The Rubixi Hack (Quick Explain)


Introduction

In this quick blog, we explore the hack of the Rubixi contract and how an innocent mistake can lead to a whole other level of hacks. That is what happened here: the mistake allowed anyone to take over the ownership of the contract.

To learn more about this and see a hands-on example, you can check our blog about the Fallout challenge from the Ethernaut CTF:

https://medium.com/@hydraxchain/fallout-level-2-ctf-f9ffdfbe774e

Smart Contract Source Code

You can check the source code of the smart contract from here:

The issue behind this hack is that the name of the contract is different from the name of the constructor.
In Solidity 0.4, a constructor was defined by giving a function the same name as the contract.

This is no longer the case: a constructor is now defined with the keyword “constructor”.

If the names do not match, the “constructor” is just a function like any other function, and that is exactly what happened here. The constructor was supposed to set the owner to “msg.sender”, on the assumption that whoever deploys the contract is the creator. But because the name did not match, it compiled as an ordinary function that anyone can call. Therefore, anyone who calls this function ends up being the owner of the contract.
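The pattern described above, as an added example (constructed here, not the deployed Rubixi source): the contract name and function name `RenamedPyramid` / `OldContractName` are assumptions chosen to illustrate the mismatch, with the hardened form using the `constructor` keyword beside it.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.4.22;

// Vulnerable pattern (constructed illustration): the contract was renamed, but
// the old-style constructor kept the previous name. Under the pre-0.4.22 rule
// a function is only a constructor when its name equals the contract name,
// so this compiles as an ordinary public function.
contract RenamedPyramidVulnerable {
    address public creator;

    // Intended as the constructor. Because "OldContractName" is not the
    // contract name, any account can call it at any time and become creator.
    function OldContractName() public {
        creator = msg.sender;
    }

    // Owner-only payout: whoever called OldContractName() last passes this check.
    function collectFees() public {
        require(msg.sender == creator);
        creator.transfer(address(this).balance);
    }
}

// Hardened form: the `constructor` keyword (Solidity >= 0.4.22) cannot be
// mis-named and runs exactly once, at deployment, so ownership is fixed then.
contract RenamedPyramidFixed {
    address public creator;

    constructor() public {
        creator = msg.sender;
    }

    function collectFees() public {
        require(msg.sender == creator, "not owner");
        creator.transfer(address(this).balance);
    }
}
```

A quick review check for legacy 0.4 code is to grep for any public function with no arguments that assigns `msg.sender` to an owner-like variable; if it is not named exactly like the contract and is not marked `constructor`, it is callable by anyone.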

You can check it on etherscan from here:

Conclusion

That was a quick explanation of the “Rubixi” contract hack.

Follow Us (Team):

  • Zeyad Azima

Linkedin — Twitter — Github

  • Mohammad Hussam Alzeyyat (MHZCYBER)

Linkedin — Twitter — Github
