The constant PRICE_PER_TOKEN is 1 ether, which is represented by 10**18 wei in Solidity. This is a really large number.
In the function buy():
We know that integer overflow/underflow is a thing for old versions prior to Solidity 0.8. Since PRICE_PER_TOKEN is huge and we have control over numTokens, we can pick a suitable numTokens and make numTokens * PRICE_PER_TOKEN overflow.
How large numTokens is supposed to be? Let's do the math:
// INT_MAX = 2**256 - 1 = 115792089237316195423570985008687907853269984665640564039457584007913129639935// numTokens will multiply with 10**18, so take out the last 18 digits: 115792089237316195423570985008687907853269984665640564039457
// To overflow this thing after multiplication, add 1: 115792089237316195423570985008687907853269984665640564039458// After multiplication, the product is 115792089237316195423570985008687907853269984665640564039458000000000000000000// After overflow this becomes 415992086870360064, which is msg.value// This value is slightly less than 0.5 ether and it is suitable to solve this challenge
Solution
Copy and paste the challenge contract into Remix and interact with it via "At Address".
Call buy(115792089237316195423570985008687907853269984665640564039458) and send 415992086870360064 wei as msg.value.
Call sell(1).
Call isComplete() to verify if the challenge was successfully solved.
Token whale
Writeup
pragmasolidity ^0.4.21;contract TokenWhaleChallenge {address player;uint256public totalSupply;mapping(address=>uint256) public balanceOf;mapping(address=>mapping(address=>uint256)) public allowance;stringpublic name ="Simple ERC20 Token";stringpublic symbol ="SET";uint8public decimals =18;functionTokenWhaleChallenge(address_player) public { player = _player; totalSupply =1000; balanceOf[player] =1000; }functionisComplete() publicviewreturns (bool) {return balanceOf[player] >=1000000; }eventTransfer(addressindexed from, addressindexed to, uint256 value);function_transfer(address to,uint256 value) internal { balanceOf[msg.sender] -= value; balanceOf[to] += value;emitTransfer(msg.sender, to, value); }functiontransfer(address to,uint256 value) public {require(balanceOf[msg.sender] >= value);require(balanceOf[to] + value >= balanceOf[to]);_transfer(to, value); }eventApproval(addressindexed owner, addressindexed spender, uint256 value);functionapprove(address spender,uint256 value) public { allowance[msg.sender][spender] = value;emitApproval(msg.sender, spender, value); }functiontransferFrom(address from,address to,uint256 value) public {require(balanceOf[from] >= value);require(balanceOf[to] + value >= balanceOf[to]);require(allowance[from][msg.sender] >= value); allowance[from][msg.sender] -= value;_transfer(to, value); }}
The transferFrom(from, to, value) function calls _transfer(to, value):
This implementation is wrong. In fact, it deducts balance from msg.sender instead of from. Moreover, balanceOf[msg.sender] -= value has underflow problem.
Solution
Here is the attack plan:
Initially we have balanceOf[player] = 1000.
Create a proxy account in Metamask, call it backup.
player calls transfer(backup, 510). Here "510" can be any number greater than 500. If we transfer 510 tokens to backup, we now have 490 in player and 510 in backup.
backup calls approve(player, 500). This sets the allowance and prepares for transferFrom().
player calls transferFrom(backup, backup, 500). In this step, _transfer(backup, 500) is being called. Since _transfer() deducts balance from msg.sender instead of from, the player's account will be deducted 500. Recall that player's balance is 490 at this moment, so balanceOf[msg.sender] is going to underflow to a huge number. That is, the player account has a huge balance now.
Call isComplete() to verify if the challenge was successfully solved.
Retirement fund
Code Audit
pragmasolidity ^0.4.21;contract RetirementFundChallenge {uint256 startBalance;address owner = msg.sender;address beneficiary;uint256 expiration = now +10years;functionRetirementFundChallenge(address player) publicpayable {require(msg.value ==1ether); beneficiary = player; startBalance = msg.value; }functionisComplete() publicviewreturns (bool) {returnaddress(this).balance ==0; }functionwithdraw() public {require(msg.sender == owner);if (now < expiration) {// early withdrawal incurs a 10% penalty msg.sender.transfer(address(this).balance *9/10); } else { msg.sender.transfer(address(this).balance); } }functioncollectPenalty() public {require(msg.sender == beneficiary);uint256 withdrawn = startBalance -address(this).balance;// an early withdrawal occurredrequire(withdrawn >0);// penalty is what's left msg.sender.transfer(address(this).balance); }}
The collectPenalty() function has underflow problem:
Here startBalance is 1 ether, and the developer assumed that address(this).balance <= 1. This assumption is clearly false since an attacker can call selfdestruct() in a proxy contract to forcefully send ether to the challenge contract. This will make address(this).balance > startBalance, so startBalance - address(this).balance < 0 and it causes underflow. withdrawn will be a huge positive number.
Solution
Write a selfdestruct contract and deploy it with msg.value == 1 wei:
After that, copy and paste the challenge contract into Remix and interact with it via "At Address". Call collectPenalty(). This step must be done manually since collectPenalty() checks require(msg.sender == beneficiary) and we have beneficiary = player in the constructor. Call isComplete() to verify that the challenge was solved successfully.
uint256[] map is a dynamic array stored in storage:
In the case of a dynamic array, the reserved slot p contains the length of the array as a uint256, and the array data itself is located sequentially at the address keccak256(p).
Call set(35707666377435648211887908874984608119992236509074197713628505308453184860938,1) to overwrite isComplete.
Donation
Code Audit
pragmasolidity ^0.4.21;contract DonationChallenge {structDonation {uint256 timestamp;uint256 etherAmount; } Donation[] public donations;addresspublic owner;functionDonationChallenge() publicpayable {require(msg.value ==1ether); owner = msg.sender; }functionisComplete() publicviewreturns (bool) {returnaddress(this).balance ==0; }functiondonate(uint256 etherAmount) publicpayable {// amount is in ether, but msg.value is in weiuint256 scale =10**18*1ether;require(msg.value == etherAmount / scale); Donation donation; donation.timestamp = now; donation.etherAmount = etherAmount; donations.push(donation); }functionwithdraw() public {require(msg.sender == owner); msg.sender.transfer(address(this).balance); }}
Note that when the struct donation is declared, its location is not defined (memory or storage). In this case, Solidity picks storage by default. Since donation is uninitialized, it will be pointing to slot 0 and slot 2 (this struct has two entries, each entry is 32-byte long). Specifically, donation.timestamp points to slot 0 and donation.etherAmount points to slot 1.
Learn more about storage:
Solution
Let's anaylze the storage of this contract:
slot 0: since Donation[] public donations is a dynamic array, its length is stored in this slot.
Since donation is uninitialized, donation.timestamp overwrites slot 0 and donation.etherAmount overwrites slot 1. That is, we can overwrite owner with donation.etherAmount.
Now our task is choosing a suitable donation.etherAmount. This value is uint256, but we want it to represent an address. Note that there is another bug in the donate() function:
Since ether is just an alias of 10**18, this code is equivalent to:
In this way, msg.value will be a small number, definitely less than 1 ether. Here you can convert your Metamask wallet address to uint256, compute msg.value == <converted_address> / 10**36 and call donate(<converted_address>) together with the msg.value you just computed. Once owner is overwritten, call withdraw().
