Solidity

Transfer wbnb from contract to metamask

  • August 16, 2022

I used python to transfer wbnb from the contract I deployed to metamask. The transaction was not executed. But when I later looked, my contract's wbnb balance was 0, and my wbnb had been stolen. I have a custom function to transfer my wbnb, but it was still stolen. What could have happened? I have no approved permissions and no connected websites.

Failed transaction: https://bscscan.com/tx/0xce1232d3b446667fff78dede3adcc2453c34ef577bb98e668bf25b2d10d42e3b

Transaction that stole my wbnb: https://bscscan.com/tx/0xbbbe070414c875052a80d6e7cb382d6357ee5fe978f0fddb2427acf37fdbbdfb

My code:

    // SPDX-License-Identifier: MIT
    // Pragma narrowed to 0.7.x: the constructor below has no visibility keyword,
    // which 0.6.x rejects and 0.7.x accepts.
    pragma solidity >=0.7.0 <0.8.0;

    // Declared but not used by this contract.
    interface IUniswapV2Pair {
        event Approval(address indexed owner, address indexed spender, uint value);
        event Transfer(address indexed from, address indexed to, uint value);
        function transfer(address to, uint value) external returns (bool);
        function transferFrom(address from, address to, uint value) external returns (bool);
    }

    // Minimal ERC-20 surface needed by this contract.
    interface IERC20 {
        /**
         * @dev Moves `amount` tokens from the caller's account to `recipient`.
         * Returns a boolean value indicating whether the operation succeeded.
         *
         * Emits a {Transfer} event.
         */
        function transfer(address recipient, uint256 amount) external returns (bool);
        event Transfer(address indexed from, address indexed to, uint256 value);
        event Approval(address indexed owner, address indexed spender, uint256 value);
    }

    contract Flashswap {
        address public owner;
        address private wbnb;

        constructor() {
            owner = msg.sender;
            wbnb = 0xbb4CdB9CBd36B01bD1cBaEBF2De08d9173bc095c; // WBNB on BSC mainnet
        }

        // NOTE: no access control. `owner` is stored but never checked, so any
        // address can call this and drain the contract's WBNB to `_dest`.
        function transfer_bnb_to_wallet(uint256 _amount, address _dest) external {
            IERC20(wbnb).transfer(_dest, _amount);
        }
    }

The function transfer_bnb_to_wallet has no protection at all. Anyone can call it and use their own address as the recipient:

function transfer_bnb_to_wallet(uint256 _amount, address _dest) external{
   IERC20(wbnb).transfer(_dest,_amount);
}

The function could have been made onlyOwner, so that only the owner can call it.

It doesn't matter that the contract is not verified. There are bots that scan the pending pool for transactions that can be exploited.

The attacker used a higher gas price, so the miner picked their transaction before yours.
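The hardened shape of the withdraw function the answer describes, as an added example that is not part of the original question or answer. It assumes the same WBNB address as the question's code and the standard ERC-20 `balanceOf`/`transfer` signatures; the contract and function names beyond `transfer_bnb_to_wallet` are illustrative. The `onlyOwner` modifier is what the original contract lacked: with it in place, a front-running bot that copies the call simply reverts, because `msg.sender` is not the owner, regardless of how much gas it pays.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.7.0;

// Minimal ERC-20 surface used here (assumption: standard signatures, as WBNB exposes).
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address recipient, uint256 amount) external returns (bool);
}

contract FlashswapHardened {
    address public owner;
    // Same WBNB address as in the question's contract.
    address private constant WBNB = 0xbb4CdB9CBd36B01bD1cBaEBF2De08d9173bc095c;

    event OwnershipTransferred(address indexed previousOwner, address indexed newOwner);
    event Withdrawn(address indexed token, address indexed to, uint256 amount);

    // The missing check: every privileged entry point must verify the caller.
    modifier onlyOwner() {
        require(msg.sender == owner, "Flashswap: caller is not the owner");
        _;
    }

    constructor() {
        owner = msg.sender;
        emit OwnershipTransferred(address(0), msg.sender);
    }

    // Ownership can be moved, but never to the zero address (which would lock funds).
    function transferOwnership(address newOwner) external onlyOwner {
        require(newOwner != address(0), "Flashswap: new owner is the zero address");
        emit OwnershipTransferred(owner, newOwner);
        owner = newOwner;
    }

    // Same name as the original function, now restricted to the owner.
    function transfer_bnb_to_wallet(uint256 _amount, address _dest) external onlyOwner {
        _withdrawToken(WBNB, _amount, _dest);
    }

    // Illustrative extension: the owner can also recover any other ERC-20 sent here.
    function rescueToken(address token, uint256 amount, address to) external onlyOwner {
        _withdrawToken(token, amount, to);
    }

    function _withdrawToken(address token, uint256 amount, address to) internal {
        require(to != address(0), "Flashswap: recipient is the zero address");
        require(IERC20(token).balanceOf(address(this)) >= amount, "Flashswap: insufficient balance");
        // Check the ERC-20 return value instead of silently ignoring it, as the
        // original code did; a token that returns false would otherwise look like success.
        bool ok = IERC20(token).transfer(to, amount);
        require(ok, "Flashswap: token transfer failed");
        emit Withdrawn(token, to, amount);
    }
}
```

A practical check before deploying: call `transfer_bnb_to_wallet` from a second, non-owner account on a testnet and confirm it reverts with "caller is not the owner". If that call succeeds, the contract is drainable by anyone watching the mempool, exactly as happened here.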

Quoted from: https://ethereum.stackexchange.com/questions/133663