1️⃣2️⃣ #ETHERNAUT #level_12 #Privacy
you can access the private variables using cast :
cast storage $CHALLENGE_CONTRACT_ADDRESS 5 --rpc-url $RPC_URL
🥷🍷 <Happy Hacking/>
🔑 Smart Contract Obfuscation Techniques
1️⃣ https://titan.csit.rmit.edu.au/~e13322/hai_dong/papers/Bian_TSE2022.pdf
2️⃣ https://www.mecs-press.org/ijmsc/ijmsc-v8-n3/IJMSC-V8-N3-3.pdf
3️⃣ https://degatchi.com/articles/smart-contract-obfuscation/
📦 Transient Storage
1️⃣ https://hackernoon.com/transient-storage-ethereums-game-changing-feature
2️⃣ https://etherworld.co/2022/12/13/transient-storage-for-beginners/
3️⃣ https://soliditylang.org/blog/2024/01/26/transient-storage/
4️⃣ https://youtu.be/0-hiB5I39Mk?si=-0qy3ZeiuW_L9D8p
5️⃣ https://solidity-by-example.org/transient-storage/
6️⃣ https://www.evm.codes/#5c?fork=cancun
🧩 Function's Correct order
[public/external/internal/private] [view/pure/none] [payable|OPTIONAL] [virtual|OPTIONAL] [override|OPTIONAL] [customModifier|OPTIONAL] [returns|OPTIONAL]
🔎 Decode The `msg.data`
⁉️ Why msg.data[4:] => Because the first 4 bytes of calldata are the function selector (the hash of the function signature); the ABI-encoded arguments start right after them.
// SPDX-License-Identifier: MIT
pragma solidity 0.8.20;

contract Decode {
    // Re-decodes the call's own arguments straight from raw calldata.
    // msg.data[0:4] is the function selector, so decoding starts at byte 4.
    // The declared parameters are not read; they only fix the ABI signature
    // that callers must use (msg.data and msg.sig are allowed in pure functions).
    function run(
        string memory _i1,
        address _i2,
        uint256 _i3,
        bool _i4
    ) public pure returns (
        string memory,
        address,
        uint256,
        bool
    ) {
        return abi.decode(
            msg.data[4:],
            (string, address, uint256, bool)
        );
    }
}
⚒ Best Smart Contract Development Toolkits ( i think )
1️⃣ Foundry
- 🐈⬛ https://github.com/foundry-rs/foundry
- 📚 https://book.getfoundry.sh/
2️⃣ Hardhat
- 🐈⬛ https://github.com/NomicFoundation/hardhat
- 📚 https://hardhat.org/hardhat-runner/docs/getting-started
🤖 useful AI
1️⃣ Phind : https://www.phind.com
2️⃣ ChatGPT : https://chatgpt.com/
3️⃣ ChainGPT : https://app.chaingpt.org/
Started with Solidity, played CTFs/challenges such as HTB & Ethernaut (playing until death 🫡), learned many things, and at this point I want to start auditing the past CodeHawks First Flights 🦅✈️. I want to write the report within the specified time, then check the other auditors' submissions and compare them with mine. Hope to learn many things 🥷
🍷 Enjoy The Road
🦅✈️ First Flight 1️⃣
https://www.codehawks.com/contests/clnuo221v0001l50aomgo4nyn
🔴 [HIGH-0] Anyone can read the values of the s_password and s_owner variables because of the storage layout: the slots can be fetched and decoded.
cast storage $CONTRACT_ADDRESS 0 # s_owner
cast storage $CONTRACT_ADDRESS 1 # s_password
🔴 [HIGH-1] There is no access control on setPassword(): any user can call it without restriction and change the value of s_password.
⚪️ [INFO-0] Errors should be declared outside the contract (make them global).
⚪️ [INFO-1] The error names should be changed.
🍷 Learned :
1️⃣ Sensitive variables must not be given a default value at deployment; the deployer must pass the value to the constructor and set it there.
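The two "private storage" posts above (Ethernaut Privacy, slot 5; PasswordStore, slots 0 and 1) rest on the same fact: `private` is a Solidity visibility keyword, not encryption, and every state variable lands in a slot anyone can read with `cast storage` or `eth_getStorageAt`. The added Python example below (not code from the channel) implements the slot-packing rules from the Solidity docs so you can compute that layout before deployment, and decodes a packed slot and a short-string slot the way `cast storage` returns them. The Privacy variable order is taken from the level's source (verify against the deployed contract); the PasswordStore variables are the two named in the finding; `layout`, `decode_slot` and `decode_short_string` are my names, and the slot values fed to them are constructed.

```python
"""Solidity storage-layout calculator and slot decoder.

Rules used (Solidity docs, 'Layout of State Variables in Storage'):
* items smaller than 32 bytes are packed into one slot, lowest-order bytes first,
* an item that does not fit in the remaining space starts a new slot,
* a static array T[n] starts a new slot, spans ceil(n / per_slot) slots, and the
  variable after it starts a new slot again,
* string/bytes/mapping/dynamic array own one slot each (their data lives at
  keccak256-derived slots, not handled here).
"""
import math
import re

WORD = 32  # one storage slot is 32 bytes


def value_size(t: str) -> int:
    """Byte width of a value type that may share a slot with its neighbours."""
    if t == "bool":
        return 1
    if t == "address":
        return 20
    m = re.fullmatch(r"u?int(\d*)", t)
    if m:
        return int(m.group(1) or 256) // 8
    m = re.fullmatch(r"bytes(\d+)", t)
    if m:
        return int(m.group(1))
    return WORD  # string, bytes, mapping, dynamic array: a full slot


def layout(variables):
    """Return [(name, type, slot, offset, nbytes)] for variables in declared order."""
    out, slot, offset = [], 0, 0
    for name, t in variables:
        arr = re.fullmatch(r"(.+)\[(\d+)\]", t)
        if arr:  # static array: own slots, and force the next variable onto a new slot
            elem, n = value_size(arr.group(1)), int(arr.group(2))
            nslots = math.ceil(n / (WORD // elem))
            if offset:
                slot, offset = slot + 1, 0
            out.append((name, t, slot, 0, nslots * WORD))
            slot += nslots
            continue
        size = value_size(t)
        if offset + size > WORD:
            slot, offset = slot + 1, 0
        out.append((name, t, slot, offset, size))
        offset += size
        if offset == WORD:
            slot, offset = slot + 1, 0
    return out


def decode_slot(slot_hex: str, entries):
    """Split one raw 32-byte slot (as printed by `cast storage`) into the packed
    variables listed in `entries` (tuples as returned by layout())."""
    raw = int(slot_hex, 16)
    return {name: (raw >> (8 * offset)) & ((1 << (8 * size)) - 1)
            for name, _t, _slot, offset, size in entries}


def decode_short_string(slot_hex: str) -> str:
    """A string of at most 31 bytes is stored in place: data left-aligned,
    lowest byte = 2 * length. Longer strings set the low bit and live elsewhere."""
    raw = bytes.fromhex(slot_hex.removeprefix("0x"))
    if raw[-1] & 1:
        raise ValueError("long string: data is at keccak256(slot), not in place")
    return raw[: raw[-1] // 2].decode()


# Ethernaut 'Privacy' state variables in declaration order (from the level source).
PRIVACY = [("locked", "bool"), ("ID", "uint256"), ("flattening", "uint8"),
           ("denomination", "uint8"), ("awkwardness", "uint16"), ("data", "bytes32[3]")]
# PasswordStore from First Flight #1: the two variables named in HIGH-0.
PASSWORD_STORE = [("s_owner", "address"), ("s_password", "string")]

if __name__ == "__main__":
    for name, t, slot, off, size in layout(PRIVACY) + layout(PASSWORD_STORE):
        print(f"{name:13} {t:11} slot {slot:<2} offset {off:<2} ({size} bytes)")
    # constructed slot-2 value: awkwardness=0x1234, denomination=0xff, flattening=0x0a
    slot2 = "0x" + "00" * 28 + "1234ff0a"
    print(decode_slot(slot2, [e for e in layout(PRIVACY) if e[2] == 2]))
    # constructed slot-1 value for a 10-byte in-place string
    pw_slot = "0x" + ("myPassword".encode().ljust(31, b"\x00") + bytes([20])).hex()
    print(decode_short_string(pw_slot))
```

Running it shows `data` starting at slot 3 and spanning 96 bytes, so `data[2]` is slot 5 (the `cast storage ... 5` from the Privacy post), and `s_password` at slot 1 right after the 20-byte `s_owner` that could not share a slot with a 32-byte string. The mitigation is the one the channel draws: nothing that must stay secret belongs in contract storage at all, whatever its visibility.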
📜 About Remappings in foundry ( something like alias )
🔗 https://book.getfoundry.sh/projects/dependencies#remapping-dependencies
🪖 Glider
1️⃣ Hexens Secureum Workshop
2️⃣ JohnnyTime YT Video
3️⃣ Owen YT Video [1] - [2]
4️⃣ daily-glider
5️⃣ Glider Gitbook
6️⃣ Kasper Zwijsen
7️⃣ Officer CIA
8️⃣ rxyz's YT
👑 ALΞCTRONA - The Educational Hub for Blockchain & Smart Contract Security!
🔗 https://linktr.ee/alectrona.eth
📝 Smart Contract Layout
1️⃣ Pragma statements
2️⃣ Import statements
3️⃣ Interfaces
4️⃣ Libraries
5️⃣ Contracts
📝 Inside contract, library or interface :
1️⃣ State variables
2️⃣ Events
3️⃣ Modifiers
4️⃣ Struct, Arrays or Enums
5️⃣ Constructor
6️⃣ Fallback OR Receive function
7️⃣ External functions
8️⃣ Public functions
9️⃣ Internal functions
🔟 Private functions
💻 Deployed my First contract using thirdweb :
🤩 you can deploy & verify your smart contract just using one command & many other options
🔗 https://sepolia.etherscan.io/address/0xA4B8E72aB7a1BE73470Bd6207774ac2d474700A6
@nxenon54 ❤️😆
npx thirdweb deploy