Ethernaut Level 8 — Vault
The Ethernaut is a Web3/Solidity based wargame inspired on overthewire.org. Here’s the solution to the Level 8— Vault.
The challenge is simple:
Unlock the vault to pass the level!
The Vault is a simple contract that is locked by a password. The password is stored in a private variable
It’s important to remember that all information on blockchain is public. Private vs public variables are useful for programmers to keep the code clean and implement programming paradigms like encapsulation, but do not provide information security. Private variables values can be read by anyone on blockchain.
How to do it? There are a number of ways. For one, I could go on the Etherscan and find the construction transaction and extract the password from there. The simplest method though should be using the Web3 JS client, namely the
getStorageAt function. The function takes two arguments: the target contract’s address and the slot number. The contract’s variables are kept in 32 bytes slots in the blockchain memory. Since
password is a second property declared, it’ll have index 1 (they’re indexed from 0):
> await web3.eth.getStorageAt(contract.address, 1)
Now that we have our password, we can unlock the vault and submit the challenge:
> await contract.unlock("0x412076657279207374726f6e67207365637265742070617373776f7264203a29")
That’s it! The main lesson here is simple: do not store any secrets on blockchain. Anything stored on blockchain is a public information, even in private variables.