Idea

keccak256(bytes("changeKeeper(address)")) // 0x097798381ee91bee7e3420f37298fe723a9eedeade5440d4b2b5ca3192da2428

This means you can't pass the string "changeKeeper(address)" to secretFunction(). Does it really prevent us from calling changeKeeper()? Not really.

Recall that functions are dispatched by function selector, which is just the first 4 bytes of the keccak256 hash of the function signature. That is, we can call some other function signature to trigger a call to changeKeeper(), as long as the two function selectors match.

To find a suitable function name with the same function selector as changeKeeper() -> 0x09779838, I used the Ethereum Signature Database:

It turns out that refundETHAll(address) has the same function selector as changeKeeper(address), and both take the same input tuple, which is perfect.

PoC