TRON Foundation
Jul 7 · 3 min read

This class discusses integer overflow and walks through a honeypot contract that exploits it. Everyone is welcome to follow the official @tron Twitter account and to submit contract code for future classes.

The following contract code comes from https://troneye.com (hereinafter TRON-Eye), a community-built TRON contract verification platform that earlier classes have described in detail. The contract is PayYouDouble (url: https://troneye.com/reveal?address=TDN5L5a6m81F2dicgi5rYGovuuFEpCfBAT).

Figure 1 PayYouDouble’s source code

Before discussing the PayYouDouble contract, we first need to explain two concepts.

1. Overflow

As in other languages, a Solidity variable that records a value has a fixed range. When the maximum value is reached, adding 1 wraps around to the minimum value; this is called overflow. When the minimum value is reached, subtracting 1 wraps around to the maximum value; this is called underflow. For example, a variable a of type uint8 holds an 8-bit unsigned number.

If a is currently 255 and is incremented by 1, it becomes 0; if a is 0 and 1 is subtracted from it, it becomes 255. This differs from everyday arithmetic. When we write var i = 0, the compiler infers the type of i as uint8, which is very easy to overlook.

2. Units

In TRON smart contracts the unit of msg.value is SUN: 1 TRX = 1000000 SUN, so 0.1 TRX is 100000 SUN.

Any addition, subtraction, multiplication or division on such values must take the overflow problem into account. Now let us look at the PayYouDouble contract.

```solidity
pragma solidity ^0.4.25; // added here: `var` type inference exists only in 0.4.x compilers

contract PayYouDouble
{
    function play() payable public {
        if(msg.value > 100 trx) {
            uint256 multi = 0;
            uint256 amountToTransfer = 0;
            // `var i = 0` is inferred as uint8, so i can never exceed 255
            // even though the bound msg.value * 2 is a uint256
            for(var i = 0; i < msg.value * 2; i++) {
                multi = i * 2;
                if(multi < amountToTransfer) {
                    break;
                }
                else {
                    amountToTransfer = multi;
                }
            }
            msg.sender.transfer(amountToTransfer);
        }
    }
}
```

According to this contract, when play() is called with more than 100 TRX, execution enters the loop, ends up with some value of amountToTransfer, and sends that many SUN to msg.sender. Ignoring overflow, amountToTransfer would be msg.value * 2, and that is the lure of this honeypot contract.

Because the loop counter i is a uint8, the i++ executed at i = 255 wraps i back to 0, so multi becomes 0 < amountToTransfer and the loop terminates early.

Now do the arithmetic: the deposit must be at least 100 TRX (100000000 SUN), and the contract sends back only 510 SUN, so the loss is huge.
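To make the wrap-around concrete, here is an added Python simulation (not from the original post) that replays the play() loop with modular fixed-width arithmetic. It treats i as uint8, as explained above, and exposes the bit width of the product i * 2 as a parameter: evaluated in 256 bits it yields the 510 SUN quoted above, while a compiler that keeps the product in uint8 (Solidity 0.4 converts the literal 2 to the type of i) breaks out even earlier at 254 SUN.

```python
# Constructed simulation of PayYouDouble.play(); all values are in SUN.
SUN_PER_TRX = 1_000_000


def wrap(value, bits):
    """Reduce an integer to an unsigned fixed-width value (modular wrap-around)."""
    return value % (1 << bits)


def simulate_play(msg_value_sun, index_bits=8, product_bits=256, max_steps=100_000):
    """Replay the for-loop.

    index_bits   models `var i = 0`, which Solidity 0.4 infers as uint8.
    product_bits models the width in which `i * 2` is evaluated
                 (assumption: 256 reproduces the post's 510 SUN figure,
                 8 models the literal 2 being converted to uint8).
    """
    multi = 0
    amount_to_transfer = 0
    i = 0
    steps = 0
    while i < msg_value_sun * 2:                # comparison happens in uint256
        multi = wrap(i * 2, product_bits)
        if multi < amount_to_transfer:          # the honeypot's early exit
            break
        amount_to_transfer = multi
        i = wrap(i + 1, index_bits)             # i++ wraps at 2**index_bits
        steps += 1
        if steps > max_steps:
            raise RuntimeError("loop did not terminate within max_steps")
    return amount_to_transfer


def promised_payout(msg_value_sun):
    """What the contract appears to promise: double the deposit."""
    return msg_value_sun * 2


if __name__ == "__main__":
    deposit = 100 * SUN_PER_TRX
    print("deposit       :", deposit, "SUN")
    print("promised      :", promised_payout(deposit), "SUN")
    print("paid (256-bit):", simulate_play(deposit), "SUN")
    print("paid (8-bit)  :", simulate_play(deposit, product_bits=8), "SUN")
```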

A small extension:

This contract locks funds for dividends (only the locking part is shown), and a user can only retrieve funds after 1 week. Can you see what is wrong?

```solidity
pragma solidity ^0.4.25;

contract LockForDividend {

    mapping(address => uint) public balances;
    mapping(address => uint) public lockTime;

    // deposit funds and lock them for one week from now
    function deposit() public payable {
        balances[msg.sender] += msg.value;
        lockTime[msg.sender] = now + 1 weeks;
    }

    // the caller may extend its own lock time by any number of seconds
    function increaseLockTime(uint _secondsToIncrease) public {
        lockTime[msg.sender] += _secondsToIncrease;
    }

    function withdraw() public {
        require(balances[msg.sender] > 0);
        require(now > lockTime[msg.sender]);
        // fixed here: the original zeroed the balance before reading it,
        // so transfer() always sent 0; read the amount first, then zero it
        uint amount = balances[msg.sender];
        balances[msg.sender] = 0;
        msg.sender.transfer(amount);
    }
}
```

Come to Twitter and tell me the answer.

This class ends here. Thanks to TRON-Eye for providing the contract verification tool; more information about them is available on their website https://troneye.com.

We continue to call for source code for follow-up classes and welcome submissions via the official Twitter account.

Written by TRON Foundation, the official Medium of Tron Foundation.
