

In simple words, it’s like the bank teller doesn’t change your balance until she has given you all the money you requested. “Can I withdraw $500? Wait, before that , can I withdraw $500?”

And so on. The smart contracts as designed only check you have $500 at beginning once, and allow themselves to be interrupted.


智能合约编写注意事项插图

关注公众号:程序新视界,一个让你软实力、硬技术同步提升的平台

除非注明,否则均为程序新视界原创文章,转载必须以链接形式标明本文链接

本文链接:https://choupangxia.com/2019/07/06/%e6%99%ba%e8%83%bd%e5%90%88%e7%ba%a6%e7%bc%96%e5%86%99%e6%b3%a8%e6%84%8f%e4%ba%8b%e9%a1%b9/