To beat this level, we need to somehow get our hands on additional tokens. The weakness is the transfer() function, which performs arithmetic operations without checking for overflows and underflows.
Let's say we have a uint8, which can only hold 8 bits. That means the largest number we can store is binary 11111111 (or in decimal, 2^8 - 1 = 255). Now if we increase it by 1, the number is counterintuitively equal to 0 even though we increased it. (If you add 1 to binary 11111111, it resets back to 00000000, like a clock going from 23:59 to 00:00.) An underflow is similar: if you subtract 1 from a uint8 that equals 0, it will now equal 255 (because uints are unsigned, and cannot be negative).
We can get our hands on additional tokens by causing balances[msg.sender] to underflow.

- To cause the underflow, call transfer() with a value greater than 20, so the subtraction wraps around instead of failing:

```javascript
await contract.transfer(instance, 21);
```
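As an added example that is not part of this writeup (and not the level's own contract code, which the page does not show), the following Python models the unchecked subtraction behind the level beside a checked version, the kind of guard that SafeMath's sub() and Solidity 0.8 checked arithmetic provide; the 20-token starting balance and the shape of the vacuous guard are assumptions.

```python
# Added model (not the level's contract). Assumptions: balances are uint256,
# the sender starts with 20 tokens, and the vulnerable guard has the form
# "require(balances[msg.sender] - _value >= 0)", which unsigned subtraction
# can never fail.

def wrap(value: int, bits: int = 256) -> int:
    """Unchecked EVM arithmetic: reduce modulo 2**bits, so for a uint8
    255 + 1 -> 0 and 0 - 1 -> 255, exactly as the clock analogy describes."""
    return value % (1 << bits)


def unchecked_transfer(balances: dict, sender: str, to: str, value: int) -> int:
    """Vulnerable pattern: the guard compares a wrapped (always non-negative)
    result against zero, so it passes, and the balance wraps to a huge number."""
    if wrap(balances.get(sender, 0) - value) < 0:  # never true for unsigned math
        raise ValueError("insufficient balance")
    balances[sender] = wrap(balances.get(sender, 0) - value)
    balances[to] = wrap(balances.get(to, 0) + value)
    return balances[sender]


def checked_transfer(balances: dict, sender: str, to: str, value: int) -> int:
    """Hardened form: compare before subtracting, as SafeMath's sub() and
    Solidity >= 0.8 checked arithmetic do, so an underflow reverts instead."""
    if balances.get(sender, 0) < value:
        raise ValueError("insufficient balance")
    balances[sender] = balances.get(sender, 0) - value
    balances[to] = balances.get(to, 0) + value
    return balances[sender]


def demo() -> tuple:
    """Constructed scenario: the player holds 20 tokens and transfers 21."""
    vulnerable = {"player": 20}
    after = unchecked_transfer(vulnerable, "player", "instance", 21)
    hardened = {"player": 20}
    try:
        checked_transfer(hardened, "player", "instance", 21)
        reverted = False
    except ValueError:
        reverted = True
    # (2**256 - 1, True): the unchecked balance wraps, the checked one reverts
    return after, reverted


if __name__ == "__main__":
    print(demo())
```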