SolidityFoundry 安全审计测试 memory滥用

 名称：

memory滥用

https://github.com/XuHugo/solidityproject/tree/master/vulnerable-defi
描述：

在合约函数中滥用storage和memory。

memory是一个关键字，用于临时存储执行合约所需的数据。它保存函数的参数数据，并在执行后清除。
storage可以看作是默认的数据存储。它持久地保存数据，消耗更多的gas。
函数updaterewardDebt的功能是，更新UserInfo结构体的rewardDebt值。为了节约gas，我们将变量用关键字memory声明了，这样会导致的问题是，在函数执行结束之后，rewardDebt的值并不会保存下来。因为一旦函数完成执行，内存就会被清除，所做的更改也会丢失。

参考：

Cover protocol hack analysis: Infinite Cover tokens minted via an exploit - Mudit Gupta's Blog

解决方法：

https://mudit.blog/cover-protocol-hack-analysis-tokens-minted-exploit/

proxy合约：

contract Array is Test {mapping(address => UserInfo) public userInfo; // storagestruct UserInfo {uint256 amount; // How many tokens got staked by user.uint256 rewardDebt; // Reward debt. See Explanation below.}function updaterewardDebt(uint amount) public {UserInfo memory user = userInfo[msg.sender]; // memory, vulnerable pointuser.rewardDebt = amount;}function fixedupdaterewardDebt(uint amount) public {UserInfo storage user = userInfo[msg.sender]; // storageuser.rewardDebt = amount;}
}

foundry测试合约；

// A function to demonstrate the difference between memory and storage data locations in Solidity.
function testDataLocation() public {// Simulate dealing 1 ether to Alice and Bob.address alice = vm.addr(1);address bob = vm.addr(2);vm.deal(address(alice), 1 ether);vm.deal(address(bob), 1 ether);// Create a new instance of the Array contract.ArrayContract = new Array();// Update the rewardDebt storage variable in the Array contract to 100.ArrayContract.updaterewardDebt(100); // Retrieve the userInfo struct for the contract's address and print the rewardDebt variable.// Note that the rewardDebt should still be the initial value, as updaterewardDebt operates on a memory variable, not the storage one.(uint amount, uint rewardDebt) = ArrayContract.userInfo(address(this));console.log("Non-updated rewardDebt", rewardDebt);// Print a message.console.log("Update rewardDebt with storage");// Now use the fixedupdaterewardDebt function, which correctly updates the storage variable.ArrayContract.fixedupdaterewardDebt(100);// Retrieve the userInfo struct again, and print the rewardDebt variable.// This time the rewardDebt should be updated to 100.(uint newamount, uint newrewardDebt) = ArrayContract.userInfo(address(this));console.log("Updated rewardDebt", newrewardDebt);
}