Skip to content

Latest commit

 

History

History
128 lines (84 loc) · 3.24 KB

6.md

File metadata and controls

128 lines (84 loc) · 3.24 KB
Raw

A-Ethernaut-CTF

Day5 2024.09.03

Token

题目:

The goal of this level is for you to hack the basic token contract below.

You are given 20 tokens to start with and you will beat the level if you somehow manage to get your hands on any additional tokens. Preferably a very large amount of tokens.

Things that might help:

What is an odometer?

// SPDX-License-Identifier: MIT
pragma solidity ^0.6.0;

contract Token {
    mapping(address => uint256) balances;
    uint256 public totalSupply;

    constructor(uint256 _initialSupply) public {
        balances[msg.sender] = totalSupply = _initialSupply;
    }

    function transfer(address _to, uint256 _value) public returns (bool) {
        require(balances[msg.sender] - _value >= 0);
        balances[msg.sender] -= _value;
        balances[_to] += _value;
        return true;
    }

    function balanceOf(address _owner) public view returns (uint256 balance) {
        return balances[_owner];
    }
}

解題:

請我們取得多餘的 token,代碼邏輯上面沒什麼錯誤,直覺上應該是要利用 overflow 來取得多餘的 token。

0.8.0 之後的版本,Solidity 已經加入了 overflow 檢查,所以題目使用 0.6.0 的版本。

在這個測試中,我們使用 (2**256) - 1 作為轉帳數量,這會導致溢位並使得餘額變為一個很大的數字。

然後,我們檢查餘額是否大於初始值,以確保溢位攻擊成功。

POC: Token.t.sol

補充:

Solidity v0.8.0 - overflow check

Delegation

題目:

The goal of this level is for you to claim ownership of the instance you are given.

Things that might help

Look into Solidity's documentation on the delegatecall low level function, how it works, how it can be used to delegate operations to on-chain libraries, and what implications it has on execution scope. Fallback methods Method ids

本關卡的目標是讓您獲得實例的所有權。

可能有幫助的事情

查看 Solidity 有關 delegatecall 底層函數的文檔,瞭解它的工作原理、如何將操作委託給鏈上庫,以及它對執行範圍的影響。

  • 回退方法
  • 方法 id
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

contract Delegate {
    address public owner;

    constructor(address _owner) {
        owner = _owner;
    }

    function pwn() public {
        owner = msg.sender;
    }
}

contract Delegation {
    address public owner;
    Delegate delegate;

    constructor(address _delegateAddress) {
        delegate = Delegate(_delegateAddress);
        owner = msg.sender;
    }

    fallback() external {
        (bool result,) = address(delegate).delegatecall(msg.data);
        if (result) {
            this;
        }
    }
}

解題:

這個合約使用了 delegatecall 來調用 Delegate 合約的 pwn 方法,這將使得 Delegate 合約的 owner 變為攻擊者的地址。

我們可以通過調用 Delegation 合約的 fallback 方法來調用 Delegate 合約的 pwn 方法。

POC : Delegation.t.sol