{"content":{"title":"QTN事件 漏洞分析","body":"# 1.\t漏洞简介\r\nhttps://twitter.com/blocksecteam/status/1615625897671004161\r\n\r\n![1.png](https://img.learnblockchain.cn/attachments/2023/01/CfoWNSq963d4d4dbe43e7.png)\r\n# 2.\t相关地址或交易\r\n攻击交易：\r\n0xfde10ad92566f369b23ed5135289630b7a6453887c77088794552c2a3d1ce8b7 transfer & skim\r\n0xa806617cdd8ed760ed25cec61abf642f4889749c3cede45c46f27d60f0941bd1 transfer back\r\n0xd78380d1caaf494338d2c5d9093ebee7dcea2a2b804ceb7714dad899bae65be1 sell\r\n攻击合约：0xa33c965ca6d3bdc42bdb23a79081757090eb7700\r\n攻击账号：0x88a2386e7ec97ad1e7a72176a66b6d0711ae3527\r\n被攻击合约：https://etherscan.io/address/0xc9fa8f4cfd11559b50c5c7f6672b9eea2757e1bd#code    QUATERNION\r\n# 3.\t获利分析\r\n\r\n![2.png](https://img.learnblockchain.cn/attachments/2023/01/JHYS9Wwz63d4d50ee5805.png)\r\n# 4.\t攻击过程&漏洞原因\r\n整个攻击分为3个步骤：\r\n1)\t第1步：攻击者先将QTN代币转给UNI-V2，再调用池子的skim函数将QTN代币转给事先生成的合约；\r\n\r\n![3.png](https://img.learnblockchain.cn/attachments/2023/01/JZpApvLU63d4d533f0365.png)\r\n\r\n攻击者执行此步骤的目的在于调用函数rebasePlus。在该函数中，_totalSupply的数量不断增大，_gonsPerFragment的值不断减小。攻击者之所以经过UNI-V2转移QTN代币，是因为当from == uniswapV2Pair 时，将调用rebasePlus函数，最终达到缩小_gonsPerFragment 的值的目的。\r\n\r\n![4.png](https://img.learnblockchain.cn/attachments/2023/01/GkFInsdh63d4d557a1e9e.png)\r\n\r\n![5.png](https://img.learnblockchain.cn/attachments/2023/01/JM8EHO0i63d4d55f9d6ac.png)\r\n代币合约的balanceOf函数中通过_gonBalances[account].div(_gonsPerFragment) 确认账号所拥有的代币数量，_gonsPerFragment变小，每个账号的代币数量均增加。\r\n\r\n\r\n![6.png](https://img.learnblockchain.cn/attachments/2023/01/vC8YnElI63d4d592505bc.png)\r\n2)\t第2步，攻击者调用各攻击者的transferBack函数将代币转给合约0xa33c965ca6d3bdc42bdb23a79081757090eb7700，如合约0x89425431c2971be618658ef8c155e250b1b8b125的QTN代币数量在第1步攻击开始时只有5109705265130400336142756，而在第2步中已经有5788251514335493385465012，代币数量已增加。\r\n\r\n![7.png](https://img.learnblockchain.cn/attachments/2023/01/9INDI8fj63d4d5af0735f.png)\r\n\r\n![8.png](https://img.learnblockchain.cn/attachments/2023/01/awkuDMFz63d4d5b66d91e.png)\r\n3)\t第3步，攻击者兑换代币，套现离场。"},"author":{"user":"https://learnblockchain.cn/people/10579","address":null},"history":null,"timestamp":1674892800,"version":1}