Ethernaut#5 - Token

Ethernaut #5 - Token

#5

The goal of this level is for you to hack the basic token contract below. You are given 20 tokens to start with and you will beat the level if you somehow manage to get your hands on any additional tokens. Preferably a very large amount of tokens.

Things that might help:

  • What is an odometer?
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
// SPDX-License-Identifier: MIT
pragma solidity ^0.6.0;

contract Token {

  mapping(address => uint) balances;
  uint public totalSupply;

  constructor(uint _initialSupply) public {
    balances[msg.sender] = totalSupply = _initialSupply;
  }

  function transfer(address _to, uint _value) public returns (bool) {
    require(balances[msg.sender] - _value >= 0);
    balances[msg.sender] -= _value;
    balances[_to] += _value;
    return true;
  }

  function balanceOf(address _owner) public view returns (uint balance) {
    return balances[_owner];
  }
}

Contract Breakdown

Let us breakdown the contract to understand what each function and piece of code does. The code consists of a single contract Token compiled with solidity version ^0.6.0. Notice it is using an older version of Solidity, this is very important.

Variables
1
2
mapping(address => uint) balances;
uint public totalSupply;

A mapping balances that maps addresses to their token balance, and totalSupply which tracks the total amount of tokens.

Constructor
1
2
3
constructor(uint _initialSupply) public {
  balances[msg.sender] = totalSupply = _initialSupply;
}

The constructor takes an _initialSupply and assigns all of those tokens to the deployer. It also sets the totalSupply to that same value.

Functions
1
2
3
4
5
6
function transfer(address _to, uint _value) public returns (bool) {
  require(balances[msg.sender] - _value >= 0);
  balances[msg.sender] -= _value;
  balances[_to] += _value;
  return true;
}

The transfer function allows a user to send _value amount of tokens to another address _to. It first checks that balances[msg.sender] - _value >= 0. Then it subtracts _value from the sender and adds it to the receiver.

1
2
3
function balanceOf(address _owner) public view returns (uint balance) {
  return balances[_owner];
}

A simple view function that returns the balance of a given address.

Solution

The vulnerability here is an integer underflow. This contract is compiled with Solidity ^0.6.0 which does NOT have built-in overflow/underflow protection (that was introduced in ^0.8.0) and the contract doesn’t use SafeMath either.

The require(balances[msg.sender] - _value >= 0) check is useless because balances is of type uint (unsigned integer). An unsigned integer can never be negative, so balances[msg.sender] - _value will always be >= 0. If the subtraction would result in a negative number, it wraps around to a very large number instead.

Think of it like an odometer on a car. If you have 20 on the odometer and you try to subtract 21, instead of going to -1 it wraps around to the maximum value: 2^256 - 2 which is an astronomically large number.

To pass this challenge, we don’t even need to deploy a hack contract. We can just interact directly through Remix or the console.

Steps to pass:

  • Load the Token contract in Remix with the instance address from Ethernaut.
  • Call transfer with any address (that is not our own) as _to and 21 as _value.
  • We have 20 tokens. Transferring 21 triggers an underflow: 20 - 21 wraps around to 2^256 - 1 which is a massive number.
  • Our balance is now an absurdly large amount of tokens.

This is why Solidity 0.8.0+ introduced automatic overflow/underflow checks that revert the transaction. For older versions, always use OpenZeppelin’s SafeMath library. Never perform arithmetic operations on unsigned integers without proper checks in pre-0.8.0 contracts.