From 305feece4bd77da2e382f110cae5aaf93c20fd86 Mon Sep 17 00:00:00 2001 From: leovct Date: Mon, 30 Sep 2024 14:26:43 +0200 Subject: [PATCH] chore: rename `doc/` to `docs/` --- README.md | 4 ++-- doc/EthernautCTF.md | 37 ------------------------------------- doc/QuillCTF.md | 15 --------------- 3 files changed, 2 insertions(+), 54 deletions(-) delete mode 100644 doc/EthernautCTF.md delete mode 100644 doc/QuillCTF.md diff --git a/README.md b/README.md index e225ecc..1a5075d 100644 --- a/README.md +++ b/README.md @@ -6,8 +6,8 @@ Puzzl3s šŸ§© is an engaging collection of web3-based puzzles and Capture The Fla The following challenges have been solved: -- [EthernautCTF](doc/EthernautCTF.md) -- [QuillCTF](doc/QuillCTF.md) +- [EthernautCTF](docs/EthernautCTF.md) +- [QuillCTF](docs/QuillCTF.md) ## Exploit diff --git a/doc/EthernautCTF.md b/doc/EthernautCTF.md deleted file mode 100644 index dc50a45..0000000 --- a/doc/EthernautCTF.md +++ /dev/null @@ -1,37 +0,0 @@ -# [EthernautCTF](https://ethernaut.openzeppelin.com/) - -| NĀ° | Contract | Done | Exploit PoC | Description | -| --- | ---------------------------------------------------------- | :--: | ----------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| 01 | [Fallback](../src/EthernautCTF/Fallback.sol) | āœ… | [FallbackExploit](../test/EthernautCTF/FallbackExploit.t.sol) | Call a contract with some value to target the `receive` method. | -| 02 | [Fallout](../src/EthernautCTF/Fallout.sol) | āœ… | [FalloutExploit](../test/EthernautCTF/FalloutExploit.t.sol) | Typo in the constructor name. | -| 03 | [CoinFlip](../src/EthernautCTF/CoinFlip.sol) | āœ… | [CoinFlipExploit](../test/EthernautCTF/CoinFlipExploit.t.sol) | The contract relies on `block.number` to generate a random value. | -| 04 | [Telephone](../src/EthernautCTF/Telephone.sol) | āœ… | [TelephoneExploit](../test/EthernautCTF/TelephoneExploit.t.sol) | Use a helper contract to make sure `tx.origin` and `msg.sender` are different. | -| 05 | [Token](../src/EthernautCTF/Token.sol) | āœ… | [TokenExploit](../test/EthernautCTF/TokenExploit.t.sol) | Exploit overflows and underflows of the `0.6.0` solidity compiler. | -| 06 | [Delegation](../src/EthernautCTF/Delegation.sol) | āŒ | [DelegationExploit](../test/EthernautCTF/DelegationExploit.t.sol) | Make use of the `delegatecall` to overwrite the storage of the main contract. | -| 07 | [Force](../src/EthernautCTF/Force.sol) | āœ… | [ForceExploit](../test/EthernautCTF/ForceExploit.t.sol) | Create a contract, fund it with some ether and use the `selfdestruct` method to send the contract balance to any other contract (e.g. a contract without any implementation). | -| 08 | [Vault](../src/EthernautCTF/Vault.sol) | āœ… | [VaultExploit](../test/EthernautCTF/VaultExploit.t.sol) | Read the password from the contract storage. | -| 09 | [King](../src/EthernautCTF/King.sol) | āœ… | [KingExploit](../test/EthernautCTF/KingExploit.t.sol) | Implement a helper contract that reverts when receiving ether. | -| 10 | [Reentrance](../src/EthernautCTF/Reentrance.sol) | āœ… | [ReentranceExploit](../test/EthernautCTF/ReentranceExploit.t.sol) | Perform all state changes before making external calls to avoid re-entrancy exploits. | -| 11 | [Elevator](../src/EthernautCTF/Elevator.sol) | āœ… | [ElevatorExploit](../test/EthernautCTF/ElevatorExploit.t.sol) | When calling an external contract, always check the returned value before using it! | -| 12 | [Privacy](../src/EthernautCTF/Privacy.sol) | āœ… | [PrivacyExploit](../test/EthernautCTF/PrivacyExploit.t.sol) | Read the key from the contract storage | -| 13 | [GatekeeperOne](../src/EthernautCTF/GatekeeperOne.sol) | āœ… | [GatekeeperOneExploit](../test/EthernautCTF/GatekeeperOneExploit.t.sol) | - Estimate the amount of gas a contract call would take using `gasleft` and binary search (dichotomy).
