Ethernaut — Level 17 — Recovery
Have you ever wondered how the seemingly random 20-byte address is generated every time you deploy a smart contract? Let us understand the process in brief by solving this challenge. We already know that the externally owned address we see in our MetaMask wallet is derived from our public key (the last 20 bytes of its Keccak-256 hash). Similarly, when a smart contract is deployed, the new address is derived from the creator address and the creator's nonce (for an externally owned account, the number of transactions it has sent; for a contract, the number of contracts it has created), so a new unique value is produced every time.
The formula is self-explanatory: the new address is the last 20 bytes of the Keccak-256 hash of the RLP encoding of the pair (creator address, nonce). For the current scenario, you can treat RLP as just a deterministic encoding step. As part of the challenge, we are also going to learn to compute our lost contract address and retrieve the ETH from it.
Click here to access the source code.
The Investigation
We see two contracts, Recovery and SimpleToken. Our task is to find the address of the SimpleToken contract so that we can move its ETH to the player account. SimpleToken's destroy function is public with no access control, so anyone who knows the contract address can call it; the address can be recovered using two methods.
The first is simpler, since we are working on the Rinkeby network: paste the level instance (Recovery contract) address into the Rinkeby explorer and look under its internal transactions for the first Contract Creation. The address created there is your SimpleToken contract.
The second method is to perform the RLP encoding followed by Keccak-256 hashing. The nonce is 0x01: a contract's nonce starts at 1 (since EIP-161), and SimpleToken is the first contract the Recovery contract created. The result is highlighted in the below screenshot.
From the previous challenge we already know what selfdestruct does. If you don't remember, it transfers the contract's remaining ETH balance to the address passed as its argument and removes the contract; in SimpleToken, the destroy method simply calls selfdestruct with the address you pass in. (On chains past the Cancun upgrade, EIP-6780 makes selfdestruct keep the contract's code unless it runs in the same transaction that created the contract, but it still sends the full balance, so this step still drains SimpleToken.)
Finally, we call the destroy method of the SimpleToken contract with the player address as the argument, which transfers the contract's ETH balance to the player.
Thanks for Reading!