Web3 Security and Hacks that I find interesting.
ProxyMr Steal Yo Crypto - Jpeg Sniper
DisclaimerThis is not a walkthrough of every contract or code of the challenge. I am sharing my notes and resources I have used to complete this challenge, as well as some lessons I think are useful to take away after completing the challenge. I highly recommend you finish the challenge yourself first and only use this as additional content.NotesBaseLaunchpegNFT is basically an ERC721 ownable token that uses the counters contract to track the number of NFTs for functions that return the total...
ProxySynopsis of DeFiRanger: Detecting Price Manipulation Attacks On DeFi Applications
Paper Source: https://arxiv.org/pdf/2104.15068.pdfIntroductionThe most popular DeFi applications are Decentralized Exchanges (DEXes) and lending apps. They both heavily depend on getting the price of an asset correct. There are two types of attacks that manipulate the price of an asset. Direct and indirect price manipulation attacks. As the name suggests, the former one means that an attacker directly manipulates the token price in a pool of an AMM. It is usually achieved through performing a...
ProxyMr Steal Yo Crypto - Jpeg Sniper
DisclaimerThis is not a walkthrough of every contract or code of the challenge. I am sharing my notes and resources I have used to complete this challenge, as well as some lessons I think are useful to take away after completing the challenge. I highly recommend you finish the challenge yourself first and only use this as additional content.NotesBaseLaunchpegNFT is basically an ERC721 ownable token that uses the counters contract to track the number of NFTs for functions that return the total...
ProxySynopsis of DeFiRanger: Detecting Price Manipulation Attacks On DeFi Applications
Paper Source: https://arxiv.org/pdf/2104.15068.pdfIntroductionThe most popular DeFi applications are Decentralized Exchanges (DEXes) and lending apps. They both heavily depend on getting the price of an asset correct. There are two types of attacks that manipulate the price of an asset. Direct and indirect price manipulation attacks. As the name suggests, the former one means that an attacker directly manipulates the token price in a pool of an AMM. It is usually achieved through performing a...
Web3 Security and Hacks that I find interesting.
Subscribe to Proxy
Subscribe to Proxy
Share Dialog
Share Dialog
<100 subscribers
<100 subscribers
This is not a walkthrough of every contract or code of the challenge. I am sharing my notes and resources I have used to complete this challenge, as well as some lessons I think are useful to take away after completing the challenge. I highly recommend you finish the challenge yourself first and only use this as additional content.
GameAsset and AssetHolder seem like normal ERC721 and ERC1155 contracts
Looking at AssetWrapper contracts wrap function we see it immediately calls _wrap which mints an ERC1155 token to assetOwner parameter without any check that it is the owner of the ERC721 token, so anyone can mint the ERC1155.
Another major problem is the fact that _wrap calls ERC1155s _mint function which can be maliciously used via Reentrancy, because the _mint function calls an external function onERC1155Received to check that a contract can receive the ERC1155 token.
Wrapping tokens into ERC1155 can be dangerous because there are several functions from which we can reenter a contract if there is no ReentrancyGuard implemented
The vulnerable ERC1155 functions are safeTransferFrom(), safeBatchTransferFrom(), _mint() and _mintBatch() (more on this in Resources section).
This is because all of these functions implement an external function call to msg.sender contract, calling the onERC1155Received() function, from where an attacker can reenter.
The attack contract needs to call wrap for the first NFT with assetOwner = address(this) and implement onERC1155Received to then again call wrap for the other NFT with the same assetOwner and then call unwrap on both NFTs to trap them in the wrapper contract
This is not a walkthrough of every contract or code of the challenge. I am sharing my notes and resources I have used to complete this challenge, as well as some lessons I think are useful to take away after completing the challenge. I highly recommend you finish the challenge yourself first and only use this as additional content.
GameAsset and AssetHolder seem like normal ERC721 and ERC1155 contracts
Looking at AssetWrapper contracts wrap function we see it immediately calls _wrap which mints an ERC1155 token to assetOwner parameter without any check that it is the owner of the ERC721 token, so anyone can mint the ERC1155.
Another major problem is the fact that _wrap calls ERC1155s _mint function which can be maliciously used via Reentrancy, because the _mint function calls an external function onERC1155Received to check that a contract can receive the ERC1155 token.
Wrapping tokens into ERC1155 can be dangerous because there are several functions from which we can reenter a contract if there is no ReentrancyGuard implemented
The vulnerable ERC1155 functions are safeTransferFrom(), safeBatchTransferFrom(), _mint() and _mintBatch() (more on this in Resources section).
This is because all of these functions implement an external function call to msg.sender contract, calling the onERC1155Received() function, from where an attacker can reenter.
The attack contract needs to call wrap for the first NFT with assetOwner = address(this) and implement onERC1155Received to then again call wrap for the other NFT with the same assetOwner and then call unwrap on both NFTs to trap them in the wrapper contract
No activity yet