🪲 Find the bug in a NEAR smart contract
This is the core file of a real NEAR fungible token from 2022
A respected security firm audited it and found that something was missing to make sure the `ft`-related functions work as expected
Can you spot it?
I'll reveal everything in this thread in 24 hours ↓
+ what is missing
+ which contract this is
+ which security firm found it
+ what the fixed code looks like now
---
Comment if you want to be notified when the answer is posted!
🧑🏫 THE BUG EXPLAINED
*as @mihaikodo already found the right answer
this is @LinearProtocol's $LiNEAR token contract from 2022, audited by @BlockSecTeam
this finding went as a recommendation, named
"Missing check on the `prepaid_gas` in function `ft_transfer_call`"
the `prepaid_gas` should be checked to ensure it is enough for the target functions including `ft_on_transfer` and `ft_resolve_transfer`
the current code already has the fix implemented, which is a `require!()` macro on `env::prepaid_gas`
basically, it requires `ft_transfer_call` calls to have enough prepaid gas attached, checked against a minimum amount, to make sure the entire transaction journey (with its cross-contract calls) works flawlessly
this is important because if gas isn't enough, the contract's callbacks may fail later, which worsens the user experience and creates some security risks
now, everything is checked beforehand.
if prepaid_gas is too low, the contract will panic and more gas will be requested -- the transaction never
@mihaikodo @LinearProtocol @BlockSecTeam you can read the full report here:
https://t.co/fm5P43QQVa
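As an added example (not the LiNEAR contract's own code): a self-contained Rust model of the `ft_transfer_call` gas guard, with the unguarded "before" beside the guarded "after". `Gas`, `Env`, the budget constants and the `Token` struct are assumptions standing in for near-sdk types, so the block runs without the SDK.

```rust
use std::collections::HashMap;

/// Stand-in for near-sdk's `Gas` newtype (gas units, 1 TGas = 10^12).
#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub struct Gas(pub u64);
pub const TGAS: u64 = 1_000_000_000_000;
// Assumed budgets, not LiNEAR's real numbers: the receiver's `ft_on_transfer`,
// our own `ft_resolve_transfer` callback, and overhead to schedule both.
pub const GAS_FOR_FT_ON_TRANSFER: Gas = Gas(10 * TGAS);
pub const GAS_FOR_RESOLVE_TRANSFER: Gas = Gas(5 * TGAS);
pub const GAS_FOR_FT_TRANSFER_CALL: Gas = Gas(25 * TGAS); // both callees + overhead

/// Stand-in for `env::prepaid_gas()`: what the caller attached to this call.
pub struct Env { pub prepaid_gas: Gas }
/// The two promises `ft_transfer_call` schedules once it commits.
#[derive(Debug)]
pub struct Scheduled { pub receiver: String, pub amount: u128, pub gas: (Gas, Gas) }
#[derive(Default)]
pub struct Token { pub balances: HashMap<String, u128> }

impl Token {
    fn debit(&mut self, sender: &str, amount: u128) -> Result<(), String> {
        let bal = self.balances.get_mut(sender).ok_or("sender not registered")?;
        if *bal < amount { return Err("insufficient balance".into()); }
        *bal -= amount;
        Ok(())
    }
    /// BEFORE the fix: `prepaid_gas` is never inspected. The sender is debited
    /// and the promise chain is left to starve in `ft_on_transfer` or
    /// `ft_resolve_transfer`, the late failure the audit flagged.
    pub fn ft_transfer_call_unchecked(&mut self, _env: &Env, sender: &str,
                                      receiver: &str, amount: u128) -> Result<Scheduled, String> {
        self.debit(sender, amount)?;
        Ok(Scheduled { receiver: receiver.to_string(), amount,
                       gas: (GAS_FOR_FT_ON_TRANSFER, GAS_FOR_RESOLVE_TRANSFER) })
    }
    /// AFTER the fix: the guard runs before any state changes. near-sdk's
    /// `require!` would panic here; this model returns Err so it can be tested.
    pub fn ft_transfer_call(&mut self, env: &Env, sender: &str,
                            receiver: &str, amount: u128) -> Result<Scheduled, String> {
        if env.prepaid_gas < GAS_FOR_FT_TRANSFER_CALL {
            return Err(format!("More gas is required: attached {:?}, need {:?}",
                               env.prepaid_gas, GAS_FOR_FT_TRANSFER_CALL));
        }
        self.ft_transfer_call_unchecked(env, sender, receiver, amount)
    }
}
```

The guarded version rejects an under-funded call before the debit, so the sender's balance is untouched; the unguarded version moves the balance first and only discovers the gas shortfall in the callbacks.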