BlockSec DeFi攻擊分析系列之二傾囊相送：Sushiswap手續費被盜-ODAILY_SWAP

去中心化金融(DeFi)作為區塊鏈生態當紅項目形態，其安全尤為重要。從去年至今，發生了幾十起安全事件

BlockSec作為長期關注DeFi安全的研究團隊(https://blocksecteam

_toWETH函數：

function_toWETH(addresstoken)internalreturns(uint256){//對于SUSHI，直接Sushimaker全部SUSHI轉給Barif(token==sushi){uintamount=IERC20(token)

//對于WETH，直接將全部WETH轉給WETH/SUSHI交易對，swap出相應的SUSHIif(token==weth){uintamount=IERC20(token)

//獲取token/WETH的交易對地址IUniswapV2Pairpair=IUniswapV2Pair(factory

//計算可以換出的WETH數量：amount0out，amount1Out//獲得交易對中兩種資產的數量(uintreserve0,uintreserve1,)=pair

看出什么亮點了嗎？

SushiMaker里的轉賬邏輯都是：transfer(balanceOf(this))

我們可以分兩個階段來看convert的調用過程：第一個階段：在convert函數中SushiMaker擁有的是SLP，它通過burnbalanceOf(this)實現將全部SLP換成兩個底層代幣第二個階段：SushiMaker獲得了burn來的底層代幣，再拿burn得到的token去不同的交易池換wETH

你發現哪里有問題了嗎？我們來看第二階段的代碼_toWETH：注意兌換的邏輯為：

uintamount=IERC20(token)

,"profit":"0

,{"USDT/WETH":{"0x123ec6c44fa3baa70c66f583f8ee6bc6b6d2b4d39a1119ab8490d2c1120d4647":"Convert","0x08bbbeaf7cbd2649738812cf720042eb7ebe1411be2f7cf3ede41411dcbf8bc0":"SwapExactETHForTokens","0x42973ea279d0bda4222e4689709f86bdb12117dce14420f84f3e9cc6fd42ede2":"RemoteLiquidityETH","0x30eab0a184f9a1ed6cee309754bb6536bd443fea567776a72b72f3ab911e0113":"SwapExactTokensForETH"},"profit":"0

,{"MKR/WETH":{"0xa8c4edd85727d3d25401f0cbca1136982edb833f77ff0a93178b222063eb57a4":"SwapExactETHforTokens","0xf1fdd4cf4d8aa073ff01876333cfeadeab2b87423664d1daa4cf36ad5e415587":"Approve","0x7340edca1a17fc9e5a6587d6a89c0ed01c5d1f1d20cb19738ab993f6ef7b8b4d":"AddLiquidityETH","0x41a33f0c91b7cd17edf888356dfb110d7744f593e432b54ec2f21aae19076aa0":"Approve","0x896f412f15a7abb959c3c43b8cd9206720fc37f4eabeae336ba101670003e9db":"AddLiquidityETH","0x0e8a76bf7295d9316704fde7f953eced612daa9ca7a70322248eeb8a7f508656":"Transfer","0x4947b4f075f8e9f89f6364158b3d05a92cd72b7920c44c2150a0d12ba009a7a0":"Convert","0x5f37bb3b9734175b605f6e02700c4b710e5e01622f30d822bcca227d91363d77":"SwapExactETHForTokens","0xdff10159275e064dad2c7c79585d1f3c4fd60b73d843715e0cff1a2292730e99":"RemoteLiquidityETH","0xb8889bbdeb478809c3781ccb1c8a16f9fa90b6844d180818b6e73a16963a5ddc":"SwapExactTokensForETH"},"profit":"1

BlockTower Credit和MakerDAO將推出2.2億美元現實世界資產基金:12月15日消息，加密資產管理公司BlockTower Credit和MakerDAO將聯合推出2.2億美元基金，以為現實世界資產（RWA）提供資金，高管投票已于12月11日通過。其中Maker將部署四個金庫，并提供1.5億美元的高級資本，而BlockTower提供7000萬美元的初級資本，共同創建一個2.2億美元的資金礦池Centrifuge，以通過代幣化將現實世界的資產連接到DeFi。[2022/12/15 21:45:55]

