何方圜的博客

攻击介绍Palmswap由于其蹩脚的业务逻辑，导致了价格被黑客操控，导致被黑客盗取了大约$900K 攻击分析我们通过phalcon来分析。 通过调用栈发现，攻击者先贷了3,000,000的USDT，然后质押1,000,000的USDT来获得大约996,324的PLP，然后用剩下的2,000,000的USDT，去购买了USDP，然后攻击者销毁了持有的所有的PLP，但得到了大约1,947,570的USTD。最后卖出USDP,大约得到1,947,570的USDT。 显然，攻击者在通过购买USDP操纵了PLP的价格。 function getPrice(bool _maximise) external view returns (uint256) { uint256 aum = getAum(_maximise); uint256 supply = IERC20Upgradeable(plp).totalSupply(); return (aum * PLP_PRECISION) / supply; } funct ...

题目源代码： // SPDX-License-Identifier: UNLICENSEDpragma solidity ^0.8.13;contract Factorial { bool public solved = false; function run(uint256 number) internal view returns (uint256) { uint256 res = 1; for (uint256 index = 0; index < number; index++) { (, bytes memory data) = msg.sender.staticcall(abi.encodeWithSignature("factorial(uint256)", number)); res = res * abi.decode(data, (uint256)); } return res; &# ...

CTF-BabyOtter题目源代码： // SPDX-License-Identifier: UNLICENSEDpragma solidity ^0.8.13;contract BabyOtter { bool public solved = false; function solve(uint x) public { unchecked { assert(x * 0x1337 == 1); } solved = true; }} 这个题，有个unchecked 它是一个不对溢出进行的一个检查unchecked 是一个特殊的关键字，表示在代码块中进行运算时不进行溢出检查。这意味着即使在某些情况下会发生溢出，也不会触发 Solidity 默认的溢出检查错误。 那么就很容易想到溢出来解决这个题了攻击代码： // SPDX-License-Identifier: UNLICENSEDpragma solidity ^0.8.13;interfa ...

CTF-AdultOtter题目源代码： // SPDX-License-Identifier: UNLICENSEDpragma solidity ^0.8.13;contract AdultOtter { bool public solved = false; function pwn(uint[16] memory code) public { uint[16] memory a; uint[16] memory b; for (uint i = 0; i < 16; i++) { assert(1337 * i < code[i] && code[i] < 1337 * (i + 1)); } for (uint i = 0; i < 16; i++) { a[i] = i**i * code[i]; } for (uint i = 1; i < 16; i++) ...

一SummaryIf the admin records the investment using the investment token instead of the stablecoin, it will lead to an error. Root CauseVulnerable code: 2024-11-vvv-exchange-update-HeYuan-33/vvv-platform-smart-contracts/contracts/vc/VVVVCInvestmentLedger.sol Lines 268 to 277 in c1e47db for (uint256 i = 0; i < _kycAddresses.length; i++) { address kycAddress = _kycAddresses[i]; uint256 investmentRound = _investmentRounds[i]; uint256 amountToInvest = _amountsTo ...

攻击介绍2023年7月11日，Arbitrum链上的Rodeo Finance: Pool由于价格预言机操纵，而被黑客盗取了472 ETH。 攻击分析攻击者利用了预言机的缺陷控制了unshETH与ETH之间的兑换比率,预言机使用 ETH 与 unshETH 的准备金比率来检查价格。同时攻击者能够通过具有未配置策略地址的 earn 函数强制平台将 USDC 兑换为 unshETH。由于价格预言机存在缺陷，滑点控制无法生效。(具体可见Meth为0x7b37c42b的交易)。 function earn(address usr, address pol, uint256 str, uint256 amt, uint256 bor, bytes calldata dat) external loop returns (uint256){ if (status < S_LIVE) revert WrongStatus(); if (!pools[pol]) revert InvalidPool(); if (strategies[str] == addres ...

CTF-Numen-LenderPool题目有点长的，主要是接口使用多了源代码点击 要求很明显： function isSolved() public view returns (bool) { if (token0.balanceOf(address(lenderPool)) == 0) { return true; } 耗尽池中所有的token0 关键就是在flashLoan函数中一个外部调用出现了问题： token0.transfer(borrower, borrowAmount); borrower.functionCall(abi.encodeWithSignature("receiveEther(uint256)", borrowAmount)); 当发送给borrower ``token0时，会调用borrower的内部函数去接受，虽然flashLoan函数有防止重入的攻击的修饰，但是swap()函数没有防止重入攻击的修饰符，所以就可一进行一个=跨函数的重入攻击。 所以这就 ...

题目源码： // SPDX-License-Identifier: MITpragma solidity ^0.8.4;contract PrivilegeFinance { string public name = "Privilege Finance"; string public symbol = "PF"; uint256 public decimals = 18; uint256 public totalSupply = 200000000000; mapping(address => uint) public balances; mapping(address => address) public referrers; string msgsender = '0x71fA690CcCDC285E3Cb6d5291EA935cfdfE4E0'; uint public rewmax = 65000000000000000000000; uint publi ...

CTF-OnlyPwner-FREEBIE题目地址 点击 要求是将合约的余额变为零 源代码很少 pragma solidity 0.8.19;import {IVault} from "./interfaces/IVault.sol";contract Vault is IVault { uint256 public totalDeposited; function deposit() external payable { totalDeposited += msg.value; emit Deposit(msg.sender, msg.value); } function withdraw(uint256 amount) external { totalDeposited -= amount; payable(msg.sender).transfer(amount); emit Withdraw(msg.send ...

一SummaryThe attacker can register their own address as the charitable organization and then perform a self-transfer by donating to the organization, effectively receiving a specific minted NFT for free. Vulnerability DetailsVulnerability code source:https://github.com/Cyfrin/2024-11-giving-thanks/blob/304812abfc16df934249ecd4cd8dea38568a625d/src/GivingThanks.sol#L21-L23 There is no check to verify whether the charitable organization’s address is the same as the donor’s address, which allows atta ...