Detailed explanation of Ethereum smart contract vulnerabilities
— Reproducing an on-chain vulnerability: access to private data

0x01 Environment installation

  • To read private data from the chain we need a web3 environment.
  • First install Node.js from the official website: https://nodejs.org/en
  • After the installation completes, create a project and add the web3 dependency: npm install web3
  • If the command succeeds, the project is initialized.

0x02 Vulnerable contract

The Solidity compiler version of the contract is 0.8.10.

The contract was deployed on the Ropsten testnet at:

0x3505a02BCDFbb225988161a95528bfDb279faD6b

(Ropsten has since been shut down. To reproduce the steps today, redeploy the contract on a live testnet such as Sepolia and use that address and that network's RPC endpoint instead.)

0x03 Create Account

We need a web3 provider, that is, a JSON-RPC endpoint, through which to query chain data.

Visit https://infura.io, register an account, and create a project, choosing Ethereum:

After that you can see an endpoint URL of the form https://mainnet.infura.io/v3/ followed by your project ID. Copy the URL for the network the contract is deployed on: the contract above lives on Ropsten, so the Ropsten endpoint is the one to use, not mainnet.

0x04 access data

Create a file with the suffix .js in the project and write the following two lines of code:

Then, following the same pattern, write the code that reads the storage slot:

Run node on your .js file; the output is:

0x000000000000000000000000000000000000000000000000000000000000007b

Converting this hex value to decimal (for example at https://www.rapidtables.com/convert/number/hex-to-decimal.html) gives 123, which is exactly the value stored in the contract.

Next we try “Access Private Data”:

Running it outputs:

0x4141414242424343430000000000000000000000000000000000000000000000

Copy the content after 0x, excluding the zero padding at the end, namely 414141424242434343, and convert it from hex to ASCII (for example at https://codebeautify.org/hex-string-converter): the result is AAABBBCCC. This is the “private” password we have just read out of storage. The Solidity private keyword only stops other contracts from reading the variable; it does nothing to hide the storage slot from eth_getStorageAt.

Next let’s try something more complex:

Running it outputs:

0xf652222313e28459528d920b65115c16c04f3efc82aaedc97be59f3f377c0d3f 0xf652222313e28459528d920b65115c16c04f3efc82aaedc97be59f3f377c0d3f

0xb39221ace053465ec3453ce2b36430bd138b997ecea25c1043da0c366812b828 0xb39221ace053465ec3453ce2b36430bd138b997ecea25c1043da0c366812b828

For slots 6 and 7, the value returned by the contract’s own function, written as hex, is exactly the same as the value returned through the API. Values of this shape, full 32-byte hashes, are what Solidity’s keccak256-derived storage locations look like: element i of a dynamic array declared at slot p is stored at keccak256(p) + i, and entry m[k] of a mapping declared at slot p is stored at keccak256(abi.encode(k, p)). Once the location is computed, the data there is read with the same getStorageAt call as any other slot.
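The script that reads the slots is not reproduced on this page, so the following is an added example and not the original post’s code. It does offline what section 0x04 does by hand: decoding the word of a uint (the 0x7b above) and of a bytes32 (the AAABBBCCC password), and, going beyond the post, unpacking a slot that holds several small variables, decoding a short Solidity string, and computing the keccak256-derived locations of dynamic-array elements and mapping entries that yield 32-byte hashes like the slot 6 and slot 7 values. It carries its own keccak256 so it needs no web3 package and no network; with web3.js the words would come from web3.eth.getStorageAt(address, slot). The packed and short-string words, the slot numbers 6 and 7 as array/mapping slots, and the layout names owner, flag and u16 are constructed for illustration and are not taken from the audited contract.

```javascript
// Added example, not code from the original post. Decodes raw storage words the
// way the post does by hand and computes the keccak-derived slots Solidity uses
// for dynamic arrays and mappings. Plain Node.js: no network, no web3 package.
// With web3.js the words come from: await web3.eth.getStorageAt(address, slot)
// (not executed here). Sample words are the values the post prints plus
// constructed ones, marked below.

const MASK64 = (1n << 64n) - 1n;
const RC = [
  0x0000000000000001n, 0x0000000000008082n, 0x800000000000808an, 0x8000000080008000n,
  0x000000000000808bn, 0x0000000080000001n, 0x8000000080008081n, 0x8000000000008009n,
  0x000000000000008an, 0x0000000000000088n, 0x0000000080008009n, 0x000000008000000an,
  0x000000008000808bn, 0x800000000000008bn, 0x8000000000008089n, 0x8000000000008003n,
  0x8000000000008002n, 0x8000000000000080n, 0x000000000000800an, 0x800000008000000an,
  0x8000000080008081n, 0x8000000000008080n, 0x0000000080000001n, 0x8000000080008008n,
];
// rho rotation offsets r[x][y], stored as ROT[x * 5 + y]
const ROT = [0, 36, 3, 41, 18, 1, 44, 10, 45, 2, 62, 6, 43, 15, 61,
             28, 55, 25, 21, 56, 27, 20, 39, 8, 14];
const rotl = (v, n) => n ? ((v << BigInt(n)) | (v >> BigInt(64 - n))) & MASK64 : v;

// Keccak-f[1600] on 25 BigInt lanes; lane (x, y) lives at A[x + 5 * y].
function keccakF(A) {
  for (let r = 0; r < 24; r++) {
    const C = [0, 1, 2, 3, 4].map(x => A[x] ^ A[x + 5] ^ A[x + 10] ^ A[x + 15] ^ A[x + 20]);
    for (let x = 0; x < 5; x++) {                       // theta
      const D = C[(x + 4) % 5] ^ rotl(C[(x + 1) % 5], 1);
      for (let y = 0; y < 25; y += 5) A[x + y] ^= D;
    }
    const B = new Array(25);                            // rho + pi
    for (let x = 0; x < 5; x++)
      for (let y = 0; y < 5; y++)
        B[y + 5 * ((2 * x + 3 * y) % 5)] = rotl(A[x + 5 * y], ROT[x * 5 + y]);
    for (let x = 0; x < 5; x++)                         // chi
      for (let y = 0; y < 5; y++)
        A[x + 5 * y] = B[x + 5 * y] ^ (~B[(x + 1) % 5 + 5 * y] & B[(x + 2) % 5 + 5 * y]);
    A[0] ^= RC[r];                                      // iota
  }
}

// Ethereum's keccak256: rate 136 bytes and the original Keccak padding
// 0x01 ... 0x80 (not the 0x06 of FIPS-202 SHA3-256). Returns a 0x-hex string.
function keccak256(bytes) {
  const rate = 136;
  const padded = Buffer.concat([Buffer.from(bytes), Buffer.alloc(rate - (bytes.length % rate))]);
  padded[bytes.length] ^= 0x01;
  padded[padded.length - 1] ^= 0x80;
  const A = new Array(25).fill(0n);
  for (let off = 0; off < padded.length; off += rate) {
    for (let i = 0; i < rate / 8; i++) A[i] ^= padded.readBigUInt64LE(off + i * 8);
    keccakF(A);
  }
  const out = Buffer.alloc(32);
  for (let i = 0; i < 4; i++) out.writeBigUInt64LE(A[i], i * 8);
  return '0x' + out.toString('hex');
}

const toWord = n => Buffer.from(BigInt(n).toString(16).padStart(64, '0'), 'hex');

// A uint in storage is the big-endian value of the word (the post's 0x7b -> 123).
const decodeUint = word => BigInt(word);

// bytes32 holds raw bytes, left-aligned and zero-padded on the right.
function decodeBytes32String(word) {
  const buf = Buffer.from(word.slice(2), 'hex');
  let end = buf.length;
  while (end > 0 && buf[end - 1] === 0) end--;
  return buf.subarray(0, end).toString('utf8');
}

// A Solidity `string` of at most 31 bytes shares its slot with length * 2 in the lowest byte.
function decodeShortString(word) {
  const buf = Buffer.from(word.slice(2), 'hex');
  return buf.subarray(0, buf[31] / 2).toString('utf8');
}

// Consecutive variables smaller than 32 bytes are packed into one slot, the first
// declared one at the least-significant end. layout: [{ name, bytes }, ...]
function unpackSlot(word, layout) {
  let v = BigInt(word);
  const out = {};
  for (const { name, bytes } of layout) {
    out[name] = v & ((1n << BigInt(bytes * 8)) - 1n);
    v >>= BigInt(bytes * 8);
  }
  return out;
}

// Dynamic array declared at slot p: element i (one word each) is at keccak256(p) + i.
const arrayElementSlot = (p, i) =>
  '0x' + (BigInt(keccak256(toWord(p))) + BigInt(i)).toString(16).padStart(64, '0');
// Mapping declared at slot p: m[k] is at keccak256(abi.encode(k, p)).
const mappingSlot = (p, k) => keccak256(Buffer.concat([toWord(k), toWord(p)]));

// Words from the post, and constructed ones for layouts the post does not show.
const POST_UINT_WORD = '0x000000000000000000000000000000000000000000000000000000000000007b';
const POST_BYTES32_WORD = '0x4141414242424343430000000000000000000000000000000000000000000000';
const PACKED_WORD = '0x' + '0'.repeat(18) + '001f' + '01' + '1'.repeat(40); // constructed: uint16 31, bool true, address
const SHORT_STRING_WORD = '0x6869' + '00'.repeat(29) + '04';                  // constructed: "hi", lowest byte = 2 * length
const PACKED_LAYOUT = [{ name: 'owner', bytes: 20 }, { name: 'flag', bytes: 1 }, { name: 'u16', bytes: 2 }];

console.log(decodeUint(POST_UINT_WORD), decodeBytes32String(POST_BYTES32_WORD));
console.log(unpackSlot(PACKED_WORD, PACKED_LAYOUT), decodeShortString(SHORT_STRING_WORD));
console.log(arrayElementSlot(6, 0), mappingSlot(7, 1));
```

Run it with node. The uint word decodes to 123 and the bytes32 word to AAABBBCCC, matching the manual conversions above; arrayElementSlot(6, 0) returns keccak256(abi.encode(uint256(6))), which is the 0xf652… value the post shows for slot 6. The keccak256 here is included only to keep the example offline; in a real script you would take it from web3.utils.keccak256 instead.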

0x05 Means of defense

Everything in contract storage is public: eth_getStorageAt lets anyone read any slot of any contract, and the Solidity private keyword only restricts access from other contracts, it does not hide data. There is therefore no on-chain defense. Do not store secrets (passwords, keys, seed values) in contract storage. If a contract must check a secret, store only its hash and compare against that, and remember that the preimage becomes public the moment it is sent in a transaction, so such a secret is single-use at best.

lunaray

Lunaray takes a leading position in smart contract auditing and consulting service for blockchain security.