\u4ee3\u7406\u8207\u53ef\u5347\u7d1a\u6027\u6f0f\u6d1e\u662f\u6307\u7576\u667a\u80fd\u5408\u7d04\u63a1\u7528\u53ef\u5347\u7d1a\u67b6\u69cb\uff0c\u4f46\u5176\u5347\u7d1a\u8def\u5f91\u3001\u521d\u59cb\u5316\u6a5f\u5236\u6216\u7ba1\u7406\u54e1\u63a7\u5236\u6b0a\u8a2d\u8a08\u4e0d\u826f\u6216\u914d\u7f6e\u932f\u8aa4\u6642\u6240\u7522\u751f\u7684\u6f0f\u6d1e\u3002\u653b\u64ca\u8005\u53ef\u4ee5\u52ab\u6301\u4ee3\u7406\u7ba1\u7406\u54e1\u6216\u5347\u7d1a\u89d2\u8272\uff0c\u9032\u800c\u90e8\u7f72\u60e1\u610f\u7684\u5be6\u4f5c\u5408\u7d04\u3001\u91cd\u65b0\u521d\u59cb\u5316\u5408\u7d04\u4ee5\u596a\u53d6\u6240\u6709\u6b0a\uff0c\u6216\u662f\u7e5e\u904e\u521d\u59cb\u5316\u8207\u9077\u79fb\u6b65\u9a5f\u4e2d\u7684\u95dc\u9375\u6aa2\u67e5\u3002<\/p>\n\n\n\n
\u9019\u985e\u6f0f\u6d1e\u6703\u5f71\u97ff\u6240\u6709\u4f7f\u7528\u53ef\u5347\u7d1a\u67b6\u69cb\u7684\u5408\u7d04\u985e\u578b\uff0c\u5305\u62ec\uff1a<\/p>\n\n\n\n
\u5e38\u898b\u7684\u5347\u7d1a\u6a21\u5f0f\u5305\u62ec\u900f\u660e\u4ee3\u7406\uff08Transparent Proxy\uff09\u3001UUPS\uff08EIP-1822\uff09\u3001\u4fe1\u6a19\u4ee3\u7406\uff08Beacon Proxy\uff09\u4ee5\u53ca\u81ea\u5b9a\u7fa9\u7684\u300c\u8def\u7531\u2014\u5be6\u4f5c\uff08Router-Implementation\uff09\u300d\u8a2d\u8a08\u3002\u5728\u975e EVM \u93c8\u4e0a\uff08\u4f8b\u5982 Move \u6a21\u7d44\u3001Solana \u7684\u7a0b\u5e8f\u5347\u7d1a\uff09\uff0c\u4e5f\u5b58\u5728\u985e\u4f3c\u7684\u5347\u7d1a\u6a5f\u5236\uff0c\u4e14\u540c\u6a23\u9762\u81e8\u8457\u9ad8\u5ea6\u4fe1\u4efb\u8207\u521d\u59cb\u5316\u5931\u6548\u7684\u98a8\u96aa\u3002<\/p>\n\n\n\n
\u5340\u584a\u93c8\u4e0a\u7684\u667a\u6167\u5408\u7d04\u4e00\u65e6\u90e8\u7f72\u5c31\u7121\u6cd5\u4fee\u6539\uff08Immutable\uff09<\/strong>\u3002\u4f46\u5c08\u6848\u9700\u8981\u66f4\u65b0\u529f\u80fd\u6216\u4fee\u5fa9 Bug \u600e\u9ebc\u8fa6\uff1f\u958b\u767c\u8005\u65bc\u662f\u767c\u660e\u4e86\u4ee3\u7406\u6a21\u5f0f\uff08Proxy Pattern\uff09<\/strong>\u3002<\/p>\n\n\n\n \u4f60\u53ef\u4ee5\u628a\u9019\u60f3\u50cf\u6210\u958b\u4e00\u5bb6\u9910\u5ef3<\/strong>\uff1a<\/p>\n\n\n\n \u5169\u8005\u4e4b\u9593\u6e9d\u901a\u7684\u6a4b\u6a11\u53eb\u505a <\/p>\n\n\n\n <\/p>\n\n\n\n <\/p>\n\n\n\n \u9019\u4e9b\u554f\u984c\uff08\u4ee3\u7406\u8207\u5347\u7d1a\u6f0f\u6d1e\uff09\u5728\u6280\u8853\u672c\u8cea\u4e0a\uff0c\u5f80\u5f80\u8ddf\u300e\u5b58\u53d6\u63a7\u5236\uff08Access