| N° | Contract | Done | Exploit PoC | Description |
|---|---|---|---|---|
| 01 | Fallback | ✅ | FallbackExploit | Call a contract with some value to target the receive method. |
| 02 | Fallout | ✅ | FalloutExploit | Typo in the constructor name. |
| 03 | CoinFlip | ✅ | CoinFlipExploit | The contract relies on block.number to generate a random value. |
| 04 | Telephone | ✅ | TelephoneExploit | Use a helper contract to make sure tx.origin and msg.sender are different. |
| 05 | Token | ✅ | TokenExploit | Exploit overflows and underflows of the 0.6.0 solidity compiler. |
| 06 | Delegation | ❌ | DelegationExploit | Make use of the delegatecall to overwrite the storage of the main contract. |
| 07 | Force | ✅ | ForceExploit | Create a contract, fund it with some ether and use the selfdestruct method to send the contract balance to any other contract (e.g. a contract without any implementation). |
| 08 | Vault | ✅ | VaultExploit | Read the password from the contract storage. |
| 09 | King | ✅ | KingExploit | Implement a helper contract that reverts when receiving ether. |
| 10 | Reentrance | ✅ | ReentranceExploit | Perform all state changes before making external calls to avoid re-entrancy exploits. |
| 11 | Elevator | ✅ | ElevatorExploit | When calling an external contract, always check the returned value before using it! |
| 12 | Privacy | ✅ | PrivacyExploit | Read the key from the contract storage |
| 13 | GatekeeperOne | ✅ | GatekeeperOneExploit | - Estimate the amount of gas a contract call would take using gasleft and binary search (dichotomy).- Another method is to use a while loop and to consume the gas tiny bits by tiny bits until the call succeeds.- Perform operations using bit masks. |
| 14 | GatekeeperTwo | ✅ | GatekeeperTwoExploit | - Create a contract that has a size equal to zero by putting all the logic inside the constructor. Indeed, a contract does not have source code available during construction. - Solidity does not support bitwise negation, but a simple way to perform the operation is to use the XOR operation ( ^) with 0xff (ones). |
| 15 | NaughtCoin | ✅ | NaughtCoinExploit | Use the ERC20 allowance and transferFrom methods to send tokens on behalf of a nother address. |
| 16 | Preservation (*) | ✅ | PreservationExploit | Make use of the delegatecall to overwrite the storage of the main contract. This time it involved a bit more creativity as it required to overwrite an address (20 bytes) using a uint256 (32 bytes). |
| 17 | Recovery | ✅ | RecoveryExploit | The address of an Ethereum contract is deterministically computed from the address of its creator (sender) and its nonce (how many transactions the creator has sent). The sender and nonce are RLP-encoded and then hashed with keccak256. For a Solidity implementation, check the exploit code. |
| 18 | MagicNumber | ✅ | MagicNumberExploit | - Use raw bytecode to create the smallest possible contract. - Learn about initialization code to be able to run any runtime code. - Learn about create to create a contract from the initialization code. |
| 19 | AlienCode | ✅ | AlienCodeExploit | Take advantage of an array underflow vulnerability in the contract, to allow the attacker to manipulate the contract's storage. |
| 20 | Denial | ✅ | DenialExploit | - Always set the amount of gas when using a low-level call. It will prevent the external contract to consume all the gas. - Check the return value of low-level calls, especially when the address is controlled by someone else. |
| 21 | Shop | ✅ | ShopExploit | - When calling an external contract, always check the returned value before using it! - This challenge is very similar to challenge 11. |
| 22 | Dex | ✅ | DexExploit | The contract uses a division operation to compute the swap amount which can be exploited because of a precision loss. Indeed, Solidity does not support floating points. |
| 23 | DexTwo | ✅ | DexTwoExploit | The swap method does not check the addresses of the ERC20 tokens. This is a very bad practice since an exploiter can manipulate the balances of those tokens. Indeed, the swap amount is computed based on the token balances, so anyone can drain the tokens of the contract. |
| 24 | PuzzleWallet | ✅ | PuzzleWalletExploit | When writing a Proxy contract, and more generally any contract that uses delegatecall, always make sure that the sensible storage values are not colliding with other values. The storage layout should be identical, for those values, on both the proxy and the implementation contracts. |
| 25 | Motorbike | ❌ | ||
| 26 | DoubleEntry | ✅ | DoubleEntryExploit | - When delegating calls from a deprecated token to another token (or any other contract), avoid sending new tokens in place of old tokens. - This level is made of a lot of different contracts, you can find an architecture diagram below. |
| 27 | GoodSamaritan | ✅ | GoodSamaritanExploit | Making external calls after updating token balance is very dangerous... |
| 28 | GatekeeperThree | ✅ | GatekeeperThreeExploit | - Make sure the constructor method is spelled properly.- Do not use tx.origin to check the origin of the caller.- Private variables are not private on a public blockchain. - It's easy to implement a contract that do not accepts ether. |
| 29 | Switch | ❌ | ||
| 30 | HigherOrder | ✅ | HigherOrderExploit | Reading function parameters (or any other value) using calldataload is dangerous because it will always return a 32-byte value and not the expected type of the variable. |
| 31 | Stake | ✅ | StakeExploit | The contract updates the balance of the user before making sure the tokens have been transfered to the contract. |
(*) I opened a PR to prevent cheating in challenge 16.