,{"KP3R/WETH":{"0xe5a025658cd28a688442a57a9b441980feeed8f5e7892064efc68966eb4253eb":"SwapExactETHForTokens","0xe77e7e9d636c2b733d226693d95d06005ae2b5aa8532957240310225aa73e051":"Approve","0x5ce8451f9f39f2d32ffbd943d38723a8da6fff59ece8f62caa84c4c2a311ede3":"AddLiquidityETH","0x171b741bb7cdcafebdbed1c503eb33babc70c2e2e45b2b55330df3bc6d5c9eda":"Approve","0x0ad658ebab282a26d67da0a97083a41c83d0eb1ab6d19a4adb3676b57fc3851c":"AddLiquidityETH","0x676dd29fade2b93e5ca4b0da9d2b5e4ede86f69d26a6201440e359892360b096":"Transfer","0x3b37a792edbb785b223a2b4f0971834083acd52503e54d00989a365bbc533627":"Convert","0x4df5506fdc7616ff65b4ae3b93360e180c7b6f5e976914c4af04648ad6559817":"SwapExactETHForTokens","0x07e56eaa7935fb341654ac20223b0d32fab006b3f34e372aecf6bce05c3f903f":"RemoveLiquidityETH","0x8f4d9d676e9a12d07dcd0c8225e207df48f8cb575cdaa6d81c4b7124c3500510":"Approve","0xac3c837c249fb68ceebd896a72e1e4e8cf355caf3f5fcd0bdc7df7c101ea0596":"SwapExactTokensForETH"},"profit":"1

,{"YFI/WETH":{"0x1b0eb70bc4d2407745df416acf6e2c312d25ee63c7e8e1291545d66e23fbf704":"PreAttack","0x8f6caabd4ecfad30793db76f60a7e28832a18e2bcf006c0ee3652063c7386778":"Convert","0xe6d28052b55ab520a211daebbc67ee3aece6ae356044e9352fc82910214a038a":"Swap"},"profit":"-0

,{"AXS/WETH":{"0x375f5befeb1af976ebb09cf5539b3a3b9746b87153cfa96ba862deb8828970f1":"PreAttack","0xed8508a18c347c3829024f7acb94056a78cc63152e2246ebd42b59cd86d0c8f9":"Convert","0xd08eb264e39cd5dca8edb3684dfd36afb905aea9c47a43110b6c5c45bdb2f7d1":"Swap"},"profit":"1

Partisia Blockchain和Insights Network合作推出區塊鏈和MPC技術，并完成首次集成:4月22日消息，多方計算（MPC）多年來已有廣泛的發展，為下一代Web3互聯網提供了理想的基礎設施。Partisia Blockchain基金會合伙人、教授兼首席密碼學家Ivan Damgard表示：“MPC可以進行任何類型的私人計算。換句話說，MPC是一個完全分布式的加密計算機。這與零知識證明非常不同，零知識證明只有兩個參與方，結果是二元的，即陳述是真是假不得而知。”

此類解決方案適用于任何類型的企業，包括供應鏈公司、SaaS（軟件即服務）提供商、金融科技應用程序甚至社交媒體。例如，Partisia Blockchain和Insights Network合作推出的區塊鏈和MPC技術，在社交媒體平臺上進行了首次成功集成。

對于需要處理數百萬甚至數十億事務的平臺，可擴展性是通過分片技術解決的。一個新的分片擴大了網絡的容量，使Partisia區塊鏈能夠滿足任意數量的TPS。例如，社交媒體提供商可以每天處理數十億個流程，同時在用戶隱私方面做好保護。

以用戶隱私保護為中心的可擴展解決方案只是全局中的一部分。就Partisia Blockchain而言，先進的互操作性框架，模仿了復式簿記系統，使得任何人都可以輕松檢測到任何欺詐行為。在客觀欺詐的情況下，爭議程序將會補償損失。這種設置讓不同的區塊鏈網絡可以有效地使用相同的術語，并且安全地傳輸數據。（福布斯）[2022/4/23 14:42:53]

,{"CRD/WETH":{"0xc6c86de784359a3813b31b4be5806a23f82fdd8d5cd9bd3a7379d33a413eb920":"PreAttack","0x7d1b36019fb287867419dffb281b5ad73b37d8dc21abca47f7b618875842ef0a":"Convert","0x8c14595b205cd04d1e5062a3efe47d3e4dae946eabe744e2d8350d6ba951495a":"Swap"},"profit":"1

,{"USDC/WETH":"Failed"},{"COVER/WETH":"Failed"},{"YAX/WETH":{"0x063bc5df97c0ec87d6c309b54fbc4e3ed13b22f5a115fb1170015e4e9d23cd3d":"PreAttack","0x9537551d0db7ed6ae372c050c73cae1272f4d7e7847ea908d6e4d440809a871f":"Convert","0x9f6bdf1c9065f5f5e5c71f32058093b7ac06e140c3a33db2f21cc8a5ff8a5d21":"SwapExactETHforTokens","0x9281c35277ea6594924600d70b73077a4307973c540edb5b4ed534c7e25f2423":"Approve","0xe2f682d8b4801061d504025f11b3032648a3b94019396f7b12749b162f8404cf":"RemoteLiquidityETH","0xf6ea6c9eb92ca9aed70e8b4b03a6e5565a3a13df71a0aa527fa556077de553bc":"Approve","0xbf19c9a6a4d879467519299100b4f56c4e86369382ba87d90bebf6c1b1893c14":"SwapExactTokensForETH"},"profit":"1

