New ownerAnyone Bug Allows For Anyone to ''Own'' Certain ERC20-Based Smart Contracts (CVE-2018-10705

最新推荐文章于 2024-10-12 11:51:54 发布
转载 最新推荐文章于 2024-10-12 11:51:54 发布 · 277 阅读 · 0

This morning, our vulnerability-scanning system at PeckShield identified a new vulnerability namedownerAnyone in certain ERC20-based smart contracts such as AURA, which is deployed by a decentralized banking and finance platform – AURORA. This bug, if successfully exploited, might introduce the danger of serious financial accident. Fortunately, the attackers would not be financially benefited from exploiting the vulnerability. Instead, the ownerAnyone bug can be used to trigger Denial-of-Service (DoS) attack on the affected smart contracts.

Details

Solidity provides function modifiers, which can be used to amend the semantics of functions in a declarative way. For example, privileged functions need to check the identity or the privilege level of the caller.

Figure 1: Ownership-Checking Function Modifier: onlyOwner


We can see from the Figure 1, sensitive functions (e.g., unlockToken / lockBalances) use theonlyOwner modifier to guarantee that only the current contract owner can call them. It seems pretty legitimate, so what’s the problem?


Figure 2: The Vulnerable setOwner() Method

Let’s take a closer look into the AURA contract which inherits SafeMath for safe mathematical calculation and Owned for contract ownership management. Inside the Owned contract, there is a method setOwner() for changing the contract ownership, which is a highly sensitive operation. However, this sensitive method doesn’t have any function modifier, like onlyOwner, to restrict its use. Even worse, the method’s visibility is public by default, which means anyone can call it to modify owner to anyone at their choice.

As a proof-of-concept demonstration, we launch the following transaction and essentially replaceowner to 0xcafebabe.

Figure 3: A Demo Ownership-Replacing Transaction


And we can verify by checking the owner variable of AURA contract.


Figure 4: AURA's New Owner: 0xcafebabe


Consequences

With the ownerAnyone bug to essentially change the smart contract ownership, any sensitive operations restricted by onlyOwner can be easily bypassed. For example, the unlockToken()method can be used to unlock transfer, which might be used during early stage to control token transferring. Also, the lockBalances() method can be called to set the balancesUploaded variable to true (with false as the default value), essentially locking up the uploadBalances() operation and making it no longer accessible.

line 140) bool public balancesUploaded = false;

In other words, once balancesUploaded is set to true, uploadBalances() can never be reached, which lead to a DoS attack:

line 142) require(!balancesUploaded);

During our investigation, we initially think there is a questionable operation in the end:

line 148) balanceOf[owner] = safeSub(balanceOf[owner], sum);

It turns out that it is protected by safeSub(), which will revert the whole transaction if balanceOf[owner] doesn’t have enough tokens. Note that ownerAnyone is a twin vulnerability to the IDXM bug in [1].

Conclusion

Writing a safe smart contract is NOT an easy job. It requires different security considerations from our traditional software development. Any security miss may allow for attackers to take advantage of your contract with valuable assets and cause significant financial damage. It is fortunate thatownerAnyone in this particular case only does limited harm. It can get much worse if AURAcontains other administrative functions, say, controlling token supply by owner.

We cannot over-emphasize the importance of smart contract auditing. Here are some basic security guidelines to follow:

  • Always use libraries like SafeMath for safe mathematical calculations

  • Always declare your functions with right modifiers and visibilities

Being said, if at all possible, audit your smart contracts before deployment by consulting professional auditing services from qualified security companies. After all, precaution is better than cure.

