Attack description
- Target: Bancor
- Incident: the BancorConverter contract was drained (external attacker or insider)
- Amount lost:
- 24,984 ETH
- 3,236,967 BNT
- 229,356,645 NPXS
- Attack method: suspected private key compromise
Contract description
- Contract address: 0x3839416bd0095d97bE9b354cBfB0F6807d4d609E
- Attacked addresses
- 0x0024d891047e844186758f89eb2f4dcfbb02c952
- 0x00894a35bc9deea9f9e20040c21c5607740a37a0
- 0x5aa9e9de3e667ad79a097b4b75ccde10acb7f930
- Attacked token: https://etherscan.io/token/0xc0829421C1d260BD3cB3E0F06cfE2D52db2cE315
- Attacker addresses:
- 0x009bb5e9fcf28e5e601b7d0e9e821da6365d0a9c (owner address)
- 0x33eD22f4b6B05F8a5faAC4701550D52286Bd735A (recipient of the ERC20 ETH)
- Attack transaction:
- Contract code: https://etherscan.io/token/0x3839416bd0095d97bE9b354cBfB0F6807d4d609E#code
Etherscan has since attached a warning to the address: "Warning! There are reports that this address was used in a (Bancor) hack. Please exercise caution when interacting with this address."
Etherscan has also tagged the attacker's addresses as Fake_Phishing1701 and Fake_Phishing1702.
Technical analysis of the attack
The theft is tied to the BancorConverter contract: the attacker gained control of its owner address, 0x009bb5e9fcf28e5e601b7d0e9e821da6365d0a9c. The owner is allowed to call withdrawTokens() and move any amount of any ERC20 token held by the contract to an arbitrary address.
// Owner-only withdrawal function as it appears in the BancorConverter source.
// ownerOnly restricts the caller; nothing restricts _to or _amount.
function withdrawTokens(IERC20Token _token, address _to, uint256 _amount)
    public
    ownerOnly
    validAddress(_token)
    validAddress(_to)
    notThis(_to)
{
    // transfers the requested amount out of this contract to any non-self address
    assert(_token.transfer(_to, _amount));
}
Record of the attack transaction
Function: withdrawTokens(address _token, address _to, uint256 _amount)
MethodID: 0x5e35359e
[0]: 000000000000000000000000c0829421c1d260bd3cb3e0f06cfe2d52db2ce315
[1]: 00000000000000000000000033ed22f4b6b05f8a5faac4701550d52286bd735a
[2]: 0000000000000000000000000000000000000000000004a8a397f12e041ce6b4
The decoded parameters are:
0  _token   address  0xc0829421C1d260BD3cB3E0F06cfE2D52db2cE315  the ERC20 ETH token
1  _to      address  0x33eD22f4b6B05F8a5faAC4701550D52286Bd735A  recipient
2  _amount  uint256  22000307091591390881460  amount (22,000.307 tokens at 18 decimals)
Every one of these functions is gated only by ownerOnly. So beyond the owner key itself being stolen, the second root cause is that the contract's owner role holds unlimited authority: it is the king of the contract and can move every token it holds, with no cap on the amount, no restriction on the recipient and no delay. Compromising that single key is therefore enough to drain the converter.
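To make the transaction record and the decoded parameters above concrete, here is an added example in Python (not Bancor's code) that parses the ABI-encoded calldata of the withdrawTokens() call, renders the raw amount in token units without floating-point rounding, and applies the kind of check a monitoring pipeline would run on owner-only functions: is the recipient on an allow-list, and is the amount unusually large. The selector and calldata are transcribed from the record above; the allow-list address and the alert threshold are hypothetical.

```python
"""Decode and triage the withdrawTokens() call shown in the attack record.

Added example, not Bancor's code. The selector and calldata are transcribed
from the attack record; the recipient allow-list and size threshold used for
triage are hypothetical placeholders.
"""
from dataclasses import dataclass

# 4-byte selector of withdrawTokens(address,address,uint256), as shown in the record
WITHDRAW_TOKENS_SELECTOR = bytes.fromhex("5e35359e")

# Calldata of the attack transaction: selector followed by three 32-byte ABI words
ATTACK_CALLDATA = (
    "0x5e35359e"
    "000000000000000000000000c0829421c1d260bd3cb3e0f06cfe2d52db2ce315"  # _token
    "00000000000000000000000033ed22f4b6b05f8a5faac4701550d52286bd735a"  # _to
    "0000000000000000000000000000000000000000000004a8a397f12e041ce6b4"  # _amount
)

# Hypothetical allow-list of treasury addresses a legitimate withdrawal should target
EXPECTED_RECIPIENTS = frozenset({"0x1111111111111111111111111111111111111111"})
# Hypothetical alert threshold: 1,000 tokens at 18 decimals
LARGE_WITHDRAWAL = 1_000 * 10**18


@dataclass(frozen=True)
class WithdrawTokensCall:
    token: str
    to: str
    amount: int


def _word(data: bytes, index: int) -> bytes:
    """Return the index-th 32-byte argument word that follows the selector."""
    start = 4 + 32 * index
    if len(data) < start + 32:
        raise ValueError("calldata truncated")
    return data[start:start + 32]


def _address(word: bytes) -> str:
    """Decode an ABI address word: 12 zero bytes of padding, then 20 address bytes."""
    if any(word[:12]):
        raise ValueError("address word has non-zero padding")
    return "0x" + word[12:].hex()


def decode_withdraw_tokens(calldata: str) -> WithdrawTokensCall:
    """Parse withdrawTokens(_token, _to, _amount) calldata; rejects other selectors."""
    data = bytes.fromhex(calldata[2:] if calldata.startswith("0x") else calldata)
    if data[:4] != WITHDRAW_TOKENS_SELECTOR:
        raise ValueError(f"not a withdrawTokens call (selector 0x{data[:4].hex()})")
    return WithdrawTokensCall(
        token=_address(_word(data, 0)),
        to=_address(_word(data, 1)),
        amount=int.from_bytes(_word(data, 2), "big"),
    )


def to_token_units(amount: int, decimals: int = 18) -> str:
    """Render a raw integer amount in human units, exact (no float rounding)."""
    whole, frac = divmod(amount, 10**decimals)
    return f"{whole}.{frac:0{decimals}d}"


def triage(call: WithdrawTokensCall, expected: frozenset, threshold: int) -> list:
    """Flag an owner withdrawal that targets an unknown address or is unusually large."""
    findings = []
    if call.to.lower() not in {a.lower() for a in expected}:
        findings.append(f"recipient {call.to} is not an expected treasury address")
    if call.amount >= threshold:
        findings.append(f"amount {to_token_units(call.amount)} exceeds alert threshold")
    return findings


if __name__ == "__main__":
    call = decode_withdraw_tokens(ATTACK_CALLDATA)
    print(call.token, call.to, to_token_units(call.amount))
    for finding in triage(call, EXPECTED_RECIPIENTS, LARGE_WITHDRAWAL):
        print("ALERT:", finding)
```

Run against the record above, the decoder yields the token and recipient addresses listed in the decoded parameters and an amount of 22000.307091591390881460 tokens, and both triage checks fire. The point of the allow-list check is that a privileged function like withdrawTokens() is legitimate only for a small, known set of destinations; a call from the owner key to any other address is the signal to alert on, regardless of whether the signature itself was valid.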
Related reading
- https://zhuanlan.zhihu.com/p/39758950
- https://medium.com/hummingbot/the-myth-of-the-erc-20-token-standard-ab0d76cf8532
- https://blog.bancor.network/response-to-bancor-unchained-cdb3bd2ba505?gi=24b066db0d42
- https://medium.com/unchained-reports/bancor-unchained-all-your-token-are-belong-to-us-d6bb00871e86