Read Only Reentrancy | Hack Solidity (0.8)

Smart Contract Programmer

30 Oct 202219:55

Summary

TLDRThis transcript details a step-by-step process of executing a read-only reentrancy attack on a smart contract, specifically targeting the Curve Finance pool. The speaker explains how to simulate the attack using Foundry, a framework for Ethereum development. The attack involves manipulating the contract's liquidity functions to exploit the timing discrepancy between function calls, allowing for an increased return on rewards based on an artificially inflated virtual price of the liquidity provider tokens.

Takeaways

🔍 A re-entrancy hack involves a malicious contract calling into a target contract, which then calls back into the original contract, creating a loop.
📌 In a read-only re-entrancy scenario, the hack contract first interacts with a 'date contract' before fully completing its initial call to the target contract.
🚀 The script provides a step-by-step guide on how to simulate a read-only re-entrancy attack using Foundry on the main network without actually hacking a contract.
🛠️ The example uses the Curve pool as a target for the simulated read-only re-entrancy attack.
📝 The script outlines the installation and initialization process of Foundry, including the necessary commands.
🔑 The hack contract is created with specific Solidity code, including the interface for the Curve contract and the ERC20 interface.
🔄 The attack simulates adding liquidity to the Curve pool, logging the virtual price, and then removing liquidity to trigger the re-entrancy.
📊 The script demonstrates how the virtual price can appear higher during the removal of liquidity due to the timing of the read-only re-entrancy.
🎯 The exploit involves staking LP tokens into a target contract that rewards based on the virtual price returned by the Curve pool's 'get virtual price' function.
📈 The script shows that by exploiting the timing of the read-only re-entrancy, more rewards can be obtained than in a normal transaction flow.
📋 The script includes a detailed explanation of the Solidity code used for the hack contract and the target contract, including function definitions and interactions.
🧐 The script concludes by showing the results of the simulated attack, highlighting the difference in rewards obtained before and during the liquidation process.

Q & A

What is a re-entrancy hack?
-A re-entrancy hack is a type of smart contract exploit where a malicious contract calls into a target contract and then the target contract calls back into the original malicious contract. This back-and-forth interaction can be exploited to manipulate the state of the target contract or extract additional benefits from it.
How does a read-only re-entrancy attack differ from a regular re-entrancy attack?
-A read-only re-entrancy attack is more complex than a regular re-entrancy attack. In a regular re-entrancy attack, the malicious contract can modify the state of the target contract during the callback. However, in a read-only re-entrancy attack, the malicious contract cannot modify the state of the target contract during the callback, but it can still exploit the timing of the function calls to gain an advantage.
What is the purpose of the 'hack' contract in the provided script?
-The 'hack' contract in the script is designed to simulate a read-only re-entrancy attack on the Curve pool. It is used to demonstrate how an attacker might exploit a vulnerability in the Curve pool's smart contract to gain additional benefits while the 'remove liquidity' function is being executed.
What are the key functions of the Curve pool contract that are being exploited in the script?
-The key functions of the Curve pool contract being exploited are 'getVirtualPrice', 'addLiquidity', and 'removeLiquidity'. The 'getVirtualPrice' function returns the value of the shares, 'addLiquidity' is used to add tokens to the pool, and 'removeLiquidity' is used to withdraw tokens from the pool.
How does the 'hack' contract manipulate the timing of function calls to execute a read-only re-entrancy attack?
-The 'hack' contract first adds liquidity to the Curve pool and then logs the value of the shares using 'getVirtualPrice'. It then initiates the 'removeLiquidity' function, which triggers the attack. During the execution of 'removeLiquidity', before it finishes, the 'hack' contract sends a transaction back to itself, which triggers the 'receive' function. Inside this 'receive' function, the 'hack' contract can call 'getVirtualPrice' again, this time while 'removeLiquidity' is still executing, and exploit the temporarily inflated share value to gain more rewards.
What is the role of the 'Target' contract in the script?
-The 'Target' contract is a hypothetical contract that is used to demonstrate how a read-only re-entrancy attack can be exploited. It has functions to stake LP tokens, unstake LP tokens, and get rewards based on the value returned by 'getVirtualPrice'. The 'hack' contract interacts with this 'Target' contract to show how an attacker could manipulate the timing of function calls to get more rewards than they would under normal circumstances.
How does the 'hack' contract ensure it gets the correct amount of rewards during the attack?
-The 'hack' contract ensures it gets the correct amount of rewards by staking LP tokens into the 'Target' contract before initiating the 'removeLiquidity' function. Once 'removeLiquidity' is called and the 'receive' function is triggered, the 'hack' contract calls the 'getReward' function on the 'Target' contract. The rewards are calculated based on the temporarily inflated 'getVirtualPrice' value, which is higher than it would be if the 'removeLiquidity' function had completed execution.
What is the significance of the 'receive' function in the 'hack' contract?
-The 'receive' function in the 'hack' contract is crucial for the read-only re-entrancy attack. It is the entry point for the transaction sent back to the 'hack' contract during the execution of 'removeLiquidity'. This function allows the 'hack' contract to execute additional code while the 'removeLiquidity' function is still running, enabling the exploit to take advantage of the inflated share value.
How does the script demonstrate the difference in rewards before and after the read-only re-entrancy attack?
-The script demonstrates the difference in rewards by showing the 'getVirtualPrice' value before and during the 'removeLiquidity' function execution. The 'getVirtualPrice' value is higher during the execution because liquidity is being removed, which temporarily inflates the share value. The script then compares the rewards calculated using this inflated value (inside the 'receive' function) with the rewards calculated after the 'removeLiquidity' function has completed, showing that more rewards are obtained during the attack.
What is the purpose of the 'setup' function in the 'hack' contract?
-The 'setup' function in the 'hack' contract is used to stake LP tokens into the 'Target' contract before initiating the attack. This is a necessary step to ensure that the 'hack' contract has tokens in the 'Target' contract to calculate rewards from, which is a key part of the read-only re-entrancy exploit.
What is the role of the 'Forge' tool in the script?
-The 'Forge' tool is used to compile and test the smart contracts written in the script. It is a development utility that helps in building, deploying, and interacting with smart contracts on the Ethereum blockchain.
How does the script ensure that the exploit is executed on the main network?
-The script uses a fork of the main network to execute the exploit. This allows the developer to test the attack without actually interacting with the real main network, thus preventing any real-world consequences while still simulating a realistic environment.