https://github.com/kyrers
In this post, I will share my explanations for the Miscellaneous section of the Capture The Ether challenges. There are plenty of solutions around the web - my goal was to solve the challenges locally, avoiding Etherscan when possible, and writing code locally.
You can find the code here.
Let’s begin.
This challenge might be the easiest.
Solidity now allows you to use the constructor keyword so constructors stand out. However, the challenge contract doesn't use that keyword. If you look at the code you'll notice a severe error: the function that's meant to be the constructor is misspelled as AssumeOwmershipChallenge, allowing anyone to call it and become the owner.
There's not much to this challenge, just:
1. Get the contract ABI and address;
2. Get the private key of the Ropsten account you are using to interact with Capture The Ether. Otherwise, you can't pass the challenge, as CTE doesn't know who you are;
3. Get the contract and connect to it using your account;
4. Call AssumeOwmershipChallenge;
5. Call authenticate;
6. Win;
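The misspelled-constructor bug next to its fix, as an added sketch that is not the challenge's or the author's code. The contract names, the owner variable and the body of authenticate are assumptions; only the function names AssumeOwmershipChallenge and authenticate come from the post.

```solidity
pragma solidity ^0.4.22;

// Before: old-style constructor, i.e. a function that must be named exactly
// like the contract. One wrong letter and it is an ordinary public function.
contract AssumeOwnershipChallenge {
    address public owner;          // assumed state variable
    bool public isComplete;        // assumed state variable

    // "Owmership" != "Ownership": this never runs at deployment and stays
    // callable by any account for the lifetime of the contract.
    function AssumeOwmershipChallenge() public {
        owner = msg.sender;
    }

    function authenticate() public {
        require(msg.sender == owner);
        isComplete = true;
    }
}

// After: the constructor keyword (available from Solidity 0.4.22) cannot be
// misspelled into a callable function. From 0.5.0 on, the compiler rejects
// function-name constructors entirely.
contract AssumeOwnershipFixed {
    address public owner;
    bool public isComplete;

    constructor() public {
        owner = msg.sender;        // runs exactly once, at deployment
    }

    modifier onlyOwner() {
        require(msg.sender == owner);
        _;
    }

    function authenticate() public onlyOwner {
        isComplete = true;
    }
}
```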
This challenge involves two contracts: TokenBankChallenge, which acts as a bank as the name suggests, and SimpleERC223Token, the token it deploys. The bank assigns half of the tokens to the CTE challenge factory, given that it created the TokenBankChallenge contract, and half to the player, meaning us. Our goal is to withdraw all 1000000 tokens, not just our 500000.
It's important to know that one difference between the ERC20 and ERC223 token standards is that ERC223 notifies the recipient of a transfer by calling its tokenFallback function when the recipient is a contract.
Now, as you've probably guessed, the TokenBankChallenge withdraw function must be used. If you look through the function, you'll see that it is vulnerable to reentrancy attacks, as it only updates the msg.sender balance after sending the funds.
So, even though this looks like a lot of code, the solution isn't all that complicated. We just need to create a contract that has a tokenFallback function that keeps withdrawing until the contract is empty. This tokenFallback function will be called by the SimpleERC223Token contract on each withdrawal, allowing us to check if there are tokens left and keep withdrawing until it is empty.
Even though it is obvious, you must not forget that you can only withdraw funds that you have, so before initiating our attack we'll need to send our tokens to the attack contract and deposit them in the bank again.
So, here are the steps needed:
1. Get the bank contract ABI and address;
2. Get the token contract ABI;
3. Deploy the TokenBankHelper contract;
4. Get the bank contract;
5. Get the token contract that the challenge bank is using;
6. Withdraw your 500000 tokens;
7. Send your 500000 tokens to the TokenBankHelper;
8. Deposit them in the bank;
9. Initiate the attack by withdrawing 500000;
10. Wait until the TokenBank contract is empty;
11. Win;
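The withdraw ordering described above, next to a hardened version, as an added sketch that is not the challenge's or the author's code. The contract names, the IToken interface and the balanceOf mapping are assumptions modeled on the post's description.

```solidity
pragma solidity ^0.4.22;

// Assumed minimal token interface: transfer() notifies contract recipients
// through tokenFallback, as the post describes for ERC223.
interface IToken {
    function transfer(address to, uint256 value) external returns (bool);
}

// Before: tokens leave the bank before the ledger is updated.
// Deposits (crediting balanceOf) are outside this example.
contract BankBefore {
    IToken public token;
    mapping(address => uint256) public balanceOf;

    constructor(address _token) public { token = IToken(_token); }

    function withdraw(uint256 amount) public {
        require(balanceOf[msg.sender] >= amount);
        // External call: the recipient's tokenFallback runs here, while
        // balanceOf[msg.sender] still holds the old value.
        require(token.transfer(msg.sender, amount));
        // Too late. On 0.4.x this subtraction also wraps instead of reverting.
        balanceOf[msg.sender] -= amount;
    }
}

// After: checks, effects, interactions, plus a lock as defense in depth.
contract BankAfter {
    IToken public token;
    mapping(address => uint256) public balanceOf;
    bool private locked;

    constructor(address _token) public { token = IToken(_token); }

    modifier nonReentrant() {
        require(!locked);          // a nested call into withdraw reverts here
        locked = true;
        _;
        locked = false;
    }

    function withdraw(uint256 amount) public nonReentrant {
        require(balanceOf[msg.sender] >= amount);    // check
        balanceOf[msg.sender] -= amount;             // effect
        require(token.transfer(msg.sender, amount)); // interaction
    }
}
```

Even without the lock, updating the ledger first means a nested withdraw fails the balance check, and a failed transfer reverts the whole call so the debit is undone.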