Control\uff09\u300f\u662f\u91cd\u758a\u7684\uff1b\u4f46\u56e0\u70ba\u4ee3\u7406\u8207\u5347\u7d1a\u6a5f\u5236\u51fa\u932f\u6642\uff0c\u6703\u5c0d\u6574\u500b\u7cfb\u7d71\u9020\u6210\u300e\u6bc0\u6ec5\u6027\u7684\u9023\u5e36\u6253\u64ca\uff08Systemic Impact\uff09\u300f\uff0c\u6240\u4ee5\u5fc5\u9808\u628a\u5b83\u5011\u62c9\u51fa\u4f86\uff0c\u7576\u4f5c\u4e00\u500b\u7368\u7acb\u7684\u5927\u985e\u5225\u4f86\u56b4\u8085\u5c0d\u5f85\u3002<\/p>\n\n\n\n <\/p>\n\n\n\n \u4ee5\u4e0b\u662f\u4e00\u500b\u5b58\u5728\u6f0f\u6d1e\u7684\u667a\u80fd\u5408\u7d04\u7bc4\u4f8b\uff1a<\/p>\n\n\n\n \u9664\u4e86\u6b0a\u9650\u5927\u958b\u4e4b\u5916\uff0c\u9019\u500b\u51fd\u6578\u5c0d\u50b3\u5165\u7684 \u4ee5\u4e0b\u662f\u4e00\u500b\u5b58\u5728\u6f0f\u6d1e\u7684\u667a\u80fd\u5408\u7d04\u7bc4\u4f8b\uff1a<\/p>\n\n\n\n \u958b\u767c\u8005\u77e5\u9053\u5728\u53ef\u5347\u7d1a\u67b6\u69cb\u4e2d\uff0c\u4ee3\u7406\u5408\u7d04\uff08Proxy\uff09\u7121\u6cd5\u8b80\u53d6\u5be6\u4f5c\u5408\u7d04\uff08Implementation\uff09\u7684 \u958b\u767c\u8005\u9810\u671f\u7684\u5b89\u5168\u90e8\u7f72\u8173\u672c\uff08Script\uff09\u662f\u9019\u6a23\u7684\uff1a<\/p>\n\n\n\n \u958b\u767c\u8005\u5929\u771f\u5730\u4ee5\u70ba\uff1a\u300c\u53cd\u6b63\u6211\u90e8\u7f72\u5b8c\u5c31\u300e\u99ac\u4e0a\u300f\u547c\u53eb\u4e86\uff0c\u53ea\u8981\u6211\u624b\u8173\u5920\u5feb\u628a \u5340\u584a\u93c8\u662f\u4e00\u500b\u300c\u9ed1\u6697\u68ee\u6797\u300d\uff0c\u99ed\u5ba2\u7d55\u5c0d\u4e0d\u6703\u8ddf\u958b\u767c\u8005\u6bd4\u624b\u901f\uff0c\u4ed6\u5011\u4f7f\u7528\u7684\u662f\u81ea\u52d5\u5316\u76e3\u63a7\u6a5f\u5668\u4eba\uff08Mempool Sniffer\uff09\u8207Front-running\u624b\u6bb5\u3002<\/p>\n\n\n\n \u5982\u679c\u958b\u767c\u8005\u904b\u6c23\u597d\uff0c\u6b65\u9a5f C \u6210\u529f\u4e86\uff0c\u4ee3\u7406\u5408\u7d04\uff08Proxy\uff09\u88e1\u7684 <\/p>\n\n\n\n \u653b\u64ca\u8005\u5229\u7528\u4e86\u672a\u521d\u59cb\u5316\u7684 ERC1967 \u4ee3\u7406\u5408\u7d04\u3002\u4ed6\u5011\u5075\u6e2c\u5230\u525b\u90e8\u7f72\u3001\u4f46\u5c1a\u672a\u88ab\u6b63\u78ba\u521d\u59cb\u5316\u7684\u4ee3\u7406\u5408\u7d04\uff0c\u96a8\u5f8c\u76f4\u63a5\u5c0d\u5176\u9032\u884c\u521d\u59cb\u5316\uff0c\u4e26\u6307\u5411\u5305\u542b\u300c\u6f5b\u4f0f\u5f8c\u9580\uff08Dormant Backdoors\uff09\u300d\u7684\u60e1\u610f\u5be6\u4f5c\u5408\u7d04\u3002\u5e7e\u500b\u6708\u5f8c\uff0c\u653b\u64ca\u8005\u555f\u52d5\u4e86\u8a72\u5f8c\u9580\uff0c\u5c07\u4ee3\u7406\u5408\u7d04\u5347\u7d1a\u70ba\u60e1\u610f\u7a0b\u5f0f\u78bc\uff0c\u4e26\u76f4\u63a5\u9444\u9020\uff08Mint\uff09\u5927\u91cf\u7684 