{"content":{"title":"GDS事件 漏洞分析","body":"# 1.\tGDS漏洞简介\r\nhttps://twitter.com/BlockSecTeam/status/1610167174978760704 \r\n\r\n![1.png](https://img.learnblockchain.cn/attachments/2023/01/KhTZKJXg63b6d3e6c8480.png)\r\n# 2.\t相关地址或交易\r\n攻击交易：\r\nhttps://bscscan.com/tx/0x2bb704e0d158594f7373ec6e53dc9da6c6639f269207da8dab883fc3b5bf6694\r\n攻击合约：0x0b995c08abddc0442bee87d3a7c96b227f8e7268\r\n攻击账号：0xcf2362b46669e04b16d0780cf9b6e61c82de36a7\r\n被攻击合约：GDS  0xC1Bb12560468fb255A8e8431BDF883CC4cB3d278\r\n# 3.\t获利分析\r\n\r\n![2.png](https://img.learnblockchain.cn/attachments/2023/01/Rxi4SwmF63b6d40f591e1.png)\r\n# 4.\t攻击过程&漏洞原因\r\n查看攻击交易过程，发现地址0x0f8d735c0b67f845068bb31684707851f9d2767d 将代币转移至dead地址10000单位代币后，地址0xdd3e3384ae10b295fb353b1bda4fd3776bc4b650 转移196173230396551047379035单位代币至0x0f8地址。\r\n\r\n![3.png](https://img.learnblockchain.cn/attachments/2023/01/3VksNNHj63b6d43ee5295.png)\r\n查看GDS代币代码，发现在代币转移的_transfer函数中，将会依次调用_afterTokenTransfer -> _refreshDestroyMiningAccount  -> _settlementLpMining 函数。在_settlementLpMining 函数中，GDS代币将会根据池子gdsUsdtPair (0x4526) 的流动性代币按比例分发奖励：\r\nuint256 _lpRewardAmount =  _totalRewardAmount*_lpTokenBalance/_lpTokenTotalSupply\r\n\r\n![4.png](https://img.learnblockchain.cn/attachments/2023/01/oh9qNQns63b6d4576d69d.png)\r\n再查看交易过程，可发现地址0x0b995c08abddc0442bee87d3a7c96b227f8e7268 添加流动性后将lptoken 转移给0x0f8d735c0b67f845068bb31684707851f9d2767d，之后又转移给其它地址，循环使用同一份代币，获得多份奖励。\r\n\r\n![5.png](https://img.learnblockchain.cn/attachments/2023/01/kD0ZBwTr63b6d47899190.png)"},"author":{"user":"https://learnblockchain.cn/people/10579","address":null},"history":null,"timestamp":1672926361,"version":1}