BurgerSwap 攻击策略

DemaxPlatform合约地址:https://bscscan.com/address/0xbf6527834dbb89cdc97a79fcd62e6c08b19f8ec0#code

BurgerSwap 是一个仿 Uniswap AMM 项目,但是和 Uniswap 架构有所区别。BurgerSwap 架构总体分成【Delegate -> lpPlatForm -> Pair】。其中 Delegate 层管理了所有的 Pair 的信息,并负责创建 lpPlatForm 层。然后 lpPlatForm 层再往下创建对应的 Pair 合约。在整个架构中,lpPlatForm 层充当了 Uniswap 中 Router 的角色,负责将计算交易数据和要兑换的代币转发到 Pair 合约中,完成兑换。

攻击者从 Pancake 中借出了大量的 WBNB,然后将这些 WBNB 通过 BurgerSwap 兑换成 Burger 代币。在完成以上的操作后,攻击者使用自己控制的代币(攻击合约本身) 和 Burger 代币通过 Delegate 层创建了一个交易对并添加流动性,为后续攻击做准备。

由于先前攻击者在创建交易对的时候使用的是自己控制的代币,在代币兑换过程中, _innerTransferFrom 函数会调用攻击者控制的代币合约,于是攻击者可以 _innerTransferFrom 函数中重入 swapExactTokensForTokens 函数。为什么攻击者要这样做呢?

通过对 PlatForm 层的 swapExactTokensForTokens 函数进行代码分析,我们不难发现,合约在调用 _innerTransferFrom 函数时首先计算了用户的兑换数据,然后在 _innerTransferFrom 函数的操作后使用预先计算的数据来转发到底层进行真正的代币兑换。从这个函数层面来看,就算攻击者重入了 swapExactTokensForTokens 函数,底层调用的 swap 函数也是独立的。

问题就出在 Pair 层本身并不做恒定乘积的检查,在重入的过程中,在 _innerTransferFrom 函数完成后,Pair 的更新数据也没有反映到 PlatForm 层中,导致重入交易中的兑换产生的滑点并不影响下一次的兑换,从而造成了损失。

DemaxPair合约地址

LogoContract Address 0x7ac55ac530f2c29659573bde0700c6758d69e677 | BscScanBinance (BNB) Blockchain Explorer

DemaxPair 合约的swap函数代码

// this low-level function should be called from a contract which performs // important safety checks
function swap(
    uint256 amount0Out,
    uint256 amount1Out,
    address to,
    bytes calldata data
) external onlyPlatform lock {
    require(amount0Out > 0 || amount1Out > 0, 'DEMAX PAIR : INSUFFICIENT_OUTPUT_AMOUNT');
    (uint112 _reserve0, uint112 _reserve1, ) = getReserves(); // gas savings
    require(amount0Out < _reserve0 && amount1Out < _reserve1, 'DEMAX PAIR :  INSUFFICIENT_LIQUIDITY');
    uint256 balance0;
    uint256 balance1;
    {
        address _token0 = token0;
        address _token1 = token1;
        require(to != _token0 && to != _token1, 'DEMAX PAIR : INVALID_TO');
        if (amount0Out > 0) _safeTransfer(_token0, to, amount0Out);
        if (amount1Out > 0) _safeTransfer(_token1, to, amount1Out);
        if (data.length > 0) IDemaxCallee(to).demaxCall(msg.sender, amount0Out, amount1Out, data);
        balance0 = _balanceOf(_token0, address(this));
        balance1 = _balanceOf(_token1, address(this));
    }
    uint256 amount0In = balance0 > _reserve0 - amount0Out ? balance0 - (_reserve0 - amount0Out) : 0;
    uint256 amount1In = balance1 > _reserve1 - amount1Out ? balance1 - (_reserve1 - amount1Out) : 0;
    uint256 _amount0Out = amount0Out;
    uint256 _amount1Out = amount1Out;
    require(amount0In > 0 || amount1In > 0, 'DEMAX PAIR : INSUFFICIENT_INPUT_AMOUNT');
    _update(balance0, balance1, _reserve0, _reserve1);
    emit Swap(msg.sender, amount0In, amount1In, _amount0Out, _amount1Out, to);
}

UniswapV2Pair合约的swap函数代码

// this low-level function should be called from a contract which performs important safety checks
function swap(uint amount0Out, uint amount1Out, address to, bytes calldata data) external lock {
    require(amount0Out > 0 || amount1Out > 0, 'UniswapV2: INSUFFICIENT_OUTPUT_AMOUNT');
    (uint112 _reserve0, uint112 _reserve1,) = getReserves(); // gas savings
    require(amount0Out < _reserve0 && amount1Out < _reserve1, 'UniswapV2: INSUFFICIENT_LIQUIDITY');

    uint balance0;
    uint balance1;
    { // scope for _token{0,1}, avoids stack too deep errors
    address _token0 = token0;
    address _token1 = token1;
    require(to != _token0 && to != _token1, 'UniswapV2: INVALID_TO');
    if (amount0Out > 0) _safeTransfer(_token0, to, amount0Out); // optimistically transfer tokens
    if (amount1Out > 0) _safeTransfer(_token1, to, amount1Out); // optimistically transfer tokens
    if (data.length > 0) IUniswapV2Callee(to).uniswapV2Call(msg.sender, amount0Out, amount1Out, data);
    balance0 = IERC20(_token0).balanceOf(address(this));
    balance1 = IERC20(_token1).balanceOf(address(this));
    }
    uint amount0In = balance0 > _reserve0 - amount0Out ? balance0 - (_reserve0 - amount0Out) : 0;
    uint amount1In = balance1 > _reserve1 - amount1Out ? balance1 - (_reserve1 - amount1Out) : 0;
    require(amount0In > 0 || amount1In > 0, 'UniswapV2: INSUFFICIENT_INPUT_AMOUNT');
    { // scope for reserve{0,1}Adjusted, avoids stack too deep errors
    uint balance0Adjusted = balance0.mul(1000).sub(amount0In.mul(3));
    uint balance1Adjusted = balance1.mul(1000).sub(amount1In.mul(3));
    require(balance0Adjusted.mul(balance1Adjusted) >= uint(_reserve0).mul(_reserve1).mul(1000**2), 'UniswapV2: K');
    }

    _update(balance0, balance1, _reserve0, _reserve1);
    emit Swap(msg.sender, amount0In, amount1In, amount0Out, amount1Out, to);
}

参考UniswapV2Pair的25行,Uniswap有做恒定乘积K值的检查,但BurgerSwap的DemaxPair 合约并没有,因为这个原因,科学家发起重入交易中的兑换产生的滑点并不影响下一次的兑换,从而造成了损失。

PreviousEleven Finance 攻击策略NextArray Finance 攻击策略

Last updated