K \u4ee3\u5e63\uff0c\u85c9\u6b64\u6372\u8d70 155 \u842c\u7f8e\u5143\u3002\u8a72\u6f0f\u6d1e\u7684\u6838\u5fc3\u5728\u65bc\uff1a\u672a\u53d7\u4fdd\u8b77\u7684\u521d\u59cb\u5316\u6a5f\u5236\uff0c\u5141\u8a31\u4efb\u4f55\u4eba\u90fd\u80fd\u76f4\u63a5\u6210\u70ba\u8a72\u4ee3\u7406\u5408\u7d04\u7684\u7ba1\u7406\u54e1\uff08Proxy Admin\uff09\u3002<\/p>\n\n\n\n \u9019\u662f\u4e00\u5834\u91dd\u5c0d\u591a\u689d EVM \u76f8\u5bb9\u93c8\u4e0a\u3001\u591a\u500b\u672a\u521d\u59cb\u5316 ERC1967 \u4ee3\u7406\u5408\u7d04\u6240\u5c55\u958b\u7684\u5927\u898f\u6a21\u7121\u5dee\u5225\u653b\u64ca\u6d3b\u52d5\u3002\u653b\u64ca\u8005\u5229\u7528\u81ea\u52d5\u5316\u6383\u63cf\u5668\uff0c\u5c08\u9580\u5728\u6b63\u7d71\u958b\u767c\u8005\u4f86\u5f97\u53ca\u547c\u53eb\u521d\u59cb\u5316\u4e4b\u524d\uff0c\u52ab\u6301\u4e26\u5075\u6e2c\u525b\u90e8\u7f72\u597d\u7684\u4ee3\u7406\u5408\u7d04\uff0c\u96a8\u5f8c\u7528\u60e1\u610f\u7684\u5be6\u4f5c\u5408\u7d04\u6436\u5148\u5b8c\u6210\u521d\u59cb\u5316\u3002\u9019\u4e9b\u57cb\u5165\u7684\u6697\u9580\u5728\u5408\u7d04\u4e2d\u6f5b\u4f0f\u4e86\u6578\u500b\u6708\uff0c\u6210\u529f\u898f\u907f\u4e86\u5e38\u898f\u7684\u7a0b\u5f0f\u78bc\u5be9\u8a08\uff08Audits\uff09\u3002\u7576\u6697\u9580\u88ab\u6fc0\u6d3b\u6642\uff0c\u653b\u64ca\u8005\u4fbf\u80fd\u76f4\u63a5\u5347\u7d1a\u9019\u4e9b\u4ee3\u7406\u5408\u7d04\u4e26\u5c07\u88e1\u9762\u7684\u8cc7\u91d1\u5168\u6578\u638f\u7a7a\u3002<\/p>\n","protected":false},"excerpt":{"rendered":" \u4ee3\u7406\u8207\u53ef\u5347\u7d1a\u6027\u6f0f\u6d1e\u662f\u6307\uff1a\u7576\u667a\u80fd\u5408\u7d04\u63a1\u7528\u53ef\u5347\u7d1a\u67b6\u69cb\uff0c\u4f46\u5176\u5347\u7d1a\u8def\u5f91\u3001\u521d\u59cb\u5316\u6a5f\u5236\u6216\u7ba1\u7406\u54e1\u63a7\u5236\u6b0a\u8a2d\u8a08\u4e0d\u826f\u6216\u914d\u7f6e\u932f\u8aa4\u6642\u6240\u7522\u751f\u7684\u6f0f\u6d1e\u3002\u653b\u64ca\u8005\u53ef\u4ee5\u52ab\u6301\u4ee3\u7406\u7ba1\u7406\u54e1\u6216\u5347\u7d1a\u89d2\u8272\uff0c\u9032\u800c\u90e8\u7f72\u60e1\u610f\u7684\u5be6\u4f5c\u5408\u7d04\u3001\u91cd\u65b0\u521d\u59cb\u5316\u5408\u7d04\u4ee5\u596a\u53d6\u6240\u6709\u6b0a\uff0c\u6216\u662f\u7e5e\u904e\u521d\u59cb\u5316\u8207\u9077\u79fb\u6b65\u9a5f\u4e2d\u7684\u95dc\u9375\u6aa2\u67e5\u3002<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[371],"tags":[],