Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

add gasclaim #6

Merged
merged 3 commits into from
Sep 18, 2020
Merged

add gasclaim #6

merged 3 commits into from
Sep 18, 2020

Conversation

Lichen9618
Copy link

No description provided.

shargon
shargon reviewed Sep 14, 2020
View reviewed changes
NeoContract/CNEO.cs
@@ -10,6 +10,8 @@ namespace CNEO
{
public class CNEO : SmartContract
{
private static readonly byte[] GasClaim = "AQzRMe3zyGS8W177xLJfewRRQZY2kddMun".ToScriptHash();
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Testnet address?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes, a template for someone can control the gas generated by NEO in CNEO contract.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Remember to change it before deploy on mainnet

@steven1227 steven1227 merged commit 2df6430 into neo-ngd:master Sep 18, 2020
chenzhitong
chenzhitong reviewed Sep 20, 2020
View reviewed changes
NeoContract/CNEO.cs
foreach (var output in outputs)
{
if (output.ScriptHash.AsBigInteger() == currentHash.AsBigInteger())
if (output.ScriptHash.AsBigInteger() == currentHash.AsBigInteger() && output.AssetId.AsBigInteger() == AssetId.AsBigInteger())
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

这里应该检查所有的outputs,只有都满足条件才将 ifClaimGas 设置为 false;否则一个output满足就可以绕过这个检查,并没修复那个漏洞。
也许可以改为:

bool ifClaimGas = false;
foreach (var output in outputs)
{
    if (output.ScriptHash.AsBigInteger() != currentHash.AsBigInteger() || output.AssetId.AsBigInteger() != AssetId.AsBigInteger())
        ifClaimGas = true;

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

output.ScriptHash.AsBigInteger() != currentHash.AsBigInteger()
检查所有output的话, 比如这个判断条件会给管理员通过走ClaimGas的条件, 取走所有neo的权限

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

那现在这样其它人也能提GAS吧(貌似)
如果这么改呢:

if((byte)tx.Type == 0x02)
{
    return inputs == null ? Runtime.CheckWitness(GasClaim) : false;
}

@chenzhitong chenzhitong mentioned this pull request Sep 20, 2020
Open
This pull request was closed.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@chenzhitong chenzhitong chenzhitong left review comments

@shargon shargon shargon approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@Lichen9618 @shargon @chenzhitong @steven1227