DAPP Taishan Crowdfunding System Development: Function Case Analysis
There have historically been many security incidents involving Ethereum contracts, and their impact at the time was enormous: at best a deployed contract could no longer run, at worst tens of millions of dollars were lost. In finance, errors are not permitted; seen from the other side, though, it was precisely these incidents that drove the development of Ethereum security, or rather blockchain security, with more and more people paying attention to blockchain security, contract security, protocol security and so on.
That was silly, wasn't it? Real-world contracts must be much more secure than this, and so it must be much harder to hack them, right?
Well... not quite.
The story of Rubixi is a very well known case in the Ethereum ecosystem. The company changed its name from 'Dynamic Pyramid' to 'Rubixi', but somehow they didn't rename the constructor method of its contract:
// Solidity 0.4-era code: the constructor was simply a function named after the contract,
// so after the rename to Rubixi, DynamicPyramid() became an ordinary public function.
contract Rubixi {
    address private owner;
    function DynamicPyramid() { owner = msg.sender; }      // intended as constructor; now callable by anyone
    function collectAllFees() { owner.transfer(this.balance); }
    ...
This allowed the attacker to call the old constructor, claim ownership of the contract, and steal some funds. Yep. Big mistakes can be made in smart-contract land.
// Only the tail of the function body appears on the page; the signature, storage and event
// declarations below are added so the fragment compiles (Solidity 0.4-style syntax).
mapping(address => uint) balances;
mapping(address => mapping(address => uint)) allowed;
event Transfer(address indexed _from, address indexed _to, uint _value);

function transferFrom(address _from, address _to, uint _value) public returns (bool) {
    uint previousBalances = balances[_from] + balances[_to];
    balances[_from] -= _value;
    balances[_to] += _value;
    allowed[_from][msg.sender] -= _value;
    Transfer(_from, _to, _value);
    // Invariant check: a transfer must conserve the combined balance of sender and receiver
    assert(balances[_from] + balances[_to] == previousBalances);
    return true;
}
This method takes three parameters.
Solidity provides a set of low-level methods that operate on raw addresses, such as address.call(), address.callcode(), address.delegatecall() and address.send. These low-level methods do not throw an exception; they merely return false when an error occurs. Contract calls (for example ExternalContract.doSomething()), on the other hand, propagate exceptions automatically: if doSomething() throws, then ExternalContract.doSomething() throws as well.
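As an added illustration of the distinction just described (not code from the original page), the contract below puts an unchecked send beside a checked call, and shows a high-level call to ExternalContract.doSomething() next to a low-level staticcall to the same function. It targets Solidity 0.8, where callcode no longer exists; the names ExternalContract, Caller and pending are assumed for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical callee used to show the two propagation behaviours.
contract ExternalContract {
    function doSomething(bool shouldFail) external pure returns (uint256) {
        require(!shouldFail, "doSomething failed");
        return 42;
    }
}

contract Caller {
    mapping(address => uint256) public pending;

    receive() external payable { pending[msg.sender] += msg.value; }

    // Weak form: send() returns false on failure instead of reverting, so the
    // zeroing above it stays in effect even when no Ether actually left the contract.
    function withdrawUnchecked() external {
        uint256 amount = pending[msg.sender];
        pending[msg.sender] = 0;
        payable(msg.sender).send(amount); // return value ignored
    }

    // Hardened form: check the boolean and revert, which rolls the state change back.
    function withdrawChecked() external {
        uint256 amount = pending[msg.sender];
        pending[msg.sender] = 0;
        (bool ok, ) = payable(msg.sender).call{value: amount}("");
        require(ok, "transfer failed");
    }

    // High-level contract call: a revert inside doSomething() reverts this call too.
    function callHighLevel(ExternalContract target, bool shouldFail) external view returns (uint256) {
        return target.doSomething(shouldFail);
    }

    // Low-level call to the same function: failure is reported as ok == false, not thrown.
    function callLowLevel(ExternalContract target, bool shouldFail)
        external view returns (bool ok, bytes memory data)
    {
        (ok, data) = address(target).staticcall(
            abi.encodeWithSelector(ExternalContract.doSomething.selector, shouldFail)
        );
    }
}
```

Calling callHighLevel with shouldFail = true reverts the whole transaction, while callLowLevel with the same argument returns ok == false and the ABI-encoded revert reason in data, which the caller must inspect itself.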