Ethernaut — Level 5— Token
I hope some of us aware of Buffer Overflow attacks, this challenge is kind of similar to kind of attack as we are going to perform a similar attack called Overflow attack. To understand the attack you need to first understand how the datatype “uint” works in solidity. For the sake of simplicity lets consider “uint8”
Integer Overflow vs Underflow
uint8 — represents an unsigned integer with lower range value as 0 and upper range values as 255. The attack happens when we try to add or subtract the value 1 when its current value is at the extremes (0 or 255).
First one being Integer Overflow. If we represent the uint8 in form of 8-bit, then what actually happens is that when we add 1 to the value 255, it resets the bits and the current value instead of 256 changes to 0. Refer the diagram below for better understanding.
Similarly, in Integer Underflow, If we subtract 1 from 0 then the bits flip and the value is set to 255.
Click here to access the source code
Investigation
The challenge wants us to somehow get a large number of tokens deposit to our wallet. Looking at the source code “transfer” function is the one that looks vulnerable. Also, remember that we have 20 tokens in our wallet.
Note: uint is equivalent to uint256
The variables “balances” and “_value” are declared as uint. So both these variables are prone to attack.
The Solution
Pick up a random Ethereum address from etherscan and call the transfer function on it. We are sending the value of 21 to trigger an underflow attack since we already have 20 tokens in our wallet.
contract.transfer(‘0xB3dE526DDf26B3cf1E4Ce324e3cE7048C4xxx’, 20 + 1)
Lets debug how the overflow occurs transfer function executes.
require(balances[msg.sender] — _value >= 0);
//require(20 - (20 + 1)) >= 0 --- pass [known issue]balances[msg.sender] -= _value;
//balances[msg.sender] = 20 - 21 --- Interger Underflow
//balances[msg.sender] = 2^256 - 1 --- final value after overflow
To stop Overflow attacks, one can use the SafeMath.sol library provided by Openzeppelin. It basically reverts the transaction if it detects any overflow attacks.
Hope you learnt something new.
Thanks for Reading!