# Donate

## Idea

```solidity
keccak256(bytes("changeKeeper(address)")) // 0x097798381ee91bee7e3420f37298fe723a9eedeade5440d4b2b5ca3192da2428
```

This means you can't pass the string `"changeKeeper(address)"` to `secretFunction()`. Does it really prevent us from calling `changeKeeper()`? Not really.

Recall that functions are called based on function selector, which is just the first 4 bytes of the keccak256 of its signature. That is, we can call some random function signature to trigger a call to `changeKeeper()`, as long as their function selectors match.

To find a suitable function name with same function selector as `changeKeeper()` -> `0x09779838`, I used Ethereum Signature Database:

{% embed url="<https://www.4byte.directory/signatures/?bytes4_signature=0x09779838>" %}
&#x20;Ethereum Signature Database
{% endembed %}

<figure><img src="https://223316867-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MWVtlSxURaW2QQu6RU5%2Fuploads%2Fz2U4oYEfhe65bpyQZtU7%2Fimage.png?alt=media&#x26;token=ef4e3591-26f3-42c4-a051-facacaad2452" alt=""><figcaption></figcaption></figure>

Turns out `refundETHAll(address)` has the same function selector as `changeKeeper(address)`, also they have the same function input tuple, which is perfect.

## PoC

{% embed url="<https://github.com/ret2basic/QuillCTF-PoC/blob/main/Donate/test/Donate.t.sol>" %}
Donate PoC
{% endembed %}