How to Exploit ETH Using Delegatecall and Selfdestruct – Security Insights

contract-designSecurity

Even if a contract’s code does not contain a call to selfdestruct, it can still perform that operation using delegatecall or callcode.

This worries me.

I've created some pseudo code to give a gist of a possible exploit. The code below creates an "exception: invalid opcode", but you'll be able to follow my logic. Assuming this style of attack works, what can be done to guard against it?

pragma solidity ^0.4.2;        
contract Steal{
      function delegatecall_selfdestruct(address _target) external returns (bool _ans) {
          _ans = _target.delegatecall(bytes4(sha3("selfdestruct(address)")), this); 
      }
}

contract Mark { 
  function Deposit() payable {
  }
}

The idea is to send some testnet ETH to the contract Mark then use the Steal contract to call Mark and make it selfdestruct and give the ETH to the Steal Contract.

Best Answer

It doesn't work to just call built-in Solidity functions in other contracts using delegatecall.

What delegatecall really does is call a function in another contract, which executes in the context of the first contract. It's really dangerous to make delegatecalls to contracts you don't trust. The documentation is warning you about this possibility:

pragma solidity ^0.4.2;        
contract Steal{
    address owner;
    function Steal() {
        owner = msg.sender;
    }
    function innocence() {
        selfdestruct(owner);
    }
}

contract Mark { 
    function Deposit() payable {}
    function call(address a) {
        a.delegatecall(bytes4(sha3("innocence()"))); 
    }
}

If Mark calls Steal, then Mark will selfdestruct.

Details

When D does CALL on E, the code runs in the context of E: the storage of E is used.

When D does CALLCODE on E, the code runs in the context of D. So imagine that the code of E is in D. Whenever the code writes to storage, it writes to the storage of account D, instead of E.

contract D {
  uint public n;
  address public sender;

  function callSetN(address _e, uint _n) {
    _e.call(bytes4(sha3("setN(uint256)")), _n); // E's storage is set, D is not modified 
  }

  function callcodeSetN(address _e, uint _n) {
    _e.callcode(bytes4(sha3("setN(uint256)")), _n); // D's storage is set, E is not modified 
  }

  function delegatecallSetN(address _e, uint _n) {
    _e.delegatecall(bytes4(sha3("setN(uint256)")), _n); // D's storage is set, E is not modified 
  }
}

contract E {
  uint public n;
  address public sender;

  function setN(uint _n) {
    n = _n;
    sender = msg.sender;
    // msg.sender is D if invoked by D's callcodeSetN. None of E's storage is updated
    // msg.sender is C if invoked by C.foo(). None of E's storage is updated

    // the value of "this" is D, when invoked by either D's callcodeSetN or C.foo()
  }
}

contract C {
    function foo(D _d, E _e, uint _n) {
        _d.delegatecallSetN(_e, _n);
    }
}

When D does CALLCODE on E, msg.sender inside E is D as commented in the code above.

When an account C invokes D, and D does DELEGATECALL on E, msg.sender inside E is C. That is, E has the same msg.sender and msg.value as D.

You can quickly test above in Solidity Browser.

Solidity – Handling Unimplemented Functions in Contracts

The problem is that totalSupply() implementation is missing. Seems like autogenerated getters do not count. So you need to explicitly create the function.

contract StandardToken is Token {
    uint256 _totalSupply;

    function totalSupply() constant returns (uint256 totalSupply) {
        totalSupply = _totalSupply;
    }
}

Best Answer

Related Solutions

Contract Design – Difference Between CALL, CALLCODE, and DELEGATECALL in EVM

Details

Solidity – Handling Unimplemented Functions in Contracts

Related Topic