"class_list":["post-3157","post","type-post","status-publish","format-standard","hentry","category-blockchain-security"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/3157","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=3157"}],"version-history":[{"count":5,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/3157\/revisions"}],"predecessor-version":[{"id":3163,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/3157\/revisions\/3163"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=3157"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=3157"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=3157"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}\n
delegatecall<\/code>\uff08\u59d4\u8a17\u8abf\u7528\uff09\u3002\u9019\u662f\u4e00\u7a2e\u7279\u6b8a\u7684\u7a0b\u5f0f\u78bc\u8abf\u7528\u65b9\u5f0f\uff1a\u57f7\u884c\u300c\u65b0\u5eda\u5e2b\u300d\u7684\u7a0b\u5f0f\u78bc\uff0c\u4f46\u6263\u9322\u548c\u8a18\u5e33\u90fd\u5728\u300c\u5e97\u9762\uff08Proxy\uff09\u300d\u7684\u5e33\u672c\u4e0a\u3002<\/strong><\/p>\n\n\n\n
\n\n\n\n\u6f0f\u6d1e\u5bb9\u6613\u767c\u751f\u7684\u5730\u65b9 <\/h2>\n\n\n\n
1. Upgrade and admin roles<\/h3>\n\n\n\n
\n
\n
2. Initialization and re-initialization<\/h3>\n\n\n\n
\n
constructor<\/code> \u5728\u90e8\u7f72\u6642\u53ea\u6703\u5f71\u97ff\u5b83\u81ea\u5df1\u7684\u74b0\u5883\uff0c\u7121\u6cd5\u6539\u8b8a Proxy \u7684\u72c0\u614b\u3002\u56e0\u6b64\uff0cProxy \u5fc5\u9808\u4f9d\u8cf4\u4e00\u500b\u666e\u901a\u7684\u51fd\u6578\uff08\u901a\u5e38\u53eb initialize()<\/code>\uff09\u4f86\u8a2d\u5b9a\u521d\u59cb\u72c0\u614b\uff08\u5982 Owner\u3001\u4ee3\u5e63\u7e3d\u91cf\uff09\u3002<\/li>\n\n\n\n\n
initializer<\/code> \u4fee\u98fe\u7b26\uff0c\u78ba\u4fdd\u8a72\u51fd\u6578\u53ea\u80fd\u88ab\u547c\u53eb\u4e00\u6b21<\/strong>\u3002<\/li>\n\n\n\nreinitializer(2)<\/code>\u3002\u5982\u679c\u9019\u4e9b\u5347\u7d1a\u521d\u59cb\u5316\u51fd\u6578\u6c92\u6709\u505a\u597d\u7248\u672c\u63a7\u5236\u6216\u6b0a\u9650\u6aa2\u67e5\uff0c\u5c31\u6703\u7559\u4e0b\u7834\u7dbb\u3002<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n3. Proxy delegation<\/h3>\n\n\n\n
\n
delegatecall<\/code> \u7684\u904b\u4f5c\u8108\u7d61\uff08Context\uff09\u3002<\/li>\n\n\n\n\n
