Fallout | OpenZeppelin Ethernaut Level 2 Walk-Through

Ethernaut / / By

Fallout or FAL1OUT as the hint in the image says, has an error in the code that incorrectly implements a constructor that leads to ownership transfer by any public address interacting with a specific function.

Level 2

This is the first level that suggests we try Solidity’s Remix IDE, a fully web based IDE for solidity with built in tools to make things easier for developers to test and build.

Remix IDE homepage

Opening remix we are fine to work in the default workspace or we can add a separate one for this challenge if we choose.

Don’t be intimidated by all the fancy buttons, we are just copying and pasting our one smart contract file that Ethernaut has given us.

Challenge Contract Code

Copy the contract code and head back to Remix to create a new .sol file to paste it in.

Add new file ‘fallout.sol’

Now paste in the contract you copied into the empty file, a warning will pop up, press OK.

Pasted Code Warning

Now we need to compile our contract.

Error: not found openzepp...
We need to change our import statement on line 4.

Remove this statement

Repace it with this import:
import '@openzeppelin/contracts@3.4.2/math/SafeMath.sol';

New import statement

Now compile again.

Successful compile

Now lets head back over to our Ethernaut page and request a new instance for this level.

Get new instance

Once your instance is ready let’s switch back to Remix and go down to the ‘Deploy and run transactions’ tab.

Select MetaMask

Select MetaMask as the Provider but don’t press deploy.

At Address

We want to take our instance address that we were given and paste it into the ‘At Address’ box, then click the At Address button and scroll down.

Our deployed contracts

Our deployed contract (the actual instance) and all of it’s functions are shown here, and these buttons allow us to interact with it.
Instantly the ‘Fal1out’ button stands out, and it is colored red because it is payable.

constructor code

If we take a look at the source we can deduce what happened here.
The “constructor” as is labeled with a comment is actually defined as a function.
function Fal1out() should have been constructor Fal1out()

Solidity Docs

So let’s use that button to call the function, which will execute the first line of that function:
owner = msg.sender;
Making us (the sender) the new owner of the contract.
I scrolled up and set the value to 1 wei before sending and the results don’t disappoint:

owner function activated

Using the owner button at the bottom we can call for the owner and we clearly see it returns my address, success!

All that’s left is to submit our instance.

Submit instance

Congrats, we completed this level.
If you missed level 1, click here.

DAVE

Related Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top