Lab 4 - rhBay
Everyone's favorite auction site -- but better.
Your task in this lab is to win an auction from the rhBay smart contract. This is complicated, though, since your classmates will also be trying to win the auctions. To make matters worse, your TA has unlimited money and can outbid you easily.
Automate your bidding! Create a new smart contract that makes bids on your behalf. When you get out-bid, re-bid! Or better yet... find a way to make it so nobody can outbid you.
The New RHBay Smart Contract
This contract is the auction contract you will use in an attempt to win an item (and thus a reward of 1000ETH) during this lab. Your interactions will mainly focus on these exposed methods:
function bid(string itm) payable
Use this method to bid on an item specified by its name itm. The name must match the string used when calling addItem() (the owner of the items will tell you their names). This method will refund bidders who are outbid on the item.

function finishItem(string itm) payable
Use this method to check whether an auction is complete and, if it is, "finalize" the item. Anyone can call this method, but it will only pay the people who are supposed to receive funds.

function getCurrentHighestBidder(string itm) public view returns(address)
Use this method with an item string to find out who currently has the highest bid. Note that it is a view, so calling it from off-chain (an eth_call) is free; calling it from inside another contract's transaction still costs gas like any other call.

function getCurrentHighestBid(string itm) public view returns()
Use this method with an item string to find out the value of the highest bid. This is also a view.

function getTimeLeft(string itm) public view returns(int)
Use this method to find out how many seconds remain in the auction. Negative values mean the auction has ended (no new bids are accepted).

function verifyGrade() public payable
Once you've won an item, deposit at least 1000ETH into the contract using this function to prove that you did it.
Exploiting the System
Winning the auction is not enough. You should try to win the auction without spending too much ETH. This means you should block others from outbidding you. Since bid() refunds the bidder who is being outbid, look closely at how that refund is delivered and at what bid() does if the refund cannot be completed.
The RHBay contract runs on the Rose Chain, and your job is to deploy a second smart contract that exploits the RHBay contract to deny future bidders from bidding on your item.
It is recommended that you begin by deploying the contracts on your own local blockchain and test your exploit there before you deploy to the Rose Chain and exploit the contract for real.
When you are ready to test your work on the real RHBay contract, you can find RHBay deployed on the Rose Chain at this address: 0x384B045BE1bf993612D6938aaEd8C6Ad5f70f039.
Minimum Requirements
- You must create a smart contract that can:
  - Accept Ether from your wallet (we will loan you some to play with)
  - Reference RHBay.sol contract functions by address and ABI
  - Call bid() and other methods as necessary to bid on and win items from RHBay
  - Accept Ether from the RHBay contract (bid() refunds your Ether when you are outbid)
  - Transfer Ether back to your wallet
- You must test your techniques on your local blockchain and show your TA or instructor your code before you try to execute it on the Rose Chain.
- Your contract interactions on the Rose Chain must be with the RHBay contract at the address provided by your instructor.
- Your contract must be able to pay the winnings (1000ETH) back to the RHBay contract when you win an item, to prove that you won.
- You must be able to withdraw any funds you put into your malicious contract and refund your TA or instructor any funds loaned to you.
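The following is an added example of a bidding contract that meets the minimum requirements above (accept ETH from the wallet, reference RHBay by address and ABI, call bid(), accept refunds, pay verifyGrade(), withdraw). It is not part of the lab's own code. The IRHBay interface is reconstructed from the method list on this page; the return type of getCurrentHighestBid is not shown on the page, so uint256 there is an assumption, as is the use of a Solidity 0.8 compiler. It does not contain the blocking trick, which you are expected to find yourself.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed ABI for the RHBay methods listed on this page (example, not RHBay.sol).
// uint256 for getCurrentHighestBid is an assumption; the page omits the type.
interface IRHBay {
    function bid(string calldata itm) external payable;
    function finishItem(string calldata itm) external payable;
    function getCurrentHighestBidder(string calldata itm) external view returns (address);
    function getCurrentHighestBid(string calldata itm) external view returns (uint256);
    function getTimeLeft(string calldata itm) external view returns (int256);
    function verifyGrade() external payable;
}

contract BidBot {
    IRHBay public immutable rhbay;
    address public immutable owner;

    constructor(address rhbayAddress) {
        rhbay = IRHBay(rhbayAddress);   // the RHBay address given by your instructor
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Accepts ETH from the owner's wallet, refunds pushed back by RHBay.bid(),
    // and the prize paid out when an item is finished.
    receive() external payable {}

    // Bid `amount` wei on `itm` from this contract's balance. Because this contract
    // is msg.sender of bid(), any refund for being outbid comes back here.
    function placeBid(string calldata itm, uint256 amount) external onlyOwner {
        require(rhbay.getTimeLeft(itm) > 0, "auction over");
        require(amount > rhbay.getCurrentHighestBid(itm), "not above highest bid");
        require(address(this).balance >= amount, "insufficient balance");
        rhbay.bid{value: amount}(itm);
    }

    // Re-bid one `increment` above the current leader if someone outbid us.
    // Returns false when we are already the highest bidder.
    function rebidIfOutbid(string calldata itm, uint256 increment) external onlyOwner returns (bool) {
        if (rhbay.getCurrentHighestBidder(itm) == address(this)) return false;
        require(rhbay.getTimeLeft(itm) > 0, "auction over");
        uint256 next = rhbay.getCurrentHighestBid(itm) + increment;
        require(address(this).balance >= next, "insufficient balance");
        rhbay.bid{value: next}(itm);
        return true;
    }

    // Anyone may call finishItem on RHBay; this just lets the owner trigger it from here.
    function finish(string calldata itm) external onlyOwner {
        rhbay.finishItem(itm);
    }

    // Deposit the 1000 ETH prize back into RHBay to prove the win.
    function proveWin() external onlyOwner {
        require(address(this).balance >= 1000 ether, "prize not received yet");
        rhbay.verifyGrade{value: 1000 ether}();
    }

    // Return the whole balance to the wallet so the loan can be refunded to the TA.
    function withdraw() external onlyOwner {
        (bool ok, ) = owner.call{value: address(this).balance}("");
        require(ok, "withdraw failed");
    }
}
```

Deploy it on your local chain with the local RHBay address, fund it by sending ETH to the contract, and drive it with placeBid and rebidIfOutbid while watching getCurrentHighestBidder. The empty receive() is what lets RHBay's refunds land here; what bid() does when the outbid party's refund cannot be delivered is exactly the behaviour to examine locally before touching the Rose Chain.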
Grading
You will earn one coder token for bidding on an RHBay item and completing the minimum requirements.
You will earn one hacker token for maliciously interacting with the RHBay contract deployed on the Rose chain and winning an auction item by disallowing others to bid.
You may earn one more coder token for creating a new version of RHBay.sol that is not vulnerable to your attack.
You may earn one more hacker token for being one of the first five students to win an auction (this is harder because you have more competition).
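For the extra coder token, the following is an added sketch (not the course's RHBay.sol, and not a drop-in replacement for it) of how an auction keeps the same public method names while refusing to push ETH to a losing bidder from inside bid(). It assumes the attack you found is the classic one where a refund sent during bid() can be made to fail and so block everyone else; whether that is what RHBay does is for you to confirm on your local chain. Refunds and seller proceeds are credited and pulled later by their owner (the "pull payment" pattern), so a bidder contract that refuses ETH only hurts itself. The 1000ETH prize payout and verifyGrade() are left out; the item-owner and timing logic are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example of a pull-payment auction; not the lab's RHBay.sol.
contract SafeAuction {
    struct Item {
        address highestBidder;
        uint256 highestBid;
        uint256 endTime;    // block.timestamp after which no bids are accepted
        bool finished;
    }

    address public immutable owner;                 // seller who adds items (assumption)
    mapping(string => Item) private items;
    mapping(address => uint256) public pendingReturns;  // owed ETH, pulled by its owner

    constructor() {
        owner = msg.sender;
    }

    function addItem(string calldata itm, uint256 durationSeconds) external {
        require(msg.sender == owner, "not owner");
        require(items[itm].endTime == 0, "item exists");
        items[itm].endTime = block.timestamp + durationSeconds;
    }

    function bid(string calldata itm) external payable {
        Item storage it = items[itm];
        require(it.endTime != 0 && block.timestamp < it.endTime, "no live auction");
        require(msg.value > it.highestBid, "bid too low");
        if (it.highestBidder != address(0)) {
            // Credit, never send: the previous leader withdraws on their own later,
            // so a reverting receiver cannot make bid() fail for other bidders.
            pendingReturns[it.highestBidder] += it.highestBid;
        }
        it.highestBidder = msg.sender;
        it.highestBid = msg.value;
    }

    // Anyone owed ETH (outbid bidders, the seller) pulls it here.
    function withdrawRefund() external {
        uint256 amount = pendingReturns[msg.sender];
        require(amount > 0, "nothing to withdraw");
        pendingReturns[msg.sender] = 0;   // zero the balance before the external call
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }

    function finishItem(string calldata itm) external {
        Item storage it = items[itm];
        require(it.endTime != 0 && block.timestamp >= it.endTime, "not ended");
        require(!it.finished, "already finished");
        it.finished = true;
        // Seller proceeds are credited, not pushed, for the same reason as refunds.
        pendingReturns[owner] += it.highestBid;
    }

    function getCurrentHighestBidder(string calldata itm) external view returns (address) {
        return items[itm].highestBidder;
    }

    function getCurrentHighestBid(string calldata itm) external view returns (uint256) {
        return items[itm].highestBid;
    }

    // Negative once the auction has ended, matching the RHBay convention.
    function getTimeLeft(string calldata itm) external view returns (int256) {
        return int256(items[itm].endTime) - int256(block.timestamp);
    }
}
```

To check that the fix works, point your bidding contract at this auction on your local chain, have it bid, then outbid it from a plain wallet: the second bid must succeed even if your contract's receive() reverts, and your contract's owed refund should appear in pendingReturns rather than being sent.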