# Dyna Incident: Vulnerability Analysis

Author: https://learnblockchain.cn/people/10579 (published 2023-03-07, Unix timestamp 1678178903, version 1)

# 1. Vulnerability summary
https://twitter.com/BlockSecTeam/status/1628319536117153794
https://twitter.com/BeosinAlert/status/1628301635834486784

![1.png](https://img.learnblockchain.cn/attachments/2023/03/8iSVOv4M6406f897846ca.png)
# 2. Related addresses and transactions
Attack transaction 1:
https://bscscan.com/tx/0x7fa89d869fd1b89ee07c206c3c89d6169317b7de8b020edd42402d9895f0819e
Attack transaction 2:
https://bscscan.com/tx/0xc09678fec49c643a30fc8e4dec36d0507dae7e9123c270e1f073d335deab6cf0
Attack contract: 0xd360b416ce273ab2358419b1015acf476a3b30d9
Attacker account: 0x0c925a25fdaac4460cab0cc7abc90ff71f410094
Victim contract: StakingDYNA 0xa7b5eabc3ee82c585f5f4ccc26b81c3bd62ff3a9
# 3. Profit analysis

![2.png](https://img.learnblockchain.cn/attachments/2023/03/X5FIo6GH6406f8c3d4025.png)
# 4. Attack process and root cause
The attack has two parts:
1) Preparation phase:
0x7fa89d869fd1b89ee07c206c3c89d6169317b7de8b020edd42402d9895f0819e
The attacker prepares a large number of accounts and calls StakingDYNA.deposit from each of them, depositing a small amount of DYNA tokens.

![3.png](https://img.learnblockchain.cn/attachments/2023/03/y2De4B0x6406f8fa8a617.png)
In the deposit function, an account that deposits for the first time has the current block.timestamp recorded in stakeDetail.lastProcessAt:

![4.png](https://img.learnblockchain.cn/attachments/2023/03/4Mj7kYZr6406f91c1bbdd.png)
2) Attack phase:
0xc09678fec49c643a30fc8e4dec36d0507dae7e9123c270e1f073d335deab6cf0
The attacker takes out a flash loan for a large amount of DYNA, first calls StakingDYNA.deposit through the accounts prepared in the previous step to stake the tokens in the StakingDYNA contract, and then directly calls StakingDYNA.redeem to withdraw the interest.
On the attacker's second deposit, the StakingDYNA contract does not update the timestamp, so the time delta used for the interest calculation is wrongly computed as redeem - deposit1 when it should be redeem - deposit2. Because deposit2 and redeem happen in the same transaction during the attack, the interest should have been 0:

![5.png](https://img.learnblockchain.cn/attachments/2023/03/jsitfkdD6406f955cf5c9.png)

![6.png](https://img.learnblockchain.cn/attachments/2023/03/JLhnGKtR6406f9624b78b.png)
Time of the preparation tx:

![7.png](https://img.learnblockchain.cn/attachments/2023/03/FlGImuHZ6406fa0c3d9c3.png)
Time of the actual attack tx:

![8.png](https://img.learnblockchain.cn/attachments/2023/03/QiYsgtuW6406fa1cad963.png)
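The accounting flaw described above, replayed in a simplified Python model. This is an added example and not the StakingDYNA contract's code: the interest formula (balance × elapsed seconds × rate), the toy rate, the deposit sizes, the timestamps and the "first deposit means amount == 0" check are all assumptions chosen to reproduce the behaviour in the write-up. `VulnerableStaking` sets lastProcessAt only on the first deposit, so the flash-loaned balance added in the attack tx is paid interest for the whole interval since the preparation tx; `FixedStaking` settles the interest on the existing balance and resets lastProcessAt on every deposit, so a deposit and redeem in the same transaction earn nothing.

```python
from dataclasses import dataclass

# Assumed toy parameters for the model (not taken from the contract).
RATE_PER_SECOND = 1                 # interest per staked token per second
PREP_DEPOSIT = 1                    # small stake made in the preparation tx
FLASH_LOAN_DEPOSIT = 1_000_000      # large stake funded by the flash loan
PREP_TIME = 1_000                   # block.timestamp of the preparation tx
ATTACK_TIME = PREP_TIME + 86_400    # attack tx one day later; deposit2 and redeem share it


@dataclass
class StakeDetail:
    amount: int = 0
    last_process_at: int = 0        # counterpart of stakeDetail.lastProcessAt
    settled: int = 0                # interest already accrued (used by the fixed model)


class VulnerableStaking:
    """Records lastProcessAt only on the first deposit, as the write-up describes."""

    def __init__(self) -> None:
        self.stakes: dict[str, StakeDetail] = {}

    def deposit(self, who: str, amount: int, now: int) -> None:
        s = self.stakes.setdefault(who, StakeDetail())
        if s.amount == 0:           # assumed first-deposit check
            s.last_process_at = now
        s.amount += amount          # later deposits leave the timestamp untouched

    def redeem(self, who: str, now: int) -> int:
        s = self.stakes[who]
        # elapsed is measured from the FIRST deposit, so the balance added
        # moments ago is paid as if it had been staked since then
        interest = s.amount * (now - s.last_process_at) * RATE_PER_SECOND
        s.last_process_at = now
        return interest


class FixedStaking:
    """Settles accrued interest and resets lastProcessAt on every deposit."""

    def __init__(self) -> None:
        self.stakes: dict[str, StakeDetail] = {}

    def _accrue(self, s: StakeDetail, now: int) -> None:
        s.settled += s.amount * (now - s.last_process_at) * RATE_PER_SECOND
        s.last_process_at = now

    def deposit(self, who: str, amount: int, now: int) -> None:
        s = self.stakes.setdefault(who, StakeDetail(last_process_at=now))
        self._accrue(s, now)        # interest on the old balance only
        s.amount += amount          # the new balance starts earning from `now`

    def redeem(self, who: str, now: int) -> int:
        s = self.stakes[who]
        self._accrue(s, now)
        interest, s.settled = s.settled, 0
        return interest


def attack_interest(staking) -> int:
    """Replay the two-phase attack for one account and return the interest paid out."""
    staking.deposit("attacker", PREP_DEPOSIT, PREP_TIME)            # preparation tx
    staking.deposit("attacker", FLASH_LOAN_DEPOSIT, ATTACK_TIME)    # attack tx: deposit2
    return staking.redeem("attacker", ATTACK_TIME)                  # same tx: redeem


if __name__ == "__main__":
    print("vulnerable:", attack_interest(VulnerableStaking()))
    print("fixed:     ", attack_interest(FixedStaking()))
```

With these parameters the vulnerable model pays (1 + 1,000,000) × 86,400 interest units, almost all of it on tokens that were staked for zero seconds, while the fixed model pays only the 86,400 units legitimately earned by the 1-token preparation stake. The attacker multiplies the effect by repeating the preparation deposit from many accounts, which is exactly why the first transaction funds a large number of them.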