Ethernaut Level 8 Walkthrough: Vault

Ethernaut challenges, akin to a hacking Capture The Flag (CTF) for Web3 enthusiasts, provide an immersive platform to explore Ethereum and Solidity programming. Each challenge presents a unique smart contract puzzle, testing your skills in identifying and exploiting vulnerabilities.

For a full-stack software engineer venturing into the world of blockchain technology, Ethernaut challenges serve as stepping stones to understanding smart contract vulnerabilities. With each challenge, we gain deeper insights into blockchain security, enhancing our capabilities in decentralized application development. In this post we walk through Ethernaut Level 8, where we unravel the mysteries of Solidity smart contracts and master the art of bypassing security locks.

Decoding the Vault Contract

Explore the inner workings of the Vault contract, designed with a clever locking mechanism:

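// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

contract Vault {
    // Public flag: true while the vault is locked.
    bool public locked;
    // "private" only blocks access from other contracts; the value still sits in contract storage.
    bytes32 private password;

    // Lock the vault and store the password supplied at deployment.
    constructor(bytes32 _password) {
        locked = true;
        password = _password;
    }

    // Unlock the vault if the supplied value matches the stored password.
    function unlock(bytes32 _password) public {
        if (password == _password) {
            locked = false;
        }
    }
}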

Unveiling the secrets

  • locked: Indicates whether the vault is locked (true) or unlocked (false).
  • password: Privately stores the password as a bytes32 hash.

The constructor initializes the vault with the specified password and locks it initially.

The unlock function checks if the provided password matches the stored password to unlock the vault.

Understanding the Vulnerability

The vulnerability in this smart contract lies in storing sensitive information (the password) directly on the blockchain. Because the blockchain is decentralized and transparent, all data stored on it is visible to anyone. This means that even though the password is declared as a private variable (bytes32 private password), its value can still be retrieved and manipulated through various techniques.

Why is Blockchain Transparent?

Blockchain’s transparency stems from its fundamental design principles. Blockchain operates on a distributed ledger where every transaction is recorded and verified by multiple nodes in the network. This transparency ensures immutability and trust but also means that data stored on the blockchain, including smart contract state variables, is accessible and auditable by anyone.

Cracking the Vault: Techniques Revealed

Uncover strategic techniques to deal with the Ethernaut Challenge 8:

Approach 1: Leveraging Blockchain Explorer

Transaction Analysis

Analyze blockchain transactions associated with the Vault contract.

State Change Identification

Identify transactions altering the contract state, particularly changes to the password variable.

Retrieve Password Hash

Extract the hashed password value from relevant transactions to unlock the vault.

Approach 2: Harnessing Ethereum Developer Console

Deploy New Contract Instance

Click the new instance button on the Ethernaut challenge page.

Access Developer Console

Press F12 on the keyboard to open the developer console.

Retrieve Password Hash

Execute the command await web3.eth.getStorageAt(contract.address, 1) to retrieve the stored password hash. This command reads storage slot 1, which is the 2nd storage slot because slots are numbered from 0: locked occupies slot 0, and the password variable is stored in the slot after it. To understand more about storage slots in blockchain, check this link.

Unlock the Vault

Utilize the retrieved password hash to call the unlock function and gain access to the vault.
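The slot reasoning behind getStorageAt(contract.address, 1), as an added example that is not part of the original walkthrough: it computes where Vault's state variables live and decodes them from raw slot words, including the packing of smaller value types that Vault itself does not need. The size table, the helper names and the sample storage words are assumptions constructed for illustration.

```javascript
// Added example (not from the original post): Solidity storage layout for
// simple value types, applied to the Vault contract's two state variables.
const SIZES = { bool: 1, uint8: 1, uint128: 16, address: 20, uint256: 32, bytes32: 32 };

// Assign (slot, offset) in declaration order. A value type shares the current
// 32-byte slot if it fits in the remaining bytes, otherwise it opens a new slot.
function storageLayout(vars) {
  let slot = 0, offset = 0;
  return vars.map(({ name, type }) => {
    const size = SIZES[type];
    if (size === undefined) throw new Error(`unsupported type: ${type}`);
    if (offset + size > 32) { slot += 1; offset = 0; }
    const entry = { name, type, slot, offset, size };
    offset += size;
    return entry;
  });
}

// Cut one variable out of a slot word (hex, as getStorageAt returns it).
// Packed values are right-aligned: offset 0 is the lowest-order byte.
function readVar(slotHex, entry) {
  const word = slotHex.replace(/^0x/, "").padStart(64, "0");
  const end = 64 - entry.offset * 2;
  return "0x" + word.slice(end - entry.size * 2, end);
}

// Decode every declared variable, private or not, from raw slot words.
function decodeState(slots, vars) {
  const out = {};
  for (const e of storageLayout(vars)) out[e.name] = readVar(slots[e.slot], e);
  return out;
}

// Vault's declarations, in source order.
const VAULT_VARS = [{ name: "locked", type: "bool" }, { name: "password", type: "bytes32" }];

// Constructed sample storage (not from a real instance): slot 0 holds
// locked = true, slot 1 holds a made-up 32-byte ASCII value.
const SAMPLE_SECRET = "constructed sample password 0001";
const SAMPLE_SLOTS = [
  "0x" + "00".repeat(31) + "01",
  "0x" + Buffer.from(SAMPLE_SECRET, "ascii").toString("hex"),
];

const state = decodeState(SAMPLE_SLOTS, VAULT_VARS);
console.log(storageLayout(VAULT_VARS));
console.log(state.locked, Buffer.from(state.password.slice(2), "hex").toString("ascii"));
```

The private keyword plays no part in the layout or the decoding: visibility restricts calls from other contracts, not reads of the underlying storage.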

Accessing and Submitting the Solution

Once you have retrieved the password, copy the contract code and create a new contract Vault in Remix IDE.

Compile the code, then use the “At Address” feature to load the contract at the instance address retrieved from the Ethernaut browser console.

Call the unlock function of the deployed contract instance using the retrieved password hash.

After successfully unlocking the vault, submit the instance on Ethernaut platform to complete the challenge.

Conclusion: Ethernaut Level 8

Ethernaut Challenge 8 provides invaluable lessons in smart contract vulnerabilities, emphasizing the importance of robust security practices in blockchain development. Unlock the vault responsibly and continue your journey towards mastering blockchain security!

Ready for the next Ethernaut challenge? Click to check out the previous ethernaut challenge and see what’s next in our series!

FAQs

What is the vulnerability in Ethernaut Challenge 8?

  • Ethernaut Challenge 8 exposes the risk of storing sensitive data (like passwords) directly in smart contract state variables, which can be exploited through blockchain analysis.

How can developers mitigate risks associated with smart contract vulnerabilities?

  • Developers should avoid storing sensitive information directly in contract state and utilize encryption techniques for protection.

What skills are essential for tackling Ethernaut challenges?

  • Solidity proficiency, Ethereum smart contract understanding, and strategic problem-solving abilities in a blockchain context.

Which tools are recommended for Ethernaut challenges?

  • Use Remix IDE for Solidity development, MetaMask for Ethereum interactions, and Etherscan for blockchain insights.

Can participants engage in Ethernaut challenges without using real ETH?

  • Yes, explore test networks like Sepolia or Holesky, where test ETH is available for learning and challenges.