delegatecall<\/code> B \u5408\u7d04\u6642\uff0c\u7a0b\u5f0f\u78bc\u96d6\u7136\u662f B \u7684\uff0c\u4f46\u57f7\u884c\u74b0\u5883\uff08Storage\u3001Balances\u3001msg.sender\u3001msg.value\uff09\u5168\u90e8\u90fd\u5728 A \u5408\u7d04\u4e2d\u3002<\/li>\n\n\n\nmsg.sender<\/code> \u662f\u4f7f\u7528\u8005\u3002Proxy \u900f\u904e delegatecall<\/code> \u547c\u53eb Implementation\uff0c\u6b64\u6642\u5728 Implementation \u7684\u7a0b\u5f0f\u78bc\u88e1\uff0cmsg.sender<\/code> \u4f9d\u7136\u662f\u4f7f\u7528\u8005\uff0c\u800c\u4e0d\u662f Proxy\u3002\u5982\u679c\u958b\u767c\u8005\u8aa4\u4ee5\u70ba msg.sender<\/code> \u662f Proxy\uff0c\u5c31\u6703\u5c0e\u81f4\u6b0a\u9650\u908f\u8f2f\u5927\u4e82\u3002<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n4. Storage layout<\/h3>\n\n\n\n
\n
\n
_implementation<\/code>\uff08\u8a18\u9304\u76ee\u524d\u5f8c\u7aef\u5730\u5740\uff09\u3002\u5982\u679c\u9019\u500b\u8b8a\u6578\u4e0d\u5c0f\u5fc3\u8ddf Implementation \u5408\u7d04\u7684\u67d0\u500b\u696d\u52d9\u8b8a\u6578\uff08\u4f8b\u5982 owner<\/code> \u6216 balance<\/code>\uff09\u4f54\u7528\u4e86\u540c\u4e00\u500b Slot \u7de8\u865f\uff0c\u5169\u8005\u5c31\u6703\u4e92\u76f8\u8986\u84cb\u3002<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n5. Timelocks and governance<\/h3>\n\n\n\n
\n
\n
\n\n\n\n\u5e38\u898b\u653b\u64ca\u65b9\u6cd5 <\/h2>\n\n\n\n
1. Unprotected upgrade functions<\/h3>\n\n\n\n
\n
upgradeTo()<\/code> \u6216 upgradeToAndCall()<\/code> \u51fd\u6578\u6642\uff0c\u5fd8\u8a18\u52a0\u4e0a onlyOwner<\/code> \u6216\u6b0a\u9650\u6aa2\u67e5\u4fee\u98fe\u7b26\u3002<\/li>\n\n\n\nwithdrawAll()<\/code> \u51fd\u6578\u628a Proxy \u88e1\u5132\u5b58\u7684\u6240\u6709\u8cc7\u7522\uff08DeFi \u8cc7\u91d1\u6c60\u88e1\u7684\u9322\uff09\u5168\u90e8\u63d0\u8d70\u3002<\/li>\n<\/ul>\n\n\n\n2. Re-initialization<\/h3>\n\n\n\n
\n
initializeV2()<\/code>\uff09\uff0c\u4f46\u6c92\u6709\u6b63\u78ba\u9650\u5236\u53ea\u6709 Admin \u80fd\u547c\u53eb\uff0c\u6216\u8005\u6c92\u6709\u7d81\u5b9a\u6b63\u78ba\u7684\u521d\u59cb\u5316\u7248\u672c\u865f\u3002<\/li>\n\n\n\nowner<\/code> \u5730\u5740\uff0c\u5c07\u5408\u7d04\u6240\u6709\u6b0a\u8b8a\u66f4\u70ba\u81ea\u5df1\uff0c\u96a8\u5f8c\u638c\u63a7\u6574\u500b\u5354\u8b70\u3002<\/li>\n<\/ul>\n\n\n\n3. Initialization through delegatecall<\/h3>\n\n\n\n
\n
