Lab 1 - Rose Rent
You have chosen to live on campus at Rose-Hulman, and are living in a new residence hall called the "Chain Block".
Living in this residence hall, you are expected to pay your rent using Rose Coin (on our Rose Chain). You pay rent by sending ETH to the RoseRent smart contract via the depositRent() payable method.
The problem is, you don't always have enough money!
Rent
Rent is due weekly. To pay your rent, you must send 4 ETH to the RoseRent smart contract (use the depositRent() method) before the end of the week. The landlord will check if you paid using the checkIfPaid() method, and if you haven't deposited enough you will be EVICTED!
Unemployment Allowance
Since you're a full-time student and don't have enough time to work a job that pays you in Rose Coins, you are eligible for RoseRent unemployment allowance.
You can sign up for unemployment (by calling the startUnemployment() method), and then you will be able to claim a small amount (1 ETH) of Rose Coin each week. Every week you can ask for more (by calling the getMoreAllowance() method), but that will only succeed in giving you more allowance once per week.
Your unemployment isn't enough to make rent, but if you are sneaky you may be able to claim more payments than the expected 1/week!
The RoseRent Smart Contract
This contract handles all of the administration and regular use. Here's a quick description of the methods you'll be using:
- startUnemployment (string memory _reasonForUnemployement): Adds an account to the unemployment ledger so that the account holder can collect unemployment. Call this first before attempting to collect unemployment.
- claimUnemployment (uint32 _amountToWithdraw): The message sender provides an amount of money to withdraw, and if allowed the contract will transfer that much back to the message sender.
- checkUnemploymentAllowence () public view returns (uint256): A view (free call) that returns the message sender's current allowance.
- getMoreAllowance (): Call this function to request more allowance. Note: you're limited to 1 ETH/week.
- depositRent () public payable: Pay ETH to this method to put some rent in the contract.
- checkIfPaid (address _studentAddress) public view: Another free function call that returns true if the provided address has paid enough rent.
You can find additional methods in the contract, but the ones above are the ones you should focus on for this lab.
Exploiting the System
Your job is to find and exploit a language-based error that leads to a logic problem in a smart contract.
The contract runs on the Rose Chain, and your job is to deploy a smart contract that exploits the RoseRent contract for personal gain -- enough to pay your rent.
It is recommended that you begin by deploying RoseRent on your own local blockchain and test your exploit there before you deploy to the Rose Chain and exploit the contract for real.
When you are ready to test out your work on the real RoseRent contract, you can find RoseRent deployed on the Rose Chain at this address: 0xaB8E377f284099e4881FEf8b3785A0c1a1ca57AC.
Minimum Requirements
- You must interact with the deployed smart contract to:
  - Sign yourself up for unemployment
  - Collect your unemployment allowance
  - Pay rent early (today)
- You must test your techniques on your local blockchain and show your TA or instructor your code before you try to execute it on the Rose chain.
- Your contract interactions on the Rose Chain must be with the RoseRent contract at the address provided by your instructor.
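The three minimum-requirement interactions (sign up, collect allowance, pay rent), written as a small Solidity contract against the RoseRent methods documented above. This is an added example, not code from the lab or from RoseRent.sol: the IRoseRent interface is reconstructed from the method descriptions on this page, the return types the handout does not state (none for startUnemployment, claimUnemployment and getMoreAllowance; bool for checkIfPaid) are assumptions, and the contract name RentBot, the onlyOwner guard and the compiler pragma are my own. The handout also does not say which unit _amountToWithdraw is denominated in, so the amount is left to the caller rather than derived from checkUnemploymentAllowence; read RoseRent.sol to confirm.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Interface reconstructed from the method descriptions in this lab handout.
// Return types the handout does not state are ASSUMED here (no return value,
// bool for checkIfPaid). Compare against RoseRent.sol before deploying.
interface IRoseRent {
    function startUnemployment(string memory _reasonForUnemployement) external;
    function claimUnemployment(uint32 _amountToWithdraw) external;
    function checkUnemploymentAllowence() external view returns (uint256);
    function getMoreAllowance() external;
    function depositRent() external payable;
    function checkIfPaid(address _studentAddress) external view returns (bool);
}

// Example helper contract (not part of the lab code). It registers itself for
// unemployment, collects its allowance, and pays the weekly rent from what it holds.
contract RentBot {
    IRoseRent public immutable roseRent;
    address public immutable owner;
    uint256 public constant WEEKLY_RENT = 4 ether; // from the "Rent" section

    constructor(address _roseRent) {
        roseRent = IRoseRent(_roseRent);
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Required so the ETH that claimUnemployment sends back to this contract
    // is accepted instead of reverting the whole claim.
    receive() external payable {}

    // Step 1: add this contract to the unemployment ledger. Call once.
    function signUp(string calldata reason) external onlyOwner {
        roseRent.startUnemployment(reason);
    }

    // Step 2: request this week's allowance, then withdraw `amount` of it.
    // The allowance is reported as uint256 but claimed as uint32, and the
    // handout does not give the unit of _amountToWithdraw, so the caller
    // supplies the amount after reading the allowance off-chain.
    function collectAllowance(uint32 amount) external onlyOwner returns (uint256 allowance) {
        roseRent.getMoreAllowance();            // succeeds at most once per week
        allowance = roseRent.checkUnemploymentAllowence();
        require(allowance > 0, "no allowance available");
        roseRent.claimUnemployment(amount);     // reverts if the contract disallows it
    }

    // Step 3: deposit the weekly rent and confirm the landlord sees it as paid.
    function payRent() external onlyOwner {
        require(address(this).balance >= WEEKLY_RENT, "not enough for rent");
        roseRent.depositRent{value: WEEKLY_RENT}();
        require(roseRent.checkIfPaid(address(this)), "landlord reports unpaid");
    }

    // Return any leftover balance to the owner.
    function withdraw() external onlyOwner {
        payable(owner).transfer(address(this).balance);
    }
}
```

Note that RoseRent records msg.sender, so everything above is booked against the RentBot address, not your own account. If the landlord checks your personal address with checkIfPaid, call depositRent() directly from that account instead. Deploy and exercise this on your local chain first, as the lab requires, before touching the Rose Chain address.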
Grading
You will earn one coder token for completing the minimum requirements (collecting unemployment).
You will earn one hacker token for maliciously interacting with the RoseRent contract to extract more than 2 ETH worth of allowance.
You may earn one more coder token for creating a new version of RoseRent.sol that is not vulnerable to your attack.
You may earn one more hacker token for collecting more than 99 ETH worth of allowance from the RoseRent contract (or by demonstrating other advanced exploitation).
You may earn one presenter token for demonstrating your hack and fix to the class after everyone is done. This token is capped at one across the four labs: you may demonstrate only one of the four labs for it.