Web 3.0

Smart Contracts could be leaky


This talk is about sharing experiences with you about things that worked and that did not work as expected, when I wrote my first Smart Contract and deployed it to a "decentralised" server.

  1. How I leaked the sensitive flag{}, and,
  2. what was the fix I applied to prevent leaking sensitive information?



  • Web3.0 is interesting
  • Integer overflow is still possible, but exploitation isn't possible by standard means
  • Information leakage is a real problem

About Me

Current: Freelancer

History: C/C++ Secure Coding Instructor, Security Analyst Consultant, Scrum Master, Automation Engineer, Quality Engineer


At Leisure: Developer, Speaker/Trainer, Community Volunteer for Winja


1. Integer Overflow



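function sellArticle(string memory _name, string memory _description, int256 _price) public {
    seller = msg.sender;
    name = _name;
    description = _description;
    // Explicit cast is not range-checked: a negative _price becomes a very large uint256
    price = uint256(_price);
    // For a negative _price this signed check passes
    if(int256(balances[seller]) - _price >= 0) {
        // Unsigned subtraction of the oversized price underflows here
        balances[seller] -= price;
    }
}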


Integer Arithmetics



  1. Addition of 2 unsigned integers can overflow to a smaller value?
  2. Subtraction of 2 unsigned integers can underflow to a greater value?

True or False

Contract Address

$ npx hardhat run scripts/deploy.js --network rinkeby
Compiled 1 Solidity file successfully
Deploying contracts with account:  0x231E671534B96936B48D7C2b9455d8E7FfD21543
Account balance:  1838357085301522520
IntegerOverflow address:  0x39F5bCa98883609378f850780C46e2161B419A96


React Frontend


Overflow Exception!

What Happened?

"In Solidity 0.8, the compiler will automatically take care of checking for overflows and underflows."



2. Data Privacy


Smart Contract

Contract Address:
  1. Go to https://goerli.etherscan.io

  2. Search contract address:

  3. Locate "Contract Creation" transaction

  4. Click on corresponding "Txn Hash" value

  5. Select "Click to see More"

  6. Locate "Input Data" section

  7. Select "UTF-8"

How do I create Web3 capture-the-flag challenges, if the secret flag just can't be hidden from the world?

No such thing as Privacy?


New Contract Address:
  1. Go to https://rinkeby.etherscan.io/

  2. Search contract address:


  3. Locate "Contract Creation" transaction

  4. Click on corresponding "Txn Hash" value

  5. Select "Click to see More"

  6. Locate "Input Data" section

  7. Select "UTF-8"

The secret flag is not readable (just like that) by the world, anymore!
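The two Etherscan walkthroughs above, turned into a check you can run on the creation input before deploying. This is an added example, not code from the talk: it shows why a plaintext string constructor argument is readable in "Input Data" and how a 32-byte digest argument looks instead. The talk does not state which fix was applied, so the digest variant is an assumption, and the bytecode stub, flag, digest and function names are constructed for illustration.

```javascript
// Added example. All sample values below are constructed, not taken from the talk's contracts.
const SAMPLE_BYTECODE = '608060405234801561001057600080fd5b50'; // constructed stub, not a real contract
const SAMPLE_FLAG = 'flag{constructed_example}';
// Constructed 32-byte value standing in for a digest of the secret (assumption, see lead-in).
const SAMPLE_DIGEST = '9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08';

// ABI-encode a single `string` constructor argument: offset word, length word, padded bytes.
function encodeStringArg(s) {
  const data = Buffer.from(s, 'utf8');
  const word = (n) => n.toString(16).padStart(64, '0');
  const paddedLen = Math.ceil(data.length / 32) * 32;
  return word(32) + word(data.length) + data.toString('hex').padEnd(paddedLen * 2, '0');
}

// Printable-ASCII runs of at least minLen bytes: the text a UTF-8 view of the data makes readable.
function readableStrings(inputHex, minLen = 6) {
  const bytes = Buffer.from(inputHex.replace(/^0x/, ''), 'hex');
  const runs = [];
  let cur = '';
  for (const b of bytes) {
    if (b >= 0x20 && b <= 0x7e) {
      cur += String.fromCharCode(b);
      continue;
    }
    if (cur.length >= minLen) runs.push(cur);
    cur = '';
  }
  if (cur.length >= minLen) runs.push(cur);
  return runs;
}

// Pre-deployment check: readable strings in the creation input that match a secret pattern.
function findLeakedSecrets(creationInputHex, patterns = [/flag\{[^}]*\}/]) {
  return readableStrings(creationInputHex).filter((s) => patterns.some((p) => p.test(s)));
}

// Creation input = contract bytecode followed by the ABI-encoded constructor arguments.
const leakyDeploy = '0x' + SAMPLE_BYTECODE + encodeStringArg(SAMPLE_FLAG);
const digestDeploy = '0x' + SAMPLE_BYTECODE + SAMPLE_DIGEST; // bytes32 argument: one raw word

console.log('plaintext argument:', findLeakedSecrets(leakyDeploy));
console.log('digest argument:   ', findLeakedSecrets(digestDeploy));
```

A digest only helps if the secret is hard to guess; a short or predictable flag can be recovered by hashing candidates offline.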

3. Capture-the-Flag

Contract Address: 0x5Ae52B13d270Cb8D06DCF188657B335A142E13C5


Network: Goerli

Can you solve this?


By Riddhi Shree Chaurasia