@hayeah
Created July 27, 2017 08:17
crowdfund example exploit

Looking at the crowdfunding example at https://dappsforbeginners.wordpress.com/tutorials/contracts-that-send-transactions/

There's a possible denial of service attack at the line:

c.funders[j].addr.send(c.funders[j].amount);

If one of the funders is a malicious contract, its default (fallback) function could be a recursive call to itself. This would cause all refunds to lock up.

Code:

function checkGoalReached(uint campaignID) returns (bool reached) {
    Campaign c = campaigns[campaignID];
    if (c.amount >= c.fundingGoal){
        c.beneficiary.send(c.amount);
        c.amount = 0;
        c.beneficiary = 0;
        c.fundingGoal = 0;
        c.deadline = 0;
        uint i = 0;
        uint f = c.numFunders;
        c.numFunders = 0;
        while (i <= f){
            c.funders[i].addr = 0;
            c.funders[i].amount = 0;
            i++;
        }
        return true;
    }
    if (c.deadline <= block.number){
        uint j = 0;
        uint n = c.numFunders;
        c.beneficiary = 0;
        c.fundingGoal = 0;
        c.numFunders = 0;
        c.deadline = 0;
        c.amount = 0;
        while (j <= n){
            // Line discussed above: external call to each funder's address inside the refund loop.
            c.funders[j].addr.send(c.funders[j].amount);
            c.funders[j].addr = 0;
            c.funders[j].amount = 0;
            j++;
        }
        return true;
    }
    return false;
}
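
A common mitigation for the refund loop above is to let each funder withdraw their own refund (pull payment), so that one recipient's fallback function cannot affect anyone else's refund. The sketch below is an added example, not code from this gist or from the tutorial; it is written for Solidity ^0.8 rather than the tutorial's older syntax, covers only the refund path (the beneficiary payout is omitted), and the contract and function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example with hypothetical names: pull-based refunds.
contract CrowdfundPullRefund {
    struct Campaign {
        uint256 fundingGoal;
        uint256 deadline; // block number, as in the tutorial
        uint256 amount;   // total raised; not reduced by refunds
        mapping(address => uint256) contributions;
    }

    uint256 public numCampaigns;
    mapping(uint256 => Campaign) private campaigns;

    function newCampaign(uint256 goal, uint256 deadline)
        external
        returns (uint256 campaignID)
    {
        campaignID = numCampaigns++;
        Campaign storage c = campaigns[campaignID];
        c.fundingGoal = goal;
        c.deadline = deadline;
    }

    function contribute(uint256 campaignID) external payable {
        Campaign storage c = campaigns[campaignID];
        require(block.number < c.deadline, "campaign closed");
        c.contributions[msg.sender] += msg.value;
        c.amount += msg.value;
    }

    // Each funder claims their own refund. There is no loop over other
    // funders, so a recipient whose fallback fails only blocks itself.
    function claimRefund(uint256 campaignID) external {
        Campaign storage c = campaigns[campaignID];
        require(block.number >= c.deadline, "deadline not reached");
        require(c.amount < c.fundingGoal, "goal reached");
        uint256 owed = c.contributions[msg.sender];
        require(owed > 0, "nothing to refund");
        // Zero the balance before the external call, so a reentrant
        // claimRefund finds nothing owed and reverts.
        c.contributions[msg.sender] = 0;
        (bool ok, ) = payable(msg.sender).call{value: owed}("");
        require(ok, "refund failed");
    }
}
```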