Chengdu Lianan Exposure: Technical Analysis of FAIRWIN Smart Contract Vulnerabilities

成都链安
5 years ago
Is there a vulnerability in the Ethereum FAIRWIN smart contract? A detailed technical analysis follows.

Recently the question of flaws in the FAIRWIN smart contract has drawn attention from all sides. FAIRWIN is currently the fund-pool (资金盘, Ponzi-style) application with the highest transaction volume on the Ethereum chain, and it has spawned a large number of clone schemes on Ethereum. If it harbours hidden vulnerabilities, the risk to the public chain is considerable, so Chengdu Lianan security staff carried out an in-depth analysis of the FAIRWIN smart contract. The findings are as follows:

In auditing the FAIRWIN contract code we found that the contract exposes a remedy() interface. Unless the contract owner closes this interface via close(), it can be called by any user, and through it betting data can be forged: a deposit record can be created out of thin air without sending any funds, after which the caller can collect dividends on the phantom deposit or drain the contract's entire balance through userWithDraw().
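To make the pattern concrete, here is an added illustration in Solidity. It is not FAIRWIN's code (the article reproduces none) but a hypothetical reconstruction of the defect it describes, placed beside a hardened version. The names remedy, closeAct, actStu and userWithDraw follow the article; the parameter list of remedy(), the Bet bookkeeping and the withdrawable balance are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical reconstruction of the pattern described in the article, not
// FAIRWIN's source. Function/variable names follow the article; the parameter
// list of remedy() and the bookkeeping are assumptions for illustration.

contract VulnerablePool {
    struct Bet { uint256 amount; uint256 time; bool frozen; }

    address public owner;
    bool public actStu = true;                  // remedy() stays open until owner calls closeAct()
    mapping(address => Bet[]) public bets;
    mapping(address => uint256) public withdrawable;

    constructor() { owner = msg.sender; }

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    // Genuine deposit: the recorded bet is backed by msg.value.
    function deposit() external payable {
        require(msg.value > 0, "no value");
        bets[msg.sender].push(Bet(msg.value, block.timestamp, true));
    }

    // BUG: intended as a one-off data "remedy" hook, but while actStu is true
    // ANY caller can record a bet for ANY address without sending ETH.
    function remedy(address user, uint256 amount, uint256 time, bool frozen) external {
        require(actStu, "closed");
        bets[user].push(Bet(amount, time, frozen));
        if (!frozen) withdrawable[user] += amount;   // phantom credit, paid from real deposits
    }

    // Only the owner can close the hook, and nothing forces them to do so.
    function closeAct() external onlyOwner { actStu = false; }

    function userWithDraw() external {
        uint256 v = withdrawable[msg.sender];
        withdrawable[msg.sender] = 0;                // effects before interaction
        payable(msg.sender).transfer(v);
    }
}

contract HardenedPool {
    struct Bet { uint256 amount; uint256 time; bool frozen; }

    address public owner;
    uint256 public immutable remedyDeadline;    // migration window fixed at deployment
    uint256 public totalWithdrawable;           // sum of all outstanding withdrawable credit
    mapping(address => Bet[]) public bets;
    mapping(address => uint256) public withdrawable;

    event Remedied(address indexed by, address indexed user, uint256 amount, bool frozen);

    constructor(uint256 windowSeconds) {
        owner = msg.sender;
        remedyDeadline = block.timestamp + windowSeconds;
    }

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    function deposit() external payable {
        require(msg.value > 0, "no value");
        bets[msg.sender].push(Bet(msg.value, block.timestamp, true));
    }

    // Fixed: owner-only, closes itself when the window ends (no flag for the
    // owner to forget), and can never credit more than the ETH actually held.
    function remedy(address user, uint256 amount, uint256 time, bool frozen) external onlyOwner {
        require(block.timestamp < remedyDeadline, "remedy window over");
        bets[user].push(Bet(amount, time, frozen));
        if (!frozen) {
            totalWithdrawable += amount;
            require(totalWithdrawable <= address(this).balance, "credit exceeds balance");
            withdrawable[user] += amount;
        }
        emit Remedied(msg.sender, user, amount, frozen);   // every inserted record is auditable
    }

    function userWithDraw() external {
        uint256 v = withdrawable[msg.sender];
        withdrawable[msg.sender] = 0;
        totalWithdrawable -= v;
        payable(msg.sender).transfer(v);
    }
}
```

Note that restricting remedy() to the owner only removes the outside attacker; it does nothing to stop the project party itself from minting phantom deposits. That is why the hardened version also bounds withdrawable credit by the contract's real balance and emits an event for every inserted record, so that an auditor reading the chain can distinguish backed deposits from inserted ones.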

From on-chain records we found that the project party closed the interface via closeAct() on July 28, 2019, the second day after the contract went live.

Using Chengdu Lianan's Beosin-AML system to analyse all transaction records involving the project, we then examined whether any attacker had succeeded in inserting betting data. The analysis revealed that this vulnerability had been abused on a large scale.

Over the past ten days, accounts have repeatedly attempted to call the remedy() interface to insert betting data. Because the interface had already been closed, these insertions failed, but the amounts they tried to insert ran to tens of thousands of ETH.

Failed insertion records:

A complete trace found a total of 503 successfully inserted transactions (covering 500 addresses), all dated before the project party closed the interface. Every one of these 503 transactions was initiated from the address 0xcb104fA25a1a46040DBaB9F554FF564CE325668b.

In total, 5,093 ETH of betting records were inserted: 4,711 ETH marked as frozen and 382 ETH as unfrozen.

More than 500 alt accounts (小号) populated by the attacker through inserted betting records have already carried out withdrawals.

Further analysis of the contract's deployment shows that the FAIRWIN contract was deployed on July 27, 2019, the day before the project party closed actStu. In less than a day, more than 5,000 ETH of deposits had been conjured into the contract out of nothing.

On July 29, the block explorer showed the contract's source code as verified (open-sourced).

Original article by 成都链安 (Chengdu Lianan). For reprints, content collaboration or reporting, contact report@odaily.email; unauthorised reprinting will be pursued under the law.