Day 74 of #100DaysOfDeFI 🚀 Today I learned about Delegate Call vulnerability in #Solidity 🦹🏼♀️ When using delegatecall opcode one should be careful because wrong usage will lead to unexpected results ⚠️ #womenwhocode#100DaysOfCode
How it works 🧵
1/ What delegatecall is? When contract A uses delegatecall to call contract B it means that the contract B code will be executed inside context of the contract A: storage, msg.sender, msg.value, msg.data, etc will be the A’s context.
2/ Storage layout must be the same for contract A and contract B → it means both contracts should declare the same state variables in the same order 👾
3/ Create a contract Lib that has a functionality of setting a msg.sender as an “owner” state variable 👇
4/ Then create a vulnerable contract HackMe → it uses delegatecall when calling Lib contract 👩🏻💻 When fallback function is called, it sends to the Lib contact msg data to execute 👇
5/ Then, implement an Attack contract that will exploit the vulnerability of HackMe contract 🦹🏼♀️ The attack tries to call pwn function in HackMe and since it doesn’t exist it redirects to fallback. The fallback delegates call to Lib and sets the attacker’s address as the owner 👾
6/ Let’s try it out in Remix! First deploy Lib contract, copy its address and use it for deploying HackMe contract. Then check the owner of HackMe → it should be the address that we used to deploy the contracts👇
7/ It’s time for a mischief! 🦹🏼♀️ Deploy the Attack contract with HackMe address. Then click on “attack” button and see what it’s done: the owner of HackMe contract has changed to the Attacker’s 👻
• • •
Missing some Tweet in this thread? You can try to
force a refresh
Day 75 of #100DaysOfDeFI 🚀 today 3/4 of the challenge is done! 🎉 Also today I finish exploring Solidity vulnerabilities with learning about Denial of service (DoS) attacks 🦹🏼♀️ #womenwhocode#100DaysOfCode
How it works 🧵
1/ There are many ways to attack a smart contract and at some point create a DoS⚡
2/ Denial of Service attack paralyzes a smart contract and makes it temporarily unusable 🛑
Day 73 of #100DaysOfDeFI 🚀 Learned about Self Destruct vulnerability in #Solidity 🦹🏼♀️ Selfdestruct deletes the contract from the blockchain and and sends all Ether to a designated address 💸 In some scenarios it can lead to unexpected problems ❌ #100DaysOfCode
How it works 🧵
1/ Let’s see how it works with an example of a simple game 🎲 Players send to the contract 1 token 🪙 the one who deposits the fifth token wins 🏆
Game code 👇
Day 72 of #100DaysOfDeFI 🚀 Today I looked at arithmetic Over/Under Flows in #Solidity 👾 This vulnerability been secured by the current Solidity version 🦸♂️ Nevertheless, it is important to understand what it is and how to avoid it 👩🏻💻 #womenwhocode#100DaysOfCode
Summary 🧵
1/ An overflow in Solidity occurs when a number is incremented beyond its maximum value. For example, if we have a uint8 with a value of 255 and increment it by 1, it will “reset” and set a value to 0. Remember, the maximum value for uint8 is 255❗
2/ Similar thing happens when we decrease a value beyond its minimal level. Taking the same example, if a uint8 is set to 0 and we decrease it by 1, it will set to 255, since 0 is the minimal value of uint8❗
Day 71 of #100DaysOfDeFI 🚀 looked at Re-Entrancy vulnerability🦹🏻 It is one of the most destructive attacks in the #Solidity smart contracts 💸 The untrusted contract that exploits the vulnerability is able to drain all user's funds 🚰 #100DaysOfCode
How it works 🧵
1/ To make it happen, there should be 2 contracts: a vulnerable contract and an attacker’s contract 👺
2/ The attacker should deposit some funds into the vulnerable contract 💰
Day 68 of #100DaysOfDeFI 🚀 Today I worked on the Factory smart contract that is a part of the decentralized exchange architecture 💱 Factory creates and keeps track of all Pair contracts 👩🏻💻 #womenwhocode#100DaysOfCode
Summary 🧵
1/ The Factory will include:
🔷 createPair - create a Liquidity Pool;
🔷 adjustAmount - adjust a number of tokens using a formula;
🔷 getReserves - a getter function;
🔷 addLiquidity - add liquidity to the LP;
🔷 removeLiquidity - withdraw liquidity;
🔷 trade1for2 - swap tokens.
2/ First, initialize contract and define the state variables 👩🏻💻
Day 67 of #100DaysOfDeFI 🚀 Today I continued creating a basic DEX 👩🏻💻 and focused on developing a Pair smart contract 👾 Pair represents the Liquidity Pool 🪙 it is in charge of swapping 💱 managing the liquidity pool and burning 🔥 #womenwhocode#100DaysOfCode
Summary 🧵
1/ In this example of the Pair smart contract I’ll implement the following methods:
🔶 getReservers - get quantities of each token;
🔶 updateReserves - update the tokens’ quantities;
🔶 swap - exchange two tokens;
🔶 withdrawTokens - send the tokens back to the LP.
2/ First, initialize the Pair contract. We’ll need to import some contracts from OpenZeppelin and a Tokens contract from the day 66 of the challenge. Initialize state variables and constructor, too👩🏻💻