元宇宙游戲公司Roblox三季度記賬銷售額超預期，股價飆升21%:11月9日消息，元宇宙游戲公司Roblox公布其第三季記賬銷售額（bookings）增長28%至6.378億美元，超出分析師預期的6.242億美元，隨后該股在延長交易中飆升21%。平均每日活躍用戶數同比增31%，至4730萬人。凈虧損從26美分收窄至13美分，弱于分析師預期的4美分。Roblox今年3月以450億美元的市值上市，目前股價上漲近70%。Roblox 10月遭遇了三天的服務中斷，該公司估計這一故障導致其用戶數損失340萬人，銷售額損失2500萬美元。（彭博社）[2021/11/9 6:40:30]

,{"SEEN/WETH":{"0xc6b39015ab0a32762fb23108e9705cb30d171374c7f9d4b9cf30e640f43d4884":"PreAttack","0x3c14c48007147f78ae3c3ac5d56f74413ebc468c6e09f7eb1098c19b9b546185":"Convert","0x8681b43b4814bb54f49650b19d42133c933bcdbc65dfcd36a6cadf7ef916391c":"Swap"},"profit":"1

,{"AAVE/WETH":{"0x97c06394d2b9f34606946b438b4fb26ab41f379f8612831c2ec4ed6daac6b4e3":"PreAttack","0x7eb4eada4f0700e8a2e8b94d4e4a1879e66ccb36285968500e370420210dde6d":"Convert","0x40ae49cdb3e9fa61c3309bf35d08ec99494d4a6aa2815791aed1ca654a04d211":"Swap"},"profit":"0

,{"REVV/WETH":{"0x59b5e394caf35f5bbe603b42044707cbb20712d765c260da4434fde0fd3c0e15":"PreAttack","0x45660abd04d88f0dae0524b40182d11cb57710316e58ac14413909a9aaf44869":"Convert","0xcd8749d61d8e96da48de8bd641280f2ce8d93aa5e1e44c9144d322d8b01b1c81":"Swap"},"profit":"0

,{"SNX/WETH":{"0x7eea5790e31176d45b944c0f2624c30a755650b1a353e052191e36d23db2abbc":"PreAttack","0x1518424118b519af43657d5de42311f5b5174aab941ff1b7bfe14b0ef5d0874a":"Convert","0x04cd83c93cf8f37fbafb7d05d5f34cb23bcef8871b2744efad517e6aab38395c":"Swap"},"profit":"0

,{"OUSD/WETH":{"0xc4c196e2383e472edf7dee0c93830f20b3314490d9145dfeac936249688a4cd8":"SwapExactETHForTokens","0x975e65569e52644fe7b029ce28fef2c3f07dcb818ea9c9d4b7235ab7c4e11c67":"Approve","0x8c569e7eaa6d7dfc57d5115e628a2b8fc2628837d4e73d6ca85125f639e4f0d0":"AddLiquidityETH","0x0f2ed674f497069878c585297812f036a6dd50060e0685e275092320a3797db0":"Approve","0x483eb12c36b997e9fcb26210e116400f13702db4887b0f4cc3e04fdb8d40c04b":"AddLiquidityETH","0xc18eb762dc3fe84afdc7d2642f380c7f56c5ac18eb9a50103766ba0caa5a6bdf":"Transfer","0x45fd39eef68076c052908c7f8a214cac1cad073f2b5ccf0b919e95670bc801d5":"Convert","0x32beea84a5b4916cd7107adbb8f609071547e78751c360ceee9bff455d3e7660":"SwapExactETHForTokens","0x2eb1802c7771695e6dc0835ed2a0e4d029345f35f1d465b8f15ccae11824da2a":"RemoteLiquidityETH","0x2be981eb82e7577ce43c91718e734cc83e7dd4b384095ea18d62540e53b391bc":"SwapExactTokensForETH","0x584c6f03a2029bc1b262f31016d87156af3c0c773ebad44f6a2b1e63d623ba5d":"SwapExactTokensForETH"},"profit":"0

