*本文中涉及到的相关漏洞已报送厂商并得到修复,本文仅限技术研究与讨论,严禁用于非法用途,否则产生的一切后果自行承担。
*本文原创作者:umiiii,本文属FreeBuf原创奖励计划,未经许可禁止转载
b>* Original author: umiii, this is the FreeBuf original incentive scheme, prohibited from reproducing /span>
without permission
6月28日,慢雾科技发布了一条针对 USDT 的预警和漏洞分析,提醒各大交易所尽快暂停 USDT 充值功能,并自查代码是否存在该逻辑缺陷。全文如下:
(b) > June 28, slow fog technology released an early warning and gap analysis for USDT, reminding major exchanges to suspend the USDT charge function as soon as possible, and to check for the logical defect of the code itself. The full text reads as follows:
#预警# #漏洞分析# 交易所在进行 USDT 充值交易确认是否成功时存在逻辑缺陷,未校验区块链上交易详情中 valid 字段值是否为 true,导致“假充值”,用户未损失任何 USDT 却成功向交易所充值了 USDT,而且这些 USDT 可以正常进行交易。
很遗憾,经过笔者的一番查找发现,网上的很多资料都倾向于描述 USDT 的资本意义,而对于技术上原理的文章却寥寥无几。于是经过一些调查,笔者发现这个漏洞实际上并不能归因于 USDT 本身,而是交易所一方的问题导致。这种漏洞起因可以说非常简单,但一旦利用成功,造成的后果却难以估算。区块链开发中,各种低级错误,诸如大小写拼错导致的智能合约漏洞也是数不胜数(如:http://www.freebuf.com/vuls/175904.html),仅以本文抛砖引玉。本文将回答以下问题:
Unfortunately, as a result of some research, I found that the gap was not actually attributable to the USDT itself, but to the problem on the other side of the exchange. The causes of the gap can be described as simple, but the consequences are difficult to estimate once it has been used. In block chain development, there are numerous low-level errors, such as smart contract loopholes caused by small spelling errors (e.g.: https://github.com/bitcoin/bitcoin/pull/3737)。
In the past year, ETH has received a lot of attention because of its smart contract system, where you can send your first token in 5 minutes, while the issue and transfer of the coin are dependent on smart contracts, and the bottom is the ETH chain. In fact, long before ETH was born, you wanted to do something with the Bitcoin chain. One of the important concepts is: dyeing the currency. Specifically, dyed currency means attaching some information to ordinary bitcoin transactions, recorded by using the bottom infrastructure of Bitcoin. However, the Bitcoin official development team (Core) is controversial in this way, shrunk from 80 bytes to 40 bytes (
Omni Layer 也属于染色币,其核心思想是将 Omni Protocol 层的数据用某种方式写入比特币区块链中,目前在协议定义中有三种,、和 ?。
Omni Layer is also a dye currency whose core idea is to write data from the Omni Protocol layer in some way into the bitcoin block chain, which currently has three in the protocol definition, and?
1. Class A? - 这种方法是利用了比特币每个地址本质上都是大小为 20 bytes 的二进制字符串。先将数据分割成 20 bytes 为一组的数据块,然后使用 Base58 编码作为目标地址发送即可。当然这些被发送的 UTXO 将永远丢失。使用这项技术的还有 cryptograffiti。
1. Class A? - This method uses binary string size 20 bytes for each address in bitcoin. Split the data into 20 bytes as a set of data blocks and send it using Base58 codes as a target address. Of course, these sent UTXOs will be lost forever.
2. Class B? - 这种方法利用了比特币的 multisig ,即多签特性。发送一笔 的多重签名交易(即,n 个地址中,任何一个地址签名即可花费这笔 UTXO)。当前版本的 Omni Layer 协议中最大支持 n=3。
2. Glass B? - This method uses the multi-sign feature of Bitcoin. Sends a multi-signature transaction (i. e. n at an address where the signature of any address costs the UTXO). The largest support in the current Omni Layer protocol is n=3.
