Can msg.sender be spoofed in a view function?
From what I can see, it seems trivially easy to set the message sender in a view function to whatever address you want for external calls through ethers.js via the 'connect' function.
For example, if you have a contract like this:
pragma solidity ^0.8.0;

contract Test {
    address public owner;
    string private secret;

    modifier onlyOwner() {
        require(msg.sender == owner, "onlyOwner");
        _;
    }

    constructor() {
        owner = msg.sender;
        secret = "Abracadabra";
    }

    function setSecret(string memory newSecret) public onlyOwner {
        secret = newSecret;
    }

    function getSecret() public view onlyOwner returns (string memory) {
        return secret;
    }
}
Even if you aren't the owner account, you could run

    let owner = await con.owner();
    // read-only call; the address string is only used as the `from` of the call
    let secret = await con.connect(owner).getSecret();

And get no complaints from ethers. I know this would fail if you tried to run setSecret, but when there is no transaction involved it looks like you don't need a real signer, just a contract address.
Is there some other way to check if the msg.sender is actually an account, not just a string of the account address?
Comments (2)
Sure it can be, it is not a 'hack': when you call a view function you can overwrite msg.sender.
And anyway the 'secret' variable (even if private) can be read by some tools, like any data on the blockchain (even if you do not provide a read function); making a variable private is not a security measure.
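The two points above (the question's observation that a read-only call carries no signature, and this comment's point that `private` storage is readable anyway) come down to the same fact: a `view` function is served by `eth_call`, whose `from` field is just a parameter chosen by the caller, and the storage behind it is served by `eth_getStorageAt`, which takes no signer at all. The following is an added example (not code from the question or from ethers.js) that decodes the raw storage words of the `Test` contract above, using Solidity's documented layout: slot 0 holds `owner`, slot 1 holds `secret`. The two slot values are constructed to match what the constructor writes; on a live chain they would come from `provider.getStorageAt(contractAddress, slot)` (ethers v5), again with no signer involved.

```javascript
// Added example: decode the storage layout of `contract Test` from the question.
// Slot assignment follows declaration order:
//   slot 0: address owner  -> 20 bytes, right-aligned in the 32-byte word
//   slot 1: string secret  -> short string (< 32 bytes): bytes left-aligned,
//                             lowest byte = 2 * length;
//                             long string: word = 2 * length + 1 (lowest bit set),
//                             bytes stored starting at keccak256(slot)
//
// Both words below are CONSTRUCTED, not read from a chain: the owner is a
// placeholder address, the secret word is what `secret = "Abracadabra"` writes.
const SAMPLE_OWNER_WORD =
  "0x000000000000000000000000" + "deadbeef".repeat(5);
const SAMPLE_SECRET_WORD =
  "0x4162726163616461627261000000000000000000000000000000000000000016";

// Validate and convert a 0x-prefixed 32-byte word into a Buffer.
function wordToBytes(word) {
  const hex = word.replace(/^0x/, "");
  if (hex.length !== 64 || !/^[0-9a-fA-F]+$/.test(hex)) {
    throw new Error("expected a 32-byte hex word");
  }
  return Buffer.from(hex, "hex");
}

// An `address` occupies the low 20 bytes; the high 12 bytes must be zero
// (if they are not, the slot is packed with other small variables).
function decodeAddressSlot(word) {
  const bytes = wordToBytes(word);
  if (!bytes.subarray(0, 12).every((b) => b === 0)) {
    throw new Error("slot does not hold a bare address");
  }
  return "0x" + bytes.subarray(12).toString("hex");
}

// Decode a `string` slot. Short strings are fully recoverable from the one
// word; for long strings only the length is in this word, and the caller
// must fetch keccak256(slot), keccak256(slot)+1, ... for the content.
function decodeStringSlot(word) {
  const bytes = wordToBytes(word);
  const lowByte = bytes[31];
  if (lowByte & 1) {
    const length = (BigInt("0x" + bytes.toString("hex")) - 1n) / 2n;
    return { long: true, length: Number(length), value: null };
  }
  const length = lowByte / 2;
  if (length > 31) throw new Error("invalid short-string length");
  return { long: false, length, value: bytes.subarray(0, length).toString("utf8") };
}

// Apply both decoders to the layout of `contract Test`.
function inspectTestContract(slot0Word, slot1Word) {
  return {
    owner: decodeAddressSlot(slot0Word),
    secret: decodeStringSlot(slot1Word),
  };
}

console.log(inspectTestContract(SAMPLE_OWNER_WORD, SAMPLE_SECRET_WORD));
```

Because every field above is recoverable from public storage, the `onlyOwner` modifier on `getSecret()` restricts who gets a convenient ABI answer, not who can learn the value; anything that must stay confidential has to be kept off-chain or stored only as a commitment (for example a hash) rather than in plaintext.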
Connect it with a delegate call, then you see how your spoofed address occurs in an on-chain tx. I have never tried it; you can do it, make it live: if someone calls the view then the delegate call occurs on chain.