How to become a Security Smart Contract Engineer

Aitor Zaldua
4 min read · Sep 20, 2022

Security has always been a priority. Until now, mankind has relied for its security on building walls, trenches and, where it had the option, alligator pits. And, of course, the military has had swords or tanks, or whatever device that moment in history provided.

IT Security was no different: Data is behind a wall of routers, firewalls and switches.

But suddenly, someone named Satoshi Nakamoto created a world called “The Blockchain”, and centuries of history came crashing down. Now everything is exposed, everything is in the open field. Decentralization no longer allows physical security.

Now, like in a fantasy novel, the battle is commanded by wizards that attack the treasures with magic spells.

In this series of articles, I will try to tell my story and how I became a wizard for the greater good. To protect The Blockchain, to keep it safe from the dark wizards who try, every day, to steal contracts and balances.

And my journey begins at OpenZeppelin. OpenZeppelin is a company that has smart contract security as its top priority. They offer a lot of elements, such as predefined contracts, defenders or auditing services, to protect the entire ecosystem.

And they have The Ethernaut, the first step to learn the magic spells. Through a series of challenges, you can understand the different types of attacks you have to protect your contracts from.

Hello Ethernaut

The idea of level 0 is simply to show how Ethernaut works.

The only precondition is to have MetaMask and switch it to the Rinkeby network. Of course, you need Ether on this network, with the problem that the network is already obsolete. Ouch.

Ethernaut has a number of aids available through the browser console. For example, to know the address with which you will be working on the contract, type player in the console:

To access the original contract data, we have, for example, the following:

The cost is variable, both in gas and in the price of ETH with respect to the USD. For example, this transaction cost 0.00264 ETH which, at the current exchange rate, is about $3.5.

To inspect the contract, type contract in the console. And how do you see what code is in the contract? Through the ABI.

ABI, Application Binary Interface, is a kind of low-level API that transforms our code into a format understandable by machine language, without yet becoming such a language.

By expanding abi, you can see that there are pure functions, like info1, info2, … and view functions like password or theMethodName …
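To make the pure/view distinction concrete, here is an added example (not part of the original article or of Ethernaut's code) that sorts ABI entries into free reads and gas-costing transactions, and flags zero-argument getters whose names suggest a secret. The ABI fragment is constructed from the function names mentioned above; `unlock`, `legacyGetter`, `Unlocked`, the parameter names and the `SENSITIVE` pattern are assumptions.

```javascript
// SAMPLE_ABI is constructed for illustration; `unlock` and `legacyGetter` are hypothetical.
const SAMPLE_ABI = [
  { type: "function", name: "info1", inputs: [], stateMutability: "pure" },
  { type: "function", name: "info2", inputs: [{ name: "param", type: "string" }], stateMutability: "pure" },
  { type: "function", name: "infoNum", inputs: [], stateMutability: "view" },
  { type: "function", name: "info42", inputs: [], stateMutability: "pure" },
  { type: "function", name: "theMethodName", inputs: [], stateMutability: "view" },
  { type: "function", name: "password", inputs: [], stateMutability: "view" },
  // Older compilers emit `constant`/`payable` instead of `stateMutability`.
  { type: "function", name: "legacyGetter", inputs: [], constant: true, payable: false },
  { type: "function", name: "unlock", inputs: [{ name: "passkey", type: "string" }], stateMutability: "nonpayable" },
  { type: "constructor", inputs: [{ name: "_password", type: "string" }], stateMutability: "nonpayable" },
  { type: "event", name: "Unlocked", inputs: [] },
];

// Assumed naming heuristic for state that should never be readable on-chain.
const SENSITIVE = /pass|secret|seed|private.?key/i;

// Normalise old- and new-style ABI entries to one mutability string.
function mutabilityOf(entry) {
  if (entry.stateMutability) return entry.stateMutability;
  if (entry.constant) return "view";
  return entry.payable ? "payable" : "nonpayable";
}

function signatureOf(entry) {
  return `${entry.name}(${(entry.inputs || []).map((i) => i.type).join(",")})`;
}

function summarizeAbi(abi) {
  const report = { freeReads: [], transactions: [], exposedGetters: [] };
  for (const entry of abi) {
    if (entry.type !== "function") continue; // skip constructor, events, errors
    const sig = signatureOf(entry);
    const mut = mutabilityOf(entry);
    if (mut === "pure" || mut === "view") {
      report.freeReads.push(sig); // read locally by the node: no gas, no wallet prompt
      // A zero-argument getter with a secret-sounding name is world-readable.
      if ((entry.inputs || []).length === 0 && SENSITIVE.test(entry.name)) report.exposedGetters.push(sig);
    } else {
      report.transactions.push(sig); // changes state: must be signed, mined and paid for
    }
  }
  return report;
}

console.log(summarizeAbi(SAMPLE_ABI));
```

In the Ethernaut console the same function could be run on the level's real ABI, assuming the abi inspected here is reachable as `contract.abi`.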

In the statement they indicate “Type the method contract.info() and you will have all the information to complete the level”.

Ok, so it looks like there is a path to follow.

They are definitely telling us, instruction by instruction, what to do.

So far, so easy. We see that the infoNum function stores the number 42, so we continue by calling the info42() function.

But now it tells us that we must know the password… ok, let’s go to the abi.

There is a function called password().

Sweet! It has sent us through MetaMask and the transaction has been mined.

Ethernaut tells us to click the Submit Instance button when we think we have finished the level.

Boomshakalaka, and the level is completed.

Ok, not bad for now. You have to know how to read a contract through the console, use the aforementioned abi, and pay attention.

The next challenge is called Fallback and is about stealing the balance of a contract. I can’t wait to solve it!

If you have any doubt, no matter how simple it may seem, write to me here or on my Twitter @azdraft_ and we’ll solve it together.

Happy hacking!

Written by Aitor Zaldua

Security Researcher | Smart Contract Dev | Blockchain Instructor. Follow me on twitter: @azdraft_