# Ethernaut 6: Force

By [0xbanky](https://paragraph.com/@banky) · 2022-08-16

---

My solution for my 6th ethernaut challenge:

[https://ethernaut.openzeppelin.com/level/0x22699e6AdD7159C3C385bf4d7e1C647ddB3a99ea](https://ethernaut.openzeppelin.com/level/0x22699e6AdD7159C3C385bf4d7e1C647ddB3a99ea)

Investigation
-------------

The code for the contract here is very simple. The contract does not have a `receive` or `fallback` function, so it does not intend to receive any ether. The challenge here is to send some ether to the contract unexpectedly.

    // SPDX-License-Identifier: MIT
    pragma solidity ^0.6.0;
    
    contract Force {/*
    
                       MEOW ?
             /\_/\   /
        ____/ o o \
      /~____  =ø= /
     (______)__m_m)
    
    */}
    

I was not familiar with any ways of sending ether to a contract without through the fallback methods. In fact, I tried sending funds directly to the contract address with metamask but the transaction [failed](https://rinkeby.etherscan.io/tx/0xa59b868467b78e48974c76566849d78971d97f969985b60ee4c6efcd76baf8aa).

So, to the docs! Under the section for `receive`, there is a handy warning about receiving funds

> A contract without a receive Ether function can receive Ether as a recipient of a _coinbase transaction_ (aka _miner block reward_) or as a destination of a `selfdestruct`.

If the contract address receives a miner block reward or if it is the destination of a `selfdestruct`, it will always receive that ether even without a fallback function. I was not aware of `selfdestruct`, so I did some more digging.

> `selfdestruct` sends all remaining Ether stored in the contract to a designated address.

This looks very handy. If I can create a new contract, I should be able to use `selfdestruct` to send the ether in the contract to the one I am interested in attacking

Solution
--------

I created a new solidity contract to attack the contract of interest

    contract ForceSendEther {
        address payable recepient;
    
        constructor(address payable _recepient) {
            recepient = _recepient;
        }
    
        receive () external payable {}
    
        function attack() public {
            selfdestruct(recepient);
        }
    }
    

I now deployed this contract and sent a little bit of eth to it. Finally, calling the `attack` function on my contract, I self destruct it and the EVM sends all the eth in the contract to the recipient. Interestingly, the ether shows up in the contract, but there were no transactions indicating it did

[https://rinkeby.etherscan.io/address/0xFe58aDE3a009C593cF5621dB793f5dBEd403523D](https://rinkeby.etherscan.io/address/0xFe58aDE3a009C593cF5621dB793f5dBEd403523D)

I think this has an interesting implication that there is no paper trail when ether is sent to a contract this way.

What I learned
--------------

1.  Even without a fallback function, contract A can still be forced to receive ether if contract B `selfdestruct`’s and sets contract A as the recipient
    
2.  There is no visible transaction in etherscan indicating that ether was deposited. Rather, the ether just shows up in the new contract. I will investigate this further

---

*Originally published on [0xbanky](https://paragraph.com/@banky/ethernaut-6-force)*