- Another method is to use a `while` loop and to consume the gas tiny bits by tiny bits until the call succeeds.
- Perform operations using bit masks. | -| 14 | [GatekeeperTwo](../src/EthernautCTF/GatekeeperTwo.sol) | āœ… | [GatekeeperTwoExploit](../test/EthernautCTF/GatekeeperTwoExploit.t.sol) | - Create a contract that has a size equal to zero by putting all the logic inside the constructor. Indeed, a contract does not have source code available during construction.
- Solidity does not support bitwise negation, but a simple way to perform the operation is to use the XOR operation (`^`) with `0xff` (ones). | -| 15 | [NaughtCoin](../src/EthernautCTF/NaughtCoin.sol) | āœ… | [NaughtCoinExploit](../test/EthernautCTF/NaughtCoinExploit.t.sol) | Use the ERC20 `allowance` and `transferFrom` methods to send tokens on behalf of a nother address. | -| 16 | [Preservation](../src/EthernautCTF/Preservation.sol) (\*) | āœ… | [PreservationExploit](../test/EthernautCTF/PreservationExploit.t.sol) | Make use of the `delegatecall` to overwrite the storage of the main contract. This time it involved a bit more creativity as it required to overwrite an address (20 bytes) using a uint256 (32 bytes). | -| 17 | [Recovery](../src/EthernautCTF/Recovery.sol) | āœ… | [RecoveryExploit](../test/EthernautCTF/RecoveryExploit.t.sol) | The address of an Ethereum contract is deterministically computed from the address of its creator (sender) and its nonce (how many transactions the creator has sent). The sender and nonce are RLP-encoded and then hashed with keccak256. For a Solidity implementation, check the exploit code. | -| 18 | [MagicNumber](../src/EthernautCTF/MagicNumber.sol) | āœ… | [MagicNumberExploit](../test/EthernautCTF/MagicNumberExploit.t.sol) | - Use raw bytecode to create the smallest possible contract.
- Learn about initialization code to be able to run any runtime code.
- Learn about `create` to create a contract from the initialization code. | -| 19 | [AlienCode](../src/EthernautCTF/AlienCodex.sol) | āŒ | [AlienCodeExploit](../test/EthernautCTF/AlienCodexExploit.t.sol.txt) | The challenge requires to use solidity version `^0.5.0` but unfortunately, the minimum version supported by [forge-std](https://github.com/foundry-rs/forge-std) is `0.6.2`. Thus, the solution of this challenge won't be part of this repository. | -| 20 | [Denial](../src/EthernautCTF/Denial.sol) | āœ… | [DenialExploit](../test/EthernautCTF/DenialExploit.t.sol) | - Always set the amount of gas when using a low-level call. It will prevent the external contract to consume all the gas.
- Check the return value of low-level calls, especially when the address is controlled by someone else. | -| 21 | [Shop](../src/EthernautCTF/Shop.sol) | āœ… | [ShopExploit](../test/EthernautCTF/ShopExploit.t.sol) | - When calling an external contract, always check the returned value before using it!
