Detailed explanation of Ethereum smart contract vulnerabilities
— — On-chain vulnerability recurrence access to private data
Detailed explanation of Ethereum smart contract vulnerabilities — On-chain vulnerability access to private data
Welcome to follow and discuss with us
0x01 Environment installation
- To access private data on the chain, we need to install the web3 environment.
- First, we have to install Node.js, the official website is: https://nodejs.org/en
- After the installation is complete, create a project and introduce web3 dependencies: npm install web3
- If the execution is successful, the project initialization is successful.
0x02 Vulnerable contract
The Solidity contract version is: 0.8.10
The contract has been deployed on Ropsten:
0x03 Create Account
We need a web3 provider through which to call data.
You can visit: https://infura.io, go to register an account, and create a project, choose Ethereum:
After success, you can see: https://mainnet.infura.io/v3/ then copy this URL.
0x04 access data
Create a file with the suffix .js in the project and write the following two lines of code:
Then, we follow the above code to write the access code:
Execute node your .js file, output:
We can go to this website to convert the base:
you will get: 123, just for the data in the contract.
Next we try “Access Private Data”:
Copy the content after 0x (excluding the 0 padded at the end), namely: 414141424242434343, go to this website to convert it: https://codebeautify.org/hex-string-converter, you will get: AAABBBCCC, this is the private one we accessed Data “password”!
Next let’s try something more complex:
For slot6 and slot7, the result of calling the contract function converted to hexadecimal is exactly the same as the result of calling the API.
0x05 Means of defense
The information stored on the blockchain is publicly accessible, so do not store sensitive data on the blockchain network, there is no defense here.