Ethernaut Level 15, “Naught Coin,” throws you headfirst into the world of ERC20 tokens and their potential vulnerabilities. This challenge presents a seemingly locked contract with a 10-year transfer lock on your own token balance. But fear not, intrepid hacker (for educational purposes only!), there’s a way to bypass this lock. Here’s a walkthrough on how to conquer Level 15 and the key takeaways you’ll gain.

Understanding the Challenge:

Upon entering Ethernaut Level 15, you’ll be presented with a deployed Naught Coin contract. This contract inherits the standard ERC20 functionality, allowing you to view your token balance but preventing any transfers due to the built-in timelock. The objective? Find a way to bypass the lock and transfer your tokens out of the contract.

The Exploit: Abusing Approvals

The key to cracking the Naught Coin vault lies in understanding the approve function within the ERC20 standard. This function allows users to grant permission to another address (called a spender) to transfer a specific amount of tokens on their behalf.

The vulnerability in this challenge stems from the way the Naught Coin contract interacts with the timelock. While the transfer function is restricted, the approvefunction doesn’t have the same limitations. This creates an opportunity for exploitation of the transferFrom  function.

The Walkthrough:

1. Check Your Balance: Use the console to create a new constant: player and to view your initial token balance in the Naught Coin contract: 

2. Copy the contract into Remix IDE and replace the import with this URL: https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/contracts/token/ERC20/ERC20.sol

3. Compile the code and go to the deploy section, make sure to select Injected Provider – MetaMask as environment. Then copy the instance address in the “At address” field to deploy the contract at that address.

4. Check the player function to see if it’s match your address and check the balance as well.

5. Approve Your Own Address: Here comes the clever part. Use the approve function to grant your own address permission to transfer your entire token balance. In essence, you’re approving yourself to move your own tokens.

6. Transfer Using transferFrom: Now, here’s the twist. Instead of using the transfer function (which is locked), leverage the transferFrom function. This function allows an approved spender (which is your address in this case) to transfer tokens on behalf of the owner (also your address). 

Go to etherscan find a random address and enter it in the “To” address in the transferFrom function. Then transfer the tokens to that address.

7. Check the your balance it should be reduced to 0

8. Finally submit the instance. Congratulations you passed this level

By cleverly using transferFrom with your own address as both the spender and the owner, you can bypass the timelock and transfer your entire token balance out of the contract, effectively “draining” it.

Conclusion:

By exploiting the mismatch between the locked transfer function and the unrestricted approve function, you’ve successfully bypassed the timelock and transferred your tokens in the Ethernaut Level 15 challenge. This walkthrough of the Ethernaut challenge highlights the importance of careful contract design and security audits within the DeFi space. Approaching unfamiliar tokens, especially those with custom logic or odd functionalities, requires extra caution.

FAQs:

Is this a vulnerability in all ERC20 tokens?

• No, not necessarily. This exploit relies on a specific design flaw in the Naught Coin contract. Well-written ERC20 contracts should have proper access control mechanisms to prevent such abuses.

What are the takeaways from this challenge?

• This challenge emphasizes the importance of understanding ERC20 token standards and potential vulnerabilities associated with approvals. It also highlights the need for thorough contract audits before deployment in DeFi.

Can I get my tokens back after draining them?

• Unfortunately, no. Once you transfer your tokens out, they’re gone from the Naught Coin contract. This is why it’s crucial to only use such exploits in educational settings and never on real contracts with your funds.

Are there other ways to solve this challenge?

• While the approve and transferFrom approach is a common solution, there might be alternative ways to exploit the contract’s logic depending on its specific implementation.

What’s next on my Ethernaut journey?

• Ethernaut offers a variety of challenges with increasing difficulty. Keep exploring to learn more about smart contract vulnerabilities and how to write secure code for the blockchain!