Smart Contract Hacking - 0x0C - Attacking Authorization with Web3.js

  • Published on 12 Sep 2020
  • Attacking the vulnerable contract directly via the commandline and Node Web3.js.
    From The Console Cowboys Blog
    console-cowboys.blogspot.com/...
    GitHub: github.com/cclabsInc/BlockCha...
    👊Please don't forget to smash those LIKE & SUBSCRIBE buttons :D
    💎Donate Ether or any Ethereum-Based (ERC-20) Tokens: 0xdef4c066177CA2dA76FBDa7E249960D2a43D60D6
    Contact Info:
    @Ficti0n on twitter:
    / ficti0n
    cclabs.io
    consolecowboys.com
  • Howto & Style

Comments • 111

  • @hatano28
    @hatano28 2 years ago +4

    This happened because 1. the contract lets anyone transfer the money. To secure this you can add a modifier or some required state for protecting the amount and letting only the owner perform the action, and that is the most common issue: some people write the smart contract without a require or assert statement check. And this is a g8 video :D
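An added example, not code from the video, the Console Cowboys blog, or any commenter, illustrating the fix the comment above describes. The first contract is the unprotected pattern (any caller can withdraw any amount, and nothing records who deposited); the second tracks each depositor's balance, uses require() on the caller, and guards the one administrative action with an onlyOwner modifier. The contract and function names (VulnerableVault, HardenedVault, setPaused) are invented for this illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration (not the course's contract): the unprotected pattern.
// deposit() accepts Ether from anyone, and withdraw() pays the caller whatever
// amount they ask for. Nothing records who deposited and nothing checks the
// caller, so any account can drain the whole contract balance to itself.
contract VulnerableVault {
    function deposit() external payable {}

    function withdraw(uint256 amount) external {
        payable(msg.sender).transfer(amount);
    }
}

// Hardened version: per-depositor accounting plus require() checks, and an
// onlyOwner modifier for the one action that belongs to the deployer only.
contract HardenedVault {
    address public immutable owner;
    bool public paused;
    mapping(address => uint256) public balances;

    event Deposited(address indexed who, uint256 amount);
    event Withdrawn(address indexed who, uint256 amount);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    modifier whenNotPaused() {
        require(!paused, "paused");
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    function deposit() external payable whenNotPaused {
        balances[msg.sender] += msg.value;
        emit Deposited(msg.sender, msg.value);
    }

    // A caller can only withdraw what they themselves deposited.
    function withdraw(uint256 amount) external whenNotPaused {
        require(balances[msg.sender] >= amount, "insufficient balance");
        // Checks-effects-interactions: update state before sending Ether,
        // so a re-entrant call cannot withdraw the same balance twice.
        balances[msg.sender] -= amount;
        (bool ok, ) = payable(msg.sender).call{value: amount}("");
        require(ok, "transfer failed");
        emit Withdrawn(msg.sender, amount);
    }

    // Owner-only administrative action, enforced by the modifier.
    function setPaused(bool value) external onlyOwner {
        paused = value;
    }
}
```

Deploy both in Remix and call withdraw() from a second account: VulnerableVault pays out, HardenedVault reverts with "insufficient balance" because that account's recorded balance is zero.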

  • @ordigen_brc20
    @ordigen_brc20 1 year ago +3

    many things ain't clear for me, maybe because I'm new but overall I'm enjoying your videos. please keep it up !!

  • @ouailtayarth4012
    @ouailtayarth4012 2 years ago +1

    We would like to see more videos in this series. You explained each concept so well. Thank you for your efforts man !!

    • @ConsoleCowboys
      @ConsoleCowboys  2 years ago +1

      You bet.. there is more coming, I am just dealing with a whole course I am making for another vendor right now that's taking up a lot of my time.

    • @cirecatch8854
      @cirecatch8854 2 years ago

      @@ConsoleCowboys good day sir, i just try to ask you a favor, please donate us even a small generator because until now we don't have electricity yet since dec.16 we were hit by typhoon odette. Right now sir we're just using candle light, we need to go to the city just to charge our phone. May you please share little things to us. I and my family will remember that thing. Thank you sir

    • @emna904
      @emna904 2 years ago

      @@ConsoleCowboys Do I need 1 Ether to start the game or can I start without having any Ethereum

  • @therealjasonc1243
    @therealjasonc1243 3 years ago +1

    Awesome video! Subscribed!

  • @j.k.3490
    @j.k.3490 2 years ago +1

    Help me please! I realized I’m in a coinbase wallet mining pool scam. The money is in a smart contract can I stop this by changing the allowance?

  • @splurge4satoshis
    @splurge4satoshis 2 years ago +2

    This is genius man! Incredible work. Very cool!

    • @ConsoleCowboys
      @ConsoleCowboys  2 years ago +1

      Thanks man.. If you see any missing videos in this series BTW.. TH-cam deleted a few but they are backed up on the consolecowboys vimeo FYI

    • @splurge4satoshis
      @splurge4satoshis 2 years ago

      @@ConsoleCowboys awesome and you’re welcome, much appreciated. Love learning new things!

    • @ouailtayarth4012
      @ouailtayarth4012 2 years ago

      @@ConsoleCowboys I wanted to check this series on vimeo to watch all the videos but I didn't find them when typing consoleCowboys. What name are you using on vimeo please ?

    • @ConsoleCowboys
      @ConsoleCowboys  2 years ago +2

      @@ouailtayarth4012 vimeo.com/consolecowboys/albums

    • @ouailtayarth4012
      @ouailtayarth4012 2 years ago +1

      @@ConsoleCowboys Thank you so much !

  • @jirayunakplien4595
    @jirayunakplien4595 2 years ago +1

    I need more of these

  • @JayyDubb22
    @JayyDubb22 3 years ago +1

    where can we find what you're pasting to terminal @ 8:14 minutes ? I've tried to do it while watching the video and it doesn't work when I type out what you've pasted...?

    • @ConsoleCowboys
      @ConsoleCowboys  3 years ago

      haha that's so you don't have to watch me type.. But you can also get all of those commands in the blog link under the description of this video.. This is actually a blog series which contains additional info for each subject and things like what I am typing in... And these videos are walkthroughs for that blog series; each subject matter has a few videos associated with it.. You could use each separately but you would miss some context in some areas, or things like commands / code I am using. So check out the link for that. Additionally there is a github for this series. Additionally commands do sometimes change with web3.js in new versions, or you could be typing it with something missing as well; the syntax on javascript is wacky. I think you are referring to this command I just grabbed from the blog link above: accounts.then((v) => {(this.account = v[1])}) I believe grabbing accounts like that is something that was changed in the version I used and I had to update this command for this video.. so if you're using an old version of node/web3.js that could also be the issue.

  • @deko4499
    @deko4499 1 year ago

    Where can I find the terminal for windows 8.1

  • @NikhilKumar-ke8mo
    @NikhilKumar-ke8mo 3 years ago

    If there is a function in which an "if" check is implemented and outside of the "if" there are a few other statements, will the outside statements still run if the "if" check fails? And can this function be called externally by an interface?

    • @ConsoleCowboys
      @ConsoleCowboys  3 years ago +1

      Write yourself a small function using exactly that and check the output.. maybe set a variable and see if the variable gets a value... A function should be callable if it's a public function on the contract.. But as always.. test that theory by trying it.
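An added example, not from the video or either commenter, that does what the reply suggests: a small contract with both styles of check, plus a second contract that calls it through an interface. In bumpWithIf a failed if only skips its own block, so counter is still incremented for a caller who is not the owner; in bumpWithRequire a failed require reverts the whole call, so nothing after it takes effect and the state is rolled back. Both functions are external, so any account or contract can call them; only the check decides the outcome. All names (IfVersusRequire, ExternalCaller, bumpWithIf, bumpWithRequire) are invented for this illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration: how a failed `if` and a failed `require` differ.
contract IfVersusRequire {
    address public owner;
    uint256 public counter;
    bool public lastCheckPassed;

    constructor() {
        owner = msg.sender;
    }

    // Pitfall: a failed `if` only skips its own block. Execution continues
    // and `counter` is still incremented for a caller who is not the owner.
    function bumpWithIf() external {
        lastCheckPassed = false;
        if (msg.sender == owner) {
            lastCheckPassed = true;
        }
        counter += 1; // runs whether or not the check above passed
    }

    // A failed `require` reverts the whole call: the line below is never
    // reached for a non-owner and every state change in this call is undone.
    function bumpWithRequire() external {
        require(msg.sender == owner, "not owner");
        counter += 1; // only reached when the caller is the owner
    }
}

// Any external function can be reached through an interface like this one.
interface IIfVersusRequire {
    function bumpWithIf() external;
    function bumpWithRequire() external;
}

// A separate contract calling the functions above. Since this contract is
// not the owner of the target, the two calls behave differently.
contract ExternalCaller {
    // Succeeds: target.counter goes up, target.lastCheckPassed stays false.
    function callIfVersion(address target) external {
        IIfVersusRequire(target).bumpWithIf();
    }

    // Reverts with "not owner"; target.counter is unchanged.
    function callRequireVersion(address target) external {
        IIfVersusRequire(target).bumpWithRequire();
    }
}
```

Deploy IfVersusRequire from one account and ExternalCaller from another in Remix, then call callIfVersion and callRequireVersion with the first contract's address and read counter and lastCheckPassed after each call.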

  • @medjay9852
    @medjay9852 2 years ago

    Cool video, what kind of attack is this?

  • @emna904
    @emna904 2 years ago

    @ConsoleCowboys Do I need 1 Ether to start the game or can I start without having any Ethereum

    • @ConsoleCowboys
      @ConsoleCowboys  2 years ago +1

      This is a series.. if you want to know how remix and local blockchains function to follow this then watch the whole series...

  • @jorgelee4033
    @jorgelee4033 2 years ago +1

    Ok, what if a smart contract has a vulnerability deliberately baked in, so that the owner can do self-hack, something like a kill function? what is this vulnerability in this ChainLink contract? What went wrong with it?

    • @ConsoleCowboys
      @ConsoleCowboys  2 years ago +2

      I talk about that a few times in this series.. Review those types of functions and if they can be used maliciously either by the actual developer or an attacker steer clear of it with your funds. There should not be any function that sends off funds to some random user on a kill.. however maybe that kill is implemented for some kind of update to a newer version? Who knows.. need to review the code and understand what it's doing..

    • @jorgelee4033
      @jorgelee4033 2 years ago

      @@ConsoleCowboys Thank you! I will look through the series. The code I am currently digging through has a blacklist function that only the owner can execute; isn't that something commonly deployed by scam contracts?

  • @termireum
    @termireum 2 years ago +1

    Please create more videos like smart contract penetration testing and how to find bugs in smart contracts.

    • @ConsoleCowboys
      @ConsoleCowboys  2 years ago

      this is a whole course, there is about 3 hours of content and 100s of blog pages that follow a logical progression..

  • @hasithsiriwardena8388
    @hasithsiriwardena8388 3 years ago +1

    can we make a new token by direct copying the source code of a contract from etherscan or bsc and editing it on remix?

    • @ConsoleCowboys
      @ConsoleCowboys  3 years ago +1

      You can do whatever you want, and create any currency you want... I would suggest using ERC20 contracts from openzeppelin and then being cognizant of the changes you make to those not creating vulnerable situations.

    • @hanionline563
      @hanionline563 2 years ago

      @@ConsoleCowboys so if we just copy-paste the ERC20 contract code and create our own token it can be hacked and the tokens get stolen ?

    • @ConsoleCowboys
      @ConsoleCowboys  2 years ago

      @@hanionline563 No you just now have your own version of it... Same as copy pasting your calc.exe to a new folder on your computer.. You can take the code and modify it but it won't affect the original

  • @Pokerrr
    @Pokerrr 2 years ago +1

    Hello I just got scammed by a scam presale with a bsc link, do you think you can help me to hack it? Pls man I really need that money

  • @diegocammilo_
    @diegocammilo_ 2 years ago +1

    Man, one question, how can I study this content?? I think it's really cool but I never know where to find didactic content focused on this area, could you tell me something?

    • @ConsoleCowboys
      @ConsoleCowboys  2 years ago +2

      This is basically it man, that's why I created it.. I had to lab it up myself and figure it out.. everyone else talks in theoretical BS... I have more modules coming out shortly for DEFI attacks, as well as doing a security course more beginner/intermediate for a large vendor..

    • @diegocammilo_
      @diegocammilo_ 2 years ago

      @@ConsoleCowboys What good news about the course, I hope everything goes well! But other than that, do you know of any content spread on the web or any tutors? I'm from Brazil and honestly, the content about hacking around here is a disappointment apart from the fact that there isn't a BR video about smart contract hacking...

    • @ConsoleCowboys
      @ConsoleCowboys  2 years ago

      @@diegocammilo_ Nope not really.. other than solidity development... or just random videos there is not much..... You can try stuff like ivan on tech academy, I think it's rebranded to moralis.. he has decent content.. but it's not hacking stuff

    • @diegocammilo_
      @diegocammilo_ 2 years ago

      @@ConsoleCowboys Got it man, thanks a lot for the info, I was really a little lost about all this and I'll keep following your videos! Big hugs and much success!

  • @ceem1620
    @ceem1620 2 years ago +1

    Hi, I've seen your videos on TH-cam, I have a coding problem. I have millions in squid game coins that I can't sell with pancakeswap. I need to try and sell with python or something. Can you please help, I'll reward you well. I've seen people selling but I don't know how to do it

  • @BigDaveReactions
    @BigDaveReactions 3 years ago

    Can this be done without ganache in real life like on main net

  • @goevrn4951
    @goevrn4951 3 years ago

    im getting thrown by the node, how to fix it?

    • @ConsoleCowboys
      @ConsoleCowboys  3 years ago

      Node is super touchy with syntax since it's javascript and nests all kinds of functions.. double check everything and your versioning.. Older versions of web3 had a totally different syntax.. prior to last summer.. I had to change the syntax for these videos when the new one came out...

  • @DahabJr
    @DahabJr 1 year ago +1

    You doing great job man , but the only thing we want you to do in next videos is to fill the white spaces no need for it , fill the screen please 🥺🙏

    • @ConsoleCowboys
      @ConsoleCowboys  1 year ago

      I will keep that in mind for the recording of my full course I am doing right now... usually depends what i am taping if its multiple windows I like smaller stuff open.. so I can navigate through them.. but yea for stuff like just code in a IDE for sure I will remember to do that..

    • @ConsoleCowboys
      @ConsoleCowboys  1 year ago

      @@childrenofkoris For what exactly are you trying to use extensions for?

  • @koolerick5047
    @koolerick5047 2 years ago +1

    my eth is stuck in the contract and there isn't a withdrawal function, how to destroy it and send the stuck eth in my wallet?

    • @ConsoleCowboys
      @ConsoleCowboys  2 years ago

      You should not be destroying anything you don't own.. and if you do own it and coded it, learn from your mistake and don't send money to something before you test it.

    • @koolerick5047
      @koolerick5047 2 years ago +1

      @@ConsoleCowboys It was for a test and now I’m stuck, I own that smart contract

  • @vipulpandey3322
    @vipulpandey3322 2 years ago

    Hey i need ur help in this
    Can u plz reply

  • @uzomannaka8443
    @uzomannaka8443 2 years ago +1

    Pls tell me the name of the other app after visual studio code

    • @ConsoleCowboys
      @ConsoleCowboys  2 years ago

      That's remix, it's heavily used in this course.. watch from the beginning to get a tutorial on using it.

  • @sreejith9691
    @sreejith9691 2 months ago +1

    Can you share the script you used at 8.06 ? i couldn't find it anywhere.

    • @ConsoleCowboys
      @ConsoleCowboys  2 months ago

      it's just web3.eth.getAccounts. The rest of that text under it was printed from running that command, it created a promise and pulled back that info..

    • @sreejith9691
      @sreejith9691 2 months ago

      @@ConsoleCowboys ok understood. thank you.

  • @aten488
    @aten488 1 year ago +1

    This was awesome. My question is how would you go about reporting a vulnerability to a crypto token creator? I believe I found a security risk in a token. Just not sure how to get paid for it and worried I won't get compensated for finding it. Thanks for any help.

    • @ConsoleCowboys
      @ConsoleCowboys  1 year ago

      Not sure, I don't do bug bounties I just hack things.. try reaching out to the project owners..

    • @criskyraofficiel7275
      @criskyraofficiel7275 1 year ago

      @@ConsoleCowboys hello dear please could please help check the security level of token Smart contract before I deploy it to the mainnet 🙏

    • @ConsoleCowboys
      @ConsoleCowboys  1 year ago

      @@criskyraofficiel7275 I don't perform code audits..

  • @criskyraofficiel7275
    @criskyraofficiel7275 1 year ago

    @ConsoleCowboys hello dear please could please help check the security level of my token Smart contract before I deploy it to the mainnet 🙏

  • @ranjithkumar5944
    @ranjithkumar5944 1 year ago

    Sir pls help me my usd all hack too get

  • @judithsalva4433
    @judithsalva4433 1 year ago +1

    Thank you for sharing your videos!! How in the world can I do bug hunting on the Blockchain? I don't get it! I can't find any guidance on bug hunting Ethereum. Please let me know

    • @ConsoleCowboys
      @ConsoleCowboys  1 year ago

      That's what this video series is.. go to the blog link in the description.. start at august 2020, read the blogs, follow through the course over a few months worth of content, a good 75 pages of reading and 3 hours of video walkthrough.. Right now a new series has started continuing this series for people who can already find bugs and need to do advanced things, with coding and automation.

  • @evdenevenakliyatistanbul
    @evdenevenakliyatistanbul 3 years ago +1

    So you steal some eth but did you really steal to your own eth address ? or is it just a demo ? thanks in advance.

    • @SomethingElse666
      @SomethingElse666 3 years ago

      I think the example with ABI on BSC was a hint ( to think about it) and ABI on his remix-ide was a demo.

  • @furkankulaksz4277
    @furkankulaksz4277 1 year ago

    I was scammed by crypto that I participated in the pre-sale today. 1.5k dollars. I think about how I will pay my debt. I'm terrible. Help you pleasee .

  • @arthursumer6012
    @arthursumer6012 3 years ago +1

    Can I pay to study? I still don’t understand?

    • @ConsoleCowboys
      @ConsoleCowboys  3 years ago +1

      This is free, not accepting payments.

  • @MelviTuto
    @MelviTuto 2 years ago

    It's stupid, the contract itself is allowing any user to withdraw whatever balance they want; put a check that whoever withdraws is the same one who deposited and then try to hack it and see if you can.

  • @emilianimwaliga8474
    @emilianimwaliga8474 3 years ago +1

    How to copy smart contract ?

    • @ConsoleCowboys
      @ConsoleCowboys  3 years ago +1

      Ok so when you ask me a question it needs some context otherwise I have no clue what you're talking about... Always add context to your questions... Copy what contract? copy it from where? Copy it to where? What are you trying to do?

    • @dasdadasdad2760
      @dasdadasdad2760 3 years ago

      @@ConsoleCowboys hlo! can this contract be copied 0x6d85dd21d470e5c1e6af3a5198f0d5ac4dcdd7ef ? and make a token on it? if you can about how?

  • @koozow
    @koozow 3 years ago

    can you do some live hack to some random honeypot contracts?, amazing video btw

    • @ConsoleCowboys
      @ConsoleCowboys  3 years ago +2

      attacking a live target which I was not contracted to attack by the owner would be illegal

    • @koozow
      @koozow 3 years ago

      @@ConsoleCowboys i guess an owner of honeypot contract is not illegal too, they deserve it...
      or can you upload some contract urself and do a live hack on it? it will be much appreciated.

    • @ConsoleCowboys
      @ConsoleCowboys  3 years ago +2

      @@koozow Does not matter what they deserve, if you are not contracted by the owner of a target, don't mess with it for your own good..

    • @koozow
      @koozow 3 years ago

      @@ConsoleCowboys i appreciate your advice and i get it, thanks man your channel is awesome

  • @eclipsedbtc
    @eclipsedbtc 1 year ago

    is this still possible?

    • @ConsoleCowboys
      @ConsoleCowboys  1 year ago

      Everything is possible if you code it wrong.. Its on the developer to get it right..

  • @ivartorr1469
    @ivartorr1469 2 years ago

    hey, how easy is smart contract hacking compared to web app ?

    • @ConsoleCowboys
      @ConsoleCowboys  2 years ago

      Well it involves understanding solidity code.. As the vulnerabilities presented in this course do not exist in web apps.. and it involves the understanding that monetary transactions are a part of the system as well as all kinds of interesting protocols.. I wouldn't say it's harder, I would say you need to do a lot of research as it's way different... and you cannot do pentesting/code audits on them without understanding things properly..

  • @HarryOccomore
    @HarryOccomore 2 years ago

    Hi, I was recently scammed for Ethereum and the smart contract still has it all on there. Would you be able to help me retrieve it and I will make sure you are compensated for it?

  • @Lily-Duolingo1
    @Lily-Duolingo1 2 years ago

    just Eth or Bsc

  • @sergeyst69
    @sergeyst69 2 years ago

    Why need web3? It would work from Remix too...

    • @ConsoleCowboys
      @ConsoleCowboys  2 years ago

      You need web3 in order to script attacks and directly attack things or interact with contracts... You can go the web3.js route.. or now I have been using web3.py lately.. I will make a video on how to do that at some point.. Currently just working on the live CTF hacking portion of this series..

  • @airdropcryptoIndia
    @airdropcryptoIndia 3 years ago

    Pls make a video on cloning the ethereum blockchain and making our own blockchain like binance smart chain, polygon, heco chain

    • @ConsoleCowboys
      @ConsoleCowboys  3 years ago +1

      I can't see any reason why I would want to do that for my hacking/R&D. So I doubt I would ever do that.

  • @olanrewajuawosiku2523
    @olanrewajuawosiku2523 2 years ago

    Do you have a discord

    • @ConsoleCowboys
      @ConsoleCowboys  2 years ago

      No I do not participate in chat rooms..

  • @williammcroberts5127
    @williammcroberts5127 2 years ago +2

    This is not a real attack because nobody would deploy a contract like this....and if they did surely nobody would ever send any funds to it. I've never written or seen a withdraw function that didn't have a require statement checking if the funds came from your wallet....so I don't understand what this video is trying to show me....All you did was deposit funds to a contract that doesn't keep track of who sent the funds nor does it check to make sure the withdraw is going to the right address.

    • @ConsoleCowboys
      @ConsoleCowboys  2 years ago

      You obviously are missing the point... but thanks for your input...

    • @williammcroberts5127
      @williammcroberts5127 2 years ago

      @@ConsoleCowboys That's why I asked what the point was...it's just a very basic interaction with a very insecure smart contract that would never be used in real life....when I clicked the video I thought it was hacking....there is no hacking.

    • @ConsoleCowboys
      @ConsoleCowboys  2 years ago

      @@williammcroberts5127 That's exactly the point.. this is a secure coding exploitation series that's about 3 hours of video and about 100 pages of blogs with labs covering various issues across typical insecure coding in solidity and ways to interact with external contracts and code contracts to attack issues while testing.. from simple to more advanced.. Showing issues that can arise and ways to address them with secure coding libraries as well as how to interact with them and hack them if they are incorrectly setup.. If you are just watching this one off video I can get why you are confused, this is a very small part of a whole.. and the point of this video is exactly as you stated.. how to interact with a public function for the most part.. and following that we show how to use secure libraries to address public functions etc.

    • @ConsoleCowboys
      @ConsoleCowboys  2 years ago +1

      @@williammcroberts5127 Yea a free smart contract security exploitation course.. no scams here lols this is a R&D / Penetration testing channel for Blockchain, IOT, Web Etc..

  • @T1ger8oi
    @T1ger8oi 3 years ago +1

    So... most of these meme contracts can get hacked?

    • @law3469
      @law3469 3 years ago +3

      You have information, I need advice

  • @dulajrandika3466
    @dulajrandika3466 2 years ago

    Hello. I want to contact you.

  • @criskyraofficiel7275
    @criskyraofficiel7275 1 year ago

    @ConsoleCowboys hello dear please could please help check the security level of my token Smart contract before I deploy it to the mainnet 🙏