Ethernaut: Token
My take on CTFs
CTFs constitute a crucial part of the process of becoming a successful security researcher, as they require from you an eye for detail, a good understanding of Solidity and strong technical skills to perform the attack and capture the flag. The most talented security researchers are great at CTFs, at solving them of course and sometimes at designing them. CTFs will not turn you into a great web3 security researcher overnight, but they will surely arm you with good enough technical skills to write decent coded PoCs, get your finding validated and maybe get it selected for report.
What is Ethernaut?
Ethernaut is a CTF (Capture The Flag) developed by the OpenZeppelin team that you have most probably already heard of. If you haven't, consider taking a look at this roadmap: https://www.0xjarix.com/if-i-had-to-start-again/
This CTF gathers 31 challenges for the moment; this number keeps increasing, so check their website every now and then: https://ethernaut.openzeppelin.com/
Maybe you'll design your own challenge one day and send it to the OpenZeppelin team.
Also, why are you here?
Of all the kinds of articles I publish, CTF writeups are those I wish you read the least. I am a big advocate of giving everything the time it needs: if you cannot solve a challenge that you know for a fact contains an intentional bug in such a small codebase, do not expect to do really well in the contests. There are two reasons why someone can fail at solving a challenge, and when I say 'fail' I mean giving up and looking at the writeups, knowing damn well these CTFs are not time-bounded. So if you failed, you either:
- aren't ready for this challenge yet, which is most probably because you skipped some steps in the roadmap
- are lazy: you read the challenge, read the codebase (maybe not enough times), had some assumptions perhaps, might have identified some entry points or some conditions to bypass or break, but you did not give it enough time, you did not allow yourself to succeed, and that's a shame
Token
The goal of this level is for you to hack the basic token contract below.
You are given 20 tokens to start with and you will beat the level if you somehow manage to get your hands on any additional tokens. Preferably a very large amount of tokens.
Things that might help:
- What is an odometer?
Goal
Increase our balance significantly
Reasoning
- The Solidity version used is 0.6.0.
- Prior to Solidity 0.8, an arithmetic operation that exceeded the integer type's lower or upper bound would silently underflow or overflow (wrap around). That was dangerous and resulted in many real-world hacks, so the advice was to use a SafeMath library. As of compiler version 0.8, arithmetic reverts on over/underflow and SafeMath is no longer needed. If we want the compiler to stop checking for under/overflows, we now wrap the code in an unchecked block for gas optimization. The Solidity team chose to make security the default rather than optimization, and that tradeoff is widely approved.
- We already have 20 tokens in our balance, so we only have to underflow it so that it wraps around to type(uint256).max.
- So the value we transfer has to be enough to cause the underflow: 21. The address we transfer to will also enjoy the transfer (not as much as us, of course), since the 21 tokens still get added to its balance. Choose any arbitrary address except your own: transferring to yourself would add 21 back to the wrapped balance, overflow it and reset it to 20. I personally chose the zero address.
Fix
Either use a solidity version >= 0.8 or use the SafeMath lib.
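As an added illustration of the reasoning and the fix above (my own code, not the page's and not the Ethernaut contract, which is not reproduced here), a Python model of the level's transfer() arithmetic under pre-0.8 wrapping and 0.8 checked semantics; the contract's guard and the address labels are assumptions.

```python
# Added example: a Python model of the level's transfer() arithmetic, not the
# Ethernaut contract itself (its exact guard is assumed from the writeup above).
UINT256_MAX = 2**256 - 1

class Token:
    """Toy token. checked=False mimics Solidity <0.8 (silent wrap-around);
    checked=True mimics Solidity >=0.8 (revert on over/underflow)."""

    def __init__(self, balances, checked=False):
        self.balances = dict(balances)
        self.checked = checked

    def _sub(self, a, b):
        if self.checked and a < b:
            raise ArithmeticError("underflow: reverts on 0.8+")
        return (a - b) % 2**256  # wraps on <0.8

    def _add(self, a, b):
        if self.checked and a + b > UINT256_MAX:
            raise ArithmeticError("overflow: reverts on 0.8+")
        return (a + b) % 2**256  # wraps on <0.8

    def balance_of(self, who):
        return self.balances.get(who, 0)

    def transfer(self, sender, to, value):
        new_bal = self._sub(self.balance_of(sender), value)
        # The 0.6 guard checks an unsigned result against 0, so it can never
        # fail: a uint256 is always >= 0. That is the whole bug.
        assert new_bal >= 0
        self.balances[sender] = new_bal
        self.balances[to] = self._add(self.balance_of(to), value)
        return True

def player_balance_after(to, checked=False):
    """Start with 20 tokens, transfer 21 to `to` (a constructed label, not a
    real address) and return the player's balance afterwards."""
    token = Token({"player": 20}, checked=checked)
    token.transfer("player", to, 21)
    return token.balance_of("player")

def checked_version_reverts():
    """True if the same move is rejected once arithmetic is checked (the Fix)."""
    try:
        player_balance_after("zero-address", checked=True)
    except ArithmeticError:
        return True
    return False
```

Transferring to any other address leaves the player at type(uint256).max, transferring to yourself wraps the balance straight back to 20, and with checked arithmetic the very first subtraction reverts.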