What is tx.origin? 0:24
Contract vulnerable to phishing 0:57
Exploit 2:37
Demo 5:14
Preventative technique 6:24
Excellent! I never thought that the money could be stolen in this way.
😦 This seems super easy to hack!!! Thanks so much for the awareness 🙏
Excellent explanation. Thank you!
Excellent video, thank you so much!
Great, simple explanation. Thank you.
Great explanation.
Hello, would you be able to transfer NFTs as well?
Can we also use the transfer function instead of the call function to transfer ether? Are they equivalent?
You can use transfer. But using "call" is preferred, as the "transfer" function sends a fixed gas of 2500 to the fallback function, whereas if sent using "call" you can set as much "gas value" as you want along with it.
transfer assumes that a reentrancy attack is impossible with 2500 gas. call does not make that assumption. By using call, you force yourself to write code against a wider range of reentrancy attacks.
The real question is how do we trick Alice into using our malicious contract?
Make a pretty UI, create a fake audit report, hype up the scam product on social media. Most users can't read Solidity
@smartcontractprogrammer Why are you saying most users can't read Solidity for this case? This kind of phishing attack works only when the wallet is not secured by the provider; it doesn't depend on the user, right? If we trick Alice into using the contract but the wallet is secure (not using tx.origin == owner), this attack will not work. How is this dependent on the user? Shouldn't it depend on the wallet provider?
Thanks for your videos, I'm learning a lot through you, it's AMAZING!
Tell Alice that if she sends 1 ETH to your malicious contract, she will get 2 ETH back in return. (Please don't do this though)
Not true. It didn't work. Only the wallet contract owner can withdraw via the attack contract call. If another address "msg.sender" is calling the attack contract, it always fails.
@serenity7116 Even if Eve tricked Alice into calling the "attack function", it won't work because the attack contract can only be called by the attack contract owner, and Alice is not the "attack contract owner". The code presented isn't complete.
@serenity7116 Why don't you try to run the code and see why I said "code incomplete"? 😅 See it yourself. 😂
It works, I just tried it. As long as the attack function doesn't have a require check on who can call it, anybody can call the attack function.
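The wallet check the thread is arguing about, written out as an added example (not the video's own code): the same wallet with the tx.origin owner check that an intermediary contract can pass on Alice's behalf, next to the msg.sender version that it cannot. Contract and function names are assumptions chosen for this illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not the code from the video. Both wallets use call to send
// ether (as discussed in the thread) and check the low-level return value.

contract VulnerableWallet {
    address public owner;

    constructor() payable {
        owner = msg.sender;
    }

    // tx.origin is the externally owned account that signed the transaction.
    // If the owner (Alice) is tricked into calling some other contract, and
    // that contract then calls this function, tx.origin is still Alice, so
    // the check passes even though the immediate caller is not her.
    function transfer(address payable _to, uint256 _amount) public {
        require(tx.origin == owner, "Not owner");
        (bool sent, ) = _to.call{value: _amount}("");
        require(sent, "Failed to send Ether");
    }

    receive() external payable {}
}

contract SecureWallet {
    address public owner;

    constructor() payable {
        owner = msg.sender;
    }

    // msg.sender is the immediate caller. An intermediary contract calls
    // from its own address, so it cannot satisfy this check for Alice;
    // only a transaction or call made directly by the owner address passes.
    function transfer(address payable _to, uint256 _amount) public {
        require(msg.sender == owner, "Not owner");
        (bool sent, ) = _to.call{value: _amount}("");
        require(sent, "Failed to send Ether");
    }

    receive() external payable {}
}
```

When reviewing a wallet, the thing to grep for is any authorization check built on tx.origin; the fix is the one-token change shown in SecureWallet.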