Smart Contract Security Class (No.004)

In this class, we will use the two contracts from TRON-Eye to talk about inheritance features in Solidity, and possible vulnerabilities or attacks on TRON. At the same time, everyone is welcome to follow @tron official twitter, and submit your contract code.

The following is the contract code from https://troneye.com (hereinafter referred to as TRON-Eye). TRON-Eye is a TRON verification platform from the community. The previous classes have introduced the TRON-Eye verification platform in detail. Figure 1 shows the contract, HonestBank (contract address: TYSXj1cx6rGVHSuTwogJs3zdqTkbmUjtoy).

Figure 1 contract HonestBank on TRON-Eye

The code for the HonestBank contract is short and the core code is as follows.

contract Owned {

address public owner;

function Owned() { owner = msg.sender; }

modifier onlyOwner{ if (msg.sender != owner) revert(); _; }

}

contract HonestBank is Owned {

address public owner = msg.sender;

uint256 ecode;

uint256 evalue;

function useEmergencyCode(uint256 code) public payable {

if ((code == ecode) && (msg.value == evalue)) owner = msg.sender;

}

function withdraw(uint amount) public onlyOwner {

require(amount <= this.balance);

msg.sender.transfer(amount);

}

Intuitively, this contract allows the player to enter the correct code and at the same time give the contract a specified amount of trx, then become the owner of the contract. Once you become owner, you can take all the balances of the contract. The correct code and the specified balance are set by the contract deployer via setEmergencyCode(uint256 code, uint256 value) .

Figure 2 transaction setEmergencyCode on TronScan

Since the contract deployer’s call to setEmergencyCode is available through tronscan.org. Well, you might think: "The opportunity is coming, I can take the contract money away!"

So is it right? This involves the issue of inheritance in Solidity. Before we start, let’s write a simple test for you with the SClass04_01 contract. SClass04_01 (contract address: TAteb3fS3CgtruSkPPTf9WN84wKs1G4C94).

Figure 3 contract SClass04_1 on TRON-Eye

This is a simple test contract, Class4 inherits from the parent class Base contract. The subclass Class4 and the parent class Base have the variable variable of the same name. Both subclasses and parent classes have functions with the same name or different names for the variable operation. We use this example to test the inheritance features in Solidity.

The inheritance principle of Solidity is code copy, so in other words, the test1 of the parent class Base manipulates the variable in the parent class, the variable in the test2 manipulation subclass of the child class Class4, and the test2 in the parent class does not exist because it is not called.

The actual execution can be found that the test2 operation of the Class4 contract is a variable in the subclass, but the test1 operation is the variable in the parent class. The fact that the Class4 contract is equivalent to:

contract Class4{

uint variable1 = 0;

uint variable2 = 0;

function getV1() public view returns(uint){

return variable1;

}

function getV2() public view returns(uint){

return variable2;

}

function test1() returns(uint v){

variable1++;

return variable1;

}

function test2(uint a) returns(uint v){

variable2++;

return variable2;

}

}

In other words, each storage variable of TVM will have a uniquely identified slot id. In the example below, although they are called variable, from the bytecode point of view, they are determined by different slot ids, so it has nothing to do with what the variable is called.

Looking back at the previous HonestBank contract, you will find that the contract's onlyOwner is a utility that is the owner of the parent class. This has been fixed at the time of contract deployment and can never be modified. The owner variable in the subclass of other players modified by useEmergencyCode. In this way, the HonestBank contract actually constitutes a honeypot attack, tempting the player to think that he can take the money and recharge the contract.

This class will be end here. Thanks to TRON-Eye for providing the contract verification tool. More information about them can be found directly on their website https://troneye.com.

We continue to call for source code for follow-up classes, and we welcome your official twitter submissions.

The official Medium of Tron Foundation. Learn more: https://tron.network