{"content":{"title":"RoeFinance Incident: Vulnerability Analysis","body":"# 1.\tVulnerability overview\r\nhttps://twitter.com/BlockSecTeam/status/1613267000913960976\r\n\r\n![1.png](https://img.learnblockchain.cn/attachments/2023/01/HZVqYi4V63c2afb71fe33.png)\r\n# 2.\tRelated addresses and transactions\r\nAttack transaction:\r\n0x927b784148b60d5233e57287671cdf67d38e3e69e5b6d0ecacc7c1aeaa98985b\r\nAttack contract: 0x3a5b7db0be9f74324370fbd65b75850a5c82d176\r\nAttacker account: 0x67a909f2953fb1138bea4b60894b51291d2d0795\r\nVictim contract: UNI-V2  0x004375dff511095cc5a197a54140a24efef3a416\r\n# 3.\tProfit analysis\r\n\r\n![2.png](https://img.learnblockchain.cn/attachments/2023/01/JzkXgccA63c2afd7749e7.png)\r\n# 4.\tAttack flow and root cause\r\nTracing the attack transaction shows that the price of the UNI-V2 asset changed from 3495450576387056244740 to 4320806762049972060102:\r\n\r\n![3.png](https://img.learnblockchain.cn/attachments/2023/01/lTQ8ALSX63c2aff55c689.png)\r\n\r\n![4.png](https://img.learnblockchain.cn/attachments/2023/01/Iv5nDXvZ63c2affc1ac44.png)\r\nLooking at the intermediate steps between the two values, the attacker first transferred 26024069170 units of USDC to the UNI-V2 pool and then immediately called the pool's sync function, which updated the recorded WBTC and USDC reserves:\r\n\r\n![5.png](https://img.learnblockchain.cn/attachments/2023/01/L8PXRSnF63c2b0136718f.png)\r\nThe AaveOracle price feed derives the UNI-V2 price from the pool's WBTC and USDC reserves and their prices, while the total supply of UNI-V2 LP tokens is unchanged, so the oracle concludes that the UNI-V2 token has become more valuable:\r\n\r\n![6.png](https://img.learnblockchain.cn/attachments/2023/01/PHQfvzNk63c2b02c45f18.png)\r\nTo maximize profit, the attacker deposited as much UNI-V2 as possible as collateral before manipulating the price, so that the largest possible amount of USDC could be borrowed afterwards:\r\n\r\n![7.png](https://img.learnblockchain.cn/attachments/2023/01/p9BCahgJ63c2b03a32deb.png)"},"author":{"user":"https://learnblockchain.cn/people/10579","address":null},"history":null,"timestamp":1673703528,"version":1}