Fallout audit report

David Kathoh
Oct 11, 2022

Executive summary

This report presents the results of a code review and security analysis of the OpenZeppelin Ethernaut CTF smart contracts. The review was conducted on October 10th by David Kathoh.

Scope

The review focused on the Fallout smart contract and sought to answer this question:

  • Is it possible to claim ownership of the contract?

Project Targets

Repository: https://github.com/OpenZeppelin/ethernaut/……

Version: 4f80f8afa47793d9133f03b6c247d8b6b0adc673

Type: Ethereum

Platform: Solidity

Findings

Each issue has an assigned severity:

  • Minor issues are subjective in nature. They are typically suggestions around best practices or readability. Code maintainers should use their own judgment as to whether to address such issues.
  • Medium issues are objective in nature but are not security vulnerabilities. These should be addressed unless there is a clear reason not to.
  • Major issues are security vulnerabilities that may not be directly exploitable or may require certain conditions in order to be exploited. All major issues should be addressed.
  • Critical issues are directly exploitable security vulnerabilities that need to be fixed.

Wrong constructor definition - Critical

The Fallout contract's constructor is not correctly defined: the function meant to initialize the owner, Fal1out(), is an ordinary public function. As a result, anyone can take ownership of the smart contract by calling Fal1out().

Recommendation

Define the smart contract constructor with the constructor keyword.

constructor() public payable {
    // Runs once, at deployment: the deployer becomes the owner.
    owner = msg.sender;
    allocations[owner] = msg.value;
}
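A way to catch this class of mistake during review, as an added example that is not part of the original report or the Ethernaut code base: a heuristic Python scan that flags functions whose names nearly match the name of the contract declaring them. The helper names, the regex-based parsing and the sample contract are assumptions constructed for illustration.

```python
import re

COMMENTS = re.compile(r"//[^\n]*|/\*.*?\*/", re.DOTALL)
CONTRACT = re.compile(r"\bcontract\s+([A-Za-z_$][\w$]*)")
FUNCTION = re.compile(r"\bfunction\s+([A-Za-z_$][\w$]*)\s*\(")
CONSTRUCTOR = re.compile(r"\bconstructor\s*\(")

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_constructors(source, max_distance=1):
    """List (contract, function, has_constructor) for near-miss constructor names."""
    code = COMMENTS.sub(" ", source)  # a "/* constructor */" comment proves nothing
    decls = list(CONTRACT.finditer(code))
    findings = []
    for k, decl in enumerate(decls):
        # Heuristic scope: everything up to the next contract declaration.
        end = decls[k + 1].start() if k + 1 < len(decls) else len(code)
        name, body = decl.group(1), code[decl.end():end]
        has_ctor = bool(CONSTRUCTOR.search(body))
        for fn in FUNCTION.finditer(body):
            f = fn.group(1)
            if f != name and edit_distance(f.lower(), name.lower()) <= max_distance:
                findings.append((name, f, has_ctor))
    return findings

# Constructed sample modelled on the finding; not the audited file.
VULNERABLE = """
contract Fallout {
    address payable public owner;
    mapping(address => uint) allocations;
    /* constructor */
    function Fal1out() public payable {
        owner = msg.sender;
        allocations[owner] = msg.value;
    }
}
"""
FIXED = VULNERABLE.replace("function Fal1out()", "constructor()")

if __name__ == "__main__":
    print(lookalike_constructors(VULNERABLE), lookalike_constructors(FIXED))
```

A hit with has_constructor set to False is the pattern described in this finding: an initializer that any caller can invoke and no real constructor in the contract.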

Conclusion

The smart contract within the scope was manually reviewed and analyzed.
As a result of the audit, 1 critical severity issue was found in the smart contract and needs to be addressed.

PS: THIS AUDIT IS DONE FOR LEARNING PURPOSES AND THE CODE BASE CONTAINS A VULNERABILITY.
