Recovery

Recover Ether sent to a contract created using `CREATE` without a `receive` or `payable fallback` function.

Vulnerable Code

Analyze the Solidity code below to find the vulnerability.

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface SimpleToken {
  function destroy(address payable _to) external;
}

contract Recovery {

  SimpleToken token; // Slot 0

  constructor() {
    token = new SimpleToken(); // Deploys SimpleToken using CREATE
    // Send 0.001 Ether to the deployed SimpleToken contract
    token.destroy{value: 0.001 ether}(payable(address(this)));
  }

  // Function to destroy the SimpleToken and recover funds
  function destroyToken() public {
    token.destroy(payable(msg.sender));
  }

  // Note: Neither Recovery nor SimpleToken (in its hypothetical implementation)
  // necessarily has receive() or fallback() payable functions.
  // The SimpleToken interface only declares destroy.
}

Submit Explanation

Explain the vulnerability and how to exploit it.

Your Explanation

Hints (6)

Just a little peak

Hint 1

Hint 2

Hint 3

Hint 4

Hint 5

Hint 6

Explanation

Discomfort = Learning

Recovery

Unveil Explanation