With our partners* and sponsors* we are organizing CCTF for the 7th time. Just like at the previous events, we are providing a guide for beginners. It helps you get started with hacking Ethereum smart contracts.
It is recommended to move step by step. Follow this guide and you will understand the basic logic of cryptocurrencies, blockchain and smart contracts.
Cryptocurrencies such as Bitcoin and Ethereum allow you to handle digital assets on decentralized networks. There is no central authority which can censor or block your account.
Accounts are stored in digital wallets, e.g. “Ethereum wallet”. If you use “MetaMask Ethereum wallet”, you have full access to your wallet, meaning only you have the private keys that are needed to make transactions. The only public part of this wallet that you share is your Ethereum address. In fact, when you send 1 Ethereum to another person, to her/his address (into her/his wallet), what happens is that you sign a transaction with your private key stating that this 1 Ethereum no longer belongs to you, but to the other address. That’s it. The transaction gets propagated on the Ethereum network and miners verify it.
Here are the screenshots in 3 steps of sending 1 Ethereum to another address:
No central bank or complicated legal processes: you have the power to make transactions anywhere in the world, fast and with a few clicks. Also, no one can block them. Follow this guide further and we will create your first Ethereum wallet.
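The transfer described above, as an added example that is not part of the original guide: a simplified Node.js model of signing a transfer and of the checks a verifying node runs before moving a balance. It assumes SHA-256 in place of Ethereum's Keccak-256 address derivation and JSON in place of the real transaction encoding; all function names are hypothetical.

```javascript
// Added example: simplified model of a signed transfer, not real Ethereum encoding.
const crypto = require('crypto');

// Assumption: SHA-256 over the encoded public key stands in for Ethereum's
// Keccak-256 address derivation; JSON stands in for the real wire format.
function addressOf(publicKey) {
  const der = publicKey.export({ type: 'spki', format: 'der' });
  return '0x' + crypto.createHash('sha256').update(der).digest('hex').slice(-40);
}

function newWallet() {
  const { privateKey, publicKey } =
    crypto.generateKeyPairSync('ec', { namedCurve: 'secp256k1' });
  return { privateKey, publicKey, address: addressOf(publicKey) };
}

// The bytes that get signed: sender, recipient, amount and a per-sender nonce.
const encode = (tx) => Buffer.from(JSON.stringify([tx.from, tx.to, tx.value, tx.nonce]));

function signTx(wallet, to, value, nonce) {
  const tx = { from: wallet.address, to, value, nonce, pub: wallet.publicKey };
  tx.sig = crypto.sign('sha256', encode(tx), wallet.privateKey);
  return tx;
}

// Checks a verifying node performs before moving any balance.
function applyTx(state, tx) {
  if (addressOf(tx.pub) !== tx.from) return 'key does not match sender';
  if (!crypto.verify('sha256', encode(tx), tx.pub, tx.sig)) return 'bad signature';
  if (!Number.isInteger(tx.value) || tx.value <= 0) return 'bad amount';
  const from = (state[tx.from] = state[tx.from] || { balance: 0, nonce: 0 });
  if (tx.nonce !== from.nonce) return 'nonce already used or out of order';
  if (from.balance < tx.value) return 'insufficient balance';
  const to = (state[tx.to] = state[tx.to] || { balance: 0, nonce: 0 });
  from.balance -= tx.value;
  from.nonce += 1;
  to.balance += tx.value;
  return 'ok';
}

function demo() {
  const alice = newWallet(), bob = newWallet(); // constructed sample accounts
  const state = { [alice.address]: { balance: 2, nonce: 0 } };
  const tx = signTx(alice, bob.address, 1, 0);
  return [
    applyTx(state, { ...tx, value: 2 }), // amount altered after signing
    applyTx(state, tx),                  // genuine transfer of 1
    applyTx(state, tx),                  // replay of the same signed transfer
    state[bob.address].balance,
  ];
}
```

The nonce check is what stops a captured, validly signed transfer from being submitted a second time.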
But why Ethereum? Because you can do more with transactions: engage with smart contracts. Imagine coding a program that you upload to a decentralized network, where it gets stored and can be called anytime in the future. Or imagine a business that does not have physical contracts, just virtual ones on the blockchain. All of these are secure unless somebody successfully cheats/hacks the network consensus or exploits vulnerabilities in the smart contracts themselves. It may sound complicated at first, but it is not rocket science. Let’s start creating your wallet.
Creating a wallet
Most of the Ethereum hacks (breaking smart contracts, accessing accounts without or with weak authentication, phishing) do not require more than a web browser and a bit of coding skill. To start, a Firefox or Chromium/Chrome web browser with the MetaMask add-on is enough. You can connect this wallet to the Ethereum test networks and play around.
Open your Firefox or Chromium browser and install the MetaMask extension: https://metamask.io/. Currently, MetaMask is the software most commonly used by end users to interact with Ethereum contracts (these are also called “dapps” or “decentralized apps”).
After installing the extension, it either automatically opens up or you can open it from the top right bar in your browser.
The first step of using MetaMask is to generate your wallet. At this point you are asked to provide a password. Preferably, use a passphrase that is like a sentence, but does not include words from dictionaries (example: “HaxxA11co|ns”). Choose wisely.
Move on and read the phishing warning carefully!
Finally, you need to make sure the secret backup words that allow restoring the wallet are secured: of course, in a place only you can access and see. For playing you can just use paper, but for real wallets with high balances it is better to write the words on something that can survive even if your house burns down (e.g. MyCryptoSeed).
All is set. Now you have an Ethereum wallet and inside: an Ethereum account.
Changing networks and faucets
MetaMask allows you to change between Ethereum networks. Please change to Ropsten Test Network and remember that the game will be played from there.
Faucets provide free Ethereum for you on the test networks. Now it is time to get some from: https://faucet.ropsten.be/ (if it does not work, you can find other Ropsten faucets online or contact the CCTF organizers).
Congratulations, you are ready: time to get into code and hacking!
Coding and compiling a smart contract
Let’s compile an example smart contract and interact with it. Open https://remix.ethereum.org/ where you get an example contract written in the Solidity language. The Remix website has a built-in compiler and if you click on “Start to compile” it will compile the code. Now you can switch to the “Run” tab. If you have MetaMask running, then you should see “Injected web3” in the environment.
MetaMask injects the so-called web3.js into each website you visit; that way the website can communicate with MetaMask (also think about this: is it a good idea to inject into all sites?).
Deploying a smart contract
Make sure your MetaMask account is unlocked, switched to “Ropsten” and you got a coin from the faucet. Then click on “Deploy”.
MetaMask pops up a transaction, which is actually the deployment of the compiled smart contract to the Ropsten Ethereum test network. Now you may wonder what the “gas fee” is. Gas limits the computational effort of the smart contract, meaning you cannot deploy a computationally heavy infinite loop for free. You can only use a smart contract if enough gas is provided. If you are ready, click on “Confirm”.
Wait until the transaction changes from the “Pending” state to “Confirmed”. This is indicated in MetaMask. The network needs time to make sure your contract is broadcast and mined successfully. If you click on the transaction, you have a button “View transaction on Etherscan”: click on it and have a look at what happened.
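How a gas limit stops an infinite loop, as an added example that is not part of the original guide: a toy metered interpreter in JavaScript. The opcodes, their costs and the sample programs are assumptions made for illustration, not the real EVM instruction set or fee table.

```javascript
// Added example: toy gas metering. Opcodes and costs are assumptions for
// illustration, not the real EVM instruction set or fee table.
const OPS = new Map([
  ['PUSH', { cost: 3, pops: 0 }],
  ['ADD',  { cost: 3, pops: 2 }],
  ['POP',  { cost: 2, pops: 1 }],
  ['JUMP', { cost: 8, pops: 0 }],
  ['STOP', { cost: 0, pops: 0 }],
]);

// Execute `code` (array of [opcode, argument]) with a fixed gas budget.
function run(code, gasLimit) {
  let gas = gasLimit, pc = 0, steps = 0;
  const stack = [];
  // A failed run discards its results but still consumes the whole budget,
  // which is how Ethereum treats running out of gas.
  const fail = (status) => ({ status, gasUsed: gasLimit, steps, stack: [] });
  while (pc < code.length) {
    const [op, arg] = code[pc];
    const spec = OPS.get(op);
    if (!spec) return fail('invalid opcode');
    if (spec.cost > gas) return fail('out of gas');
    if (stack.length < spec.pops) return fail('stack underflow');
    gas -= spec.cost;
    steps += 1;
    if (op === 'STOP') break;
    if (op === 'JUMP') {
      if (!Number.isInteger(arg) || arg < 0 || arg >= code.length) return fail('bad jump');
      pc = arg;
      continue;
    }
    if (op === 'PUSH') stack.push(arg);
    if (op === 'ADD') stack.push(stack.pop() + stack.pop());
    if (op === 'POP') stack.pop();
    pc += 1;
  }
  return { status: 'ok', gasUsed: gasLimit - gas, steps, stack };
}

// The sender pays for the gas charged, at the price offered per unit of gas.
const feeGwei = (result, gasPriceGwei) => result.gasUsed * gasPriceGwei;

// Constructed sample programs.
const ADD_TWO = [['PUSH', 2], ['PUSH', 3], ['ADD'], ['STOP']];
const FOREVER = [['PUSH', 1], ['POP'], ['JUMP', 0]]; // never reaches STOP
```

Running `FOREVER` with any limit ends in `out of gas`, and the same happens to `ADD_TWO` when the limit is set below what it needs.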
Interacting with the contract functions
By going back to https://remix.ethereum.org/ you can start playing with the “Deployed Contracts”, under the “Run” tab. You can call the deployed smart contract’s functions one by one. Each call you initiate takes a transaction. The executed code runs on all of the Ropsten Ethereum nodes.
Congratulations, you have compiled your first smart contract and interacted with it.
You have seen the very basics and it is time to think about what else can go wrong… Weak passwords, MetaMask seeds all over the place, programmers making mistakes in smart contracts that you can call, logic problems, broken crypto and so on.