Fireblocks獲1.33億美元C輪融資，Stripes等領投、紐約梅隆銀行參投:加密安全初創公司Fireblocks宣布完成1.33億美元C輪融資，Coatue、Ribbit和Stripes領投，紐約梅隆銀行（BNY Mellon）和硅谷銀行（Silicon Valley Bank）作為戰略投資者參與投資。此前投資者Paradigm、Galaxy Digital和Swisscom Ventures參投。

據悉，Fireblocks此前獲得3000萬美元B輪融資，Paradigm領投，其他投資者包括Galaxy Digital、Digital Currency Group、Swisscom、Cyberstarts、Tenaya Capital和Cedar Hill Capital。Fireblocks周四表示，迄今為止已總計融資1.79億美元。（The Block）[2021/3/18 18:57:51]

,{"CRV/WETH":{"0xa7b8e476e15ff576878efee81bf200abeec1491941c5507ca846b51cd685d01e":"PreAttack","0x19ee64733e4edb44e22086814e7493f30d5bb66582e5963b0db9ea8d05a5bd73":"Convert","0xe959e2079d1366893cce39212194fd387a0c4594f423c07b9af0d4fa7c2c062c":"Swap"},"profit":"0

,{"LINK/WETH":{"0x62b3ae66524c68ddabd255066807cd7b7f7304e4e8b2da72b9a5e4d8352d35b9":"PreAttack","0xb0f7512a12afabb56b3d69cef4df83add82c81338dc92e059d8ba130ef777a1e":"Convert","0x54570d6f723c3b9f9c6c9e5f7c0357ba50c847b87f17ef5bb517416dcc7f47c3":"Swap"},"profit":"0

,{"RSR/WETH":{"0xa69b5290fe5dd5580e0c738baa47000cf51ed77cc06b8b54a244c7509f8002ad":"PreAttack","0x87a639847c58b6704f28407be39e3ec64b01f005b47753b1a99faf776ea11780":"Convert","0xa458915881d79debafe5f465843931e572321d35bc98ec25db9ecb9f6a3ea6fd":"Swap"},"profit":"0

,{"CORE/WETH":{"0xa01fd6fcfee90a7a2b0a180e7271b9429e9f23cf502ba7966932e5012c1bc9b7":"PreAttack","0x05af95d603cba12d9ca14ce307a973c8875cdcb2e70b07b295440cd2940ea953":"Convert","0x9bb8b7ca5b41c55a8efcdcd49fdec16747ccee0bf33df8e8f4d62eb116142b21":"Swap"},"profit":"0

動態 | Galaxy Digital領投加密貨幣貸款公司BlockFi:據coindesk援引Business Insider周二的報道，加密貸款公司BlockFi在由Mike Novogratz的Galaxy Digital領投的籌款活動中籌集了5250萬美元。據報道，BlockFi旨在借助比特幣和以太坊資產作為抵押，為個人和公司提供貸款。該公司計劃將此次籌得的資金用于在美國以外的地區發展業務，并為平臺增加對更多加密資產的支持。[2018/7/25]

,{"zLOT/WETH":{"0x0bb5d792a1d1ea598e45997d5dedb4fcf6acafab47afdb45892417cd128cf37f":"PreAttack","0x2550eb33adbe7cfb68cce685363ad2cab90860e5e8a8ed87de1f0a6321e24cf8":"Convert","0x514bd13f68c8afc1f86ea3e74ca5f51724c2736fa327144b7b6aaf7228bd9124":"Swap"},"profit":"0

,{"USDC/WETH":{"0x98b24059e21c3bdbf7de835f8f30daacaac7a00ba2e9cfdff7e0540b172828aa":"PreAttack","0x29fd17d8060f94cd43b45718d0f36df727a27ff4ce67b3ce5a65d6d40ff2d99a":"Convert","0x24b03cbacf310b5efd2500c3aa8499a356a5ea835426a33d929a38ceef6ea83d":"Swap"},"profit":"0

,{"sUSD/WETH":{"0x8014c37ff678124d5fcf652547264769aa125bba933aadd4a81a4f6115d71ff2":"PreAttack","0xc55509dbd81f4da525a540cdbd319d1ffacd2aab2dd3f07abd51cfa2528f28fb":"Convert","0xc0867b786399a23804f60bb2e974ee5f214a44d418ba5d7a0e51496f9d5f8ff8":"Swap"},"profit":"0

,{"AKRO/WETH":{"0xc38c30660b9c06e9cecc77c9ff0019020eb9c6fa20887dc15b354ed1a50fec26":"PreAttack","0x03b9eb788861e5442c3739738cfa848c73f20871e110c6587609169136c3e772":"Convert","0x88d3a3e31df87329e87fbfc21b9648907365c1e2d5a7a236eae5655c1ba3ad41":"Swap"},"profit":"0

