add Proof of Weak Hands Coin

Author: MikeSpa

ProofofWeakHandsCoin/Analysis.md

@@ -0,0 +1,125 @@
+# Analysis of the Proof of Weak Hands Coin ponzi hack
+4chan decided to create a crypto ponzi scheme, which was advertised as such, and obviously it worked well. In only three days it had over 1,000 ETH, but an underflow vulnerability allowed someone to withdraw 866 ETH from the ponzi.
+
+## Addresses involved
+The Ponzi contract: [0xa7ca36f7273d4d38fc2aec5a454c497f86728a7a](https://etherscan.io/address/0xa7ca36f7273d4d38fc2aec5a454c497f86728a7a#code)  
+The approve tx: [0xc836c7c6ac8135cf1df3da5754cfa9959d327e2ec3748f83124089dfe621a98b](https://etherscan.io/tx/0xc836c7c6ac8135cf1df3da5754cfa9959d327e2ec3748f83124089dfe621a98b)  
+The transferFrom tx: [0x233107922bed72a4ea7c75a83ecf58dae4b744384e2b3feacd28903a17b864e0](https://etherscan.io/tx/0x233107922bed72a4ea7c75a83ecf58dae4b744384e2b3feacd28903a17b864e0)  
+The withdraw tx: [0x496c0411f52978dfd7953b7e6965465977162bfaf7b88c0c78fcdc97cd395d62](https://etherscan.io/tx/0x496c0411f52978dfd7953b7e6965465977162bfaf7b88c0c78fcdc97cd395d62)  
+
+The attacker address: [0xB9cd700b8A16069Bf77edEdC71c3284780422774](https://etherscan.io/address/0xB9cd700b8A16069Bf77edEdC71c3284780422774)  
+The attacker 2nd address: [0x945C84b2FdD331ed3E8e7865E830626e6CeFAB94](https://etherscan.io/address/0x945C84b2FdD331ed3E8e7865E830626e6CeFAB94)  
+
+## The vulnerability: Underflow 
+
+There is two issues in this contract: an underflow vulnerability and a poor internal logic that can potentialy lead to this underflow.  
+The underflow vulnerability of the contract is in the `sell()` function:
+```solidity
+function sell(uint256 amount) internal {
+    var numEthers = getEtherForTokens(amount);
+    // remove tokens
+    totalSupply -= amount;
+    balanceOfOld[msg.sender] -= amount; //** possible underflow if amount is bigger that the balance
+
+    // fix payouts and put the ethers in payout
+    var payoutDiff = (int256)(
+        earningsPerShare * amount + (numEthers * PRECISION)
+    );
+    payouts[msg.sender] -= payoutDiff;
+    totalPayouts -= payoutDiff;
+}
+```
+`sell()` is called when a user call `tranfer()` with `_to` equal to the contract address. There is in fact a check to ensure that when a user wants to sell his tokens, he has that amount of tokens. But since `transferTokens(_from, _to, _value)` allows a user to transfer tokens from a different address (who has previously approved the user to do so), the check is done for that `_from` address and if that address indeed has those tokens, the check pass. But when `sell()` decrease the balance, it does so to the `msg.sender` address instead of the `_from` so if the user (`msg.sender`) has less tokens that the amount passed in `_value`, an underflow will occur. The error is that `_from` is not passed to `sell()` as an argument.
+
+```solidity
+function transfer(address _to, uint256 _value) public {
+    transferTokens(msg.sender, _to, _value);
+}
+
+function transferTokens(
+    address _from,
+    address _to,
+    uint256 _value
+) internal {
+    if (balanceOfOld[_from] < _value) revert(); //** underflow check
+    if (_to == address(this)) {
+        sell(_value); //** sell doesn't know who _from is
+    } else {
+        int256 payoutDiff = (int256)(earningsPerShare * _value);
+        balanceOfOld[_from] -= _value;
+        balanceOfOld[_to] += _value;
+        payouts[_from] -= payoutDiff;
+        payouts[_to] += payoutDiff;
+    }
+    Transfer(_from, _to, _value);
+}
+
+
+```
+
+
+## The exploit
+
+The attacker will use an underflow to increase his token balance to the maximum amount and will then use that balance to exit the Ponzi with a lot of ETH.
+
+He first used a second account (0x945) to buy some tokens and to approv his first account (0xb9cd) to transfer some of his tokens:
+
+![approve transaction](img/approve.png "approve transaction")
+
+Now that he can transfer tokens on behalf of his other account, he called `transferFrom(_from_=0x945, _to=PonziContract, _value=1)`:
+
+![transferFrom transaction](img/transferFrom.png "transferFrom transaction")
+
+This check the allowance and then call `transferToken()`:
+```solidity
+function transferFrom(
+    address _from,
+    address _to,
+    uint256 _value
+) public {
+    var _allowance = allowance[_from][msg.sender];
+    if (_allowance < _value) revert();
+    allowance[_from][msg.sender] = _allowance - _value;
+    transferTokens(_from, _to, _value);
+}
+function transferTokens(
+    address _from,
+    address _to,
+    uint256 _value
+) internal {
+    if (balanceOfOld[_from] < _value) revert();
+    if (_to == address(this)) {
+        sell(_value); //** _from is not passed as parameter
+    } else {
+        int256 payoutDiff = (int256)(earningsPerShare * _value);
+        balanceOfOld[_from] -= _value;
+        balanceOfOld[_to] += _value;
+        payouts[_from] -= payoutDiff;
+        payouts[_to] += payoutDiff;
+    }
+    Transfer(_from, _to, _value);
+}
+```
+`transferToken()` check that the balance of `_from` is high enough to transfer `_value` of tokens (it is) and since `_to` is the address of the contract, call `sell()`:
+```solidity
+function sell(uint256 amount) internal {
+    var numEthers = getEtherForTokens(amount);
+    // remove tokens
+    totalSupply -= amount;
+    balanceOfOld[msg.sender] -= amount; //** possible underflow if amount is bigger that the balance
+
+    // fix payouts and put the ethers in payout
+    var payoutDiff = (int256)(
+        earningsPerShare * amount + (numEthers * PRECISION)
+    );
+    payouts[msg.sender] -= payoutDiff;
+    totalPayouts -= payoutDiff;
+}
+```
+But since `sell()` doesn't receive the `_from` parameter (0x945), it assumes that it is the `msg.sender` (0xb9cd), which doesn't have any token, so `balanceOfOld[msg.sender] -= amount` underflow and is now equal to the maximum amount of `uint256`.
+
+He then sold some of his tokens and called `withdraw()` which allowed him to exit the Ponzi with over 866 ETH:
+![transfer transaction](img/transfer.png "transfer transaction")
+
+![withdraw transaction](img/withdraw.png "withdraw transaction")
+