3. Class C? - 这种方法则利用了操作码储存数据,目前来看,基本上所有的 Omni layer 层的交易都采用了这种方式。使用这项技术的还有 CoinSpark 。
3. Glass C? - This method uses the code to store data, and currently basically all Omni layer transactions are in this way . CoinSpark also uses this technology.
Omni Protocol 能让用户发行自己的数字资产,其中资产编号为 31 的就是被广泛使用的 USDT 。而日常中,发送 USDT 使用的交易类型是 。
Omni Protocol allows users to distribute their digital assets, of which the asset number 31 is USDT, which is widely used. On a daily basis, the type of transaction used to send USDT is.
下面是对?交易的定义。?
Here's the definition of the transaction.
是一项将 Omni Layer 层中特定的数字资产从原地址转移到目标地址的操作,注意原地址和目标地址均使用比特币的地址。
It is an operation to transfer specific digital assets in the Omni Layer layer from their original address to the target address, bearing in mind that both the original address and the address are in Bitcoin.
可以看到上面的交易并没有任何的余额信息,这就是说,原地址的 Omni Layer 层数字资产,由 Omni Core 自己维护一个额外的账本并校验。
The transactions above do not contain any balance information, which means that the Omni Layer floor digital asset at the original address of is maintained by Omni Core itself and verified by .
Omni core 的实现是遍历交易,自己维护一个 tally map,下图所示是 Omni core 正在逐笔扫描并构建账簿。
Omni core is achieved through transactions and maintains one of its own. The figure below shows that Omni core is scanning and building books on a paper-by-written basis. 
以随机抽取的某笔交易为例(b364bea8e4a9c9aeefda048df6f71dd62dc39d07a2286340e7c83c19b7ffd895):
Take a random sample of a transaction (b364bea8e4a9c9aeefda048df6f71dd62dc39d07a22286340e7c83c19b7ffd895);
输入 (1) 0.00500000 BTC?
Enter (1) 0.005 million BTC?
1NJdUJGCJgZ4YEwthHD1skdHPsr5TxHbpq 0.00500000?
源地址输出 (3) 0.00498879 BTC
Source Address Output (3) 0.00498879 BTC
地址解析失败 - (解码) 0.00000000?
Address parsing failed - (decoding) 0.00000000?
1FoWyxwPXuj4C6abqwhjDWdz6D4PZgYRjA 0.00000546 转账目标
1 FoWyxwPXuj4C6abqwhjDdz6D4PZgyRjA 0.0000546 Transfer Target
1NJdUJGCJgZ4YEwthHD1skdHPsr5TxHbpq 0.00498333 找零
1 NJJJJGCJgZ4YEwthHD1skd HPsr5TxHbpq 0.00498333
其 OP_RETURN 字段为
The OP_RETURN field is
6f6d6e69 0000 0000 0000001f 0000001ac68eac4b
6f6d6e69=> omni
0000=> 版本:0
Version: 0
0000=> 交易类型:Simple Send(0)
> transaction type: Simple Send(0)
0000001f=31=> 货币:USDT
100001f = 31 > Currency: USDT
0000001ac68eac4b=115000388683=1150.00388683=> 转账金额
00001ac68ec4b = 115000388683 = 1150.00388683 > Transfers
与 Omni 浏览器的内容一致。
Consistent with the contents of the Omni browser.
而 Omni 浏览器 中的 Raw Data,则是由 Omni Core 自己根据扫描比特币区块链并重新构筑账本后输出的内容,这其中就有我们今天的主角 了。?
And Raw Data from Omni Browser is the output of Omni Core based on scanning the bitcoin block chain and reconstructing the account book. This is where we're headed today. 
从背景知识中我们可以看出,实际上对于余额的校验是通过客户端来进行的,但很遗憾的是,与比特币不同,Omni Layer 并没有 UTXO 机制,这也就导致了无效交易也能被广播。
From background knowledge, we can see that the verification of the balance is actually through a client, but unfortunately, unlike Bitcoin, Omni Layer does not have a UTXO mechanism, which also results in invalid transactions being broadcast.
正常的转账流程如下:
The normal transfer process is as follows:
用户发起 USDT 转账行为。
User initiates USDT transfers.
