#17 — Ethernaut Challenge 17— Recovery


Note: The solution mentioned in this blog post is majorly inspired from the solution by Web3 Blockchain Developer so that you can find the video format of this solution here on his channel.

Understanding the code:

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

contract Recovery {

//generate tokens
function generateToken(string memory _name, uint256 _initialSupply) public {
new SimpleToken(_name, msg.sender, _initialSupply);


contract SimpleToken {

string public name;
mapping (address => uint) public balances;

// constructor
constructor(string memory _name, address _creator, uint256 _initialSupply) {
name = _name;
balances[_creator] = _initialSupply;

// collect ether in return for tokens
receive() external payable {
balances[msg.sender] = msg.value * 10;

// allow transfers of tokens
function transfer(address _to, uint _amount) public {
require(balances[msg.sender] >= _amount);
balances[msg.sender] = balances[msg.sender] - _amount;
balances[_to] = _amount;

// clean up after ourselves
function destroy(address payable _to) public {

There are two contracts in this — Recovery and SimpleToken.

The Recovery contract has a function called generateToken() which generates the tokens for this contract.

The SimpleToken contract can receive and transfer ether and destroy itself with the selfdestruct keyword.

How to hack this contract?

  1. Go to goerli.etherscan.io and paste the address you just copied into the search bar. This will give you a page that shows details of your Recovery contract’s address.
  2. Under the Internal Txns section, in the column of the table listed as To and click contract creation. Click this link, and it will lead you to the missing contract address. Copy this.
  3. Open up the console on Ethernaut again and run the following code:
data = web3.eth.abi.encodeFunctionCall({
inputs: [{
}, [player]);

With this command, we are calling the destroy function on the SimpleToken contract and sending an argument with our address so that the funds transfer to the player, which is us.

5. Next, type in this code on the console:

await web3.eth.sendTransaction({
from: player,
data: data

This code needs to be executed so that the transaction made in the previous code can get through as the data variable.

6. Once you press enter, you’ll have to sign the Metamask and well done, you can now submit the instance.

Congratulations on completing this level, more solutions to the remaining challenges will be coming up in my next blog posts, so make sure to follow and clap for more similar content!

Thanks for reading this far. I wish you all the best!



I am a student in a university in India, I talk about web3 tech and blockchain because I am a web3 enthusiast!

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Rahul Pujari

I am a student in a university in India, I talk about web3 tech and blockchain because I am a web3 enthusiast!