This is the second part of my series around Ethernaut Game. In this post, we will deal with Level 2: Fallout.
Our goal is to claim the ownership of a given smart contract.
If we look at the function Fallout we see that it suppose to be the constructor. This is due to comments and the fact that constructors always are named in the same way as the smart contract. As you know a constructor only gets executed when the contract first deploys.
After further analysis we see that this is the only place where the ownership of the smart contract is assigned.
/* constructor */
function Fal1out() public payable {
owner = msg.sender;
allocations[owner] = msg.value;
}
One of the recommendations was to analyse the contract in the Remix IDE. Why?
Because when you look at the constructor again you will see a typo in the name. Recall that the name of the constructor should be the same as the smart contract name, i.e. in that case Fallout. However, the name of the constructor is Fal1out This means that this is not a constructor, but a normal function that we can call to claim ownership.
So, let's give it a try. First, we call the function and after that check who is the owner of the contract.
That's it. We claimed the ownership.
Conclusion
The vulnerability in the smart contract was the wrong name of the constructor. It was supposed to be a constructor however, due to a type (Fal1out not Fallout) it behaves similarly to any other function.
Also Published Here