{"content":{"title":"Analysis of the BRA Token Attack","body":"### Attack background\r\n\r\nAttacker address: 0x67a909f2953fb1138bea4b60894b51291d2d0795\r\n\r\nAttack contract address: 0x1FAe46B350C4A5F5C397Dbf25Ad042D3b9a5cb07\r\n\r\nAttack tx: 0x6759db55a4edec4f6bedb5691fc42cf024be3a1a534ddcc7edd471ef205d4047\r\n\r\nThe attack tx was analyzed with BlockSec's Phalcon tool:\r\n\r\n[https://phalcon.blocksec.com/tx/bsc/0x6759db55a4edec4f6bedb5691fc42cf024be3a1a534ddcc7edd471ef205d4047](https://phalcon.blocksec.com/tx/bsc/0x6759db55a4edec4f6bedb5691fc42cf024be3a1a534ddcc7edd471ef205d4047)\r\n\r\n### Attack process analysis\r\n\r\n1. Borrow 1400 WBNB from DODO\r\n\r\n\r\n![image.png](https://img.learnblockchain.cn/attachments/2023/01/W8Who9Qt63be1be621d2b.png)\r\n\r\n2. Swap 1000 WBNB for 10865 BRA\r\n\r\n\r\n![image.png](https://img.learnblockchain.cn/attachments/2023/01/TPAtpTL563be1bf94fdc2.png)\r\n\r\nThe attack contract receives 10539 BRA; 325 BRA are sent back to the LP contract.\r\n\r\n\r\n![image.png](https://img.learnblockchain.cn/attachments/2023/01/3lu19slo63be1c0f545e0.png)\r\n\r\nLooking at BRA's transfer method, a tax is charged when certain conditions are met.\r\n\r\n\r\n![image.png](https://img.learnblockchain.cn/attachments/2023/01/kIobqrT563be1c24dfc55.png)\r\n\r\nIn each case the tax is 3% of the transfer amount.\r\n\r\n\r\n![image.png](https://img.learnblockchain.cn/attachments/2023/01/guVmwPtS63be1c3d956b7.png)\r\n\r\nHere the condition `sender == uniswapV2Pair && !recipientAllow` is satisfied.\r\n\r\nThe value of `recipientAllow` is:\r\n\r\n```solidity\r\nbool recipientAllow = ConfigBRA(BRA).isAllow(recipient);\r\n```\r\n\r\n![image.png](https://img.learnblockchain.cn/attachments/2023/01/GtHLKKas63be1c5fd03bb.png)\r\n\r\n3. Transfer the 10539 BRA to the LP address\r\n\r\n\r\n![image.png](https://img.learnblockchain.cn/attachments/2023/01/fk9moY0w63be1c706ad33.png)\r\n\r\n4. Call skim() with the `to` address set to the LP address\r\n\r\nThe surplus 10539 BRA is sent to the BRA-USDT LP address once more, so the LP address receives 10855 BRA in total.\r\n\r\n\r\n![image.png](https://img.learnblockchain.cn/attachments/2023/01/u4Y7QVOR63be1c8251ef6.png)\r\n\r\nThis happens because both `if` branches in the `_transfer` function are satisfied, so the tax is charged twice, which mints extra tokens.\r\n\r\n\r\n![image.png](https://img.learnblockchain.cn/attachments/2023/01/RBoxVo6463be1c940b492.png)\r\n\r\n5. Call skim() repeatedly to mint more BRA\r\n\r\n\r\n![image.png](https://img.learnblockchain.cn/attachments/2023/01/EZzsVRQK63be1ca13c649.png)\r\n\r\n6. Call swap to exchange the minted BRA for USDT\r\n\r\n\r\n![image.png](https://img.learnblockchain.cn/attachments/2023/01/RTXyYVOq63be1cafe2726.png)\r\n\r\n7. Swap the USDT for WBNB and repay the flash loan\r\n\r\n### Summary\r\n\r\nThe root cause of this attack is that the token's transfer logic did not account for the tax being charged twice, which inflated the token supply."},"author":{"user":"https://learnblockchain.cn/people/11441","address":null},"history":"QmRe7o1mLDPYfyqUjhJQ61TtSSFb1nwmRPxbjiHYgEkGzF","timestamp":1673418905,"version":1}