# QIXI漏洞分析 交易记录\ [Binance Transaction Hash (Txhash) Details | BscScan](https://bscscan.com/tx/0x16be4fe1c8fcab578fcb999cbc40885ba0d4ba9f3782a67bd215fb56dc579062) 开始看的时候就觉得离谱,攻击者闪电贷获取wbnb,一波操作之后就收获QIXI离场。 经过分析,最重要的一步就是`_transfer` ![](https://1074961489-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJzir9UNmKRbv22Aq3ms%2Fuploads%2FRexz03JbBGvfRyshtDZQ%2Fimage.png?alt=media\&token=0255dafa-0313-4efd-b183-9f02c2b15f0c) 这个函数会调用`_basicTransfer`给10个账户转币。也就是这里出现了问题。 ![](https://1074961489-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJzir9UNmKRbv22Aq3ms%2Fuploads%2Fm5vrspqezLSLd8tBfMSZ%2Fimage.png?alt=media\&token=4f35feeb-74f8-4c5f-8219-a77c8f266551) 这个函数是这样写的。 ```js function _basicTransfer(address sender, address recipient, uint256 value) internal returns (bool) { balanceOf[sender] -= value; balanceOf[recipient] += value; emit Transfer(sender, recipient, value); return true; } ``` 漏洞点也就在这里,开始的时候`balanceOf[sender]`为0,减去value的时候造成溢出。而且他这个solidity的版本为`^0.4.25`。不会检查溢出。 最终攻击者得到了这么多的token
![](https://1074961489-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJzir9UNmKRbv22Aq3ms%2Fuploads%2FlOG5a84EIHivO0dLjjOt%2Fimage.png?alt=media\&token=422d6366-1293-4c3b-bcaf-224cb7f9041f)
--- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://8olidity.gitbook.io/qu-kuai-lian-bi-ji/lou-dong-fu-xian/qixi-lou-dong-fen-xi.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.