
reentrancy-attack's Introduction

Reentrancy Demo in Hardhat

Initialize Everything

Follow only if you start from scratch. If you clone this GitHub repo, skip this section.

npm install -g yarn
yarn init --yes
yarn add -D hardhat
npx hardhat init

Deploy and Interact with Vault

// in terminal 1, start a localhost hardhat ethereum node
// if you've done so in the underflow terminal, just skip this
npx hardhat node

// in terminal 2, do
npx hardhat run --network localhost .\scripts\deploy.ts
npx hardhat run --network localhost .\scripts\query.ts
npx hardhat run --network localhost .\scripts\deposit.ts

Deploy the Attack

npx hardhat run --network localhost .\scripts\deploy.attack.ts

Attack the Vault

// then run the full attack script
npx hardhat run --network localhost .\scripts\attack.full.ts
// output
--- operator deposit ---
vault balance:  1000000000000000000n
owner balance:  1000000000000000000n
--- attack contract deposit ---
vault balance:  2000000000000000000n
owner balance:  1000000000000000000n
attack contract balance:  1000000000000000000n
--- attacker contract withdraw ---
vault balance:  0n
owner balance:  1000000000000000000n
// ^^^ The attacker steals the owner's balance from the vault
attack contract balance:  0n

BONUS POINTS HERE!

You win bonus points if you are first to finish the following tasks correctly (any).

To claim the bonus and secure your position, submit an issue to THIS repo. Include the link to your solution (in a separate GitHub repo). The repo must come with a full hack/defence explanation and a step-by-step tutorial on how to run it. The last commit timestamp to the repo must be PRIOR to your issue timestamp (surely you can continue to work on another branch; I will look at the main branch only). Failure to follow the rules disqualifies your submission.

  1. How to defend against the reentrancy attack on this vault? The submission should come with (1) a secured vault contract source code; (2) a script trying to attack (just like the one I provided) but failing; and (3) an explanation of how you do it.
  2. Are there any other vulnerabilities (bugs) in the code of Vault.sol and Attack.sol? The submission should come with (1) a bug report: where is the bug, why is it a bug, and what is the consequence of the bug? (2) a script that exploits the bug; and (3) a secured version of the contract source code.

NB: There is MORE THAN ONE answer to each question. Points go to the first submission of each unique answer.

reentrancy-attack's People

Contributors

siriussee


reentrancy-attack's Issues

Task 1 - Defend reentrancy attack

The Issue feature is disabled on Siriussee/underflow-attack. I guess here is where I should raise the issue for the bonus task...


Task 1 - Defend reentrancy attack

Please refer to the source code on GitHub: diceyecid/reentrancy-attack.

  1. Secured Vault Contract: The secured vault contract is located at contracts/FixedEtherVault.sol.

  2. Attack Script: The script attempting the reentrancy attack can be found at scripts/attack.full.ts.

  3. Defense Mechanism:

    To defend against the reentrancy attack, the following modifications have been implemented in the secured vault contract:

    • A require gate has been added to verify that the user's balance is positive before proceeding with the send Ether operation.

    • The code that updates the user's balance is moved to execute before calling the send Ether operation.

    These changes ensure that the user's balance is updated prior to sending Ethers, and the require gate prevents the execution of the withdraw function if the user's balance is not positive.
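The two defenses listed above (a require gate on the balance and updating the balance before the external call, i.e. checks-effects-interactions), plus an explicit reentrancy guard, written out as an added Solidity example. This is not the repo's Vault.sol or FixedEtherVault.sol; the contract and function names (VulnerableVault, FixedVault, deposit, withdraw) are assumptions, and the vulnerable contract is included only to show the call ordering that lets a re-entrant withdraw see a stale balance.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example; not the repository's own contracts. Names are assumptions.

/// Vulnerable ordering: the Ether is sent before the sender's recorded balance
/// is zeroed, so a receiving contract's fallback can call withdraw() again
/// while balances[msg.sender] still holds the original amount. Kept here only
/// to contrast with the hardened version below.
contract VulnerableVault {
    mapping(address => uint256) public balances;

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    function withdraw() external {
        uint256 amount = balances[msg.sender];
        // Interaction happens before the effect: a re-entrant call still
        // reads the old, non-zero balance.
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "send failed");
        balances[msg.sender] = 0;
    }
}

/// Hardened vault: checks-effects-interactions ordering plus a mutex, so a
/// re-entrant withdraw() reverts on the guard, and even without the guard it
/// would revert on the require gate because the balance is already zero.
contract FixedVault {
    mapping(address => uint256) public balances;

    // Simple mutex; 1 = unlocked, 2 = locked (non-zero values keep the
    // storage slot warm and cheaper to toggle).
    uint256 private _lock = 1;

    modifier nonReentrant() {
        require(_lock == 1, "reentrant call");
        _lock = 2;
        _;
        _lock = 1;
    }

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    function withdraw() external nonReentrant {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");        // check
        balances[msg.sender] = 0;                          // effect
        (bool ok, ) = msg.sender.call{value: amount}("");  // interaction
        require(ok, "send failed");                        // revert restores state and lock
    }
}
```

Compile with `npx hardhat compile` from the project root. Against FixedVault the attack script the bonus task asks for should fail: a re-entrant call hits "reentrant call" at the guard, and if the guard were dropped it would hit "nothing to withdraw" because the balance is zeroed before any Ether leaves the contract; in both cases the outer transaction reverts and the vault balance is unchanged.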
