Dec 29, 2022
#9 — Ethernaut Challenge 9 — King
Objective:
- Send the contract an amount of ether larger than the current prize to become the new king.
Understanding the code:
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
contract King {
address king;
uint public prize;
address public owner;
constructor() payable {
owner = msg.sender;
king = msg.sender;
prize = msg.value;
}
receive() external payable {
require(msg.value >= prize || msg.sender == owner);
payable(king).transfer(msg.value);
king = msg.sender;
prize = msg.value;
}
function _king() public view returns (address) {
return king;
}
}The first few variables declared in the King contract are the addresses king and owner and a uint of a prize.
The constructor sets the owner and the king to the address that deployed this contract. receive() is a fallback function of a type payable, allowing an address to send ether to the contract. From the require line, we can identify that the function ensures that the value of the address is greater than the prize and that the address calling the function is the contract's owner. After this check, the king address transfers all the value it holds to the contract.
The king function returns the address of the king of the contract.
How to hack the contract?
- Let’s open up the console first and check up the owner of the contract and the _king by typing in await contract.owner() and await contract._king() respectively. Both addresses would be the same.
- Now, let’s go to Remix IDE, an online IDE for writing smart contracts. Make a new file called KingAtx.sol which should contain the following code:
contract KingAtx{
constructor(address _target) public payable{
address(_target).call{value:msg.value}("");
}
}Yup, the code is this simple! So, we are sending more ether into the contract than is already present to become king and the contract owner.
The constructor executes as soon as the contract is deployed. It takes in the parameter of _target and sends ether to the contract.
We pass in (“”), which is empty data, to trigger the receive function on the King contract.
3. Before deploying, let’s check the current value of the prize variable by going to the console on the Ethernaut website, and typing await contract.prize(). Copy this number and go back to Remix IDE.
4. On the Remix IDE, on the deploy page, under the VALUE section, just paste the value you copied from Ethernaut.
5. Go back to Ethernaut to get the instance address and copy that address. On Remix, get that address, put it under the _target address, and hit Deploy. Sign on Metamask and done!
Note: make sure you are on the injected provider -Metamask environment when on the deploy page.
6. If you check the await contract.owner() and await contract._king() you should see your address appear as the king and the contract owner. Now you can submit the instance and move on to the next challenge.
Congratulations on completing this level, and thanks for sticking around, more solutions to the remaining challenges will be coming up in my next blog posts, so make sure to follow and clap for more similar content!
Thanks for reading this far. I wish you all the best!