delegatecall<\/code> \u53bb\u57f7\u884c\u65b0\u5408\u7d04\u7684\u521d\u59cb\u5316\u908f\u8f2f\uff08\u5373 upgradeToAndCall(impl, data)<\/code>\uff09\u3002<\/li>\n\n\n\ndata<\/code>\uff08\u60e1\u610f\u53c3\u6578\uff09\u3002\u56e0\u70ba\u662f\u4ee5 delegatecall<\/code> \u57f7\u884c\uff0c\u653b\u64ca\u8005\u50b3\u5165\u7684\u53c3\u6578\u53ef\u4ee5\u76f4\u63a5\u7ac4\u6539 Proxy \u5408\u7d04\u6838\u5fc3\u5132\u5b58\u5340\uff08Storage\uff09\u7684\u4efb\u4f55\u8cc7\u6599\uff0c\u5305\u542b\u76f4\u63a5\u6539\u5beb\u7ba1\u7406\u54e1\u6b0a\u9650\u6216\u8cc7\u7522\u6b78\u5c6c\u3002<\/li>\n<\/ul>\n\n\n\n4. Storage collision leading to overwrites<\/h3>\n\n\n\n
\n
admin<\/code> \u7684\u5730\u5740\u3002\u653b\u64ca\u8005\u900f\u904e\u9019\u7a2e\u300c\u9694\u5c71\u6253\u725b\u300d\u7684\u65b9\u5f0f\uff0c\u5229\u7528\u5408\u7d04\u81ea\u8eab\u7684\u908f\u8f2f\u628a Slot 0 \u6539\u6210\u4e86\u81ea\u5df1\u7684\u5730\u5740\uff0c\u5e73\u767d\u7121\u6545\u8b8a\u6210\u4e86\u5408\u7d04\u7684\u7ba1\u7406\u54e1\u3002<\/li>\n<\/ul>\n\n\n\n
\n\n\n\n\u6f0f\u6d1e\u7bc4\u4f8b<\/h2>\n\n\n\n
Vulnerable Upgradeable Proxy Admin <\/h3>\n\n\n\n
\/\/ SPDX-License-Identifier: MIT\npragma solidity ^0.8.20;\n\ncontract VulnerableProxyAdmin {\n address public admin;\n address public implementation;\n\n constructor(address _implementation) {\n \/\/ Critical: no way to set custom admin; implicitly trusts deployer logic\n admin = msg.sender;\n implementation = _implementation;\n }\n\n function upgrade(address newImplementation) external {\n \/\/ Missing: access control (only admin) and sanity checks\n implementation = newImplementation;\n }\n}<\/code><\/pre>\n\n\n\n\u6f0f\u6d1e\u5206\u6790<\/strong>\uff1a<\/h3>\n\n\n\n
1.\u5347\u7d1a\u51fd\u6578\u5b8c\u5168\u6c92\u6709\u6b0a\u9650\u63a7\u5236\uff08No access control on upgrade\uff09<\/h4>\n\n\n\n
\n
admin<\/code>\uff08\u7ba1\u7406\u54e1\uff09\u53ef\u4ee5\u66f4\u63db\u65b0\u5eda\u5e2b\uff08Implementation\uff09\u300d\u3002<\/li>\n\n\n\nexternal<\/code>\uff08\u516c\u958b\u8abf\u7528\uff09\uff0c\u5b8c\u5168\u6c92\u6709\u52a0\u4e0a require(msg.sender == admin, \"Not admin\");<\/code> \u6216\u8005\u662f OpenZeppelin \u7684 onlyOwner<\/code> \u4fee\u98fe\u7b26\u3002<\/li>\n\n\n\nupgrade(malicious contract address)<\/code>\u3002\u5f9e\u9019\u4e00\u79d2\u958b\u59cb\uff0c\u9019\u500b\u4ee3\u7406\u7cfb\u7d71\u5c31\u88ab\u9ed1\u5ba2\u5168\u9762\u63a5\u7ba1\u4e86\u3002<\/li>\n<\/ul>\n\n\n\n2.\u5b8c\u5168\u6c92\u6709\u5c0d\u65b0\u5730\u5740\u505a\u5b89\u5168\u6aa2\u67e5\uff08No checks on newImplementation\uff09<\/h4>\n\n\n\n