References


ML:《Data-driven advice for applying machine learning to bioinformatics problems应用机器学习到生物信息学问题的》翻译与解读
头部AI社区如有邀博主AI主题演讲请私信—心比天高,仗剑走天涯,保持热爱,奔赴向梦想!低调,专注,谦虚,自律,反思,成长,还算比较正能量的博主,公益免费传播…内心特别想在AI界做出一些可以推进历史进程影响力的技术(兴趣使然,有点小情怀,也有点使命感呀
07-13 1万+
​ ML:《Data-driven advice for applying machine learning to bioinformatics problems应用机器学习到生物信息学问题的数据驱动建议》翻译与解读 目录 《Data-driven advice for applying machine learning to bioinformatics problems》翻译与解读 Abstract摘要 1.Introduction 2.Methods 3.Results
【GB28181】wvp-GB28181-pro部署安装教程(Ubuntu平台)
废人一枚的博客
02-25 4603
初始环境安装。
New ceoAnyone Bug Identified in Multiple Crypto Game Smart Contracts (CVE-2018-11329)
Fly_鹏程万里
07-09 556
Our vulnerability-scanning system at PeckShield has so far discovered several dangerous smart contract vulnerabilities ( batchOverflow[1], proxyOverflow[2], transferFlaw[3], ownerAnyone[4], multiOver...
Python - Python Decorators III: A Decorator-Based Build System
热门推荐
了解➔熟悉➔掌握➔精通
10-17 3万+
分享一个大牛的人工智能教程。零基础!通俗易懂!风趣幽默!希望你也加入到人工智能的队伍中来!请点击http://www.captainbed.net I've usedmakefor many years. I only usedantbecause it produced faster Java builds. But both build systems started out th...
Apache Druid 任意文件读取漏洞CVE-2021-36749
不光要学,知识要能说出口
11-23 4185
CVE-2021-36749 goby exp声明代码poc集合 声明 本程序仅供于学习交流,请使用者遵守《中华人民共和国网络安全法》,勿将此脚本用于非授权的测试,脚本开发者不负任何连带法律责任。 代码 { "Name": "Apache Druid Abritrary File Read CVE-2021-36749", "Level": "3", "Tags": [ "fileread" ], "GobyQuery":
SpringMessaging命令执行漏洞 cve-2018-1270
whatday的专栏
07-07 2597
漏洞概述 https://pivotal.io/security/cve-2018-1270 STOMP(Simple Text Orientated Messaging Protocol)全称为简单文本定向消息协议,它是一种在客户端与中转服务端(消息代理Broker)之间进行异步消息传输的简单通用协议,它定义了服务端与客户端之间的格式化文本传输方式。已经在被许多消息中间件与客户端工具所支持。STOMP协议规范:https://stomp.github.io/stomp-specification-1.
Linux解决CVE-2011-0762漏洞vsftpd升级步骤
lixinfu1980的博客
05-23 1万+
Linux解决CVE-2011-0762漏洞vsftpd升级步骤操作系统版本:RHEL 6.8 64位vsftpd 升级到3.0.3关闭服务 service vsftpd stop service iptables stop sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config; 检查旧版vsftpd 版本 vsft...
tomcat 漏洞 CVE-2016-1240 分析报告
Defonds 的专栏
10-11 7679
这次漏洞是 Debian 自身提供的 tomcat 包的漏洞,也就是 tomcat deb 包的漏洞,并非 tomcat 官方的漏洞。Debian 下使用 apt-get 安装 tomcat 的用户必须提高注意。该包提供做成服务的 tomcat.ini 脚本,该初始化脚本对 catalina.out 做了 chown 操作:touch "$CATALINA_PID" "$CATALINA_BASE
CVE』简析CVE-2023-48795:SSH协议前缀截断攻击(Terrapin攻击)
Ho1aAs‘s Blog
12-25 1万+
简析CVE-2023-48795:SSH协议前缀截断攻击(Terrapin攻击)
Coursera课程Python for everyone:Quiz: Many-to-Many Relationships and Python
GarfieldEr007的专栏
02-17 6593
Many-to-Many Relationships and Python 9 试题 1.  How do we model a many-to-many relationship between two database tables? We add a table with two
【论文翻译】nuPlan: A closed-loop ML-based planning benchmark for autonomous vehicles
积流成河
05-07 3680
论文链接:https://arxiv.org/pdf/2106.11810.pdf 标题 nuPlan: A closed-loop ML-based planning benchmark for autonomous vehicles nuPlan:基于机器学习的闭环规划benchmark,用于自动驾驶车辆 1 摘要/Abstract In this work, we propose the world’s first closed-loop ML-based planning benchmark for
Ivanti Connect Secure SSRF to RCE漏洞复现(CVE-2024-21893)
iSee857的博客
10-12 1564
CVE-2024-21893 是存在 Ivanti Connect Secure SAML 组件中的 SSRF 漏洞,该漏洞主要是由于使用存在漏洞第三方库,并且第三方库没有及时的更新导致的,可以绕过 CVE-2024-21887 命令注入漏洞的补丁,达到未授权 RCE 的目的。是一款企业级远程访问解决方案,提供安全远程访问(VPN)、多因素认证等功能。,包括验证用户、验证设备、控制访问和保护数据。它适用于混合IT时代,支持多种应用场景,如员工远程接入、浏览器访问内网应用、dnslog检测poc。
yubaolee_OpenAuthNet_25456_1764964690631.zip
12-07
yubaolee_OpenAuthNet_25456_1764964690631.zip
基于PID控制器和电流控制器的电池充电比较研究(Matlab代码实现)
12-07
基于PID控制器和电流控制器的电池充电比较研究(Matlab代码实现)内容概要:本文主要围绕《基于PID控制器和电流控制器的电池充电比较研究(Matlab代码实现)》展开,介绍了利用Matlab进行电池充电控制策略的仿真与比较研究。重点对比了PID控制器与电流控制器在电池充电过程中的性能表现,涵盖系统建模、控制算法设计、仿真分析及结果评估等内容,旨在为电池管理系统中的充电控制提供优化方案和技术参考。; 适合人群:具备一定自动控制理论基础和Matlab编程能力的电气工程、自动化、能源系统等相关专业的研究生、科研人员及工程技术人员。; 使用场景及目标:①用于电池管理系统中充电控制策略的设计与优化;②开展PID控制与电流控制在动态响应、稳定性、充电效率等方面的性能对比研究;③支持教学实验、科研仿真及实际工程项目中的控制器选型与验证。; 阅读建议:建议读者结合Matlab代码进行仿真实践,重点关注控制器参数设置、系统响应曲线分析及不同工况下的性能差异,同时可扩展至其他先进控制算法(如模糊控制、自适应控制)的对比研究,以深化对电池充电控制技术的理解与应用。
