Binance BSC Smart Chain token launch tutorial: how to fix the hidden-owner vulnerability flagged by the AVE contract check [PDF + video BSC token launch tutorial download]

Category: Binance BSC
Summary

How to fix the hidden-owner vulnerability flagged by the AVE contract check



I. Overview

After the contract has been deployed and liquidity has been added, running the AVE contract security check reports that the contract has a hidden-owner vulnerability. There are currently two main causes: a hidden owner role, and a second-tier owner privilege:

1. Hidden owner role: after deployment, the setOwner interface can be used to grant the owner role to another address; after contract ownership is renounced, that role still satisfies onlyOwner checks.

2. Second-tier owner privilege: in addition to the owner, the contract introduces a second-tier owner; after contract ownership is renounced, operations that should require onlyOwner can still be carried out through the second-tier owner.

II. Vulnerable contract code

1. The main vulnerable code of the hidden owner role is as follows:

// SPDX-License-Identifier: MIT
pragma solidity ^0.6.12;

import "./Context.sol";

contract Ownable is Context {
    address public _owner;
    // Role flags checked by onlyOwner; a flag persists until it is explicitly cleared
    mapping(address => bool) private _roles;

    event OwnershipTransferred(address indexed previousOwner, address indexed newOwner);

    constructor () internal {
        _owner = _msgSender();
        _roles[_msgSender()] = true;
        emit OwnershipTransferred(address(0), _msgSender());
    }

    function owner() public view returns (address) {
        return _owner;
    }

    // Checks the role mapping, not _owner: any address holding a role passes
    modifier onlyOwner() {
        require(_roles[_msgSender()]);
        _;
    }

    // Only the current _owner's role is cleared; other role holders keep theirs
    function renounceOwnership() public onlyOwner {
        emit OwnershipTransferred(_owner, address(0));
        _roles[_owner] = false;
        _owner = address(0);
    }

    function transferOwnership(address newOwner) public onlyOwner {
        require(newOwner != address(0), "Ownable: new owner is the zero address");
        emit OwnershipTransferred(_owner, newOwner);
        _roles[_owner] = false;
        _roles[newOwner] = true;
        _owner = newOwner;
    }

    // Moves _owner to addr and sets addr's role without clearing the caller's own role
    function setOwner(address addr, bool state) public onlyOwner {
        _owner = addr;
        _roles[addr] = state;
    }

}

After setOwner, subsequent onlyOwner checks verify the role mapping rather than the owner address. Because renounceOwnership only clears the role of the current _owner, any address that held the role before setOwner moved _owner keeps it, which is how a hidden owner is retained.


2. Vulnerable code of the second-tier owner privilege

    // Second-tier check: the funder address passes even after ownership has been renounced
    modifier onlyFunder() {
        require(owner() == msg.sender || fundAddress == msg.sender, "BEP20: caller is not owner or Funder");
        _;
    }

Besides the owner privilege, a funder privilege is retained, the so-called second-tier privilege. After contract ownership is renounced, operations that should require onlyOwner can still be performed through the funder privilege.

III. Fix

Remove the hidden owner role privilege and use the following Ownable contract, which verifies the owner address rather than a role:

// SPDX-License-Identifier: MIT

pragma solidity ^0.8.14;

import "./Context.sol";

contract Ownable is Context {
    address private _owner;

    event OwnershipTransferred(address indexed previousOwner, address indexed newOwner);

    /**
     * @dev Initializes the contract setting the deployer as the initial owner.
     */
    constructor () {
        address msgSender = _msgSender();
        _owner = msgSender;
        emit OwnershipTransferred(address(0), msgSender);
    }

    /**
     * @dev Returns the address of the current owner.
     */
    function owner() public view returns (address) {
        return _owner;
    }

    /**
     * @dev Throws if called by any account other than the owner.
     */
    modifier onlyOwner() {
        require(_owner == _msgSender(), "Ownable: caller is not the owner");
        _;
    }

    /**
     * @dev Leaves the contract without owner. It will not be possible to call
     * `onlyOwner` functions anymore. Can only be called by the current owner.
     *
     * NOTE: Renouncing ownership will leave the contract without an owner,
     * thereby removing any functionality that is only available to the owner.
     */
    function renounceOwnership() public virtual onlyOwner {
        emit OwnershipTransferred(_owner, address(0));
        _owner = address(0);
    }

    /**
     * @dev Transfers ownership of the contract to a new account (`newOwner`).
     * Can only be called by the current owner.
     */
    function transferOwnership(address newOwner) public virtual onlyOwner {
        require(newOwner != address(0), "Ownable: new owner is the zero address");
        emit OwnershipTransferred(_owner, newOwner);
        _owner = newOwner;
    }
}
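To make the difference between the two Ownable variants concrete, here is an added Python model (not the tutorial's code) that mirrors each contract's state logic and replays the sequence from section I: the deployer grants a second owner with setOwner, renounces, then attempts an onlyOwner call. The address strings and the class and function names are constructed for this example.

```python
ZERO = "0x0"  # stands in for address(0)

class VulnerableOwnable:
    # Mirrors the page's first Ownable: onlyOwner checks a _roles mapping, not _owner
    def __init__(self, deployer):
        self._owner = deployer
        self._roles = {deployer: True}

    def only_owner(self, sender):
        if not self._roles.get(sender, False):   # require(_roles[_msgSender()])
            raise PermissionError("caller has no owner role")

    def set_owner(self, sender, addr, state):
        self.only_owner(sender)
        self._owner = addr           # _owner moves, but the caller's own role stays
        self._roles[addr] = state

    def renounce_ownership(self, sender):
        self.only_owner(sender)
        self._roles[self._owner] = False   # only the current _owner loses its role
        self._owner = ZERO

class FixedOwnable:
    # Mirrors the corrected Ownable: onlyOwner compares the caller to _owner itself
    def __init__(self, deployer):
        self._owner = deployer

    def only_owner(self, sender):
        if self._owner != sender:
            raise PermissionError("Ownable: caller is not the owner")

    def renounce_ownership(self, sender):
        self.only_owner(sender)
        self._owner = ZERO

def still_owner_after_renounce(contract_cls):
    """Replay the sequence from the text: the deployer grants a second owner (where
    setOwner exists), renounces, then tries an onlyOwner call once owner() is zero."""
    deployer, planted = "0xDEPLOYER", "0xPLANTED"  # constructed sample addresses
    c = contract_cls(deployer)
    if hasattr(c, "set_owner"):
        c.set_owner(deployer, planted, True)
    c.renounce_ownership(deployer)
    assert c._owner == ZERO              # all that an explorer's owner() view shows
    try:
        c.only_owner(deployer)
        return True                      # hidden owner: deployer still passes onlyOwner
    except PermissionError:
        return False
```

The second-tier funder check from section II.2 is a separate code path that the Ownable replacement alone does not remove; to close it as well, drop the `fundAddress == msg.sender` branch or clear fundAddress when ownership is renounced.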

This completes the procedure for fixing the hidden-owner vulnerability flagged by the AVE contract check.

PDF + video Binance Smart Chain BSC token launch tutorial and multi-mode combined contract source code download:

Binance Smart Chain BSC token launch (contract deployment, source verification, lock-up, LP, parameter configuration, development, troubleshooting, tool usage) tutorial download:


Multi-mode (burn, reflection to a designated marketing address, dividends in the native token or any token, eight-level referral rewards, LP pool dividends, trading dividends, compound dividends, NFT dividends, automatic pool building, dynamic fees, scheduled launch, buyback) combined contract source code download:


PDF + video Binance Smart Chain BSC token launch tutorial and multi-mode combined contract source code download address:


Add us on WeChat (VX) or Telegram for full free online guidance.

Disclaimer:

This article does not represent the position of Zhidian (知点网) and does not constitute investment advice; please treat it with caution. Any losses incurred by users are borne by the users themselves and have nothing to do with Zhidian;

Zhidian makes no commitment or guarantee of any kind regarding the accuracy, authenticity, or any other aspect of the content published on the site;

For all blockchain (derivative) projects mentioned on the site, Zhidian makes no commitment or guarantee of any kind regarding their authenticity, accuracy, or any other aspect;

For all blockchain (derivative) projects mentioned on the site, Zhidian does not offer any investment advice; any losses incurred by users are borne by the users themselves and have nothing to do with Zhidian;

Zhidian Blockchain Research Institute statement: the Institute's content is published by Zhidian and is partly sourced from the internet and from contributions by industry analysts; it represents the independent views of the Institute's affiliated full-time analysts and does not represent the position of Zhidian.

This article is part 167 of 237 in the series: Token Issuance
