Very well explained !! 😍 Thank you!! I find this new serie is so valuable so far !! Every smart contract developer should learn this !! Question: If these has become known vulnerability in Solidity, is the company working on remedy to enhance protection via new versions ?
I am confused that Why at05:36 line 37 "constructer( TimeLock _timeLock) in this course, but in the course of "Reentrancy | Hack Solidity (0.6)" 05:30 line35 "constructor (address _etherstoreAddress)"? What is the difference between the two ways?
@@smartcontractprogrammer Thanks! I got it !So the "Reentrancy | Hack Solidity (0.6)" 05:30 line36 should be corrected as below: EtherStore public etherStore; constructor(address _etherStoreaddress) { EtherStore etherStore = Etherstore(_etherStoreaddress); } is that correct?
essentially, what it means is the malicious contract can modify the lockTime value? Is there a way to "lock" it internally, so it can't be modified at all from external contract?
If I try to do this in a real attack, would I have to deploy the original contract that has the vulnerability AND the contract that "attacks" the vulnerability with my Metamask wallet (injected Web3) ?
I don't think your attack function works correctly because all its doing is depositing Ether on the contract but its not withdrawing it anywhere. Let me know if I am missing something. Love your videos :)
"timeLock.withdraw()" Attack demonstrates how to bypass the time lock by exploiting overflow / underflow So code to withdraw ETH back to attacker is omitted. It's not hard to code either.
@@smartcontractprogrammer yes that's fine but in this case only attacker losses the ether, Alice's ether is still in the contract and she can still withdraw after 1 week, wht's the point of doing overflow or underflow then.
@@erog2927 I agree that the given example is not that critical in real life. but take this function as an example: // msg.sender has a balance of 20 ERC20 token // and _amount is set to 21 function transfer(address _to, uint256 _amount) public { balances[msg.sender] -= _amount; balances[_to] += _amount; } If you don't use the ^0.8.1 compiler version or don't use a SafeMath like library, the msg.sender balance would be 2^256 - 1 because of an underflow.
Uint overflow and underflow explanation 0:20
Code 3:10
Preventative techniques (using SafeMath) 9:43
This is fantastic. I was searching for an understanding of overflow and I got so much more. Thanks!
This is a great channel. Glad I got to know about this so early!
Amazing vid! just heads up to those watching rn, arithetic overflow and underflow reverts for solidity v0.8+
Why you are so expert?🥺❤️
This playlist should be updated for 0.8
most hacks are still relevant, except overflow / underflow
Very well explained !! 😍 Thank you!! I find this new serie is so valuable so far !! Every smart contract developer should learn this !!
Question: If these has become known vulnerability in Solidity, is the company working on remedy to enhance protection via new versions ?
no, not by new versions. Developers go around this problem by using SafeMath
Smart Contract Programmer ah got it! Thanks 🙏
Awesome, thanks a lot. Nice example
I am confused that Why at05:36 line 37 "constructer( TimeLock _timeLock) in this course, but in the course of "Reentrancy | Hack Solidity (0.6)" 05:30 line35 "constructor (address _etherstoreAddress)"? What is the difference between the two ways?
syntax
TimeLock public timeLock;
constructor(address _timeLock) {
TimeLock timeLock = TImeLock(_timeLock);
}
@@smartcontractprogrammer Thanks! I got it !So the "Reentrancy | Hack Solidity (0.6)" 05:30 line36 should be corrected as below:
EtherStore public etherStore;
constructor(address _etherStoreaddress) {
EtherStore etherStore = Etherstore(_etherStoreaddress);
}
is that correct?
Great video
essentially, what it means is the malicious contract can modify the lockTime value? Is there a way to "lock" it internally, so it can't be modified at all from external contract?
for example can this be solved by making lockTime internal?
Amazing
Thanks!
If I try to do this in a real attack, would I have to deploy the original contract that has the vulnerability AND the contract that "attacks" the vulnerability with my Metamask wallet (injected Web3)
?
yes. Also this attack no longer works with Solidity 0.8
So based on the answer you teach in the solidity 0.8 course, may I say "Arithmetic Overflow and Underflow " is not an issue any more?
yes
@@smartcontractprogrammer Thanks!
I don't think your attack function works correctly because all its doing is depositing Ether on the contract but its not withdrawing it anywhere. Let me know if I am missing something. Love your videos :)
"timeLock.withdraw()"
Attack demonstrates how to bypass the time lock by exploiting overflow / underflow
So code to withdraw ETH back to attacker is omitted. It's not hard to code either.
@@smartcontractprogrammer yes that's fine but in this case only attacker losses the ether, Alice's ether is still in the contract and she can still withdraw after 1 week, wht's the point of doing overflow or underflow then.
@@erog2927 I agree that the given example is not that critical in real life. but take this function as an example:
// msg.sender has a balance of 20 ERC20 token
// and _amount is set to 21
function transfer(address _to, uint256 _amount) public {
balances[msg.sender] -= _amount;
balances[_to] += _amount;
}
If you don't use the ^0.8.1 compiler version or don't use a SafeMath like library, the msg.sender balance would be 2^256 - 1 because of an underflow.
Problem solved in 0.8.1