
Ethernaut: wargame to learn about smart contract security - elopio
https://ethernaut.zeppelin.solutions/
======
TACIXAT
If you're interested in smart contract security, this repo [1] is a good
resource too.

1\. [https://github.com/trailofbits/not-so-smart-contracts](https://github.com/trailofbits/not-so-smart-contracts)

~~~
nemild
And more:

[https://consensys.github.io/smart-contract-best-practices/](https://consensys.github.io/smart-contract-best-practices/)

[http://dasp.co](http://dasp.co)

Disclaimer: I contributed to the first link.

Also, I wrote this a while back for any experienced engineers that want to
learn Solidity:

[https://learnxinyminutes.com/docs/solidity/](https://learnxinyminutes.com/docs/solidity/)

------
socrates1024
Another related resource (seems similar to the design of ethernaut)
[https://github.com/pdaian/hackthiscontract](https://github.com/pdaian/hackthiscontract)

------
DINKDINK
Before investing time in learning how to program on ethereum, one should first
assess the engineering feasibility of its blockchain:

[https://medium.com/@preethikasireddy/how-does-ethereum-work-...](https://medium.com/@preethikasireddy/how-does-ethereum-work-anyway-22d1df506369)

Take a look at their github and how the overwhelming majority of users can't
run a full node (If you can't run a full node, you rely on an intermediary,
you are not decentralized).

I'm not sure if the "marketing team behind a decentralized project" is still
doing it but they used to be continuing to market ethereum as an immutable
blockchain which is patently false due to their roll back of the DAO.

~~~
maiavictor
That's a blatant lie, running a full node is not required to "be
decentralized", for the same reason you don't need to run a full node in
Bitcoin. Light nodes have the same guarantees about the integrity and
irreversibility that full nodes do. Perhaps you should try learning about them - see [https://github.com/ethereum/wiki/wiki/Light-client-protocol](https://github.com/ethereum/wiki/wiki/Light-client-protocol) -
before stating things you don't understand? The fact that the worst thing a
"fudster" like you has to say against Ethereum is that it had a hard fork to
revert a millionaire hack caused by a bug in early stages of the project;
whereas something not too different also happened to Bitcoin - see
[https://en.bitcoin.it/wiki/Value_overflow_incident](https://en.bitcoin.it/wiki/Value_overflow_incident)
\- when it had the same age; says it all.

I don't often comment here, but I simply can't understand why a human being
would come to the internet and hatefully attack things it doesn't like with
straight made-up facts. I mean, I know this is so common, I just don't get
why. This kind of thing makes me sad about humanity as a whole. Why can't we
be nice to each other?

~~~
nadaviv
> Light nodes have the same guarantees about the integrity and irreversibility
> that full nodes do.

This is not true. SPV nodes blindly follow the longest chain and are at the
mercy of miners. Running a full node guarantees you that all the protocol
rules are being followed to the letter, while an SPV node cannot verify chain
validity rules (like the 21M coin limit) and could be fooled into accepting
payments with money made out of thin air.

> Ethereum is that it had a hard fork to revert a millionaire hack caused by a
> bug in early stages of the project; whereas something not too different also
> happened to Bitcoin

The Bitcoin developers fixed a bug in the Bitcoin protocol. The Ethereum
developers bailed-out a buggy smart contract written by a third-party, where
the bug had nothing to do with the Ethereum protocol itself. I don't think the
two are comparable.

Something that would've been comparable is the Bitcoin developers doing a
chain-rollback to save the funds lost by MtGox. Which of course would be a
horrible idea.

Also, when that happened in 2010, Bitcoin was a pet project valued at $0.08,
with a total market cap of ~$250k. Ethereum was nearly a two-billion-dollar
project when they bailed out the DAO!

~~~
maiavictor
> where the bug had nothing to do with the Ethereum protocol itself. I don't
> think the two are comparable.

You're defining "bug" to fit your purposes. It wasn't "just a faulty
contract". The entire protocol had a reentrancy situation that wasn't intended
by any of its developers nor expected by any of its users, and that went
against the expected semantics of its official programming language; it was a
protocol bug, for any sensible definition. I don't see anyone neutral arguing
it wasn't.

If you argue The DAO hacker had the right for the Ether he got because "that's
what the code said", you could also claim the Bitcoin address had the right to
claim his billions of BTC, because that's what the code said back then. He only
followed protocol rules and got all his money taken away by the hard fork.

~~~
nadaviv
> see anyone neutral arguing it wasn't.

Well, FWIW, I've never heard _anyone_, neutral or not, claiming the DAO hack
was a bug in the Ethereum protocol before now...

And that's because, well, it very clearly isn't. hackingdistributed has a good
overview[0] of the coding bug in the DAO that enabled the hack which I
recommend you read.

Looking at this another way, this could've been avoided by the DAO developers
if they developed the smart contract more carefully. And the exact kind of bug
that led to the hack was still possible on Ethereum following the bail-out
hardfork. So how can one claim the hardfork fixed a protocol bug?

> If you argue The DAO hacker had the right for the Ether

I didn't say that. I only argued about the differences between fixing a
protocol bug and bailing-out companies that build on top of the protocol.

[0] [http://hackingdistributed.com/2016/06/18/analysis-of-the-dao...](http://hackingdistributed.com/2016/06/18/analysis-of-the-dao-exploit/)

~~~
DennisP
I agree it wasn't a bug in the protocol. However, it was an issue that people
in general weren't aware of, and even the official tutorial code on
ethereum.org had similar vulnerabilities. For that reason I think the fork was
reasonable.

By comparison, Parity's wallet bugs were just a result of carelessness, and
independent audits probably would have discovered them. Consequently, the
community strongly pushed back when Parity tried to get a fork for the second
one.

------
djrconcepts
Followed the instructions. Was getting an error in the console when clicking
the blue button "Get new instance". Refreshed the page and tried again. Worked
after a few tries.

~~~
splintercell
I presume you had Metamask installed?

------
evanvanness
The 21st century computing stack is being built.

------
dep_b
[https://en.m.wikipedia.org/wiki/The_Eternaut](https://en.m.wikipedia.org/wiki/The_Eternaut)

It’s not an association-free name.

~~~
davesque
It's named after that comic. Images from the comic are littered all over the
app.

