From 67ad55f50732ae3f17b0d2c3a05f337b6c09b56c Mon Sep 17 00:00:00 2001 From: Alan Xu Date: Mon, 4 Nov 2024 16:56:32 +0800 Subject: [PATCH 1/2] docs(link): fix broken link (#832) * docs(link): fix broken link fix broken link --- Topics/Onchain_debug/01_tools/en/readme.md | 16 ++++++++-------- Topics/Onchain_debug/01_tools/readme.md | 21 ++++++++++++--------- 2 files changed, 20 insertions(+), 17 deletions(-) diff --git a/Topics/Onchain_debug/01_tools/en/readme.md b/Topics/Onchain_debug/01_tools/en/readme.md index 8cdf0bb00..bb727cfa3 100644 --- a/Topics/Onchain_debug/01_tools/en/readme.md +++ b/Topics/Onchain_debug/01_tools/en/readme.md 
@@ -9,27 +9,26 @@ From my studies, we will launch a series of Web3 security articles to entice mor In the first series, we will introduce how to conduct an on-chain analysis, and then we will reproduce on-chain attack(s). This skill will aid us in understanding the attack process, the root cause of the vulnerability, and even how the arbitrage robot arbitrages! ## Tools can greatly improve efficiency + Before getting into the analysis, allow me to introduce some common tools. The right tools can help you do research more efficiently. ### Transaction debugging tools -[Phalcon](https://phalcon.blocksec.com/) | [Tx.viewer](https://tx.eth.samczsun.com/) | [Cruise](https://cruise.supremacy.team/) | [Ethtx](https://ethtx.info/) | [Tenderly](https://dashboard.tenderly.co/explorer) -Transaction Viewer is the most commonly used tool, it is able to list the stack trace of function calls and the input data in each function during the transaction. Transaction viewer tools are all similar; the major difference is the chain support and auxiliary functions support. I personally use Phalcon and Sam’s Transaction Viewer. If I encounter unsupported chains, I will use Tenderly. Tenderly supports most chains, But the readability is limited, and analysis can be slow using its Debug feature. It is however one of the first tools I learned along with Ethtx. +[Phalcon](https://phalcon.blocksec.com/) | [Ethtx](https://ethtx.info/) | [Tenderly](https://dashboard.tenderly.co/explorer) + +Transaction Viewer is the most commonly used tool, it is able to list the stack trace of function calls and the input data in each function during the transaction. Transaction viewer tools are all similar; the major difference is the chain support and auxiliary functions support. I personally use Phalcon's Transaction Viewer. If I encounter unsupported chains, I will use Tenderly. Tenderly supports most chains, But the readability is limited, and analysis can be slow using its Debug feature. 
It is however one of the first tools I learned along with Ethtx. #### Chain support comparison Phalcon: `Ethereum、BSC、Cronos、Avalanche C-Chain、Polygon` -Sam's Transaction viewer: `Ethereum、Polygon、BSC、Avalanche C-Chain、Fantom、Arbitrum、Optimism` - -Cruise: `Ethereum、BSC 、Polygon、Arbitrum、Fantom、Optimism、Avalanche、Celo、Gnosis` - Ethtx: `Ethereum、Goerli testnet` Tendery: `Ethereum、Polygon、BSC、Sepolia、Goerli、Gnosis、POA、RSK、Avalanche C-Chain、Arbitrum、Optimism 、Fantom、Moonbeam、Moonriver` #### Lab + We will look at JayPeggers - Insufficient validation + Reentrancy [Incident](https://github.com/SunWeb3Sec/DeFiHackLabs/#20221229---jay---insufficient-validation--reentrancy) as an example transaction [TXID](https://phalcon.blocksec.com/tx/eth/0xd4fafa1261f6e4f9c8543228a67caf9d02811e4ad3058a2714323964a8db61f6) to dissect. First I use the Phalcon tool developed by Blocksec to illustrate. The basic information and balance changes of the transaction can be seen in the figure below. From the balance changes, we can quickly see how much profit the attacker has made. In this example, the attacker made a profit of 15.32 ETH. @@ -62,7 +61,7 @@ This can help us clarify all the things this transaction did. Before writing the ### Ethereum Signature Database -[4byte](https://www.4byte.directory/) | [sig.eth](https://sig.eth.samczsun.com/) | [etherface](https://www.etherface.io/hash) +[4byte](https://www.4byte.directory/) | [etherface](https://www.etherface.io/hash) In the Raw Input data, the first 4 bytes are Function Signatures. Sometimes if Etherscan or analysis tools cannot identify the function, we may check the possible Functions through the Signature Database. 
@@ -92,6 +91,7 @@ Obtain ABI for unverified contracts: If you encounter a contract that is not ver ![圖片](https://user-images.githubusercontent.com/52526645/210588945-701b0e22-7390-4539-9d2f-e13479b52824.png) ### Decompile tools + [Etherscan-decompile bytecode](https://etherscan.io/address/0xaE9C73fd0Fd237c1c6f66FE009d24ce969e98704#code) | [Dedaub](https://library.dedaub.com/decompile) | [heimdall-rs](https://github.com/Jon-Becker/heimdall-rs) Etherscan has a built-in decompilation feature, but the readability of the result is often poor. Personally, I often use Dedaub, which produces better decompiled code. It is my recommended decompiler. Let's use a MEV Bot being attacked as an example You can try to decompile it for yourself using this [contract](https://twitter.com/1nf0s3cpt/status/1577594615104172033). @@ -105,6 +105,7 @@ First, copy the Bytecodes of the unverified contract and paste it on Dedaub, and If you want to learn more, you can refer to the following videos. ## Resources + [samczsun's eth txn explorer and vscode extension](https://www.youtube.com/watch?v=HXgu239mPBc) [Vulnerabilities in DeFi by Daniel V.F.](https://www.youtube.com/watch?v=9fcOffCg2ig) @@ -114,4 +115,3 @@ If you want to learn more, you can refer to the following videos. [Reversing The EVM: Raw Calldata](https://degatchi.com/articles/reading-raw-evm-calldata) https://web3sec.xrex.io/ - diff --git a/Topics/Onchain_debug/01_tools/readme.md b/Topics/Onchain_debug/01_tools/readme.md index 86be63352..7f4d4af26 100644 --- a/Topics/Onchain_debug/01_tools/readme.md +++ b/Topics/Onchain_debug/01_tools/readme.md 
@@ -7,27 +7,26 @@ Author: [SunSec](https://twitter.com/1nf0s3cpt) 第一个系列我们将介绍如何进行链上分析到撰写攻击重现。此技能将能帮助你分析攻击过程和漏洞原因甚至套利机器人如何套利! ## 工欲善其事,必先利其器 + 在进入分析之前,我先介绍一些常用工具,正确的工具可以帮助你做研究时更有效率。 + ### Transaction debugging tools -[Phalcon](https://phalcon.blocksec.com/) | [Tx.viewer](https://tx.eth.samczsun.com/) | [Cruise](https://cruise.supremacy.team/) | [Ethtx](https://ethtx.info/) | [Tenderly](https://dashboard.tenderly.co/explorer) + +[Phalcon](https://phalcon.blocksec.com/) | [Ethtx](https://ethtx.info/) | [Tenderly](https://dashboard.tenderly.co/explorer) Transaction Viewer 这类工具是最常用的,可以帮助我们针对想要分析的交易 Transaction,以可视化列出函数呼叫的流程以及每个函数带入了什么的参数等。 -每个工具大同小异,只差异在链的支援度不同和辅助功能,我个人是比较常用 Phalcon 和 Sam 的 Transaction Viewer,如果遇到不支援的链则会使用 Tenderly,Tenderly 支援最多链,但是可读性就不是这么方便,需要 Debug 慢慢分析。不过我最初在研究链上分析是先学习 Ethtx 和 Tenderly。 +每个工具大同小异,只差异在链的支援度不同和辅助功能,我个人是比较常用 Phalcon 的 Transaction Viewer,如果遇到不支援的链则会使用 Tenderly,Tenderly 支援最多链,但是可读性就不是这么方便,需要 Debug 慢慢分析。不过我最初在研究链上分析是先学习 Ethtx 和 Tenderly。 #### 链支援度比较 Phalcon: `Ethereum、BSC、Cronos、Avalanche C-Chain、Polygon` -Sam's Transaction viewer: `Ethereum、Polygon、BSC、Avalanche C-Chain、Fantom、Arbitrum、Optimism` - -Cruise: `Ethereum、BSC 、Polygon、Arbitrum、Fantom、Optimism、Avalanche、Celo、Gnosis` - Ethtx: `Ethereum、Goerli testnet` -Tendery: `Ethereum、Polygon、BSC、Sepolia、Goerli、Gnosis、POA、RSK、Avalanche C-Chain、Arbitrum、Optimism -、Fantom、Moonbeam、Moonriver` +Tendery: `Ethereum、Polygon、BSC、Sepolia、Goerli、Gnosis、POA、RSK、Avalanche C-Chain、Arbitrum、Optimism、Fantom、Moonbeam、Moonriver` #### 实务操作 + 以 JayPeggers - Insufficient validation + Reentrancy [事件](https://github.com/SunWeb3Sec/DeFiHackLabs/#20221229---jay---insufficient-validation--reentrancy)来当例子 [TXID](https://phalcon.blocksec.com/tx/eth/0xd4fafa1261f6e4f9c8543228a67caf9d02811e4ad3058a2714323964a8db61f6) 使用 Blocksec 开发的 Phalcon 工具来说明,下图可以看到该交易的基本资讯和余额变化,从余额变化可以快速看出攻击者大概获利多少,以这个例子攻击者获利 15.32 ETH。 
@@ -62,7 +61,7 @@ Phalcon 2.0 新增了资金流向和 Debug + 源代码分析可以在 Trace 的 ### Ethereum Signature Database -[4byte](https://www.4byte.directory/) | [sig.eth](https://sig.eth.samczsun.com/) | [etherface](https://www.etherface.io/hash) +[4byte](https://www.4byte.directory/) | [etherface](https://www.etherface.io/hash) 在原始 Input data,前面 4bytes 为 Function Signature. 有时遇到 Etherscan 或分析工具无法解出来时,可以透过 Signature Database 来查看看可能是什么 Function。 @@ -93,6 +92,7 @@ Get ABI for unverified contracts: 如果遇到未开源的合约,可以透过 ![图片](https://user-images.githubusercontent.com/52526645/210588945-701b0e22-7390-4539-9d2f-e13479b52824.png) ### Decompile tools + [Etherscan-decompile bytecode](https://etherscan.io/address/0xaE9C73fd0Fd237c1c6f66FE009d24ce969e98704#code) | [Dedaub](https://library.dedaub.com/decompile) | [heimdall-rs](https://github.com/Jon-Becker/heimdall-rs) Etherscan 内建有一个反编译功能但可读性偏差,个人比较常使用 Dedaub,可读性好一点,也是常常最多人DM 问我都使用哪个工具反编译。 @@ -105,8 +105,11 @@ Etherscan 内建有一个反编译功能但可读性偏差,个人比较常使 ![图片](https://user-images.githubusercontent.com/52526645/210591478-6fa928f3-455d-42b5-a1ac-6694f97386c2.png) 第一课分享就先到这边,想学更多可以参考以下学习资源。 + --- + ## 学习资源 + [samczsun's eth txn explorer and vscode extension](https://www.youtube.com/watch?v=HXgu239mPBc) [Vulnerabilities in DeFi by Daniel V.F.](https://www.youtube.com/watch?v=9fcOffCg2ig) From b5930151cf365ee2931fd017ffd8b071954a043e Mon Sep 17 00:00:00 2001 From: Alan Xu Date: Mon, 4 Nov 2024 21:18:41 +0800 Subject: [PATCH 2/2] docs(47): update doc (#833) update doc --- 47_Upgrade/readme.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/47_Upgrade/readme.md b/47_Upgrade/readme.md index 26eb6df2f..2e55a6de2 100644 --- a/47_Upgrade/readme.md +++ b/47_Upgrade/readme.md 
@@ -36,11 +36,12 @@ tags: 这个代理合约比[第46讲](https://github.com/AmazingAng/WTF-Solidity/blob/main/46_ProxyContract/readme.md)中的简单。我们没有在它的`fallback()`函数中使用`内联汇编`,而仅仅用了`implementation.delegatecall(msg.data);`。因此,回调函数没有返回值,但足够教学使用了。 它包含`3`个变量: + - `implementation`:逻辑合约地址。 - `admin`:admin地址。 - `words`:字符串,可以通过逻辑合约的函数改变。 -它包含`3`个函数 +它包含`3`个函数: - 构造函数:初始化admin和逻辑合约地址。 - `fallback()`:回调函数,将调用委托给逻辑合约。
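Review bot: in the first `Topics/Onchain_debug/01_tools/en/readme.md` hunk (`@@ -9,27`), the rewritten Tenderly sentence keeps the mid-sentence capital in `Tenderly supports most chains, But the readability is limited`, and the `#### Chain support comparison` context still reads `Tendery:`; since the hunk already edits the neighbouring lines, fix both here (`…most chains, but the readability…` and `Tenderly:`). Also confirm that dropping the `Tx.viewer` and `Cruise` entries is the intended fix rather than pointing at a successor: the `## Resources` context in `@@ -105,6` still links the video `samczsun's eth txn explorer and vscode extension`, so readers are sent to a tool the page no longer lists.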
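Review bot: the `@@ -92,6` hunk of the en readme only inserts a blank line under `### Decompile tools`, but its context line `Let's use a MEV Bot being attacked as an example You can try to decompile it for yourself` is a run-on missing a period after `example`; cheap to fix in the same commit.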
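Review bot: in the `@@ -7,27` hunk of `Topics/Onchain_debug/01_tools/readme.md`, the Tenderly chain list is correctly rejoined onto one line, but the label stays misspelled as `Tendery:` (same typo in the en file); correct it while the line is being rewritten. The removals mirror the en change and the retained sentence `不过我最初在研究链上分析是先学习 Ethtx 和 Tenderly` (I first learned Ethtx and Tenderly) still makes sense without Sam's viewer, so no content drift.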
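Review bot: the `@@ -105,8` hunk of the zh readme adds blank lines around `---` and `## 学习资源`, matching the en `@@ -105,6` hunk, but the en file also strips a trailing blank line after `https://web3sec.xrex.io/` in `@@ -114,4`; check whether the zh file ends with the same stray blank so the two files stay in step.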
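Review bot: in the `47_Upgrade/readme.md` hunk the added colon on `它包含`3`个函数:` and the blank line before the variable list are fine, but since the list header is being touched, the `fallback()` bullet is the place to make the simplification explicit: the visible `implementation.delegatecall(msg.data);` discards the `(bool success, bytes memory data)` that `delegatecall` returns, so the proxy neither returns data to the caller nor bubbles up a revert from the logic contract. The paragraph above only says the fallback has no return value; one clause such as `- `fallback()`：回调函数，将调用委托给逻辑合约（忽略返回值与失败状态，仅用于教学）` would stop readers copying this into production.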