newImplementation<\/code>\uff08\u65b0\u5408\u7d04\u5730\u5740\uff09\u63a1\u53d6\u300c\u5b8c\u5168\u4fe1\u4efb\u300d\u7684\u614b\u5ea6\uff0c\u9019\u6703\u5f15\u767c\u4ee5\u4e0b\u5e7e\u7a2e\u707d\u96e3\uff1a<\/p>\n\n\n\n\n
upgrade(0x0000000000000000000000000000000000000000)<\/code>\uff08\u50b3\u5165\u7a7a\u5730\u5740\uff09\u3002\u5408\u7d04\u6703\u76f4\u63a5\u6307\u5411\u4e00\u500b\u4e0d\u5b58\u5728\u7684\u5730\u65b9\u3002\u4e00\u65e6\u6307\u5411\u96f6\u5730\u5740\uff0c\u5f8c\u7e8c\u6240\u6709\u900f\u904e\u9019\u500b Proxy \u9032\u884c\u7684\u4ea4\u6613\u90fd\u6703\u76f4\u63a5\u5931\u6557\uff0c\u9019\u7b49\u540c\u65bc\u76f4\u63a5\u628a\u5408\u7d04\u7d66\u300c\u8b8a\u78da\uff08Brick\uff09\u300d\u3001\u8cc7\u7522\u6c38\u4e45\u9396\u6b7b\u3002<\/li>\n\n\n\nproxiableUUID()<\/code> \u6aa2\u67e5\uff09\u6703\u53bb\u9a57\u8b49\u300c\u65b0\u5730\u5740\u5230\u5e95\u662f\u4e0d\u662f\u4e00\u500b\u771f\u6b63\u76f8\u5bb9\u7684\u667a\u6167\u5408\u7d04\u300d\u3002\u5982\u679c\u96a8\u4fbf\u50b3\u5165\u4e00\u500b\u666e\u901a\u7684\u9322\u5305\u5730\u5740\uff08EOA\uff09\uff0c\u6216\u8005\u662f\u529f\u80fd\u5b8c\u5168\u4e0d\u642d\u560e\u7684\u5408\u7d04\uff0cProxy \u8f49\u767c\u904e\u53bb\u5f8c\u5c31\u6703\u56e0\u70ba\u627e\u4e0d\u5230\u5c0d\u61c9\u7684\u51fd\u6578\u800c\u76f4\u63a5\u5d29\u6f70\u3002<\/li>\n<\/ul>\n\n\n\n
\n\n\n\nInitialization & Re-Initialization Risks<\/h3>\n\n\n\n
\/\/ SPDX-License-Identifier: MIT\npragma solidity ^0.8.20;\n\ncontract VulnerableLogic {\n address public owner;\n\n \/\/ Missing initializer guard\n function initialize(address _owner) external {\n owner = _owner;\n }\n}<\/code><\/pre>\n\n\n\n\u6f0f\u6d1e\u5206\u6790<\/strong>\uff1a<\/h3>\n\n\n\n
\u958b\u767c\u8005\u7684\u9810\u671f\u908f\u8f2f<\/h4>\n\n\n\n
constructor<\/code>\u3002\u6240\u4ee5\u4ed6\u60f3\uff1a\u300c\u90a3\u6211\u5c31\u5beb\u4e00\u500b\u666e\u901a\u7684\u51fd\u6578\u53eb initialize<\/code>\uff0c\u4f86\u624b\u52d5\u7576\u4f5c\u5efa\u69cb\u51fd\u6578\u4f7f\u7528\u3002\u300d<\/p>\n\n\n\n\n
VulnerableLogic<\/code>\u3002<\/li>\n\n\n\nProxy<\/code>\uff0c\u4e26\u5c07\u5167\u90e8\u6307\u91dd\u6307\u5411 VulnerableLogic<\/code>\u3002<\/li>\n\n\n\nProxy.initialize(owner address)<\/code>\u3002<\/li>\n<\/ul>\n\n\n\nowner<\/code> \u6539\u6210\u6211\uff0c\u9019\u5bb6\u5e97\u4ee5\u5f8c\u5c31\u662f\u6211\u7684\u4e86\uff0c\u8def\u4eba\u5c31\u7b97\u60f3\u547c\u53eb\u4e5f\u53ea\u662f\u5e6b\u6211\u91cd\u65b0\u8a2d\u5b9a\u4e00\u6b21\u800c\u5df2\uff0c\u6c92\u5dee\u5427\uff1f\u300d<\/p>\n\n\n\n\u653b\u64ca\u624b\u6cd5 <\/h4>\n\n\n\n