,{"DAI/WETH":{"0x6964f68672edb916ae170254ee48c537cbb64ca0584651d21fd575550559354f":"PreAttack","0x61856228835bfd97dc6b9d7674aaabb577b74fa7d7ff7b7f45454a8d521ff533":"Convert","0x053ebfe8aedd5975137cfa9bf7d7329a2d6413f6d6e364b252f4386222957eed":"Swap"},"profit":"0

,{"YFI/WETH":{"0xf28c246bf1ce25da1811c7c0eb6fefb8587fa2cdafc84cec4e709600429e6e3f":"PreAttack","0xc75a8ca881d4da75774f51006651c9946311d40145ce69d07aee3a85627153d6":"Convert","0x332c7eff23c9022fe6578550a079034cd3356d9f66507d2ec38462169a4b282c":"Swap"},"profit":"0

,{"UBXT/WETH":{"0x635c79a8dca89a3aa95f545e2243a735906c4ff221cfbc160396c150d58ea036":"PreAttack","0x3ffcfc9985622ad7cf0fdc2eb582ad7ce8bf9e9295fd7a4de44354fdd71a688a":"Convert","0x7c6af5ca27ceb04aad514ddcaee8afc6dd4eb79d0816e24b007e7db205e93ce3":"Swap"},"profit":"1

,{"0xMaki":"Iseeu."},{"WBTC/WETH":{"0xa195c9c23a56ca5fa747677c04a2d5a8c513bdfd141e45c20a8c4e091ca73883":"PreAttack","0x136b1d2bf6c51a6ed1fc3f1da7a2783e3835fa78c9149c1c6d2b21e9aad8b05b":"Convert","0x43cde98b0be5932b8dbf709eebd0cbb4738599c9a4f0795ddb52d7d31f293cf4":"Swap"},"profit":"2

,{"USDC/WETH":{"0xfc8196231bfb22ae6fcc9ceb04f9e5e3d647fc9e023870020048be93958218a5":"PreAttack","0xe43fe2eb54c2eefba519a7ff9cf27f84e743961268dfdf9477a47cd2ea467642":"Convert","0x4b0b3b51150b3a270d10f3388ccf12a196a2cada4203e3a2c39af88d5dc04958":"Swap"},"profit":"1

,{"LINK/WETH":{"0x95eea1cedccffc405d0cb9743360712b69a295a66fe0649b5ab1b067869f05fa":"PreAttack","0xf259718ee2f81b543bbfbe2f236cd4235651f8365ec8944741a3c7f3242f06b9":"Convert","0x525929006fc3f089d67b6596f53c5ebe6b82de1f8d3cdeb397f1f55ff4937c47":"Swap"},"profit":"0

后續攻擊者又嘗試攻擊Sushiswap的其他相關仿盤項目，如LuaSwap：

https://etherscan

function_toETH(addresstoken){..

New：0x280ac711bb99dE7C73FB70fb6DE29846D5e4207Ffunctionconvert(addresstoken0,addresstoken1)public{//Atleastwetrytomakefront-runninghardertodo

function_toETH(addresstoken,uintamountIn){...}

可以看到區別在于：代碼第26行_toWETH限制了amount，這樣修改以后就不會將SushiMaker中存的全部SLP都去池中換成wETH，而只是換取burn出的一部分

但是這樣問題就解決了嗎？其實還沒有，時隔兩個月，同樣的地方，Sushiswap又中槍了見：amenda：SushiSwap攻擊事件(2021年1月27號)分析(https://zhuanlan.zhihu.com/p/372058217)

0x3.參考

以小博大，簡述SushiSwap攻擊事件始末：https://www.chainnews.com/zh-hant/articles/726256718885.htm

Astokenpricerisesandreputationmends,Sushiswapfoilsmidnightexploit:https://cointelegraph.com/news/as-token-price-rises-and-reputation-mends-sushiswap-foils-midnight-exploit

AnevolutionofUniswapwithSUSHItokenomics：https://sushichef.medium.com/the-sushiswap-project-dd6eb80c6ba2

一文看懂Uniswap和Sushiswap：https://zhuanlan.zhihu.com/p/226085593

sokdecentralizedexchanges(dex)withautomatedmarketmaker(amm)protocols:https://arxiv.org/abs/2103.12732

AttackingtheDeFiEcosystemwithFlashLoansforFunandProfit:https://arxiv.org/abs/2003.03810

https://www.blocksecteam.com/

contact@blocksecteam.com

Tags：QUOETHSWAPWETQuotienteth2.0幣價會漲嗎Uniswap Walletweth幣等于多少人民幣

狗狗幣