Re-Entrancy is one of the oldest security vulnerabilities that was discovered in smart contracts. It is the exact vulnerability that caused the infamous 'DAO Hack' of 2016. Over 3.6 million ETH was stolen in the hack, which today is worth billions of dollars. 📚🔓
Re-Entrancy is the vulnerability in which if Contract A calls a function in Contract B, Contract B can then call back into Contract A while Contract A is still processing.
This can lead to some serious vulnerabilities in Smart contracts, often creating the possibility of draining funds from a contract.
Let's understand how this works with the example shown in the above diagram. Let's say Contract A has some function - call it f() that does 3 things:
- Checks the balance of ETH deposited into
Contract AbyContract BSends the ETH back toContract B - Updates the balance of
Contract Bto 0 - Since the balance gets updated after the ETH has been sent,
Contract Bcan do some tricky stuff here. IfContract Bwas to create afallback()orreceive()function in it's contract, which would execute when it received ETH, it could callf()inContract Aagain.
Since Contract A hasn't yet updated the balance of Contract B to be 0 at that point, it would send ETH to Contract B again - and herein lies the exploit, and Contract B could keep doing this until Contract A was completely out of ETH.
We will create a couple of smart contracts, GoodContract and BadContract to demonstrate this behaviour. BadContract will be able to drain all the ETH out from GoodContract.
The main idea of this project was to practice Foundry and its most basic commands for testing with Solidity.
🚨Note: One of the commands that helped us detect errors faster with -v (verbosity).
Verbosity of the EVM.
Pass multiple times to increase the verbosity (e.g. -v, -vv, -vvv).
Verbosity levels:
- 2: Print logs for all tests
- 3: Print execution traces for failing tests
- 4: Print execution traces for all tests, and setup traces for failing tests
- 5: Print execution and setup traces for all tests.
But you can only run the test, because we config in
foundry.tomlfile the verbosity.
- Use the
Check - Effect - Interactpattern in your external/public functions. - Or make use of the ReentrancyGuard contract that openZeppelin provides us.
# Clone this project
$ git clone https://github.com/catellaTech/REENTRANCY-ATTACK-FONUDRY
# Access
$ cd REENTRANCY-ATTACK-FONUDRY
# Install dependencies
$ forge install- Follow the instructions to install Foundry.
- $
forge build - $
forge test
- Solidity
- Foundry
This project is under license from MIT. For more details, see the LICENSE file.
Contributions are always welcome! Open a PR or an issue!
Made with ❤️ by catellaTech.