\n
\n
initialize(owner address)<\/code> \u7684\u4ea4\u6613\u6642\uff0c\u99ed\u5ba2\u7684\u6a5f\u5668\u4eba\u77ac\u9593\u5075\u6e2c\u5230\u4e86\u3002<\/li>\n\n\n\nProxy.initialize(hacker address)<\/code>\uff0c\u4f46\u662f\u7d66\u51fa\u6975\u9ad8\u7684\u624b\u7e8c\u8cbb\uff08Gas Fee\uff09\u3002<\/li>\n\n\n\nowner<\/code> \u88ab\u5beb\u6210\u4e86\u99ed\u5ba2\u3002\u4e00\u79d2\u5f8c\uff0c\u958b\u767c\u8005\u7684\u4ea4\u6613\u624d\u57f7\u884c\uff0c\u6b64\u6642\u53ef\u80fd\u56e0\u70ba\u908f\u8f2f\u885d\u7a81\u5931\u6557\uff0c\u6216\u8005\u958b\u767c\u8005\u53ea\u662f\u50bb\u50bb\u5730\u628a owner<\/code> \u91cd\u65b0\u5beb\u4e86\u4e00\u6b21\uff08\u4f46\u6b64\u6642\u5408\u7d04\u5167\u7684\u6700\u9ad8\u7ba1\u7406\u54e1\u5df2\u7d93\u88ab\u5b9a\u6027\u70ba\u99ed\u5ba2\u7684\u773c\u7dda\u4e86\uff09\u3002<\/li>\n<\/ol>\n\n\n\n\n
owner<\/code> \u78ba\u5be6\u8b8a\u6210\u4e86\u958b\u767c\u8005\u3002\u4f46\u4e0d\u4ee3\u8868\u9019\u6a23\u5c31\u5b89\u5168\uff0c\u99ed\u5ba2\u6703\u8f49\u5411\u53bb\u653b\u64ca\u90a3\u500b\u55ae\u7368\u8eba\u5728\u93c8\u4e0a\u7684\u300c\u5be6\u4f5c\u5408\u7d04\uff08VulnerableLogic\uff09\u672c\u8eab\u300d\u3002<\/p>\n\n\n\n\n
owner<\/code> \u88ab\u8a2d\u5b9a\u4e86\uff0c\u4f46\u662f\u5be6\u4f5c\u5408\u7d04\uff08VulnerableLogic\uff09\u81ea\u5df1\u672c\u9ad4\u88e1\u9762\u7684 owner<\/code> \u8b8a\u6578\u4f9d\u7136\u662f\u7a7a\u767d\u7684\uff080x000…\uff09\uff01<\/li>\n\n\n\ninitialize(hacker address)<\/code>\u3002\u9019\u6642\u5019\uff0c\u99ed\u5ba2\u8b8a\u6210\u4e86\u5be6\u4f5c\u5408\u7d04\u672c\u9ad4\u7684 owner<\/code>\u3002<\/li>\n\n\n\nselfdestruct<\/code>\uff08\u81ea\u6bc0\uff09\u7684\u908f\u8f2f\u3002\u8eab\u70ba\u5be6\u4f5c\u5408\u7d04 Owner \u7684\u99ed\u5ba2\uff0c\u53ef\u4ee5\u76f4\u63a5\u4e0b\u9054\u81ea\u6bc0\u6307\u4ee4\uff0c\u628a\u5be6\u4f5c\u5408\u7d04\u672c\u9ad4\u7684\u7a0b\u5f0f\u78bc\u5f9e\u5340\u584a\u93c8\u4e0a\u62b9\u9664\u3002<\/li>\n\n\n\n
\n\n\n\n2025 Case Studies<\/h2>\n\n\n\n
Kinto \u5354\u8b70\u906d\u99ed\u4e8b\u4ef6\uff082025 \u5e74 7 \u6708\uff0c\u640d\u5931 155 \u842c\u7f8e\u5143\uff09<\/h3>\n\n\n\n
\u5168\u57df\u672a\u521d\u59cb\u5316\u4ee3\u7406\u9023\u74b0\u653b\u64ca\uff082025 \u5e74\uff0c\u5168\u7db2\u5354\u8b70\u640d\u5931\u8d85\u904e 1,000 \u842c\u7f8e\u5143\uff09<\/h3>\n\n\n\n