decred.org/dcrdex@v1.0.5/dex/testing/eth/reentryattack/README.md

## Reentry Attack Proof-of-Concept and Avoidance

The proof-of-concept Solidity contracts are no longer in the repository, but
they may be found at the following past revisions:

- https://github.com/decred/dcrdex/blob/5632a241faaa1d0ef25505731284337cbd29096d/dex/testing/eth/reentryattack/ReentryAttack.sol
- https://github.com/decred/dcrdex/blob/5632a241faaa1d0ef25505731284337cbd29096d/dex/testing/eth/reentryattack/VulnerableToReentryAttack.sol

## Contract Creation

Have `solc` and `abigen` installed on your system and run from this directory:

```sh
solc --combined-json abi,bin --optimize --overwrite ReentryAttack.sol -o .
abigen --combined-json combined.json --pkg reentryattack --out ./contract.go
rm combined.json
```

## Reentry Contract Usage

In order to see the effects of a reentry attack on a vulnerable contract,
VulnerableToReentryAttack.sol can be used.

NOTE: The contract interface is no longer compatible with the
dex/networks/eth/contracts/v0 API, so the following substitution of the
ETHSwapV0 bytecode with the vulnerable contract's code will not work without
updating the vulnerable "ETHSwap" contract.

```sh
solc --combined-json abi,bin --optimize --overwrite VulnerableToReentryAttack.sol -o .
abigen --combined-json combined.json --pkg v0 --out ../../../dex/networks/eth/contracts/v0/contract.go
rm combined.json
```

Then, the contract's hex in the newly created contract.go file must be used in
the harness, which deploys the contract used for testing, by replacing the hex
there and restarting the harness.

Finally, the harness tests in client/asset/eth contain a test that should fail
and show that indeed funds can be siphoned from the vulnerable contract.