Lab 2 - Get on the List
You don't always put your name on the Leaderboard list, but when you do... you use a smart contract to do the work!
Your task in this lab is an advertising task: you are trying to become the most interesting student in this class by putting your name on a list more times than all the other students. You'll do this by writing a smart contract to exploit a vulnerability in the Leaderboard smart contract that allows you to bypass the "only on the list once" rule.
You will want to automate this! You will create a new smart contract that runs on your behalf; this means the smart contract's address is what will interact with the leaderboard. To prove that you did it, you will have your smart contract initialize (or "register") your actual account number when it first connects as your studentAlias. When we look at the leaderboard, you will get credit for the work your smart contract did.
The Leaderboard Smart Contract
This contract allows you to "register" your smart contract with the system, then you send it Ether to get put on the list. Once you're on the list, the contract refunds your Ether. It attempts to limit you to one entry on the list; if you re-register, it removes you from the list.
initialize (address studentAlias)
When called, this function identifies the msg.sender as your smart contract, then enables you to add your name and removes you from the board. The studentAlias you send should be the account you created for class (the one in MetaMask).
getLeaderboardEntryByAlias (address studentAlias)
You call this function with an address, and it finds the number of entries on the board that correspond to the contracts owned by that address. The input argument should be a student's RoseChain address, and the output will be the number of that student's contracts' entries.
getLeaderboardEntryByCaller (address caller)
You call this function with an address, and it finds the number of entries on the board recorded under that address. The input argument should be a student's contract address, and the output will be the number of that contract's entries.
addName (uint key) payable
Your smart contract should call this function and provide it with the "secret" key and some Ether. If you provide the right key, it will add your contract's name to the board once, then refund your Ether.
Exploiting the System
Your job is to find and exploit a vulnerability in the system that bypasses the "already on the list" check, and call addName() more than once without re-calling initialize().
The contract runs on the Rose Chain, and your job is to deploy a smart contract that uses a re-entrancy vulnerability in the Leaderboard contract to get a bigger number next to your name on the list.
It is recommended that you begin by deploying the contract on your own local blockchain and testing your exploit there before you deploy to the Rose Chain and exploit the contract for real. You can verify list entries by using methods on the LeaderBoard contract, or you can download the source code for the leaderboard web page and modify it for your purposes.
When you are ready to test out your work on the real RoseRent contract, you can find Leaderboard deployed on the Rose Chain at this address: 0x16c2f7f212B7bC53F5E032986660f0C99Cb59bAb.
Minimum Requirements
- You must create a smart contract that can:
  - Accept Ether from your wallet (we will loan you some to play with)
  - Reference Leaderboard.sol contract functions by address and ABI
  - Call initialize() and addName() to get onto the list.
  - Accept Ether from the LeaderBoard contract (addName() sends your Ether back)
  - Transfer Ether back to your wallet
- You must test your techniques on your local blockchain and show your TA or instructor your code before you try to execute it on the Rose Chain.
- Your contract interactions on the Rose Chain must be with the Leaderboard contract at the address provided by your instructor.
- You must be able to withdraw any funds you put into your malicious contract and refund your TA or instructor at the end of the lab.
Grading
You will earn one coder token for completing the minimum requirements (getting on the list).
You will earn one hacker token for maliciously interacting with the Leaderboard contract deployed on the Rose Chain and getting on the list more than once (have a value > 1 next to your address).
You may earn one more coder token for creating a new version of Lab2_Leaderboard.sol that is not vulnerable to your attack.
You may earn one more hacker token for maliciously interacting with the Leaderboard contract deployed on the Rose Chain and getting on the list more than TEN TIMES (have a value > 10 next to your address).
You may earn up to one presenter token (max one across the four labs) for demonstrating your hack and fix to the class after everyone is done. You may only demonstrate one of the four labs for this token (you can't get more than one for demonstrating labs).
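The extra coder token above asks for a Leaderboard that resists the re-entrancy attack. The contract below is an added example of the usual fix (record the list entry before refunding, plus a lock); it is not the course's Lab2_Leaderboard.sol, whose source is not shown on this page, and the contract name, storage layout and key check are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration: a hypothetical, simplified leaderboard. Names, storage
// layout and the key check are assumptions, not the lab's actual contract.
contract HardenedLeaderboard {
    mapping(address => address) public aliasOf;  // caller contract => student alias
    mapping(address => bool) public onList;      // caller contract => already listed
    mapping(address => uint256) public entries;  // caller contract => entry count
    uint256 private immutable secretKey;         // placeholder for the lab's "secret" key
    bool private locked;                         // re-entrancy lock shared by all entry points

    constructor(uint256 key) {
        secretKey = key;
    }

    // Rejects any call that arrives while another guarded call is still running.
    modifier nonReentrant() {
        require(!locked, "re-entrant call");
        locked = true;
        _;
        locked = false;
    }

    function initialize(address studentAlias) external nonReentrant {
        require(studentAlias != address(0), "alias required");
        aliasOf[msg.sender] = studentAlias;
        onList[msg.sender] = false;   // re-registering removes the caller from the board
        entries[msg.sender] = 0;
    }

    function addName(uint256 key) external payable nonReentrant {
        // Checks
        require(aliasOf[msg.sender] != address(0), "not initialized");
        require(key == secretKey, "wrong key");
        require(!onList[msg.sender], "already on the list");

        // Effects: record the entry BEFORE any Ether leaves the contract.
        // If the refund ran first, the recipient's receive() could call
        // addName() again while onList was still false.
        onList[msg.sender] = true;
        entries[msg.sender] += 1;

        // Interaction: refund last; a failed refund reverts the whole call.
        (bool ok, ) = payable(msg.sender).call{value: msg.value}("");
        require(ok, "refund failed");
    }
}
```

Either measure alone stops a nested addName() call; the lock also covers a nested initialize() during the refund, which the state ordering by itself does not.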