Level 2 - Fallout
Level Setup
Claim ownership of the contract below to complete this level.
Things that might help
Solidity Remix IDE
Level Contract
Exploit
The contract uses the old way of defining a constructor: a function with the same name as the contract. In this instance there is a typo in the "constructor" name, so it differs from the contract name. It was therefore not run on contract creation, and it is an ordinary function that anyone can call.
Call the function either using an interface or a `.call` with the function signature.
Submit instance... 🥳
Completion Message
That was silly wasn't it? Real world contracts must be much more secure than this and so must it be much harder to hack them right?
Well... Not quite.
The story of Rubixi is a very well known case in the Ethereum ecosystem. The company changed its name from 'Dynamic Pyramid' to 'Rubixi' but somehow they didn't rename the constructor method of its contract:
This allowed the attacker to call the old constructor and claim ownership of the contract, and steal some funds. Yep. Big mistakes can be made in smartcontractland.
Notes
This exploit occurred because before Solidity `v0.5.0` it was not mandatory to name the constructor `constructor`. This was updated with a breaking change in the `v0.5.0` release.
Even though this contract uses `v0.6.0`, this mistake still happened.
Exploited contract: https://etherscan.io/address/0xe82719202e5965Cf5D9B6673B7503a3b92DE20be
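A lint check for the mistake described above, as an added example that is not part of the original write-up or the Ethernaut project: it flags any function whose name equals or nearly matches the name of its contract. The `Vault` contract, its function names and the distance threshold of 2 are constructed assumptions, and the regex-based parsing is a heuristic rather than a full Solidity parser.

```python
import re

CONTRACT_RE = re.compile(r"\bcontract\s+([A-Za-z_]\w*)[^{]*\{")
FUNCTION_RE = re.compile(r"\bfunction\s+([A-Za-z_]\w*)\s*\(")

# Constructed sample (not the level's contract): "Vau1t" is a typo of "Vault".
SAMPLE_TYPO = """
contract Vault {
    address public owner;
    function Vau1t() public payable { owner = msg.sender; }  // meant as constructor
    function withdraw() public { require(msg.sender == owner); }
}
"""
# Constructed sample: the same contract using the `constructor` keyword.
SAMPLE_FIXED = SAMPLE_TYPO.replace("function Vau1t()", "constructor()")

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def contract_bodies(source):
    """Yield (name, body) per contract, matching braces to find where it ends."""
    for m in CONTRACT_RE.finditer(source):
        depth, i = 1, m.end()
        while i < len(source) and depth:
            depth += {"{": 1, "}": -1}.get(source[i], 0)
            i += 1
        yield m.group(1), source[m.end():i - 1]

def find_constructor_lookalikes(source, max_distance=2):
    """Return (contract, function, reason) for functions that resemble a constructor."""
    source = re.sub(r"//[^\n]*|/\*.*?\*/", "", source, flags=re.S)  # strip comments
    findings = []
    for contract, body in contract_bodies(source):
        for fn in FUNCTION_RE.findall(body):
            if fn == contract:
                findings.append((contract, fn, "old-style constructor"))
            elif edit_distance(fn.lower(), contract.lower()) <= max_distance:
                findings.append((contract, fn, "near-miss of contract name"))
    return findings

if __name__ == "__main__":
    print(find_constructor_lookalikes(SAMPLE_TYPO))
```

Very short contract names can produce false positives at this threshold, so treat each finding as a prompt for manual review.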