一个基于SpringBoot和MyBatis框架开发的用于高校或公共图书馆自习室资源智能化管理的Web应用程序系统_包含用户注册登录座位预约状态查询取消预约留言反馈及管理员对自习室.zip
12-07
一个基于SpringBoot和MyBatis框架开发的用于高校或公共图书馆自习室资源智能化管理的Web应用程序系统_包含用户注册登录座位预约状态查询取消预约留言反馈及管理员对自习室.zip
nats.swift-Swift资源
最新发布
12-08
Swift client for NATS, the cloud native messaging system.
ACM算法竞赛题解与优化技巧 练习题
12-07
ACM算法竞赛题解与优化技巧
优化调度基于改进遗传算法的公交车调度排班优化的研究与实现(Matlab代码实现)
12-07
【优化调度】基于改进遗传算法的公交车调度排班优化的研究与实现(Matlab代码实现)内容概要:本文研究基于改进遗传算法的公交车调度排班优化问题,旨在通过Matlab代码实现改进的遗传算法,解决公交系统中发车频率、车辆分配和司机排班等复杂调度难题。通过对传统遗传算法引入变异、精英保留等优化机制,提升算法收敛速度与全局搜索能力,从而获得更优的调度方案,有效降低运营成本并提高服务质量。研究涵盖了模型构建、算法设计、约束处理及仿真验证全过程,展示了智能优化算法在公共交通管理中的实际应用价值。; 适合人群:具备一定Matlab编程基础,从事智能优化、交通运输规划或运筹学相关领域的研究人员及工程技术人员。; 使用场景及目标:①解决城市公交系统的发车调度与司机排班优化问题;②学习改进遗传算法的设计思路及其在复杂组合优化问题中的实现方法;③为智能交通系统(ITS)中的调度决策提供技术支持与仿真工具。; 阅读建议:建议读者结合文中Matlab代码进行实践操作,重点关注算法改进策略与约束条件的建模方式,并可通过调整参数或引入新的优化机制进一步提升性能。
Set up usage billing for premium models Please contact an administrator in your organization to enable usage-based pricing
07-24
Setting up usage-based billing for premium models typically involves configuring your cloud service provider's billing settings to track and charge based on actual resource consumption. Usage-based pricing allows users to pay only for what they use, which can be particularly beneficial for applications with variable workloads. To configure usage-based billing, navigate to the billing section of your cloud provider’s console or API. Select the premium model or service for which you want to enable this billing method. There should be an option to switch from flat-rate billing to usage-based billing. Ensure that detailed billing is enabled so that all usage metrics are captured accurately[^1]. When usage-based pricing is enabled, the system will monitor various metrics such as compute time, storage, and network usage. These metrics are then used to calculate charges according to the defined rate card. It is important to understand the specific metrics that will be tracked and how they are priced to avoid unexpected costs. If usage-based pricing is not available through the standard configuration options, it may be necessary to contact an administrator or the cloud provider's support team. They can assist with enabling this feature, especially if it requires changes to account settings or special permissions[^1]. When contacting an administrator, provide clear details about the services and resources for which usage-based billing should be enabled. Include any specific requirements, such as custom metrics or reporting intervals. Administrators may also need to set up alerts or budget thresholds to help manage costs effectively[^1]. After enabling usage-based billing, regularly review the usage reports and cost breakdowns provided by the cloud platform. This helps in optimizing resource usage and identifying potential cost-saving opportunities. Some platforms also allow setting up automated alerts when usage exceeds predefined thresholds, which can help prevent unexpected charges[^1]. For programmatic access to billing data, many cloud providers offer APIs that can be integrated into custom dashboards or financial management tools. The following is an example of how to retrieve billing data using a hypothetical API: ```python import requests # Replace with your actual API endpoint and authentication token url = "https://api.cloudprovider.com/v1/billing/usage" headers = { "Authorization": "Bearer YOUR_ACCESS_TOKEN" } response = requests.get(url, headers=headers) if response.status_code == 200: usage_data = response.json() print("Current usage data:", usage_data) else: print("Failed to retrieve usage data. Status code:", response.status_code) ``` This script demonstrates how to fetch usage data programmatically, which can be useful for organizations that want to automate cost tracking and analysis[^1].
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值