Shulou(Shulou.com)05/31 Report--

How to look at the intelligent contract constructor case coding error loopholes from the ethernet MorphToken event, many novices are not very clear about this. In order to help you solve this problem, the following editor will explain it in detail for you. People with this need can come and learn. I hope you can get something.

I. Overview of loopholes

The meaning of the ethersquare smart contract is a set of code (functions) and data (the status of the contract), which are located at a specific address of the etherfang block chain. Smart contracts are generally written in the solidity language.

Morpheus Network has negotiated with some of the world's largest shipping, customs and banking companies to release MorphToken based on eTaifang by using the intelligent contract technology of blockchain to build a full-service, global, automated and open supply chain platform and an integrated cryptocurrency payment system.

On June 22, 2018, Morpheus Network announced that it would release a new smart contract to update the current vulnerable contract code. The name of the new Token is MRPH, and the new and old Token will be exchanged at 1:1.

Then, knowing that the Chuangyu 404 blockchain security research team began the vulnerability emergency, by analyzing the MorphToken contract code and transaction history, it was determined that the vulnerability was due to the case coding problem, and the first letter of the constructor Owned of the Owned contract was mistakenly lowercase, making it an ordinary function owned, which can be called by any ethersquare account to seize the ownership of the contract, further realizing a series of illegal operations such as currency theft. Then we released the relevant emergency report, and we also noticed that the BCSEC security team released the relevant analysis documents.

In the follow-up study, we found that as early as August 29th, 2017, someone on Github mentioned this kind of contract security vulnerability caused by the lack of constructor. The vulnerability currently affects multiple smart contracts, including MorphToken, B2X, DoubleOrNothingImpl, and so on.

Second, loophole principle

In the contract code of MorphToken: https://etherscan.io/address/0x2ef27bf41236bd859a95209e17a43fbd26851f92#code can clearly see the relevant case writing errors:

The constructor in the ethersquare smart contract is mainly used for initialization, such as determining the owner of the contract, and will only run when the contract is deployed. In solidify compiler syntax requirements smaller than 0.4.22, the name of the constructor should be consistent with the contract name. If the programmer misspelled the constructor name when writing the contract, the original constructor will become a normal function that anyone can call. The sample code of the vulnerability and the recurrence result in Remix-ide are as follows:

0x01 vulnerability contract deployment

In the following figure, the Bank contract is inherited from the Owned contract. In the Owned contract, the name of the constructor is misspelled due to the wrong coding, and the owned function becomes a normal function. As you can see, after the deployment of the Bank contract, due to the lack of a constructor, the owner is 0x0000000000000000000000000000000000000000 at initialization.

0x02 vulnerability on-site restore

Any ethersquare account can call the owned function of the Bank contract inherited from the Owned contract and change the owner variable of the Bank contract, resulting in the transfer of contract ownership.

As shown below, after the 0x14723a09acff6d2a60dcdf7aa4aff308fddc160c account calls the owned function of the Bank contract, you can see that the owner of the Bank contract becomes 0x14723a09acff6d2a60dcdf7aa4aff308fddc160c. By the same token, attackers can also take advantage of this vulnerability to lift their rights and implement a series of malicious actions.

III. Vulnerability impact assessment

We use the internal ethersquare intelligent contract audit system to automatically audit all 30000 + open intelligent contracts on the etherfang main chain, and confirm that a total of 16 contracts are affected by the uppercase and lowercase coding loophole. The following are the statistical results:

(the extent to which the vulnerability is affected depends on the logic of the contract. Specific code audit results can be contacted by Zhi Chuangyu 404 Block chain Security Research team)

In theory, after the contract is deployed, due to the missing constructor caused by coding errors, the default value of owner will become 0x0000000000000000000000000000000000000000, so that all function calls involving owner in the contract will be abnormal, and the contract owner should be able to find the vulnerability in time. However, MorphToken, a token with a market capitalization of millions of dollars, was stolen because of this coding loophole in the contract. By analyzing the Morph Token source code, we got the answer. MorphToken inherits the Owned contract, but implements the constructor itself. That is to say, it is the father's contract that leaves a "back door".

On the other hand, if there are no function calls involving owner permissions in the contract, it is useless even if the attacker steals the ownership of the contract. This is the case in the B2X contract in the table above.

Generally speaking, the number of contracts affected by vulnerabilities is small, which belongs to the loopholes that have been "caught fire" by MorphToken.

In fact, many security vulnerabilities come from the careless coding of programmers, and code auditing should be strengthened if the deployment of smart contracts is immutable.

IV. Protection scheme

Solidity compilers after version 0.4.22 introduced the constructors keyword to replace the earlier version of the syntax of using the contract name as the constructor name, thus avoiding programmer coding errors. The latest version of the compiler is strongly recommended.

Is it helpful for you to read the above content? If you want to know more about the relevant knowledge or read more related articles, please follow the industry information channel, thank you for your support.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.