Cross chain re -creation attacks are used to call smart contract functions across different chains and cause money loss in smart contracts. Learn more about this vulnerabilities for example to keep the code open to the attacker.
Vulnerability
The events emitted from the inappropriate position of the code can create a crosschain re -creation vulnerability. These events are still incomplete in the original chain, but can be used to trigger the calls of other chains. You can find an example code to run in the environment.
Example contract
This is an example of a vulnerable contract. You can place it in multiple chains. Meeting only one designated chain while enabling transmission tokens between chains. This means only one token of the same tokenId It must exist in several chains.
By phone crossChainTransfer Function, users can transfer tokens. This burns the token in the source chain. Movement emits messages relayed by the validated test machine off chain. Then this validation machine calls the function of the target chain to finish the designated token. tokenId.
Attack example
The vulnerability is in the mining process. There is an external call when warning _safeMint Check the possibility of locked tokens. yes, tokenIds++; later _safeMint Function call.
Attackers can exploit it by performing:
While in an external call, that is onERC721Received Functions, they can call crossChainTransfer Function and phone mint again.
This creates a situation tokenIds++; Run twice to make the same tokenId Tokens in various chains.
Attacker
Wake code
In the test environment, there are two chains: chain1 and chain2. at test_expected_usage Functions, we are sending tokens from Chain 1 to Chain2 via the relay. The relay captures the events emitted from the chain1 and delivers the event to Chain2 by message. This call is only allowed by an effective test device, so it is used to use it through the validation test of each chain using use. from_=validator_chain1 etc.
Wake output
We can make the same tokenId Two chains tokens.
prevention
Inspection effect interaction
This preventive method allows the status change to be completed before the external call.
Re -creation guard
REENTRANTRANTRANTRANCY Guards offers additional protection for this type of attack.
Post -call verification
You can check the value tokenIds after _safeMint The function call is completed and the transaction is reversed tokenIds Although unexpectedly changed, this approach adds complexity.
conclusion
It is important to recognize the external call of the function. Because they make a door for re -creation attacks. Always consider which features can be triggered during these external calls.
For more examples, read the reentrancy example GitHub repository. There are other types of re -creation attacks and protocol re -opening, and blogs have a deep dive for some of them.
