$29
In this project, you will write an Ethereum smart contract to play a simple game of Rock/Paper/Scissors, and deploy it on the Ropsten Test Network. You’ll also exploit an existing smart contract to steal (testnet) funds from it.
Objectives:
• Implement and deploy a basic Ethereum smart contract in Solidity
• Understand basic smart contract vulnerabilities
• See how vulnerabilities can lead to stolen funds.
•
Part 0. Setup
You’ll need to familiarize yourself with a few new tools for interacting with the Ethereum Blockchain. We’ll be using Ropsten Testnet Ethereum, which is exactly like the main Ethereum, but the Ether is free and not exchangeable. You won’t need to buy anything, or use real money at any point in this project (though all the techniques could be used on the main net as well).
Install MetaMask
MetaMask is a Chrome/Firefox/Brave extension that acts as an Ethereum wallet and will store your (testnet) Ether currency. Install it in your browser of choice: https://metamask.io/download.html
You’ll need to create/save a password that lets you open your wallet. Be sure to keep the password safe!
Once installed, go get some Ropsten Testnet Ether from the faucet: https://faucet.metamask. io/. Click on “request 1 ether from faucet”. You should see the transaction show up under the transactions list, and then you should see in your MetaMask that you have 1 Ether (make sure you have Ropsten Test Network selected instead of Main Ethereum Network) in your account.
Use MyEtherWallet
MyEtherWallet is used to interact with existing and deploy new smart contracts. Go to https: //www.myetherwallet.com/ and make a wallet. You don’t need to create a new wallet, since you connect to MetaMask instead. When you get to the creating a wallet step, click on “Access My Wallet”, and then select “MEW CX” (we’ll connect with MetaMask). Accept the terms and click the “Access My Wallet” button. This should bring up a MetaMask Connect Request notification, where you can click Connect.
Interact with a contract / send a transaction Click on the Contract / Interact with Contract:
https://www.myetherwallet.com/interface/interact-with-contract
Enter a contract address: 0xFB81aDf526904E3E71ca7C0d2dc841a94B1E203C
and copy/paste the ABI/JSON at https://ecen4133.org/static/vuln-abi.json into the ABI/JSON Interface field. Click Continue.
Deposit Ether in contract This contract lets you deposit and withdraw Ether, and tracks the balance that you’ve entered. Try using the deposit function to deposit a small amount of Ether (e.g. 0.05 ETH). Enter the value and click Write, then confirm the transaction in MetaMask. This creates a transaction, that you can click on in MetaMask to view on Etherscan.io (an Ethereum block/contract/transaction explorer website). You can see all the transactions that have interacted with this contract here:
https://ropsten.etherscan.io/address/0xfb81adf526904e3e71ca7c0d2dc841a94b1e203c. How much ETH does this contract have in its balance?
2
Read from the contract Now select “balances” and enter your MetaMask account address (e.g. 0x5a7A84f39f5F9E653b9ee54DC1dB0BfF34EF2b10). Click Read. The value returned will be in Wei, which is 10 18 Ether, the smallest unit of ETH.
Notice that reading a contract does not require any confirmation from MetaMask, and does not create a transaction. Why not?
Make your own contract with Remix
Remix is an online IDE for Ethereum smart contracts. You can write contracts in Solidity, a high-level language that compiles down to Ethereum VM Bytecode (what miners use to execute contracts). Go to https://remix.ethereum.org/.
Select Solidity, and New File, and give it a name. You can write your own source, or copy in the above vulnerable contract (and modify it, if you want!) from https://ecen4133.org/static/ vuln.sol. Click Compile.
Deploy your contract to the testnet You can use MyEtherWallet to deploy a new contract (Contract / Deploy Contract). Paste in your Bytecode and ABI/JSON copied from Remix, and give it a name. Click Sign Transaction, and confirm with MetaMask, and soon you’ll be able to see (and interact) with your contract!
What to submit Part 0 is just for introduction, no need to submit anything for this part.
3
Part 1. Vulnerable Contracts
In this part, you’ll investigate how to steal Ethereum from vulnerable smart contracts. We have setup a vulnerable smart contract on the Ropsten testnet that you have permission to steal funds from. However, using this technique on other contracts you do not have the same permission for outside this class is a crime. Remember that just because you can do something technical, doesn’t mean that you should!
We’ve deployed our contract to address 0xFB81aDf526904E3E71ca7C0d2dc841a94B1E203C. You can download its source from https://ecen4133.org/static/vuln.sol.
The contract has two functions: deposit and withdraw that let you send and receive money from the contract. On the surface, it appears that an address will only be able to withdraw what that address originally deposited. But this contract is vulnerable to a bug that lets you extract more if you’re clever!
In this part, you’ll write and use a contract that steals funds from the Vuln contract. Your goal is to make a contract that includes a payable function, that interacts with the Vuln contract to steal funds from it. Your contract should let you pay it a small amount (e.g. 0.1 ETH), and then later let you extract a greater amount (e.g. 0.2 ETH). If we look at the (internal) transactions between your contract and the Vuln contract, we should see that yours sends (deposits) less than it gets back (withdraws) from the Vuln contract.
Note : This is a class-wide contract, and only has so many testnet coins in it. As such, please limit your stealing to a humble amount, so that others can also enjoy the thrill of stealing as well. We suggest trying to deposit/steal small amounts such as 0.1 ETH (100 finney) at a time. You don’t need to steal all the coins to prove that you can, but if you end up stealing too much, you can always deposit() it back.
Feel free to deploy your own copy of the Vuln contract (and fund it with your own testnet coins) to practice attacking before you try to attack the main Vuln contract.
What to submit
1. Your stealing contract, attack.sol, that you used to extract more funds than you deposited.
2. A plaintext file, attack.txt, that lists the deployed address of your attack.sol contract (e.g. 0x5b95c5aff4b...217e)
4
Submission Checklist
Upload to Canvas a gzipped tarball (.tar.gz) named project5.identikey1.identikey2.tar.gz. You can make a tarball with
• tar czf project5.identikeys.tar.gz ./attack.sol ./attack.txt The tarball should contain only the following files:
Part 1
Your stealing contract attack.sol, and a plaintext file attack.txt with its deployed address.
5