- This challenge is very similar to challenge 11. | -| 22 | [Dex](../src/EthernautCTF/Dex.sol) | āœ… | [DexExploit](../test/EthernautCTF/DexExploit.t.sol) | The contract uses a division operation to compute the swap amount which can be exploited because of a precision loss. Indeed, Solidity does not support floating points. | -| 23 | [DexTwo](../src/EthernautCTF/DexTwo.sol) | āŒ | | | -| 24 | PuzzleWallet | āŒ | | | -| 25 | [Motorbike](../src/EthernautCTF/Motorbike.sol) | āŒ | | | -| 26 | [DoubleEntry](../src/EthernautCTF/DoubleEntry.sol) | āŒ | | | -| 27 | GoodSamaritan | āŒ | | | -| 28 | [GatekeeperThree](../src/EthernautCTF/GatekeeperThree.sol) | āŒ | | | -| 29 | [Switch](../src/EthernautCTF/Switch.sol) | āŒ | | | -| 30 | [HigherOrder](../src/EthernautCTF/HigherOrder.sol) | āŒ | | | -| 31 | [Stake](../src/EthernautCTF/Stake.sol) | āŒ | | | - -(\*) I opened a [PR](https://github.com/OpenZeppelin/ethernaut/pull/756) to prevent cheating in challenge 16. diff --git a/doc/QuillCTF.md b/doc/QuillCTF.md deleted file mode 100644 index e9e204c..0000000 --- a/doc/QuillCTF.md +++ /dev/null @@ -1,15 +0,0 @@ -# [QuillCTF](https://academy.quillaudits.com/challenges) - -| NĀ° | Contract | Done | Exploit PoC | Description | | -| --- | -------------------------------------------------- | ---- | -------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --- | -| 01 | [RoadClosed](../src/QuillCTF/RoadClosed.sol) | āœ… | [RoadClosedExploit](../test/QuillCTF/RoadClosedExploit.t.sol) | - Use of `extcodesize` to check if an address is an EOA
- Lack of access control for some critical methods (e.g `addToWhitelist`) | -| 02 | [Confidential](../src/QuillCTF/Confidential.sol) | āœ… | [ConfidentialExploit](../test/QuillCTF/ConfidentialExploit.t.sol) | - Read private variables from storage | -| 03 | [VIPBank](../src/QuillCTF/VIPBank.sol) | āœ… | [VIPBankExploit](../test/QuillCTF/VIPBankExploit.t.sol) | - Wrong check of parameter to prevent users from withdrawing too many ethers at a time which leads to funds locked forever in the contract. | -| 04 | [SafeNFT](../src/QuillCTF/SafeNFT.sol) | āœ… | [SafeNFTExploit](../test/QuillCTF/SafeNFTExploit.t.sol) | - OpenZeppelin's ERC721 implementation of `safeMint` is not safe and performs an external call to the receiver address. | -| 05 | [Delegate](../src/QuillCTF/Delegate.sol) | āœ… | [DelegateExploit](../test/QuillCTF/SafeNFTExploit.t.sol) | - `delegatecall` can override variables of the calling contract. | -| 06 | [CollatzPuzzle](../src/QuillCTF/CollatzPuzzle.sol) | āŒ | [CollatzPuzzleExploit](../test/QuillCTF/CollatzPuzzleExploit.t.sol) | - Use huff to heavily optimize the contract by relying on opcodes directly. | -| 07 | [TrueXOR](../src/QuillCTF/TrueXOR.sol) | āœ… | [TrueXORExploit](../test/QuillCTF/TrueXORExploit.t.sol) | - Use the amount of gas left (with `gasleft()`) to return different values using a view function that takes no parameters
- Use `delegatecall` to keep the context of the main contract (especially, `msg.sender`, `msg.value` and `address(this)`). | -| 20 | [VoteToken](../src/QuillCTF/VoteToken.sol) | āœ… | [VoteTokenExploit](../test/QuillCTF/VoteTokenExploit.t.sol) (\*) | - The contract doesn't update its state when users transfer tokens | -| 21 | [PrivateClub](../src/QuillCTF/PrivateClub.sol) | āœ… | [PrivateClubExploit](../test/QuillCTF/PrivateClubExploit.t.sol) (\*) | - Not enough check of the parameters (e.g. `becomeMember`)
- Too much power given to the contract owner | - -(\*) Detailed reports have been written for these exploits: [VoteToken](../reports/QuillCTF/VoteToken.md) and [PrivateClub](../reports/QuillCTF/PrivateClub.md).