Omni Layer 的一个正常实现客户端生成交易。
One of Omni Layer's normal realization client generation transactions.
客户端广播交易。
Client broadcast transactions.
比特币区块链确认交易。
The bitcoin block chain confirms the transaction.
交易所确认交易数足够。
The exchange confirms that the number of transactions is sufficient.
入帐交易所。
Entered into the exchange.
恶意攻击流程如下:
The malicious attack process is as follows:
黑客发起一笔恶意转账行为。
The hacker initiated a malicious transfer.
黑客重新编译客户端,绕过余额检查,或采用其他方式生成恶意交易。
Hackers redraw their clients, bypass balance checks or otherwise generate malicious transactions.
黑客广播恶意交易。
Hackers broadcast malicious deals.
比特币区块链确认交易。
The bitcoin block chain confirms the transaction.
交易所确认交易数足够,没有校验交易合法性。
The exchange confirmed that the number of transactions was sufficient and that the legitimacy of the transactions had not been verified.
入帐交易所。
Entered into the exchange.
黑客提走资产。
The hackers took the assets.
以下几种情况均会导致交易状态不合法:?
All of the following causes the transaction to be illegal:
地址被冻结。
The address is frozen.
交易类型不允许。(目前只有当 property=0 ,即为比特币时会出现这种情况)
The type of transaction is not allowed. (This is currently the case only if it is property=0, i. e. bitcoin)
交易金额超限,或小于零。
The transaction amount is exceeded, or less than zero.
交易资产无效。
Transactional assets are invalid.
余额不足。
Insufficient balance.
对交易合法性的定义在 的中。?
What's the definition of the legitimacy of the transaction?
下面我们亲自来构建一笔恶意交易。
We'll build a bad deal ourselves.
为了方便起见,使用的是 Electrum 轻节点钱包。准备工具:
For convenience, use is the Electrum Light Node Wallet. Preparation tool:
1. 一个有一点余额的比特币钱包
1. A bit of a bitcoin wallet
2. 一笔 Simple Send 的原始 tx
2. An original tx of Simple Send
步骤:
Steps:
先使用 Electrum 发送一笔交易,目标地址随便写一个。
Sends a transaction using Electrum, with a random address.
点击预览交易,将未签名的原始交易复制。
Click to preview the transaction, copy the unsigned original transaction. 
打开工具3
Open Tool 3
把原始交易粘贴上去,复制 JSON 交易。
Paste the original transaction and copy the JSON transaction.
在中 添加如下字段?
Add the following fields in it: 
然后把 JSON 粘贴回去,原始交易粘贴回来,签名广播(工具->加载交易->从文本),搞定。
Then paste the JSON back, paste back the original transaction, sign the broadcast (tool-load the transaction from the text) and do it.
https://www.omniexplorer.info/tx/6791b04ff752bffc9251910fa58bda5c85f28dabb4f2651dd1b9830037a2c1da
凭空产生的 USDT。
It's a vacuum-generated USDT.
当然,之后这笔交易会被判定为 invalid。
Then, of course, the transaction will be judged as invalid. 
本文首先对 USDT 进行了基础建设上的分析,然后讨论了这次漏洞出现的原因,最后,本文复现了被攻击场景。
This paper first examines the infrastructure of the USDT, then discusses the reasons for this gap, and finally reproduces the scene of the attack.
实际上,这个逻辑漏洞的主要原因还是在交易所方面没有做好处理,面对这种涉及到金钱的事情,小心一些总是好的。?
In fact, the main reason for this logical gap is that it has not been dealt with properly at the exchange level, and is it always better to be careful about such money-related matters?
Tether 公司在以太坊上也发行了基于 ERC20 的 USDT,不知道会不会也出现类似的问题。
Tether also published an ERC20-based USDT at Etheria and wondered if similar problems would arise.
*本文原创作者:umiiii,本文属FreeBuf原创奖励计划,未经许可禁止转载
b>* Original author: umiii, this is the FreeBuf original incentive scheme, prohibited from reproducing /span>
without permission
注册有任何问题请添加 微信:MVIP619 拉你进入群
打开微信扫一扫
添加客服
进入交流群
发表评论